Friday, September 26, 2014

Red Dawn: The emergence of a red teaming capability in the Canadian Forces

Summary:

From his research, Mathew Lauder defines red teaming as "an organizational process support activity undertaken by a flexible, adaptable, independent, and expert team that aims to create a collaborative learning relationship by challenging assumptions, concepts, plans, operations, organizations, and capabilities through the eyes of adversaries in the context of a complex security environment."  Red teaming involves two main teams, a red team and a blue team.  The blue team plays the role of the parent organization and attempts to stop or hinder the red team, the adversary, from achieving its goals.

Red teaming can be traced back to 2,200 BC China, where generals and statesmen played Wei-chi, a board game in which the players attempted to capture the most space on the board.  The outcomes of these games influenced the development of early Chinese military tactics.  Officers of the German Fifth Panzer Army used similar techniques, using live reports from the battlefield to develop strategies.  Red teaming is not just a military and national security methodology; it is also used by the private sector.  For example, IBM uses "highly specialized" employees to adopt the roles of its competitors in order to test the organization's assumptions and to identify unexpected outcomes, alternative approaches, and vulnerabilities within the company's current strategies.

Lauder notes that red teaming can be used at all three levels of military activity, although the military more often uses it at the operational and strategic levels.  Red teaming helps the organization "mitigate complacency, group-think, and mirror imaging."  Beyond these gains, it helps the participants in the scenario become more familiar not only with the adversary (the competitor or the hostile force) but also with the capabilities and vulnerabilities of their own organization.  To succeed, the blue team must analyze its adversary to determine the adversary's capabilities, and must also analyze itself to identify its own vulnerabilities, in order to determine the red team's likely courses of action.

Lauder notes that there have been very few studies of the effectiveness and efficacy of the red team methodology.  Most of the research at the time (2009) concerned best practices of red teaming and was highly descriptive, explaining how to apply the approach in certain industries or in certain situations.  Lauder proposes six questions for further study:

• What are the qualities and characteristics of good and effective red teamers, and how are red teamers selected?
• What type of training is required for red teamers?
• Is there a particular red team composition that is more effective than others?
• What kind of learning environment is most effective?
• Does the role of the red team differ in certain environments (i.e., does the role differ across settings and levels)?
• What type of interaction is necessary (between red and blue) to encourage learning?

From his research and analysis, Lauder believes the most important piece of the red teaming methodology is having expertly trained red team members.  They must understand the tactics, methods, and ideology of the adversary they are portraying.  Just as in the role-playing methodology, they must see and act as the role (in this case, the group or organization) in order for the blue team to learn from the scenario.

Critique:
I found Lauder's article to be very informative about the red teaming methodology.  While this research was conducted for the Canadian Armed Forces, he does an excellent job of pulling in research on the private sector and combining that information with how military and national security professionals use the methodology.

My concern with this research is his concluding statement, where Lauder recommends the adaptation of red teaming into all levels of the military after stating that there is little to no evidence of the effectiveness of red teaming.  He even states that there is some evidence that points towards red teaming actually creating a learning barrier due to the participants' concentration on short-term gain during the exercise.  Recommending a methodology because it sounds logical is, in my opinion, wrong, especially when the author is recommending that a military adopt it, where lives may be at stake.

Source:

Lauder, Mathew. (2009). Red dawn: The emergence of a red teaming capability in the Canadian Forces. Canadian Army Journal, 12(1).


Red Teaming for Law Enforcement

Summary

In this article, Capt. Michael Meehan presents the process, benefits, and limitations of conducting a red teaming exercise. Meehan states that red teams can be used in national security, the business world, or law enforcement, and that their effectiveness depends on their execution.

At its most basic level, Meehan describes red teaming as a peer review of plans and policies to detect vulnerabilities that an adversary might exploit. He also states that red teams are to evaluate a target or tactic of an adversary, not the likelihood that the target will be attacked. Through the exercise, red teams determine what to attack and how.

Meehan presents two types of red teaming:

• Analytical
  a. The team portrays an adversary, but there is no field play.
  b. Participants analyze potential attack plans to identify indicators of an attack.
  c. Participants then assess whether their current plans would successfully repel an attack by the adversary.

• Physical
  a. Participants portray actual adversarial moves.
  b. Participants embody the adversary and act accordingly.
  c. As the red team acts out a plot, a blue team interacts accordingly to counter the attack as it sees fit.

Meehan continues by listing the potential benefits and impediments of performing a red team exercise:

• Benefits
  o Offers a remedy for group complacency.
  o Red teams can highlight deviations from doctrine and reveal unexamined opportunities for an adversary.
  o Determines how well an organization understands its own plans and policies.

• Impediments
  o The quality of the exercise depends on the scenario construction, the quality of the group members, and the conditions under which the exercise is performed.
  o Results depend on group members' interpretation of lessons learned.
  o Failure results when members do not take the exercise seriously.
  o An over-scripted exercise limits creativity and removes the realism of the scenario.

To close the article, Meehan states that a limitation of red teaming is that an exercise cannot produce every possible outcome; however, that should not deter an organization from performing a red team exercise.  Red teaming provides the opportunity for realistic training that will expand participants' knowledge not only of their adversaries but also of themselves.

Critique:
Meehan makes a great case for using red teaming in one's respective organization; however, he does not touch on how to properly administer a red teaming exercise. No guidelines were presented with regard to time frame, number of team members, or how to administer the scenario. It is likely that Meehan has had success leading red team exercises, but no specifics were shared on how to replicate his success. Additionally, Meehan did not go into specifics on the interactions between red and blue teams during the course of exercises.

Finally, Meehan states, "[red teaming] is also not well suited to developing solutions to problems so much as for raising issues and exploring potential responses," which raises a few questions as to whether red teaming is an effective analysis tool. From this article, I gather that red teaming alone cannot support analysis, as it does not produce an estimate on the likelihood of events occurring. For red teaming to be useful, team members must utilize additional methodologies to assess the likelihood of the potential attacks generated during the exercise. 

Source:

Meehan, Michael. (2007). Red teaming for law enforcement. The Police Chief Magazine, 71(2).


Don’t box in the red team

Lt. Col. Brendan S. Mulvaney

Summary:
Lt. Col. Brendan S. Mulvaney’s 2012 article concludes that red teams should assist professionals, not replace them. Red teams help military organizations by challenging their policies, training exercises and operations. Teams may also focus on physical intrusions, projections, or emulations and help explain points of view from enemies, partners, and allies.

According to Mulvaney, red teaming is in danger because it is unhelpfully described as a tool best used to understand an operating environment and its human terrain. Mulvaney believes this understanding could cause termination of red teams. Instead, red teams need to challenge blue teams and serve commanders.

Mulvaney gives two reasons why red teams cannot remain the primary source of operating-environment expertise:

Until the military makes operating-environment red teaming a full-time academic and experiential expertise, officers and members cannot become skillful enough in a specific area to provide expert-level advice on cultural issues. If a member does not have expert knowledge, the tools in the Red Team Handbook will not enable that member to describe the operating environment. In addition, the tools presented in the Red Team Handbook are only analytic tools; therefore, organizations should teach the experts these tools. Analytic tools that prove effective in helping members will “inevitably be incorporated into the organization’s intelligence and planning functions at some point in the not-too-distant future.”

Even though more and more people are using analytic techniques to address problems, groupthink and other standardized processes still lead to complications. Therefore, red teams need to move beyond the operating environment and provide “alternative analysis and independent review of their organizations.” For example, NATO is using AltA (alternative analysis) to emphasize the review function of red teaming.

Although red teamers are able to trace logic flows, find errors, and uncover biases, these skills do not make them cultural experts or qualify them as a shadow staff. Instead, red teams should provide insight into tactics, techniques, and procedures. They can interact with other red teams across agencies and organizations to evaluate plans and policies and to learn new trends in the service. In addition, Mulvaney notes, “red teams need to work within the staff primaries and with the chief of staff to provide the commander the opportunity to hear the alternative and him to decide whether to explore it.” Red teams need to focus on challenging organizations and providing alternative options for commanders to hear.

Critique:
While Mulvaney does a notable job explaining red teams and how they should be functioning within organizations, I wish he further explored the concept and interaction of blue teams. Subsequently, I do agree that organizations should make red teaming a full time academic and experiential expertise. Learning to interact with different organizations while providing additional analytic processes is extremely important to the intelligence community as a whole.

Source:

Mulvaney, B. S. (2012, November). Don’t box in the red team. Armed Forces Journal, 150(4), 22–33. http://www.armedforcesjournal.com/dont-box-in-the-red-team/

Thursday, September 25, 2014

Testing A Collaborative DDoS Defense In A Red Team/Blue Team Exercise
Summary
Red Team analysis is useful in a scenario where an offensive and a defensive force can be clearly demarcated.  The security specialists who build a defensive system are often the same individuals who test the system they just built.  This approach “results in simple and incomplete tests, because system designers are naturally biased towards proving that their system works” (p. 1).

The Defense Advanced Research Projects Agency funds studies in order to encourage systematic testing, especially when the testing procedures involve Red Team vs. Blue Team exercises.  In Red Team analysis, rules of engagement are established first.  Sometimes the analysis is done in phases: the Blue Team makes an offensive action, and then the Red Team responds while the Blue Team is frozen.  In other analysis or testing scenarios, the Red and Blue teams act and develop simultaneously.

This study used Red Team analysis to test how well a new piece of software protected against denial of service attacks.  First, rules of engagement were established.  For example, the Red Team could only attack the software through the means by which the software would normally be used.  The administrators of the study considered the Red Team successful only if the Blue Team did not notice any intrusions or odd behavior.  Normally, denial of service attacks require coordination among hundreds, or sometimes thousands, of bot machines.  This study reduced the scope tremendously, which actually made it easier for the Red Team to succeed.

After testing at least seven different tactics attackers could use to perpetrate a denial of service attack, the analysis showed that while the software was effective in protecting against the attacks it was designed to handle, it had “significant vulnerabilities” (p. 14).  As a result, both the Red Team and the Blue Team learned a considerable amount about the security of the software and about various denial of service attacks (p. 14).

Critique
Red Team analysis is a valuable tool for gaining a greater understanding of the issue from both a protagonist and an antagonist point of view.  Judging from this study, it appears that Red Team analysis is more enlightening when members of either team have no stake in the success or failure of the other team.

One of the biggest strengths of Red Team analysis also appears to be a weakness.  Red Team analysis provides a simplified scenario in which theories, tactics, or analyses can be tested or simulated.  However, the simplification can create blind spots once those theories, tactics, or analyses are applied in the real world.  Situations may occur in practice that were forbidden by the rules of engagement in the test scenario.

Source
Mirkovic, J., Reiher, P., Papadopoulos, C., Hussain, A., Shepard, M., Berg, M., & Jung, R. (n.d.). Testing A Collaborative DDoS Defense In A Red Team/Blue Team Exercise (pp. 1–14). California: University of Southern California. Retrieved from http://www.isi.edu/~mirkovic/publications/redteam.pdf

Monday, September 22, 2014

Summary of Findings: SWOT (2 out of 5 stars)

Note: This post represents the synthesis of the thoughts, procedures and experiences of others as represented in the 5 articles read in advance (see previous posts) and the discussion among the students and instructor during the Advanced Analytic Techniques class at Mercyhurst University in September 2014 regarding SWOT specifically. This technique was evaluated based on its overall validity, simplicity, flexibility and its ability to effectively use unstructured data.

Description:
SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis is an analytic modifier used to categorize internal and external forces in order to simplify strategy discussions and development.  Internal forces are divided into strengths and weaknesses, while external forces are categorized into threats and opportunities.  SWOT analysis is both an operational and an intelligence tool.  While operational personnel are primarily concerned with the organization’s strengths and weaknesses (the internal forces), intelligence personnel focus on the opportunities and threats (the external forces).

Strengths:
1. Overrides “silos” within organizations by serving as a platform to externalize ideas previously entrenched within a division or unit in a structured way for preliminary analysis.
2. Provides a snapshot of the organization’s competitive traits and relates them to external forces.
3. Prioritizes courses of action likely to yield the most success to the organization by integrating the organization’s perception of strengths and weaknesses with estimates of external opportunities and threats pulled from the research collected in the structured process.
4. Indirectly adds value to strategic planning by integrating intelligence and operational variables into categories for further discussion and analysis.   
5. Ability to combine the output of a SWOT with other techniques, such as STEEP and competitor analysis, for any application that looks at internal and external capabilities, resources, and forces to determine future decisions likely to produce success for the organization.

Weaknesses:
1. The simplicity of this modifier may create an unactionable product.
2. Management may not utilize the SWOT information provided.
3. The validity of this modifier is questioned.
4. Companies list an excessive number of strengths and weaknesses when completing a SWOT.
5. There is no straightforward methodology for identifying strengths and weaknesses.
6. Strengths and weaknesses are not listed in a hierarchy.
7. SWOT examines a company at the moment the analysis is completed and does not monitor changes over time.

Step by Step:
Note: There is no agreed-upon step-by-step procedure for completing a SWOT analysis. The following process was identified as a common one across the different articles:
  1. A group of individuals is assembled to complete the SWOT analysis.
  2. The group begins by examining itself internally, listing 9-12 strengths and weaknesses of the company, group, or whomever it represents. When listing strengths and weaknesses, it is important to list only those the company directly causes.
  3. The group continues by listing the external opportunities and threats that will directly impact the success of the group.
  4. The group then identifies strategies for how its strengths can be used to address the present opportunities and threats.
  5. The group then identifies strategies for how its weaknesses can be mitigated while addressing the present opportunities and threats.

Exercise:
Classmates were tasked with helping a leisure center identify new strategies based on the results of a SWOT analysis.  The participants were given a list of fourteen statements (for the list of statements, please use the hyperlink provided below) about the leisure center as well as its external environment.  Individually, the participants used the fourteen statements to identify the strengths and weaknesses of the leisure center and the external opportunities and threats facing the company.

The participants then came together as a group and combined their responses into one SWOT product.  For example, the group identified that the leisure center had a highly respectful staff and had been awarded a grant for quality assurance.  Weaknesses of the center included a poor food court and a lack of certain equipment, such as whirlpools.  External opportunities included higher life expectancy in the area as well as a scuba vendor looking for a new venue.  The local area has been experiencing a declining birth rate over the last ten years, which poses a threat to the center.

After completing the SWOT analysis, the class looked to leverage the center’s strengths and weaknesses to either take advantage of certain opportunities in the market or mitigate external threats.  The class determined that the overall strategy should be to target the older population, as the company had been awarded a grant for special ramps and changing rooms for the disabled and people in general have higher life expectancies.  In total, four strategies were developed by the group.
Documents used as part of this exercise included...
Market Teacher SWOT Exercise
SWOT Template

Friday, September 19, 2014

Evaluating SWOT's Value In Creating Actionable, Strategic Intelligence

Summary:  
Michael Finnegan’s 2010 thesis surveyed 101 executives (78 completions) from multiple countries and industries in an effort to evaluate SWOT’s viability for creating actionable intelligence in the formulation of strategic plans. The methodology defines an executive as a working professional in upper management or anyone involved in strategic planning. In this study, strategic planning refers to the areas of business operations that look at all internal and external events and resources to determine which future decisions will likely yield the most success for the organization. Surveying this population enabled an analysis of primary sources that reached four particular findings.

  1. Businesses rarely use SWOT with the structure and formality reflected in the academic literature supporting the use of the technique. Processes such as researching SWOT variables in depth before conducting an analysis and ranking the outcomes of the technique are missing from the procedures followed by the surveyed executives' organizations. Executives cited college as their initial exposure to SWOT.
  2. SWOT’s greatest contribution to designing a strategic plan is enabling a greater diversity of perspectives from within and outside the organization to come together, which Finnegan identifies as an indirect contribution to strategic planning. SWOT informally overcomes “silos” within organizations, serving as a catalyst to externalize ideas previously entrenched within a division or unit.
  3. Surveyed executives believe a SWOT should be completed quarterly to produce timely and relevant analysis, yet they acknowledged that SWOT is not performed as often as it should be to reach their goals. The reasons it is not performed more often are not clear from the results, but likely barriers include scarcity of time, money, comfort, and convenience. Executives typically conduct a SWOT only once a year.
  4. No evidence of a direct contribution to strategic planning is evident from either the quantitative or the qualitative interpretations of the survey results; therefore, executives should pair SWOT with other techniques, using it as a starting point for additional analysis. The findings indicate that the output of SWOT should not be the sole basis of an effective strategic plan. Other popular techniques cited by executives include competitor profiling, scenario planning, and financial analysis. However, no literature presently confirms that pairing a specific technique with SWOT creates actionable analysis or adds direct value to the creation of strategic plans.

Finnegan does not suggest that executives should abandon SWOT as an analytic technique. The implications of the four findings concern finding effective pairings with other techniques to validate strategies, and they provide evidence that the way SWOT is taught needs to be reassessed for effectiveness.

A pervasive mindset found in the survey results is an application of the technique that consists of filling in the quadrants of SWOT and concluding that the filled-in quadrants are the final output of the analysis. Finnegan found that such procedures are neither reactive nor proactive; they simply break down a present situation visually. One solution identified in the thesis is incorporating case studies and applied projects when SWOT is taught at institutions of higher learning.

Further research is required to identify the best pairings of techniques to add direct value to the creation of strategic plans. Other gaps in the SWOT literature include best practices for the best time and place to perform SWOT, SWOT’s relative value as a communication tool and brainstorming platform, and further surveys corroborating the findings and expanding on the questions used in the study to measure the evolution of SWOT’s application.

Critique:
Another avenue of approach for evaluating SWOT’s value in strategic planning is examining the interrelationships between the vast number of variables SWOT factors into an easier-to-digest profile, and to what extent the future decisions advocated in the strategic plan actually yielded measurable success for the organization, via an experimental stock market game. Various groups with the same internal resources and ability to make sense of external events could be directed to play a stock market game under various conditions (i.e., group 1 crafts an investment evaluation strategic plan to buy or short stocks, with or without options trading, using solely intuition; group 2 uses SWOT; group 3 uses SWOT paired with another technique; etc.).

Source:
Evaluating SWOT's Value In Creating Actionable Strategic Intelligence