Structured Defense: Martial Arts as a Blueprint for Cybersecurity Training

All right, welcome everybody to my talk today. Structured defense using martial arts as a blueprint for cyber security training. Before we get too far into this, where are all my martial artists at? Raise your hand. Kickboxing, boxing, Brazilian jiu-jitsu, kung fu, karate, doesn't matter. Judo, yeah, we got some in here. Awesome. Good to hear. Some of this is going to be familiar to some of y'all. Some of this is not. And that is okay. It's not the words that matter. It's the framework. Right? So, as we go through, don't get stuck on the words, right? Get stuck on the concepts. A quick who am I? I don't need to read all this. Y'all can read, which is

great. Uh, what's important is you're going to see a cross-section between IT operations and cyber security and martial arts experience. And occasionally I start to wonder, can I bring those two worlds together in some way, shape or form. And over the years as I go down this IT operations path and continue in security, I have noticed some things when going through training. Throw your hands up if you have experienced any one of the three things that you see on the board. It's a hot mess out there sometimes, right? So, fragmented training, you get some pieces of what you need to do your job, but you don't get other pieces or unknown goals or progression. How do you know you're

trained? How do you know you're not trained? What do you have left to learn? What do you have left to do? Right? And then getting thrown to the wolves. This seems unfortunately to be some of the most common that I've experienced over time, which is you get thrown into a role and say, "Hey, congratulations. Figure it out." And you get to move from there. Uh, if anybody's been in that position like I have, not a fun time. Not a fun time, right? So, what do we do? We have these observations and we try to make it better by having somebody sit down maybe oneon-one or have somebody twoon-one, whatever the case may be, a some sort of structured timed plan

perhaps, right? And I started thinking to myself at that point, we need to find a solution for this or at least a concept of a solution, right? We need something that has some sort of rigid core, some requirements that you must have to do a particular job or perform well in a particular position. But it can't be so rigid that you cannot move to step two after until you complete step one, right? It needs to be flexible in that same vein. So what does that mean? So, we need a set of requirements that allow us to perform a job, but we also need the framework to be flexible enough to allow us to make changes and

shift over time. Now, in the martial arts, you will find people of various skill levels, athletic ability, age, any of those things. And because of that, we can train people the same, but how we train them can be different. As an example, I have trained somebody with Tourette's syndrome in the martial arts, which was an interesting facet of trying to figure things out. I have trained somebody who was 5 foot zero. I have trained somebody who is 6'8. Right? It's completely different mindset and completely different tactics and procedures and techniques that we have to teach in different ways. So when we talk about flexible framework, it's making it flexible for the individual, right? Because also within the martial

arts, you have people that come in at varying skill levels. Some people are black belts in other martial arts. Some people have never stepped foot into any sort of martial arts training whatsoever. Some people's concept of martial arts training is what you see from Bruce Lee movies, The Matrix, or lately John Wick, right? And if you know anything about movies, most of those things aren't particularly accurate. Now, in addition to those things, it has to be scalable and adaptive. What do I mean by that? You have to adapt to the individual. Perhaps the individual learns more visually. Perhaps they're more a kinesthetic learner. Most of the time you're going to find people are various facets of one or more of those

things. They may be visual. They may be auditory. They may love to read as well and getting things that way. Or they may love to hear and do or read and do or vice versa. So it needs to be adaptable in some way, shape or form. And it needs to be scalable between one person, 10 people, 25 people, whatever the case may be, right? Scale it up and down. We need something to work off of. The martial arts, interestingly, provides this type of framework already. In the martial arts, you will have your basics. You will then start to move with those basics, and then you'll start moving into patterns of movement. And eventually throughout the years as you

become versed in a martial art, you will start to become more spontaneous. It's less about scripted movements like you see in the movies for example, right? Any sort of choreograph movements, but rather spontaneous movements that happen before you even think about it or as some people like to say becomes second nature or instinct at that point. So I said, "Okay, great. I have an idea. Let's try to use the martial arts framework as a blueprint, as a way to train people in cyber security. Now, the cool thing about this being a flexible framework, even if you're not directly in cyber security and you're adjacent, this can still work, right? This can still work out for you.

But why do we want to do it this way? Why why this way instead of a bunch of other ways, right? There's a million other ways to train people. Why this way? Here's some benefits. Pretty straightforward. easy to organize meaning I can set up guidelines of how do I know this person has completed this thing? How do I know I have taught this person this thing? How do I know this person has demonstrated they know a thing? Whatever it might be easy to see and show progress, right? Because if you have a checklist of things or a list of items that you want to show somebody or you want to train somebody in, it's very

easy to see where you're at in that list, uh it can be very difficult if somebody trains another individual and then they come back say three weeks later and say, "Okay, uh have I trained you on this? Do I have I shown you this already? I don't recall. I don't remember." Right? But instead of that, we have some sort of organization involved so we can actually see and show progress. And it's easy to see the gaps in the training. Now, what's cool about this is when you have some sort of organization, you don't have to be the sole trainer. You no longer have to be that one-on-one trainer, right? You can get somebody that knows the material better than you.

You can get somebody that knows the material equally as good as you or as well. But the point is that we now can move away from this one-on-one training and instead start moving into training with other people consistently and regularly. Right? In a martial arts situation, it's not just the head instructor that's teaching you, right? Oftent times you have senior students, people that have been doing this a long time teaching you, and you have other people teaching you that have just been there longer than you, right? Uh there's an old adage that somebody told me once about how do you know when you can teach somebody and how far ahead do you have to be? And the answer to that question

is just one step. Just one step ahead of the person and you can start teaching them. You don't need to be a master at it for 10 years before you teach them how to do something basic. You don't have to be in the middle of it on a regular basis. Even if it's a procedure that you are aware of or very well verssed in or a concept you're versed in or a set of things to do, right? All of this can now be done and it's easy to see everything you want to do from start to finish, right? See the gaps, make it organized, and then of course showing progress because that's important because how do we know we are done

if we don't have a goal? We have no goals, right? No goals means you don't know when you're done. You don't know when you're progressing and you don't know where you're at. You don't know you don't have feedback to work off of, right? So, some benefits. Great stuff. So, I'm going to give you we're going to walk through two examples, right? One of these is becoming a sock analyst and one of these examples is training a sock analyst. They're going to be on the same slide. So, we're not going to go through eight slides and then h just kidding. We're going to do it again eight slides. So, uh, be fortunate there in that process. But I want you to consider

not even a sock analyst position, right? We're just using this as an example. Think about in your own organizations or your own personal life, whether it be training adults, teens or children, whether it's sock analysis, whether it's, I don't know, digital forensics, incident response, uh, red teaming, anything of that nature. See where that takes you. think about that because again the words themselves are not important. The concepts are the important part of this. So let's dive into this and see where it takes us. Now to start of course with everything you have basics tying this back to a martial arts concept you're going to find out very quickly that means how the world do you even stand right? How do you stand

up? How are you ready if an engagement has to happen? Or if you're not going to a martial arts class just solely for self-defense or self-preservation, how am I supposed to stand anyway just so I can do everything else I need to do in this class or in the following classes? Right? So, you need a mindset. Every time you're in a different place, you need a mindset. In this particular case, if you're becoming a sock analyst or any position for that matter, again, concepts, not words, you need a beginner's mindset. What does that mean? You can get super philosophical and say, "Oh, your cup must be empty or, you know, don't fill your cup, right?" And

all that fun stuff. And that's great. Uh, but really what that's meaning is if you're be trying to become a sock analyst in the cyber security field, you need to be as curious as humanly possible. Your questions 99 out of a hundred times should be why? Why are we doing this? Why does this work the way it works? Now, a good instructor will have that same beginner's mindset, but they're going to have a little bit more knowledge and they're going to know to temper that with what you need to know now, not what you need to know further ahead. For example, for those of you that are versed in mathematics, are you going to teach a four-year-old addition?

Maybe at some point. Are you going to teach a four-year-old linear algebra? Probably not, right? But again, as with mathematics, things boil down to the basics, right? So, same two goes for this. In martial arts, it's the same way. We could teach people two, threehour classes on how to throw one punch, but that's pretty boring. Let's be honest. And it doesn't help facilitate the person's learning, right? So, the person learning should be asking why. And the person teaching should be asking how can I give them the answer but not give them everything at once right how do we how do we make sure that we don't um how do we want to say this just blow their

minds effectively right now some items that you see on the screen there about becoming a sock analyst there are some ideas that's not necessarily the beall end all of course once again concepts not words and I'll probably say this about a dozen more times throughout our time here. But the idea is you want to get them the foundations. How do they stand in their position? How do they stay in their position? What is the foundations, the absolute base foundations that they need? And you could take this as deep as you want. It's like, oh, you're a new position for a sock analyst or an IT analyst. Well, you don't have a keyboard, so we should probably get you

that, right? You could go as deep as that. probably not the greatest way to go about it, but certainly available. But more importantly, it's what are the foundational things that the person needs to know when entering your organization or when they are coming into a new position within your organization, right? Maybe somebody who's transferring into a different role in your organization already understands your internal policies, employee policies, security policies, whatever the case may be, right? Some people will have no idea, right? That's what new employee orientation is supposed to be for. Here's the baseline of everything you need to stand in order to work in our organization, whatever that may look like. Again, kind of going back to this

flexibility piece, right? Anything you see on the screen doesn't necessarily mean they need it, right? Especially when you start thinking about senior cyber security or journey cyber security positions, they're going to have an understanding of the CIA triad, for example, right? they're going to understand what that means. They're going to understand how that applies to their position most likely or at least have a base idea of what that looks like. On the other hand, if you're training somebody, you have two jobs besides the mindset. You need to verify their skill set. Where are they at, right? And teach the missing pieces to make sure they can stand. Maybe they learned how to stand on one

foot and one foot only, right? Going back to a martial arts situation, not a super great idea. You ever tried to spar anybody with my martial arts friends here? You try to spar anybody on one foot only? No. It sucks. You ever been kicked in the leg so hard you want to stand on one leg only? Yeah. Not a good time either, right? So, you got to verify where they're at. Figure out how to get them to standing. How to get them to this baseline that everybody should be at. So, then we move on. We have all of these basics. Great. Now we need to actually start putting those basics in motion. What does that

mean? So in the martial arts world, first we will oftent times, especially in traditional martial arts, we will stand in one position and perform punches or kicks or blocks or anything of that nature. If you are more of the mixed martial arts, Brazilian jiu-jitsu, kickboxing, boxing, anything of those natures that are much more active and honestly better in that space, then that's going to be this is going to be the norm for you, right? But when we cut back to trying to build somebody up in a position, we are our mindset has to change a little bit. We have this new mindset and that still applies. You still want to ask why. You want to still you still

want to ask why are we doing this? as somebody who's learning to become something, whether it's sock analyst or pizza delivery, it doesn't even matter, right? You can substitute this for whatever you want, but you need to start understanding what tools you're supposed to use, right? So, we've learned how to stand, but how do we how do we defend, right, in a martial arts situation or perhaps you're a blue team defender, how do we defend our network? How do we defend our organization? What tools do we have in order to do so? what things can we utilize in order to make that happen and then it's time to start understanding using this example the sock environment how does this work

what's our SLA perhaps what's our metrics that we have to meet or look at and how do we work through those or how do we work uh to improve those right and then what are our procedures what's our playbook what do we do in certain situations do we just say oh that's okay that's a low risk we don't care or is that that's a low risk we'll document it and let somebody know and then call call it good from there or is it something much different where it's hey this is a high-risisk situation we have an hour to get everything we need and get it up and running and figure out a plan of action

right so again if you're learning keep that why and that beginner mentality but start learning structure and posture you need to learn what it takes in order to do that particular position again using sock analyst as an example If you're training somebody in this space, it's a little different. Okay, now we start to diverge a little bit, right? We we have them drill the basics. In a martial arts world, drilling basics is a good chunk of class time. We're talking maybe out of two hours, one hour maybe drilling basics or 30 to 45 minutes depending, right? The same thing goes if you're training somebody up in the space. You want to make sure they know what those basics are. How do you

create a ticket? How do you write a report for something? How do you um I don't know, it could be something as basic as what's your what's your choice for looking up DNS, right? How do you what do you want to do? You want to use dig? You want to use something like DNS recon? You just want to go online on a website, you know, whatever the case may be right? When you're training somebody in this space, this is a very fragile time in real life in the martial arts and in real life in general and when you're training somebody, right? This is a fragile time for somebody because they're going to find out very quickly,

even if they've been in a position for a while and transferred to a different organization, how much they simply do not know about your organization. So, you have to be okay with imperfection. You have to be okay with things not being completed, all the eyes dotted, all the tees crossed, right? You have to make sure you have to be okay with that. But you also have to acknowledge when those stumbles happen. But you also have to acknowledge the successes too because both of these are going to be very important for making sure that that person knows where they've gone right, where they've gone wrong, what they need to correct, and what they're doing well. Right? All of this ties back into the

organization piece and trying to figure out where do I stand? And by knowing where they stand and doing that as a trainer, you can help them figure out and they will be more emboldened to ask questions, ask that why. They'll be more emboldened to come to you when they've made a mistake, but they'll also be emboldened to come to you with those successes saying, "That felt pretty good. I did that right and I know I did that right." Okay? But you have to continuously acknowledge that continuous feedback loop. Who's heard that term? throw your hand up. You heard a continuous feedback loop, right? Customer service sees it. Itil was a big thing for it, right? So, you hear that

all the time. That's this is what that is in practice on a very small scale between one and one, right? So, now we're shrinking it down. We're tying the knot, so to speak, instead of loosening it. Okay. So, now we have the basics. We know how to stand. We know how to do things when we move a little bit. That's great. Now, we move to kata. Now, kata, Japanese term for uh if you really want a direct translation, it's not going to work so well, but think of it as a series or a sequence of movement, right? This is where we're starting to put stuff into practice a little bit. This is where we're starting to let this

person uh get their wings, so to speak. And you can see that on the slide, let them fly, right? We'll get to that in a moment. But the mindset as somebody who's learning to become a sock analyst or whatever position, right, is repetition. You need the repetition right now. This is important because the repetition and the drills, that's all there to make things second nature for you, right? That is designed on purpose. We want that to be second nature because if you have a procedure that you've memorized, how much faster will you be in trying to do a thing than if you have to literally look at a document every single time you do that thing? It's

terrible. I don't want to do that. Does anybody else want to do that? No. It's not a fun time. Terrible. Terrible. So, repetition important for the memorization, right? That's going to help us. And they are now working. If you're learning, you're working on putting these basics together, right? So, maybe you've learned how to research a domain and maybe you've learned how to research an IP address. Okay, great. What do you do with that? It's time to start putting them together, right? It's time to start taking these things and checking out what does this mean to me? If you're analyzing an email, perhaps maybe you understand how to look up an IP address and a DNS and a domain,

right, in a domain, but maybe there's some headers that you're not familiar with, right? That's okay because you're learning and performing that repeatable process. How do I analyze an email or questions you should be asking if you're learning how do I do this thing? What are the steps to accomplish the thing that I'm working toward? Now, if you're training somebody in this space, this is kind of a weird space at this point, right? Because you're going to start letting go of the steering wheel, so to speak, or or take the training wheels off, whatever adage you choose to use, right? You're going to let them fly a little bit. And guess what's going to happen? If you've seen

nature documentaries, what happens when birds leave the nest? Yeah, they straight up hit the ground. It's not a good time for them, but that is necessary for them. They must fail in order to succeed. The same goes true if you are training somebody. They must fail in order to succeed. Now, we tend to have this connotation that mistakes are bad and failures are terrible and there's nothing we can do about that and our goal is to avoid it. Ah, but I wish to tell you I disagree and I say mistakes and failures are instead what help us learn. What do you learn if you do something perfect all the time? nothing, right? Absolutely nothing. You

learn that you've done the thing, great. Okay? However, if you've fallen, if you've failed, if you've made mistakes over and over, different ones, same ones, every time you're learning what not to do, right? There are two sides to every coin. And if you haven't figured out that I like to use different adages like that, you will today. There are two sides to every coin. There's the coin that did everything perfect, but on the flip side of that, everything's failed. Right? I've done everything wrong. But with everything wrong, you instead have done and learned what not to do for the next time. It's great. You're going to allow their style to show. Meaning, when you look at them and they

do things a little bit differently than you do, but they still hit the target, that's okay. Perfectly fine. Another adage I like to use is, "Does it matter how the arrow hits the target as long as it hits the target?" Most of the time, that answer is no. and allow them to fix their own mistakes. Right? Very important. Speeding up a little bit faster because you're getting the idea here. One-step sparring. In the martial arts world, this is one person throws one punch or one kick and the other person blocks and strikes back. Right? Super simple, meant to be safe and effective and get people up to the point where they can move around. Right? So, the mind sh the

mindset's now shifting away as a learner to from muscle memory, right? and you're now beginning to problem solve and work in exercises and maybe actually take on things solo at this point, right? Or you could do guided partner work. Either one is fine, but you're kind of hovering in this point between um not quite mastery, but you're definitely not a beginner anymore, right? And if you're training somebody, take a step back. Again, you're letting them fly and they are going to make mistakes, and that's okay. But you also want to give them challenges to help them figure out are they where they need to be? And again, you can come back and say, "Oh, the gaps

in the training." Right? And then we move into freestyle sparring. This is where most martial artists end up being where you're constantly moving back and forth, throwing different things. Different people throw things different ways. They do things in different ways. And that's all okay. If you're training somebody, you are now hands off, right? You are letting them fly. And that is okay. Again they are going to make mistakes throughout this process but at the same time this is now the time to start giving them the duty to train other people. They should be at a point where they can do basic things very very well and also be able to train others on how to do those basic things

very very well because again how many steps ahead do you have to be in order to train somebody on something? Just one. Just one. Some other use cases that you might find um gauging training plans is great because you have organized documentation, right? Great. And you can use this as a blueprint for your documentation. Where are your gaps in your documentation? Right? Mix and match your learning. Maybe you take some of the pieces I mentioned. Maybe you take some of the basics and some of the moving basics and some of the kata and some of the sparring concepts that I mentioned before and put them together, right? And you could do that by doing something

like offering belts as milestones. Right? Now, in the martial arts, traditional martial arts we have here in America, there are belt levels, right? And even abroad, there are belt levels, too. But way back when at the origin of martial arts, there were no belt levels. The belt level was you had a belt and you had a belt that was really dirty because you train so much. Okay, two belts, white and black. That's how you get your white and black belts, right? So, you have these colored belts. So, offer that. Consider that. Gify it a little bit. Make them want to get to that next level. There's the QR code that we were talking about for every other speaker ever,

right? My LinkedIn is up there. Feel free to throw a message up there. I do not post on there very often to be fair, but I will respond if I see a message. Okay? So, feel free. And we do have a couple minutes for any questions if there are any. Anybody have anything? Any >> All right. So, I I've seen some very very bad martial laws. I've seen, you know, one of my friends went into a judo instructor and he tried to throw my friend for probably about an hour who had got nowhere as a black belt. You know, I've seen other cases where students are teaching people in the class and are teaching stuff to look at

it and go thing. I I just in the professional sense I mean mistakes are not just bad costly and stuff like they're they might be serious. >> Uh yeah, just like instructors in the human world things can be dangerous if not done properly, right? So in a professional sense right or professional organization the goal there is how do you maintain the person's safety meaning how do you maintain the person's ability to do the thing they need to do and how much do you guide them and that's a give and take and a balance that's going to be unique to each individual. Some people are going to be okay getting thrown around for an hour and not care.

Other people you throw them one time and they're like nope I'm out. No more of that. I'm done. Gravity hurts. No thank you. Right? So the goal for that is to try to find that balance between say you and another individual or even two individuals if you're supervising a team and figuring out what that looks like and that's going to be different per pe per the person and the organization at large. once put together a training program for interns um on a team that I was not on uh but I had an education background so they have me to do it and my first step was to talk to everyone in that team to figure out what they

thought was important and I think if you're putting together any kind of structured training it's important to remember that you don't yet know the full breadth of what someone's going to need often your own role is a little bit specialize and so when you're kind of building out that idea of what they need, it's a really good idea to talk to other people, make an actual list. >> Absolutely. Absolutely agree. In the martial arts world, why are they doing this? Do they want to do martial arts for self-defense? Do they want to do it because they just want to stay fit? Do they want to do it for the social aspect? All of those are applicable and

all of those are valid, but without talking to the person, as you've mentioned, we'll never know that. That's absolutely true. I agree. Yes. So, when you think large scale and and in the examples I had is training one-on-one, right? And that's fair. But in in traditional martial arts or even even other things like MMA and kickboxing or boxing, right, it's usually one coach to many people all teaching the same thing. And then what'll happen is you will find your your outliers, so to speak, right? People who have experience, people who catch Kong quickly, people who know what they're doing. And then you will start to shift them to different students or different senior individuals that can

teach them and help broaden them in those spaces. So to answer that question directly, how do you move from that individual to individual and make it scalable? Make sure you have people other than you that can teach these things, right? Find those champions, find those people that are able to be a uh to be a coach to those individuals. And that's how you can build a team that way. I think it could start as one-on-one training. Uh, I'm very much a fan of in-person training because you catch you seem to catch a lot more. If you've ever been through just mandated training on anything, it it could be pretty rough, right? Um, so by doing

this in person, you can instead get that one-on-one coaching mentality, understand where they're coming from, understand what they're doing, and understand what their skill level is. Much more than having a machine talk to them for 30 minutes, as an example. Uh, does it have to end there, begin with in person? Not necessarily. And you can use a mix for sure, but in the beginning, it is very valuable in my opinion to use one-on-one or twoon-one training, some sort of coach and mentor mentality. Any others? >> Good. All right. All right. Appreciate it. Thank you all for your time.