I got beaten up at Black Hat in the name of cybersecurity

For two hours, I endured chokeholds and getting rolled by cybersecurity experts in Las Vegas.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
5 min read
Reporter Alfred Ng tries to escape from a chokehold in a Brazilian jiujitsu match.

That's me trying to get out of a chokehold from Box's former top security executive. 

Ryan Naraine / @ryanaraine

I spent the last night of Black Hat getting beaten up by security experts.

One security executive, based in Mountain View, California, had me in multiple chokeholds and twisted my shoulder further than it should have gone. I thanked him and shook his hand for the fight.  

I'm sure plenty of cybersecurity experts want to beat me up for my stories, but this was a different kind of match.

I was at the annual Black Hat Brazilian Jiu-Jitsu Smackdown, a tradition at the Las Vegas cybersecurity conference. On Thursday night, while many cybersecurity experts hit the casino floor, grabbed a drink or simply returned to their hotel rooms, about 50 made a stop at Syndicate MMA for a little sparring.

Even for a conference that features eggs fried on top of hacked modems and bike rides out to Red Rock Canyon, this event ranks among the more outlandish activities. Jeremiah Grossman, CEO of security company BitDiscovery, threw the first one in 2010, because he was practicing the martial art and noticed other security professionals shared his interest. The smackdown has since grown as more security experts get into Brazilian jiujitsu, Grossman said.

What do martial arts have to do with cybersecurity? Participants draw a parallel between the fighters on the mat sparring and hackers looking to breach a system, facing off against security pros trying to stop them. It's a cat-and-mouse game played every day in the real world, as evidenced by the myriad of public breaches, including high-profile hacks of Yahoo, Home Depot and Equifax.

And while jiujitsu is physically demanding, the mental game is just as important.

"This is human chess. You don't have to be physically strong to overpower a superior, stronger, bigger enemy," Grossman said. "It's the same strategy in security. How does a lonely hacker defeat somebody, like a Bank of America type? What are the little tricks used to beat a superior enemy?"

In cybersecurity, exercises feature "red teams" tasked with hacking their own companies to search for vulnerabilities and "blue teams" assigned to protect the corporate system. It's a form of digital sparring in which both sides are supposed to learn about flaws and make improvements based on that knowledge.

On the mat at Syndicate MMA, it was a similar scene. Former UFC champions Frank Mir and Forrest Griffin break down the moves, and then you and your partner are supposed to try them on each other several times, taking turns getting thrown into a headlock. The idea: You allow yourself to get attacked so you can learn how to get out of it.

Mir also gave me some advice about how to keep my password safe from hackers.

Coming to grips

I don't know anything about Brazilian jiujitsu. The last fight I got into was in the sixth grade, and I left with a bloody nose and absolutely zero tips about cybersecurity.

At the MMA gym, about four dozen people spread out across a mat, trying moves the onetime UFC champs had just explained. The mats were padded so that someone could be slammed onto them without too much pain. The 18,000-square-foot gym had more than enough space to roll around and practice chokeholds and grapples.

When I showed up, I told Grossman that I had no idea what I was doing and he walked me toward Christopher Hoff, the senior vice president of cybersecurity defense at Bank of America, who has a black belt in Brazilian jiujitsu. Hoff was already showing two other people a guillotine hold. I paired up with the people Hoff was teaching. I had a hard time learning and keeping up, but I started to pick it up when I was attacked.

Watch this: Plenty of Android phones came with vulnerabilities pre-installed

Being put in the guillotine hold allowed me to see how I could be choked, how I couldn't get out of it, and how I should do the move the next time.

At one point, Griffin, a UFC hall of famer who fought as a light heavyweight, is showing us a move called the Spiral Ride. I really couldn't figure it out. Then Griffin put me it in it and it clicked.

I was reverse-engineering getting my ass kicked.

"They're learning problem-solving skills, where the problem is someone is trying to choke them, and they have to learn the proper defenses and counters," Mir, who reigned as a heavyweight, said. "Not that I have a lot of experience on the computer, but I would assume it has to be the same world. You have to understand certain programs and sometimes you run into things that are brand new."

Mir has a point. Just think of the number of variants of ransomware that have popped up even after similar versions were stopped.

Fight night

The last hour was dedicated to sparring, when you were supposed to take everything you learned and use it.

I saw that Grossman was looking for a partner to fight with, so I asked him if he wanted a go at me. Grossman also has a black belt in Brazilian jiujitsu, while I just had an hour lesson. He sized me up and said, "I'm gonna put you with my daughter."

For her, it appeared more like a chore than a sparring session. Grossman even lowered the bar for me: all I had to do was to stop his 16-year-old kid from getting behind me to win. I lost in 15 seconds.

She told me she had been training for about 12 years.

I also sparred with my training partner, Jason Hengels, the founder of Exposure Security and former vice president of security at Box and security leader at Visa. Like me, Hengels was a complete beginner, but he had a bit of a size advantage against me.

We sparred for two rounds, and I was holding my own until he overshot a turn and twisted my shoulder by accident. Thankfully I'm flexible enough to recover quickly. While Hengels was a beginner at martial arts, he wasn't at cybersecurity, and saw the parallels.

"In the infosec world, we do penetration testing, we do red team/blue team exercises," Hengels said. "That's what you might go through in a real attack scenario, while this is like what you might go through in a real fight."