Introduction
Computing (hacking specifically) and martial arts are the two biggest passions in my life. I have always wanted to combine these two areas of study in a coherent way, and that’s a big hope for what Chenb0x Development is and can grow to be.
This is an outline of what we believe to be a guide for educating yourself in the Information security space as it compares to the belt ranking system of a lot of major martial arts systems. In this outline, I will be referencing the American Kenpo belt ranking system specifically. Keep in mind that this is just an outline, and detailed information security concepts will be discussed in future posts, categorized in the belt system format.
A quick note: the American Kenpo belt system was adapted from the Okinawan system. More colors (Yellow, Orange, Purple, Blue) were added to denote a more stepped progression through the training.
White belt (Rokkyu)
White belt is known even by non-practitioners as the beginning rank in many martial arts. It is a rank that focuses on improving the student’s balance and basic motor skills for use in self defense situations. It is also a rank where the student learns some of the history of the style they have chosen and what to expect in future training. In order to progress to the next rank, a student needs to demonstrate an improvement in short techniques that are given to them to practice.
In regards to hacking and information security I would argue that this progression would simply be the ability to understand basic hacking concepts while in conversation with peers and mentors.
Green belt (Gokkyu)
At this rank, the student starts learning techniques that can actually be considered dangerous in a real situation. Takedowns (sweeps, throws, etc.) as well as tailored strikes to soft targets are studied at this level. The transition from White to Green requires a noticeable improvement in balance and conditioning. A Green Belt should be able to take a little bit if a hit.
A hacking equivalent would be basic network port exploitation or basic attacks on web applications as an example. At this level, a practicing hacker could understand how to use a script or tool, without understanding exactly how the tool is put together or functions internally. Essentially, this is the script kiddie level, but students who progress beyond this level will start to understand the “why” behind the scripts or tools they use. Here, a hacker should have an improvement in their security posture, meaning a better handle on their privacy and defense measures; or “OpSec”.
Green/Brown belt (Yonkyu)
This is an intermediary rank between Green Belt and Brown Belt. We can also say that this is an intermediary rank between a beginner and an advanced student. This stage is more about refining the basics in preparation for more advanced techniques. Further, there is a transition from “being taught” techniques to “training” and building skill. To clarify, being taught how to kick is different from training your kick to perfection. This stage is about that transition.
As a hacker, this would be a stage where you transition from using tools to writing tools, but to what extent is up for debate. The more important aspect at this level is that a practitioner can look at a hacking technique, or read up on how a system was exploited and understand the concept behind the attack or defense. Even with new attack vectors, a person at this level can start to inherently pickup what is going on in the situation.
Brown belt – 3rd Degree (Sankyu)
Brown belt is a notorious “advanced rank”. If not a black belt, a brown belt student is almost universally known as a high ranking student. This, naturally, comes with a higher standard. Brown belts should have the ability to push themselves further than the earlier ranks. This stage, as well as the next two levels are all about refinement in preparation for black belt achievement.
A hacker “brown belt” may have a general knowledge of hacker concepts, but would tend to specialize towards techniques they find interesting, like deep traffic analysis, wireless hacking, social engineering, etc. I wouldn’t necessarily advice to specialize at this level, but it seems to be a tendency in both martial arts and hacking. Students at this rank love to train in what they find successful and comfortable.
Brown belt – 2nd Degree (Nikkyu)
Refinement. Refinement. Refinement. Still in preparation for black belt, this rank is about sharpening the edges of your “weapon”. Students at this rank may splice their techniques to come up with something “new” only to learn that It’s not new, and that experimenting with different techniques is just part of the journey.
As hackers, maybe we combine a social engineering technique with a networking attack vector. The combination is just how we learn to use our arsenal in harmony.
Brown belt – 1st Degree (Ikkyu)
Most students think that this is it! The last step to learning all they need to know to be a good martial artist/hacker. At least, that’s what the foolish believe. The ones who transition from Brown to black belt begin to understand that martial arts and hacking is a way of life. It’s all about the journey; not the destination.
If there is missing foundational knowledge, now is the time to fill those gaps. A black belt martial artist and a black belt hacker need a good foundation to move forward. This is the rank to really dial in those skills.
Black belt – 1st Degree (Shodan)
Up to this point, the training can be compared to the making of a sword. Fold the metal. Hammer it down. Fold the metal. Hammer it down. Sharpen. Repeat. This is the culmination of training up to this point. Repetitive practice. Finally, at black belt, the student is a well-forged sword that is ready to wield. This is why the black belt is just the beginning. Now, with the brand new “weapon”, the real training begins.
Black belt for information security would also cover any cutting edge technique for which there is no standardization. As an example, new vulnerabilities and the exploits for them won’t be found in a pentesting distribution or manual. These techniques would be considered “black belt” material because of the mindset needed to discover such things.
It is important to note here that, as a black belt martial artist or a black belt hacker, a person at this level is seen as a role model. If the foundation previously mentioned is weak, it will show in the practitioner’s form in both disciplines Unfortunately, there are schools who have weak black belts, but in time, those weaknesses cannot hide. The same is true in hacking. We see this with stagnation or letting the technology outpace the ability or willingness to learn. Hopefully, the student does not stagnate or quit, but rather uses his/her training in new and creative ways for the advancement of the community and culture. As martial artists and as hackers, we have subscribed to being the “forever student”. There is always much to learn.
At Chenb0x, we would like to approach the study of information security from this perspective. By using the belt system, we feel that we can organize the study in a form that is simple, concise, and coherent.