What Can Stifle a Red Team?

Timothy Mulvihill
Published in Homeland Security
Oct 14, 2014


Red teaming is a set of methodologies used to identify and eliminate security gaps in an organization at the strategic, tactical, or operational level. Red teams use structured analytic techniques to break through a “blue force’s” defenses. In a military context, a red team might be charged with penetrating a unit’s established perimeter during an exercise to discover weaknesses in that perimeter. Or a red team might be used to provide an adversarial perspective on how to “poke holes” in a unit’s battle plans. At the policy or strategic level, red teams are typically charged with challenging assumptions, playing devil’s advocate, or using other methods to discover vulnerabilities in an organization’s policies and strategies.

Historically, red teaming has been performed with mixed results. The experience and personality of red team members play an important role in effective red teaming. However, even with talented and experienced members, red teams sometimes fail to meet their objectives. Research has also shown that, in addition to finding the right people for a red team, the organizational conditions in which a red team operates have a large impact on its ability to add value to an organization.

The effectiveness of red teams depends largely on organizational factors. These include the culture of the organization, top cover, a healthy interface between the red team and the organization, ensuring that red teamers are qualified to perform their job, and knowing when red teams should be used.

One reason red teaming is not used more frequently is that organizations sometimes see red teams as a menace, with little to no backing from senior leadership. In other words, organizations focus on what they might lose rather than on what they might gain from red team analysis. Addressing the following factors could help agencies see red team analysis as beneficial to the organization.

Organizational Culture

The culture of the organization can stifle progress for red teams and render their analysis ineffective. In order to successfully test for vulnerabilities, it is imperative that the organization being tested can embrace failure. In other words, it must welcome a red team’s ability to identify vulnerabilities in its operations, tactics, and policies. Paradoxically, the enterprises that most need red teaming are all too often the ones that oppose it. In America the Vulnerable, Joel Brenner discusses the irony of having a highly skilled red team sitting on the sidelines because it is not usually seen in a positive light:
“Not surprisingly, the gold standard for white-hat breaking and entering is set by the NSA’s Information Assurance Directorate, whose red teams are virtually impossible to keep out. But the ways they can get in can teach you volumes about how to tighten your security. Unfortunately, however, the NSA’s red teams require the consent of the system’s owner before they may lawfully test a network, even within the Department of Defense. This is like walking into a middle-school cafeteria and asking who wants to take a pop quiz. Not many hands go up.” (Brenner)

Although an unannounced red team test might be ideal, since it allows an organization to be analyzed in its normal operating state, there may be circumstances that require advance notification to avoid introducing vulnerabilities into the operating environment.

Top Cover

Another important component of successful red teams is top cover. This is essentially the backing needed from senior leadership in order for red teams to operate effectively. In the absence of top cover, red teams may experience stonewalling, dismissal of suggestions, and other issues that result from a lack of support. Two important components of top cover are independence from the organization and the welcoming of proposals.

Top Cover — Independence

An additional factor that determines whether red teaming succeeds or fails is independence from the organization being red teamed. If a red team is not independent of the agency it is red teaming, its findings may not be impartial, and its recommendations will therefore be less effective. If red teamers are analyzing the organizations they belong to, their role may be diminished to merely offering different ideas rather than truly challenging assumptions. However, too much independence from the organization could leave the red team without enough knowledge of the agency to effectively red team its policies.

Top Cover — Welcome Red Team Solutions

The other essential component of top cover is the organization’s ability to welcome and incorporate proposals from the red team. Even the most effective red teams will provide little to no value to an organization if that organization is not open to recommendations for improving its policies.

Interaction

Another element that increases the effectiveness of red teaming is healthy communication between red team members and members of the organization being tested. It is important to remember that red teaming is not a zero-sum competition. It is essentially a discovery process in which the red team helps the organization see where its security policies can be improved. It is imperative to acknowledge that the goal of red teaming is improving homeland security. If the red team and the organization can achieve that goal together, then both win.

Find the Right Team Members

The members that make up the red team must be chosen with great scrutiny. Just because an individual has proven to be smart and hardworking does not necessarily mean that individual can red team effectively enough to identify an organization’s security gaps. To be an effective red team member, it is important to have certain talents. One advantageous quality is the creativity to think of alternative scenarios that an agency’s policies might not address. In order to successfully identify an organization’s vulnerabilities, a red team must be able to test the organization against scenarios it has yet to face.

When to Red Team

The last element that determines the effectiveness of a red team is knowing the proper application of red teaming. Some organizations only use red teams after they have experienced many troubles, when too much time and money has already gone into unsuccessfully trying to resolve these issues. These troubles could have been avoided, and less time and money spent, if the organization had solicited red team services from the start. On the other hand, there is such a thing as too much red teaming. If overused, red teaming can kill ideas early in the developmental stage. An organization that is subjected to endless opposing viewpoints throughout the entire planning process may come to despise the red team’s presence rather than value its services.

It is not enough for organizations to say they want to introduce mechanisms for identifying and eliminating security gaps. The organizational culture must adapt to accommodate a team that challenges the status quo in order to achieve the desired results. This is easier said than done, of course, but the first step is recognizing the need for organizational change. Organizations can and will benefit from working with, instead of against, their red team.
