This is part of a series comparing Jiu Jitsu with InfoSec.
Go attend a Jiu Jitsu class at a Gracie academy or MMA gym and you will likely see an instructor who shows a three-step progression on a simple move or position. First, they show a basic setup of the position, have the students pair off and drill it a few times. Then they come back and iterate on it, perhaps showing another option to form a "series" of moves that can be chained together (like a chess match). The students drill that improvement. Then maybe one last similar iteration before the class moves on to live sparring ("rolling").
However, I’ve grown very fond of Jiu Jitsu instructors who, instead of just iterating on a series of positions, show both sides of a particular position or scenario. First, here’s the basic position and attack, go drill it. Second, let’s talk about defending that same position. “For every counter there is another counter.” And back and forth. For me, I learn more when I can put myself into my opponent’s headspace, because it helps me to anticipate what they will want to do and avoid it, instead of playing to their potential strengths.
In InfoSec, this concept is super valuable.
Try teaching a developer why they should sanitize all input from their users and that it is good security hygiene, and you may see they are not exactly connecting the dots, even if you mention what an attacker might do. But SHOW that same developer how unsanitized input can make their application behave in ways they never imagined, and they will immediately understand and probably become an ally in your AppSec program.
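The kind of demonstration the paragraph above is talking about, as an added example that is not part of the original post: a user lookup that splices input into a SQL string next to the same lookup done with a parameterized query. It runs against a constructed in-memory SQLite table (the usernames and roles are made up for the example). Two inputs are tried: a classic `' OR '1'='1` payload, and a perfectly legitimate username containing an apostrophe. The first shows the attacker's view (every row comes back); the second shows the "ways they never imagined" view, because the vulnerable version breaks on honest data too. Note that the hardened form does not try to strip or escape characters; it hands the value to the driver separately, so it can never be parsed as SQL.

```python
import sqlite3


def make_db():
    """Constructed sample data for the demo (not real users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Untrusted input is spliced straight into the SQL text, so the
    # input can change the *structure* of the query, not just a value.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, username):
    # Parameterized query: the value travels separately from the SQL text
    # and is bound by the driver, so it is always data, never code.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def run(fn, conn, value):
    """Call a lookup and report either its rows or the error class it raised."""
    try:
        return fn(conn, value)
    except sqlite3.Error as exc:
        return f"ERROR: {type(exc).__name__}"


def demo():
    """Run both lookups against a normal name, an injection payload, and
    a legitimate name containing a quote. Returns a dict of results."""
    conn = make_db()
    payload = "x' OR '1'='1"  # closes the literal, adds an always-true clause
    awkward_but_honest = "o'brien"
    return {
        "vulnerable_normal": run(lookup_vulnerable, conn, "bob"),
        "vulnerable_payload": run(lookup_vulnerable, conn, payload),
        "vulnerable_quote": run(lookup_vulnerable, conn, awkward_but_honest),
        "fixed_normal": run(lookup_fixed, conn, "bob"),
        "fixed_payload": run(lookup_fixed, conn, payload),
        "fixed_quote": run(lookup_fixed, conn, awkward_but_honest),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

Walking a developer through the three inputs side by side usually lands the point: the payload turns a one-user lookup into a dump of the whole table, the apostrophe crashes the vulnerable query with a syntax error, and the parameterized version handles both exactly as intended.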
You could hire brand new, inexperienced talent to work in your SOC and tell them all the bad things to look for and it will work to a degree, but if you put that same person in the passenger’s seat with your red team and let them SEE what offense looks like, they’ll be immeasurably more prepared for defense.
Even somebody like me, who has been doing security work for a long, long time, still has plenty to learn, and learns frequently. When I am trying to improve something on the offense side of security (my day job is red teaming), I almost exclusively study what defenders are seeing and doing, because it drives my team's anticipation of the defender's next moves.
Whether you are working to improve your position with an underhook to take your opponent's back, or you are on top and recognize that underhook with a full understanding of what it will give your opponent (so you apply the whizzer), thinking about both sides while training will drive your performance farther, faster.
Study both sides. Go train and win (or learn).
Continue reading here: Defense in Depth.