Jiu Jitsu vs InfoSec: Threat Intelligence
This is a continuation of my series comparing Jiu Jitsu with CyberSecurity. You can start from the beginning here.
When you consistently train with the same cohort of training partners for months or years, you will begin to learn “their game” and they will learn yours. It’s entirely likely your most common training partners will become a thorn in your side, shutting down all of your best sequences of techniques. They’ll probably even talk to you about it, possibly bragging, (or worse, they’ll give tips to the lower ranking training partners so they can shut you down next time)! You may evolve a little bit, get some advantages over them, but find those advantages are short lived as they begin to catalog them and build answers for your techniques.
Amazingly, despite the likelihood your consistent jiu jitsu training partners may shut down your “A Game,” the results are likely to be completely different with a new training partner. You may just find your best or favorite sweeps, passes, or submissions work effortlessly on someone who hasn’t seen them, even if they’ve been training for awhile. Why is that? Due to the iron sharpening iron in your gym amongst your same training partners, the overall skill level of the entire room rises together. You may feel incremental progress over your peers coming and going — and they may feel the same towards you — but all of you are getting better. It’s likely not that just that your techniques are improving, but more likely your timing and setups are becoming more precise or complicated, and those setup details are the pieces an outsider or fresh training partner may not have encountered.
In Cybersecurity, there exists a sub-discipline known as “Threat Intelligence,” in which researchers chase the activities of known bad actors, cataloging their techniques, and sharing insights with defenders throughout the industry (typically for a fee or as part of another monetized service). In short, they are the higher ranking belts in the locker room giving you pointers on what to look out for.
A cyber defender who hasn’t seen or prepared for the particulars of a specific threat actor may find that threat actor’s “A Game” to be a nasty wake-up call resulting in material damages to the defending organization. Unlike jiu jitsu, it’s extremely unlikely that an enterprise organization will continually only face a single threat actor, such as FIN7, for years in a row. Unlike jiu jitsu, where your training partners are limited to those in the room during your mat time, cyber has a virtually unlimited number of potential bad actors, acting from distances as close as the inside of your building to the farthest reaches of the other side of the globe.
If cybersecurity was a high profile match of top competitors, Threat Intel would be even more important — akin to watching video footage of your competitor’s prior best performing matches. But for most (if not all) organizations, focusing on a specific threat actor is a waste of time. There’s not much reason for the average enterprise Blue Belt cyber defender to worry about the world’s best Black Belt threat actor’s latest TTPs (i.e. their coolest new sweep-to-submission sequence), when their basic overall pressure will defeat you without it; not to mention that there are N number of average threat actors who all have their own setups that you may not be ready for.
Remember who you are training and preparing for!
