## From Mainframes to Threat Hunting: 33 Years of IT, and Why We Must “Train How We Fight”
It’s a number that sometimes surprises even me: 33 years. That’s how long I’ve been immersed in the ever-evolving world of information technology. From the hum of mainframes and the command-line interface of DOS, through the dial-up modem shrieks and the early days of networked PCs, to today’s cloud-native environments and the relentless, often invisible, battle in cyberspace. My journey has spanned technological revolutions, but one principle has always resonated, and today, in Defensive Cyber focused on threat hunting, it’s more critical than ever: **We must “train how we fight.”**
### A Journey Through the Digital Wilderness
My IT career began in an era vastly different from today. Cybersecurity, as a distinct discipline, barely existed outside of highly specialized government and defense sectors. We worried about physical security, accidental data deletion, and perhaps the occasional floppy disk virus. The internet as we know it was a nascent concept, email was a novelty, and “the cloud” was just something in the sky.
My path wound through system administration, network engineering, IT management, and various other roles, each providing a deeper understanding of how technology functions, how it breaks, and most importantly, how humans interact with it. This diverse background, built layer by layer over decades, instilled in me a fundamental truth: technology is a double-edged sword. It empowers, connects, and innovates, but it also creates vulnerabilities, expands attack surfaces, and offers new avenues for malicious actors.
### The Shift to Defensive Cyber: Hunting in the Shadows
Today, my focus is squarely on the defensive side of the cyber battlefield, specifically as a threat hunter. This isn’t a passive role. It’s not about waiting for an alert to tell me something is wrong. Threat hunting is about proactive, iterative searching through networks, endpoints, and logs to detect and isolate advanced threats that evade existing security solutions. It’s about asking “what if?” and then relentlessly pursuing the answer, often in the digital equivalent of a needle-in-a-haystack search.
It requires an adversarial mindset – thinking like the attacker, understanding their tactics, techniques, and procedures (TTPs), and then looking for the faint digital footprints they leave behind. It’s an intellectual chess match played out in real time, with high stakes.
### “Train How We Fight”: The Imperative for Cyber Preparedness
This brings me to the core philosophy that underpins everything we do in cybersecurity, especially in defensive operations: **“Train how we fight.”** This isn’t just a military axiom; it’s a vital principle for any domain where the stakes are high, the adversary is dynamic, and the consequences of failure are severe.
In cybersecurity, “training how we fight” means moving beyond theoretical knowledge and abstract concepts. It means:
1. **Realistic Simulations:** Forget PowerPoint presentations. We need to be in cyber ranges, simulating real-world attack scenarios against our own infrastructure (or test environments). This allows us to practice incident response, test detection capabilities, and refine our threat hunting techniques under pressure.
2. **Red Team/Blue Team Engagements:** This is the ultimate sparring session. A “red team” acts as the adversary, attempting to breach defenses using the latest TTPs. The “blue team” (our defenders, including threat hunters) works to detect, respond, and remediate. These exercises are invaluable for exposing blind spots, validating security controls, and building critical muscle memory.
3. **Tabletop Exercises (TTX):** While not hands-on-keyboard, TTXs simulate major incidents, forcing teams to walk through their response plans, identify communication gaps, and clarify roles and responsibilities. They are crucial for preparing the strategic and operational layers of an organization for a crisis.
4. **Continuous Learning and Adaptation:** The threat landscape is constantly evolving. New vulnerabilities emerge daily, and adversaries develop new tools and techniques. “Training how we fight” means dedicating ourselves to continuous learning, sharing intelligence, and adapting our strategies as quickly as the threat actors do.
5. **Post-Mortem Analysis:** Every incident, every close call, every successful hunt is an opportunity to learn. Just as a military unit debriefs after an engagement, cyber teams must rigorously analyze what happened, what worked, what didn’t, and how to improve for the next “fight.”
My 33 years in IT have taught me that technology will always evolve, but human ingenuity, curiosity, and the willingness to learn and adapt remain constant. In the realm of cybersecurity, where the battle is continuous and the adversary is intelligent, “training how we fight” isn’t an option – it’s an absolute necessity. It ensures that when the real fight comes, we are not just prepared, but truly ready. We are not just defending; we are hunting, adapting, and winning.