Note: This post represents the synthesis of the thoughts, procedures and experiences of others as represented in the 16 articles read in advance of (see previous posts) and the discussion among the students and instructor during the Advanced Analytic Techniques class at Mercyhurst College on 8 April 2010 regarding Red Teaming specifically. This technique was evaluated based on its overall validity, simplicity, flexibility and its ability to effectively use unstructured data.
Red Teaming is a broad range technique that covers both methods and modifiers depending on its utility and depth. Congress mandates the use of Red Teaming in National Security fields as referenced in the Intelligence Reform and Terrorism Prevention Act of 2004 SEC 1017, "Not later than 180 days after the effective date of this Act, the Director of National Intelligence shall establish a process and assign an individual or entity the responsibility for ensuring that, as appropriate, elements of the intelligence community conduct alternative analysis (commonly referred to as ‘‘red-team analysis’’) of the information and conclusions in intelligence products." (http://www.nctc.gov/docs/pl108_458.pdf) However, its use extends to law enforcement and competitive intelligence fields as well.
Based on current research and articles, there is no universal definition. It can cover ideas as simple as playing devil's advocate, and as complex as a full scale war simulations conducted at the National Training Center at Fort Irwin Military Reservation for the United States Military.
- Applicable to National Security, Law Enforcement, and Business sectors.
- Reduces risk by a means of internal auditing
- Precludes mirror-imaging
- Mitigates surprise
- Avoids predictable patterns
- Helps overcome bias
- Improves adaptability and flexibility
- Helps players view system as a whole,as well as individual components
- Identifies decision maker choices for strategic players
- Helps prevent bad investments- time, effort, money, resources
- Improves the quality of questions asked about particular situations
- Provides "awareness training" and improves safeguards of a system, particularly in an IT or computer networking situation
- Challenges taboos and assumptions
- Revealing the consequences of different perspectives; in-particular the perspectives of those with different goals and risk profiles
Strength is dependent upon the team compiled; composition, goals, management support, relationship with Blue Team, rules of engagement, and available information.
- There is not one agreed upon definition
- Full extent of an opponent's actions may not be considered
- Red team may not take their responsibilities seriously
- Could lose its independence and be “captured” by the bureaucracy
- Red Teamers may not be allowed to act outside of Blue Team norms
- Suggestions of Red Team may not be incorporated into the organizational structure without proper follow-up
- Members of the Red Team may not be able to access the same knowledge as the real attackers
- Red Team may not accurately represent real opponent's decision making process
- Determine the objective or desired result.
- Communicate with stake holders involved in the exercise including management / decision makers on the scope, scale and type of exercise.
- Based on the exercise, create a Red team composed of Subject Matter Experts, external to the Blue team’s sources.
- Preparation by the Red Team. Team members should learn everything they can about what has gone before in the crisis at hand, the blue team's plan and what the enemy and other adversaries may be thinking. (Perhaps by creating a checklist of the information that the team needs to know.)
- Meeting between the Red Team and Blue planners to explain critical points of the Red Team’s purpose, in order to alleviate friction.
- Red team creats a plan / Course of Action (CoA).
- An exercise / simulation is conducted (Ex: A War Game).
- Exercise is evaluated and improvements identified.
- The required and desired improvements are incorporated.
- Exercise and evaluate again till the desired objective is reached.
Our class played a game with 4 players comprising the Blue Team, 8 players comprising the Red Team, and 2 referees to enforce the rules. It was similar to "Capture the Flag" in that the Blue Team's goal was to defend an object and the Red Team's goal was to capture the object. We conducted the exercise within the confines of our department's building. The rules of the game were as follows: both teams must remain within the building; before the game began, both teams were required to create a plan of attack and could not deviate from that plan once play began; the teams could divide their members and start from any of the four entrances to the building; once play began, each player on each team must move at least 5 steps but no more than 10 steps (a step is defined a heel-to-toe); players must move in straight lines or at 90 degree angles; if two players come within arms' length of each other they are both eliminated, unless they reveal a safety card which protects the owner from elimination one time only.
Here is how the game played out: the Blue Team, having only four members, took their position surrounding the object and worked their way outwards trying to cover each entrance to the building, but that strategy proved ineffective given the Red Team's strategy to overwhelm one entrance and use the other three as decoys. Therefore, the Blue Team only had one player to defend against five Red Team players. Obviously, once the Red Team eliminated the lone Blue Team defender, they easily won the game.
In our debrief, it was obvious that the Red Team would be victorious given their advantage in the amount of players they had. It was possible for the Blue Team to prolong the game, but eventually they would be overwhelmed by the Red Team. However, an interesting aspect came up: just because the Red Team won, does that mean that they do not need to alter their strategy for the future? It's a question that we believe should be asked when performing Red Teaming exercises.