Jiu Jitsu vs InfoSec: Positional Sparring
This is part of a series comparing Jiu Jitsu with InfoSec.
In Jiu Jitsu, it’s common to learn a new position by having a training partner assume a position as your opponent, while you go through the motions without resistance from them. This is how you learn the basics. They know what’s coming (they’ll likely take turns and switch places with you).
This is like traditional penetration testing in InfoSec. It’s a way to identify flaws in the form of your systems and applications, but the defenders know it’s coming and they don’t fight back. There’s no resistance.
After you learn the basics of the movement, your BJJ instructor might just suggest that you try to work the new move in during the free rolls at the end of your class. Yeah, that might work, but if it’s a new technique to you, you may not be well versed on how to get in and out of that position, so it may not happen at all. This is why many instructors and training partners may ask you “what are you working on today?” during the free rolls — so they can put you into the position you need to improve and give you active resistance while you work on that position — active resistance that you didn’t get during the initial drilling.
In InfoSec, Red Teaming is a lot like that. The Red Team aims to perform similar testing as the penetration tester, but with the Blue Team (defense) providing active resistance. Likewise, the Blue Team may take a simple action to isolate an affected computer based on a logging alert, but the Red Team, playing the role of an actively resistant opponent, may simply pivot and attempt a different lateral movement that the Blue Team wasn’t expecting and didn’t train for during static or non-resistant training. In fact, when the exercise is over, we often call for “Purple Team” (Red + Blue) to work on a specific situation: an offensive action and a defensive reaction, repeating it over and over again until the Blue Team can properly detect and respond to it. That’s just another form of positional sparring.
Read more: Jiu Jitsu vs InfoSec: Black vs Blue
