As with most terminology used in information technology, such as DMZ (or Demilitarized Zone), the term Red team was originally adopted from its use by the US military, which is still heavily used today in the ongoing force transformation of the Department of Defense.
A red team is an independent group that challenges an organization to improve its effectiveness. The United States intelligence community (military and civilian) has red teams that explore alternative futures and write articles as if they were foreign world leaders.
Penetration testers assess organization security, often unbeknownst to client staff. This provides a more realistic picture of the security readiness than exercises, role playing, or announced assessments. The red team may trigger active controls and countermeasures within a given operational environment.
In war gaming, the opposing force (or OPFOR) in a simulated military conflict may be referred to as a red cell (a very narrow form of red teaming) and may also engage in red team activity. The key theme is that the aggressor is composed of various threat actors, equipment and techniques that are at least partially unknown by the defenders. The red cell challenges the operations planning by playing the role of a thinking enemy. In United States war-gaming simulations, the U.S. force is always the blue team and the opposing force is always the red team.
Red teaming can be used at multiple levels within a company, not just red team/blue team exercises between penetration testers/ethical hackers and those defending or monitoring enterprise assets. These include:
- Strategic level to challenge assumptions and visions across the executive level;
- Operational level to challenge the company's enterprise risk management (ERM) program; and
- Tactical level to challenge the Information Technology group's capability to identify and defend against such an attack or an outsourced managed security service provider's capability to see it.
Red teams emulate an adversary or competitor as a surrogate where the red team plays the "opposing force," using the adversary's presumed tactics and equipage (actual or virtual). The objective of the surrogate adversary is to sharpen skills, expose vulnerabilities that adversaries might exploit, and in general increase understanding of the options and responses available to adversaries and competitors.
We define red teams broadly as not only playing the adversary that a blue team defends against, but also playing devil's advocate and related roles. While differing in some respects, red team activities challenge a company’s norms. Thus at its core, red teaming has everything to do about the culture of a company rather than simply just employing the tactics, techniques, and tools of an adversary in operational exercises, such as penetration testing and incident response/incident handling exercises.
Red teaming can both complement and inform risk management efforts in any organization and vertical. Aggressive red teams challenge emerging operational concepts in ethical hacking/penetration testing in order to discover weaknesses before real adversaries do. In many aspects, one could argue that red teams temper the complacency that is created as a result of a company not having yet been compromised that is so prevalent across industry borders. It is because of this that I wholeheartedly endorse the idea that organizations inculcate effective red team use throughout all industry sectors and markets.
Today we face a much more tenacious, well-funded, and more heavily motivated adversary. I would argue that red teaming is especially more important now than it was ten to twelve years ago when we faced a completely different threat. Today's adversary is a much tougher target to study, despite the growing number of TTPs (tactics, techniques, and procedures), Advanced Persistent Threat (APT) indicators, and IOCs (indicators of compromise) being collected and analyzed on a near daily basis. Red teaming deepens the understanding of options available to adaptive adversaries, whether its hacktivists or nation-state threats, and complements and informs the information security management system (ISMS) of a company’s IT risk management program.
In summary, red teams are an effective and necessary component of every risk management program that can help hedge against the surprise of a particularly catastrophic event, such as theft of intellectual property, payment card data, or other types of information security breaches by providing a wider and deeper understanding of potential adversary options and behavior that can expose potential vulnerabilities in an organization's strategy, posture, plans, programs, and concepts.
Over the coming months, I will be blogging on different red team engagements, operational planning exercises, and outcomes. These will affectionately be coined as "Red teams, a diary from the garden of Red Versus Blue."
About Alissa Knight
Alissa Knight is the Senior Partner at Brier & Thorn, a global risk management consultancy specializing in penetration testing, incident response, and risk management. Alissa has been working in risk management for over 15 years as a senior penetration tester, incident handler and forensic analyst, and is a BSI certified ISO 27001 Lead Auditor.