Jiu Jitsu vs InfoSec: Privileged Access

This is part of a series comparing Jiu Jitsu with InfoSec.

Both Jiu Jitsu and InfoSec have the concepts of privileged access. In Jiu Jitsu, it’s control of your opponent’s body. In InfoSec, it’s control over a computing system (e.g. root, admin, or system). This is another similarity between these two disparate realms. Let’s pick it apart…

In Jiu Jitsu, virtually everything you do involves controlling the space between your opponent’s arm pits to hips, on at least one side, and usually both simultaneously; however, even a multi-year Jiu Jitsu student may not have come to realize this in such simple terms (if that’s you, you’re welcome). Thinking about this as “privileged access” was a very profound paradigm shift for me.

Think of the red boxes as “root.”

Let’s examine this concept in common positions:

  • Cross-side (a.k.a. “side control”) involves the top (offensive) opponent physically occupying this space on one side of the bottom (defensive) opponent, usually with the offensive opponent’s torso in this space.
  • Knee-on-belly is just like cross-side (occupying one side between arm pit and hip), with the addition of the offensive opponent’s knee on top of the defensive opponent’s torso/belly.
  • Mount involves the top (offensive) opponent physically occupying this space on both sides of the bottom (defensive) opponent, usually with the offensive opponent’s legs/feet occupying this space.
  • North-South is like Mount, except the top (offensive) player is inverted, and as a result the top player likely controls this space with arms rather than legs.
  • Closed-Guard is the reversal of mount, where the bottom player typically has an advantage, because the bottom player’s legs are occupying this space on the top player, maintaining control.
  • Half-Guard is a position in which the bottom player can prevent the top player from fully occupying this space, while the bottom player’s leg occupies this space on one side.
  • Taking the Back requires the offensive player to use at least 2 limbs to control the spaces between the defensive player’s arm pits and hips (probably on both sides while also attacking the neck), but from behind the defensive player.
  • In the Turtle position, the top (offensive) player attempts to insert limbs into the privileged space on the bottom (defensive) player who is on the ground, but upright on all fours like a crawling turtle.

All of those positions require dominating this “privileged access.” In fact, a new Jiu Jitsu student may develop faster simply by focusing on keeping their opponent out of their “privileged access” while simultaneously attempting to get into theirs.

Now let’s list out common categories of techniques, to further confirm how important this space is:

  • Chokes (strangles) may appear at first glance to not require control of this privileged space on your opponent’s body; however, this is only true if your opponent is untrained. For example, in the rear naked choke (the iconic Jiu Jitsu submission), if the attacking opponent does not control the space between the defending opponent’s arm pits and hips, then the defending opponent can turn hips and begin to escape. This space is typically controlled by the attacking opponent’s feet, referred to as “hooks.”
  • Chokes from guard (e.g. Cross Collar Chokes) involve the attacker controlling this privileged space with legs wrapped around the opponent’s torso.
  • Chokes from mount require the mount position to be held, which is the definition of this same control.
  • Triangle chokes require the attacker’s leg to occupy this privileged space on one side, and probably required dominating both sides in order to set up the technique.
  • Arm Bars (another Jiu Jitsu icon) require controlling this privileged space on both sides of your opponent to ensure your opponent does not slink out and away, turning the elbow’s angle, and nullifying the threat.
  • Kimura and Americana shoulder locks require isolating the arm, extended away from the torso, thereby exposing this privileged space for the offensive opponent to dominate while isolating the joints for the submission.
  • The venerable underhook is a clear example of how important it is to control this space on your opponent, and not let your opponent control this space on you, since its entire purpose is to put your arm in the privileged space on your opponent’s body.
  • Even leg locks require controlling the outside of the hip in order to secure the position.

The rest of Jiu Jitsu could probably be summarized as two opponents each seeking “root” access on each other. When analyzed in this minimalistic view, Guard Passes are simply attempts to occupy this privileged space on your opponent’s body. Guard Retention is really a set of techniques to keep this privileged space away from your opponent. An extreme example of this is the Running Man defense as illustrated by Chris Paines (this is an excellent seminar that may change the way you think about guard retention):

Is the running man a read-only, transient, chrooted jail?

In InfoSec, defenders spend a great deal of time identifying privileged access — the equivalent of the space between a Jiu Jitsu opponent’s arm pits and hips — and how they can keep their attackers out of it (guard retention). Attackers (pentesters especially) spend most of their time finding all the routes to that space (guard passing). This leaves the creators of maldoc phishes to play the role of modern loose guard passes, with their obfuscation and execution techniques the equivalent of leg and arm pummels (and, yes, probably the occasional cartwheel), while defenders’ YARA rules and detonation sandboxes are the pummeling of their legs into various guards (De La Riva, Z-Guard, K-Guard, X-Guard, Single Leg X, etc.).

What about the untrained opponent who gives up a rear naked choke without requiring the attacking opponent to occupy and control this privileged space between arm pits and hips? Is there an InfoSec parallel? If you consider your opponent’s neck to be the objective and not the control point, then we have examples of this in the InfoSec world, such as the stories about ignorant or untrained defenders putting valuable resources in a place where an attacker can collect them without first controlling the environment, such as when PII is placed in unauthenticated NoSQL or cloud storage open to the public internet. The PII was the objective and there was no control necessary to achieve it.
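The exposure described in that paragraph, PII reachable without any control over the environment, is usually a misconfiguration a defender can audit before anyone collects it. As an added example that is not part of the original post, the Python below parses a constructed bucket policy modeled on the AWS S3 bucket-policy document format (the bucket name, account id and role names are placeholders) and flags Allow statements whose Principal is anonymous, beside a hardened policy that scopes read access to a named role and denies unencrypted transport.

```python
import json
from typing import Any, Dict, List

# Constructed sample policy modeled on the AWS S3 bucket-policy format.
# Bucket name, account id and role names are placeholders, not real values.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",                      # anyone on the internet
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-pii-bucket/*",
        },
        {
            "Sid": "UploaderWrite",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::example-pii-bucket/*",
        },
    ],
})

# Constructed hardened counterpart: reads are tied to a named role, and a
# Deny to "*" is a guard (it removes access), not an exposure.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-pii-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-pii-bucket",
                "arn:aws:s3:::example-pii-bucket/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value: Any) -> List[Any]:
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal: Any) -> bool:
    """True when the Principal element grants to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def find_public_statements(policy_json: str) -> Dict[str, List[str]]:
    """Classify Allow statements that grant to an anonymous principal.

    'public'  : unconditional anonymous Allow, i.e. the objective is exposed
                with no control required.
    'review'  : anonymous Allow narrowed by a Condition (for example a source
                VPC or IP restriction); not necessarily public, but worth a look.
    Deny statements are never flagged, since they only remove access.
    """
    policy = json.loads(policy_json)
    findings: Dict[str, List[str]] = {"public": [], "review": []}
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        bucket = "review" if stmt.get("Condition") else "public"
        findings[bucket].append(sid)
    return findings


if __name__ == "__main__":
    print("weak policy:    ", find_public_statements(PUBLIC_POLICY))
    print("hardened policy:", find_public_statements(HARDENED_POLICY))
```

Run against the two constructed policies, the audit flags `PublicRead` in the weak policy and nothing in the hardened one; the same loop can be pointed at every policy document pulled from an account so that exposed storage is found by the defender first.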

Both InfoSec and Jiu Jitsu have a very simple concept of privileged access; how you reach it, or defend against your attacker reaching it, is probably quite complex, since both realms have countless hours of innovation and iteration on both the offensive and defensive sides, and it only gets deeper the longer you spend in each subject.

Go train.

Red Team Leader at Fortune 1. I left my clever profile in my other social network: https://www.linkedin.com/in/malcomvetter