Jiu Jitsu vs InfoSec: Competition vs Self Defense

Tim MalcomVetter
Jul 20, 2017 · 3 min read
Kids BJJ Competition

This is part of a series comparing Jiu Jitsu with InfoSec.

It’s natural to want to challenge yourself to get a good estimate of your skills, especially when you have available opponents to compete with. Competition is good and fosters development in general. However, it’s possible for some competitors to take competition too far or to game the rules of the competition and miss the original intent of the skill development.

In BJJ, we see this in competitions where competitors do things they would never do in a street fight for self-defense, such as “pulling guard.” For those unfamiliar, this means immediately falling to the ground on your back in a defensive position, forcing an opponent to initiate a “guard pass” and play into a potential trap. In an actual street fight, if a thug approached you as you walked to your car in a dimly lit parking lot, falling to your back on the street is not only not advised, it’s flat out stupid. You could land on the pavement too hard, maybe even on your head, and it would be game over right there, with some potentially life altering injuries. In competition on the mats, however, it’s safe. Likewise, in competition, we see BJJ strategies to gain “points” while sustaining the several minute rounds, rather than go for the submissions to immediately end the fight and win — another ill-advised strategy in self-defense.

The same can be said of InfoSec.

We often challenge our own security through exercises like penetration tests and Red Team campaigns, which aim to simulate real attacks in various ways, but they often fall flat. It’s not uncommon for penetration tests to be initiated from known starting points that are “whitelisted” or immediately marked as trusted — maybe even with special rules to bypass firewalls and intrusion prevention systems. Or we paint penetration testers into a box with tight scopes, such as limited hours of the day, non-production environments that don’t look like production, or limited ability to move laterally after the initial exploitation.

Red Team campaigns aim to eliminate some of that limited bias, but they can be gamed as well. I’ve had several colleagues tell me stories about consulting clients who put strict rules on consulting red teams, such as foreknowledge of malware artifacts, origin domains/IP addresses, and notification when the first phishing volleys begin; then, with an uncanny ability and no explanation, the Blue Team suddenly announces to their CISO how they stopped, within mere minutes, custom malware for which there were no AV or IDS signatures (Hat Tip to @Mubix for one of the most memorable examples). Even when Red and Blue get along well and authentically value the exercise as a means for training and measurement of defensive capability, there are still limitations — such as how real attackers can attack customers and then use that access to commit fraud, but Red Teams cannot (that whole pesky federal CFAA law).

Whether BJJ or InfoSec, the point of the competition is to train through pressure while improving readiness for the real conflict. Don’t get lost in the game.

Read more: Jiu Jitsu vs InfoSec: New Bypasses
