Most people remember the famous ‘All I Really Need to Know I Learned in Kindergarten’ collection of poignant essays published by Robert Fulghum back in 1986. Though I did have many meaningful experiences in kindergarten, it’s my army krav maga training that I find directly applies to so much of my day-to-day life working in cyber security training.

Foundations of Cyber Security Training

I have a deep-seated respect for the traditional martial arts. The long grueling years of discipline that are required for mastery are awe-inspiring and produce martial arts masters with almost super-human physical and mental abilities. But most of us don’t have the time or tenacity required to master these ancient arts. That’s why the first principle of krav maga is to start with our natural reflexes and build from there. This is the fastest way to build a self-defense foundation, no matter who you are. During my military service I sometimes had as little as 12 hours to train a group. It’s not enough, but that was the constraint I had to operate under, so I had to make the best possible use of a very limited amount of time. All the CISOs out there will agree that they wish they had endless hours to dedicate to cyber security training, but the tough reality is they too must operate under very strict time and budget constraints.

Make effective use of limited cyber security training sessions

Available Weapons


Highly trained martial artists, combat soldiers and security professionals always procure the very best weapons and equipment and train day in and day out to gain complete mastery of their tools. Krav maga is meant to help everybody react better to any threat situation that may occur. Therefore, we train on the use of everyday objects that can be used as weapons. My unit specialized in the grim mission of preparing students to react to a terrorist attack on campus. Therefore, we practiced using desks and chairs as available weapons. When held up they can both shield your head and chest and inflict wounds on an attacker. Though there is a huge market in civilian pepper spray and other self-defense weapons, without the proper training, most people will not be able to use them effectively in an attack situation. In cyber security training, like krav maga, it is vital to train SOC team members on the tools that are deployed in their SOC. Artificial simulations that don’t accurately replicate the available weapons and tools will be of little use, and may even become a hindrance, in a real cyber breach situation.

Cyber security training must use weapons (tools) available in the SOC.

Crisis Communication


Very high-stress situations can completely shut down our ability to clearly communicate. One of the simplest lessons in krav maga is to yell useful information. A generic scream or ‘help!’ is actually very unlikely to elicit an effective response from others. The fact is, it just freaks people out, and the only thing you have effectively communicated is panic. Instead, yell words that instruct others how to act. “Terrorist!”, “Bomb!”, “Knife!”, “Police!” will be much more effective than the generic ‘help!’, which I must admit just makes me think someone squeamish has come across a mouse or cockroach. Likewise, cyber security training sessions should always include practicing required crisis communication. This includes updating executive management and communicating among SOC team members, both simultaneously and across time and shifts.

On Your Feet


Krav maga is learned on your feet, by doing. There is very little formal classroom instruction. This was a painful reality in my grueling 4-month training course, but in the end, it prepared us well to do our jobs. Fortunately, cyber security training can be done in pleasantly air-conditioned ergonomic workstations, but nevertheless, the only way to learn is by doing. There is only so much textbooks and PowerPoint presentations can do to prepare SOC teams for the complexities and pressure of the cyber security battlefield. SOC professionals have traditionally relied heavily on on-the-job training, but today more and more SOC teams are using simulation training to give them the realistic experience they need to be truly prepared for any scenario.

Realistic simulation training

In the Middle of the Night

The thing about malicious attackers is, they tend to be very inconsiderate of their targets. They seek out ways to catch targets off guard, when their defenses are down. This means we have to always be prepared to defend ourselves. It’s one thing to show your prowess in the ring or dojo, when you are primed to perform at your peak, but what if an attacker surprises you when you least expect it? Once we reached a moderate level of proficiency, our instructors took our krav maga training out of the gym and into real life, during meals in the cafeteria, walking to the bus stop outside our base and in the middle of the night. If your skills fall apart or disappear when caught off guard in a real-world situation, your training isn’t worth much.

Cyber security training should begin incorporating this ‘middle of the night’ principle. In addition to traditional classroom training, and even realistic training sessions in a cyber range, SOC teams should ideally have cyber security training integrated into their day-to-day operations. Inline training scenarios that can be launched at any time, completely at random or by the SOC training manager, keep SOC analysts on their toes. Additionally, inline ‘in the middle of the night’ micro training sessions allow SOC team members to make good use of relatively quiet times when workflow is light to train and improve skills.

Make unexpected scenarios a part of your cyber security training program.

Maximum Damage (Response), Minimum Time


This is my unit’s motto and it has stuck with me for all the years since I was discharged. In a nutshell, do the most effective thing as fast as possible. It’s not elegant, but it is proven to be an important principle in responding to violent attackers. Krav maga doctrine puts a high value on speed and on ending an incident as quickly as possible. This is a direct response to the fact that the longer an attacker is active, the worse the damage will be. Like krav maga, cyber security training should obsess about speed. Faster response, shorter MTTR, more alerts handled per shift, speed, speed, speed. The faster your SOC team, the safer your organization. Period. If speed is your goal, it must be consistently measured and relentlessly improved. Whatever type of cyber security training your SOC uses, it should always include key metrics for speed and effectiveness, so you can rest assured you are focused on the maximum response, in the minimum time.

Focus cyber security training on improving key SOC metrics.
