Monday, September 29, 2014

Summary of Findings: Red Teaming (3.5 out of 5 stars)

Note: This post represents the synthesis of the thoughts, procedures and experiences of others as represented in the 5 articles read in advance (see previous posts) and the discussion among the students and instructor during the Advanced Analytic Techniques class at Mercyhurst University in September 2014 regarding Red Teaming specifically. This technique was evaluated based on its overall validity, simplicity, flexibility and its ability to effectively use unstructured data.

Description:
Red Teaming is an alternative analysis technique that challenges assumptions to better understand adversarial perspectives and identify vulnerabilities within an organization’s plans, operations, and capabilities. Depending on application, Red Teaming can be a forecasting method or an analytic force multiplier. The technique’s peer review process identifies unexpected scenarios and potential strategic surprises or unintended consequences of a course of action. Red Teaming provides a structured platform for communicating internal critical analyses from a team assigned to the opposing force and examines how an adversary may evaluate the organization’s capabilities in an operational context.

Strengths:
1. Helps to identify different outcomes of highly complex scenarios
2. Encourages “out of the box” thinking that may not have been produced before
3. Trains both red and blue teams to think like adversaries and anticipate how they would act. Participants usually attest to learning more about the situation of interest
4. Commonly used methodology in the military, national security, private, and law enforcement sectors

Weaknesses:
1. Little to no empirical evidence proves that Red Teaming improves forecasting accuracy
2. Without a clear physical conflict, it is difficult to distinguish Red Team analysis from Devil’s Advocacy
3. Difficult to quantify the outcomes red team analysis produces
4. The red team must be made up of members highly trained in the adversary's tactics and ideology
5. Both teams must take the exercise seriously in order for the outcome to be valid

Step by Step:
Note: There is no agreed-upon step by step action to complete a red teaming exercise. The following process was identified as a common one across different Red Team scenarios:
  1. A group of individuals must be assembled to complete a red teaming exercise.
  2. The group begins by splitting up into two groups: a red team (opposing force) and a blue team (friendly force).
  3. The two groups independently examine the different threats, projections, or emulations.
  4. The groups explain the points of view of enemies, partners, and allies.
  5. The groups then identify strategies for how to address the threats.
  6. In the end, the group can use this exercise as a modifier or a method to bolster forecasting abilities.

Exercise:
Details of the exercise:
  • Divide the group into two teams
  • Be sure that the teams are separate from each other so they cannot hear each other
  • The objective for each group is to finish the activity with a positive score
  • The activity is played over 10 rounds with each round lasting 30 seconds
  • During each round each team picks either red or blue
  • A score is then given to the teams depending on their responses
    • Scenario 1: Team 1: Red, Team 2: Red
      • Team 1: +3, Team 2: +3
    • Scenario 2: Team 1: Red, Team 2: Blue
      • Team 1: -6, Team 2: +6
    • Scenario 3: Team 1: Blue, Team 2: Red
      • Team 1: +6, Team 2: -6
    • Scenario 4: Team 1: Blue, Team 2: Blue
      • Team 1: -3, Team 2: -3
  • After Round 5 an inter-group meeting between a member of each team takes place. During this meeting, strategies and plans are discussed
  • Rounds 9 & 10 scores are doubled
  • Total the scores of both teams. The team with the greatest POSITIVE score is the winner
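The scoring rules above are a complete specification, so they can be run as a small simulation. The following is an added example, not code from the original post or the class: the payoff table, the ten-round length, and the doubling of rounds 9 and 10 are taken from the rules as stated; the strategy names (always Red, always Blue, tit-for-tat) and the sample play-throughs are constructed for illustration. The inter-group meeting after round 5 has no effect on scoring and is not modelled. Running it shows that under these rules sustained mutual Red is the only way for both teams to finish with a positive score, while a single Blue pick against a Red pick swings 12 points (24 in rounds 9 and 10) in the defector's favour.

```python
"""Scoring engine for the Red/Blue exercise (added example, not from the post)."""

ROUNDS = 10
DOUBLED_ROUNDS = {9, 10}  # rounds 9 & 10 scores are doubled

# Payoff table from the exercise rules:
# (team1_pick, team2_pick) -> (team1_points, team2_points)
PAYOFF = {
    ("Red", "Red"): (3, 3),      # Scenario 1
    ("Red", "Blue"): (-6, 6),    # Scenario 2
    ("Blue", "Red"): (6, -6),    # Scenario 3
    ("Blue", "Blue"): (-3, -3),  # Scenario 4
}


# A strategy receives the list of the opponent's previous picks and
# returns "Red" or "Blue". These three strategies are constructed examples.
def always_red(opponent_history):
    return "Red"


def always_blue(opponent_history):
    return "Blue"


def tit_for_tat(opponent_history):
    # Open with Red, then mirror whatever the opponent played last round.
    return "Red" if not opponent_history else opponent_history[-1]


def score_round(round_no, pick1, pick2):
    """Points awarded in one round, doubled in rounds 9 and 10."""
    if pick1 not in ("Red", "Blue") or pick2 not in ("Red", "Blue"):
        raise ValueError("each pick must be 'Red' or 'Blue'")
    p1, p2 = PAYOFF[(pick1, pick2)]
    mult = 2 if round_no in DOUBLED_ROUNDS else 1
    return p1 * mult, p2 * mult


def play(strategy1, strategy2, rounds=ROUNDS):
    """Play the whole exercise; returns (team1_total, team2_total, per-round picks)."""
    hist1, hist2 = [], []
    total1 = total2 = 0
    for r in range(1, rounds + 1):
        pick1 = strategy1(hist2)  # each team sees only the other team's past picks
        pick2 = strategy2(hist1)
        p1, p2 = score_round(r, pick1, pick2)
        total1 += p1
        total2 += p2
        hist1.append(pick1)
        hist2.append(pick2)
    return total1, total2, list(zip(hist1, hist2))


def winner(total1, total2):
    """Team with the greatest POSITIVE score wins; None when neither is positive."""
    if max(total1, total2) <= 0:
        return None
    if total1 == total2:
        return "tie"
    return "Team 1" if total1 > total2 else "Team 2"


if __name__ == "__main__":
    matchups = [
        ("both always Red", always_red, always_red),
        ("Team 2 always Blue", always_red, always_blue),
        ("both always Blue", always_blue, always_blue),
        ("tit-for-tat vs always Blue", tit_for_tat, always_blue),
    ]
    for name, s1, s2 in matchups:
        t1, t2, _ = play(s1, s2)
        print(f"{name:28s} Team 1 {t1:+4d}  Team 2 {t2:+4d}  winner: {winner(t1, t2)}")
```

The tit-for-tat run is the instructive one: a single opening Red against a team that always plays Blue is never recovered, and because the exercise names a winner only among positive scores, the mutual-Blue and tit-for-tat matchups end with no winner at all, which is the outcome the participants describe below.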

What did we learn from the Red Teaming Exercise

  • Due to the constraints of the exercise, teams felt limited in their decision making
  • Teams felt there was not a possibility to finish with a positive score, so they instead made sure the opposing team did not finish with a positive score
  • Participants of the exercise claimed they attempted to think like their opponent when making their decisions
  • Participants claimed that the lack of an incentive limited the exercise

Saturday, September 27, 2014

Red Teaming: The Case for Broader Application of Red Teaming within Homeland Security

Summary:
Colonel A. Bentley Nettles’ 2010 thesis at the Naval Postgraduate School in Monterey, California provides a framework for educating all Department of Homeland Security (DHS) leaders on red team fundamentals by focusing on implementing decision support red teams as part of its force structure, implementing joint enterprise red teams between security agencies and partners, and implementing red team integration into DHS technology approval processes.

Colonel Nettles describes red teaming as intentionally creating a virus within an organization in order to protect, nurture, and develop an antidote for strategic surprises. Broader application of red teams creates antibodies within the security infrastructure when supported by leadership. Colonel Nettles argues that red teams do this by applying creative thinking, challenging organizations’ assumptions, providing alternative analysis of organization plans, and providing decision makers with alternative perspectives on the current operating environment.

Colonel Nettles states that the overall goal of red teaming is to challenge one’s own assumptions in order to better understand the adversary’s perspectives and to identify one’s own vulnerabilities. Red teaming is a peer review process of a concept or proposed course of action used to look for unexpected scenarios or to identify unexpected consequences to a particular approach. Red teaming enables the United States to examine how enemies view the United States to better understand how the enemies evaluate strengths and weaknesses.

The “function” of a red team is the provision of an independent capability to fully explore alternatives in plans, operations, concepts, organizations, and capabilities in the context of the operational environment and from the perspectives of partners, adversaries, and others. The “outputs” of a red team are alternative perspectives from a trained team, an anthropological tool kit for cultural considerations of adversaries and coalition partners, a platform for communication and negotiation for internal critical analysis without being disruptive, a theoretical analysis of complex situations, and insight into how adversaries and stakeholders think.

At the strategic level, an effective red team assists decision making by pinpointing key decision points for the team, identifying planning shortfalls, highlighting differences between plans and doctrine, and identifying unintended effects of future courses of action.

Colonel Nettles uses a case study approach to defend his advocacy of red teams to support the DHS mission to prevent terrorism, manage borders, enforce immigration laws, safeguard cyberspace, and ensure resilience to disasters. The case study focuses on one aspect of Transportation Security Administration (TSA) responsibilities, commercial airline security, which refers to procedures as well as infrastructure designed to avoid security problems aboard aircraft. The airport checkpoints themselves are just a few layers of the security approach used by TSA to secure the traveling public and the aerial transportation system. The case study asks why the layers of security implemented by TSA failed to stop the terrorist from boarding. Colonel Nettles visualizes 20 layers of security in Figure 2.

Source: http://tinyurl.com/mx9mqbw
The case study focuses on Umar Farouk Abdulmutallab, the “Christmas day bomber”, who successfully boarded a plane from Amsterdam bound for Detroit on Christmas day in 2009 with an explosive device hidden on his body; the device failed to detonate properly on final descent to Detroit. Colonel Nettles argues that there was ample information and intelligence available to the United States indicating Umar’s impending attack, yet the government failed to connect, integrate, and understand the information it had, signifying systemic failure brought about by human error. Despite TSA’s 20 layers of security efforts, Umar broke through the defense.

Colonel Nettles asserts that utilizing Red Team concepts to create a decision support system would assess the implied assumptions in the TSA security system. A decision support Red Team would address how to shift the approach to aviation security from a defensive one to an offensive one and how to identify terrorist groups likely to try to smuggle explosives aboard transportation systems.

The present TSA Red Team program was created in response to the 1988 bombing of Pan Am Flight 103. The program is assigned to conduct covert airport security penetration testing for identifying localized and systemic vulnerabilities. Colonel Nettles argues that the program is insufficient and focus needs to be shifted to challenge assumptions made in developing new security initiatives by involving a Red Team in the concept development of new security approaches and technologies.

Colonel Nettles provides three primary conclusions:
1. Failure of imagination remains a factor within homeland security institutions five years after it was identified as an issue by the 9/11 commission.
2. Bureaucracies are not facilitators of creative original thought; thus the culture of the government works against out of the box thinking, which is a necessary component of fighting terrorism.
3. Five years after the 9/11 Commission, the United States still needs to redefine homeland security approaches into a flexible, adaptive system.

Where do Red Teams fit into this? Colonel Nettles provides the following recommendations:
1. Homeland security leaders need to be trained to ask the following four questions of projects that are presented to them in a structured manner through the framework offered by Red Teams:
a. What if…? This question is useful in anticipating what the enemy may do.
b. What are the objectives of…? Answering this question forces staff to consider other perspectives.
c. What are we missing…? Answering this question helps identify gaps and vulnerabilities within agency operations, plans, and conceptual designs; in addition to identifying disconnects between agencies that need to be filled to avoid exploitation.
d. What is working and what isn’t? This is a pre-requisite to creating a learning organization.
2. Implement decision support Red Teams as part of organizational structure utilized by DHS agency heads and divisions within the organizations in order to develop an independent capability for alternatively analyzing issues.
3. Implement joint enterprise Red Teams between its own agencies and facilitate joint enterprise Red Teams between DHS and other security agencies, entities, and partners.
4. Implement Red Team integration into technology approval processes. The RAND Corporation determined that terrorists respond to defensive technologies by altering operational practices, making technological substitutes, avoiding the defensive technology, or attacking the defensive technology. Red Teaming is a means of penetration testing.

Critique:
The stated goal of the research was to determine if more effective, broader utilization of decision support red teams and concepts from red teaming can positively affect decision making within DHS to foster a learning organization. The case study highlights where red teaming could theoretically be useful in the development of concepts, plans, and strategic initiatives in pursuit of homeland security. The recommendations from the study rely on evidence from challenges posed to decision making within DHS and symptoms of defective decision making.

Before considering if decision support red teams should be proliferated throughout security organizations as recommended in the article, more evidence indicating that the output of red teaming increases the effectiveness of organizations in the domain under study is needed. 

Source: