Call in the Tiger Team


Let me start out this article with a simple disclaimer... This article is by no means an all-inclusive authority on the concept of 'Red Teaming'. It is only a digested conclusion of my own thoughts and ideas on the subject. Most of the information in my digest comes from one of the best books I have yet read, Red Team: How to Succeed By Thinking Like the Enemy by Micah Zenko. If my digest interests you in any way, I would highly recommend reading this book! - Let's Get Started

Answering the questions - Who, What, When, Where and Why.

The first established and routine usage of red teaming comes from the Roman Catholic Church. The promotor fidei (Promoter of the Faith) or advocatus diaboli (Devil's Advocate) [1] came about as a position within the Vatican with the specific function to vet, counter, or prosecute the nominees for sainthood. This was needed for many reasons, but long story short, the Church had no way of validating or verifying the legitimacy of proclaimed saints... (yep, not doing a religious piece...)

What is Red Teaming? Red Teaming is the practice and structured process of using simulations, vulnerability probes, and alternative analysis in order to assess and understand the interests, intentions and capabilities of a target institution or competitor. It was adopted during the Cold War and standardized (I say with the acceptance of the United States Military) in the early 2000s. Red Teaming has been adopted by many fields and used as a foundation for many approaches or techniques. It is, however, largely under-explored and underutilized by corporations, military commands, cyber-security firms and other institutions that may face threats, complex decisions or strategic surprises. By employing a red team, an institution can get a fresh alternative perspective on internal operations. It can assist in finding operational opportunities, testing assumptions, and ultimately improving the performance of the organization.

So how does one 'Red Team'? Unlike most practices, the art of red teaming cannot be distilled or digested down into an all-inclusive guide or how-to manual. Nor can it be presided over by a set of best practices in the proper sense of the term -

When you hear the term best practices, run for your lives. The Titanic was built on best practices. It was faithfully operated in accordance with best practices.

- Retired US Army Colonel Gregory Fontenot, Director of the University of Foreign Military and Cultural Studies (Red Team University), 2011

Red teaming is not a one-size-fits-all approach; there are no rules or best practices. Largely, a few simple guidelines, properly applied to the appropriate human resource, can have a great impact on decision makers' perception of an idea or problem.

  1. The Boss Must Buy In
  2. Outside and Objective while Inside and Aware
  3. Fearless Skeptics with finesse
  4. Have a Big Bag of Tricks
  5. Be Willing To Hear Bad News and Act On It
  6. Red Team Just Enough, No More

So let's take a look at these 'guidelines'...

1. The Boss Must Buy In: This makes good sense; if you're just a Chicken Little running around spouting crazy, you can't really expect to effect real change. Instead, it is better for a practitioner of red teaming to consult and report to an authoritative figure who is willing to listen.

2. Outside and Objective while Inside and Aware: Okay, so let's think about what a red teamer has to do... In essentially any situation a red teamer needs to balance competing principles: avoid becoming institutionally captured while still contributing to the organization's core mission, and be semi-independent and objective while being sensitive to the organization's operating environment and resources. With this in mind, the structuring of a red team is very important. Three concepts should be addressed while structuring a red team.

Where - red teams should be properly placed in the organization's hierarchy in order to have appropriate access to information and personnel.

Why - red teams should also have a mandated scope of effort: who, what, for how long, how flexible, as well as to what end (the finish line). Without this important piece a red team would basically be working blind, as they would not be able to assess the target, define which structured analytical techniques should be used, or properly assess achievable goals or mitigations for the target.

After this scope has been identified and documented it should be circulated to the target group or personnel. If the scope cannot be defined or otherwise agreed upon, then the red team exercise probably should not be engaged and performed.

How - It would not be in anyone's best interest for a red team composed of U.S. Navy SEALs to complete a physical penetration test on your local grocery store! This would be a golden example of improper scoping... what would the red team come back and tell the store owner that the store owner could realistically achieve or fix? The red team needs to do their homework on the target: understand the normal operating environment, what regulations the target must adhere to, what resources the target has available, and what timelines, if any, the target manages or has dictated to them. Alternatively, depending on its application or scope, a red team may be required to operate in a 'Black Box' method [2], which essentially gives them no access to the previously mentioned information and instead forces the red team to use Open Source Intelligence (OSINT) gathering techniques in order to complete their objectives.

A red team engagement should also be timed and executed while the team still has access to target personnel in order to directly effect change; checking the hull integrity of a sunken ship would in no way help the ship's crew to repair the weak spots before the ship sank!

A red team should also apply only as much force or effort during an engagement as will not damage or cause fratricide to the target. Moving on...

3. Fearless Skeptics with Finesse: staffing a red team is just as important as its structure. Red Teamers typically are not the normal everyday staffers; they tend to be oddballs or weirdos. Not to say they must be, but usually that is the case. This is because they are skeptical of authority and stray away from Existence Bias. Existence Bias is when someone believes something is right or good just because it exists. Red Teamers do not do this; instead they wonder why that thing exists. Is it required for 'X' to function? Is it a plot to destroy me? I wonder what it tastes like? And so on... So, as stated previously, staffing is important, and there are some considerations to take into account when choosing red team staffers.

1. Personality: red teamers are quick on their feet, adaptive, self-motivated, and willing to learn. The best red teamers are like actors in the sense that they can act and become a surrogate enemy simulating attacks, or simply approach a problem from an alternative perspective in order to provide alternative analysis.

2. Experience: red teaming is an art, and like other artists, most red teamers are widely read in history; nobody wants to do the same thing over again! Most red teamers have held several positions within their field of expertise and are able to write and brief exceptionally well. They typically have a specialty within their field but tend toward being overall generalists. Another important quality of a red teamer is that they have been exposed to large systemic failures, as this assists them in envisioning future failures in time to work around them.

3. Communication Skills: red teamers need to write and communicate extremely well. They also need to be able to work with others just as effectively, enjoy not being the smartest person in the room, and have some bureaucratic savvy.

Red Teamers are like therapists - you can have a therapist who gives you a bunch of drugs, or one who will sit down and help you solve a problem.

4. Have a Big Bag of Tricks: simple concept, a red teamer should never approach two problems in the same way. There should always be something up their sleeve that their targets have not thought of...

5. Be Willing to Hear Bad News and Act On It: This is related to the first guideline. The findings of a red team can't just sit on a shelf. Red Team exercises are initiated in order to expose alternative perspectives; they should be read and circulated among decision makers. Organizations that do not act on a red team's findings are just prostituting the exercise and are probably only interested in checking the box on some regulatory audit form somewhere. And last but not least...

6. Red Team Just Enough but No More: no one likes being tested, and testing a target too often will likely demoralize the target staff. Furthermore, red team exercises take resources and effort; too many would cause operational damage to an organization and sap its resources.


In conclusion, there is no 'right' way to do red teaming, and it seems that the overarching best practice of red teaming is to remain flexible in the application of red teaming best practices.

I have never learned anything from any man who agreed with me

- Dudley Field Malone

On a closing note I would like to convey the common misconceptions and misuses of red teaming.

  • Ad hoc Approaches
  • Mistaking findings for Policy
  • Freelance Red Teaming
  • Shooting the Messenger
  • Inform NOT Decide

Ad hoc Approaches: there are several theories and approaches to red teaming, but most of them have fundamental flaws. Take for instance the 10th man theory: no matter how solid your plan, always have the last man be the contrarian. Sounds pretty solid, right? It is not... This is due to the improper staffing of the 'contrarian'. It is unlikely in one of these scenarios that the 10th man would be properly qualified to objectively bring around and present true alternative analysis.

Mistaking Findings for Policy: pretty straightforward... the findings or results of a red team are not stone gospel truth and should not be accepted as policy. The findings are, point blank, an alternative or competitive analysis of the target scope. They should be circulated among decision makers and used in the process of creating said policy...

Freelance Red Teaming: this one is very simple too. If a red team exercise is not properly scoped, the likelihood of causing undue panic or damage to the target organization is very, very high!

Shooting the Messenger: sometimes the target organization of a red teaming exercise has parties or groups involved that simply do not agree with, or are not willing to hear, the findings of the red team exercise... This means that the findings, although circulated among decision makers, would not be properly digested by them nor weighed in any real fashion to apply a solution to the problem the red team exercise was initiated to analyze. This would ultimately end in a failed engagement.

Inform NOT Decide: at the risk of sounding redundant... the findings and deliverables of a red team exercise should be applied and used purely as an alternative and out-of-the-box analysis. Findings are usually not the answer to the problem but instead fuel for decision makers to use in order to answer the problem. Red Teams are a supporting role.


Credits and Thanks

Wikipedia - Good breakdown article