Summary
Red Team analysis is useful in a scenario where an offensive and a defensive force can be clearly demarcated. Many security specialists who produce a defensive system are the same individuals who then test the system they just produced. This approach “results in simple and incomplete tests, because system designers are naturally biased towards proving that their system works” (p. 1).
The Defense Advanced Research Projects Agency funds studies in order to encourage systematic testing, especially when the testing procedures involve Red Team vs. Blue Team exercises. In Red Team analysis, rules of engagement are established. Sometimes the analysis is done in phases: first the Blue Team makes an offensive action, then the Red Team responds while the Blue Team is frozen. In other analysis or testing scenarios, the Red and Blue teams make simultaneous actions and developments.
This study used Red Team analysis to test how well a new piece of software protected against denial of service attacks. First, rules of engagement were established. For example, the Red Team could only attack the software through the means by which the software would normally be used. Administrators of the study considered the Red Team successful only if the Blue Team did not notice any intrusions or odd behavior. Normally, denial of service attacks require coordination among hundreds, or sometimes thousands, of bot machines. This study reduced the scope tremendously, actually making it easier for the Red Team to be successful.
After testing at least seven different tactics hackers could use to perpetrate a denial of service attack, the analysis showed that while the software was effective in protecting against the attacks it was designed to handle, it had “significant vulnerabilities” (p. 14). As a result, both the Red Team and the Blue Team learned a considerable amount about the security of the software and about various denial of service attacks (p. 14).
Critique
Red Team analysis is a valuable tool for gaining a greater understanding of the issue from both a protagonist and an antagonist point of view. Judging from this study, it appears that Red Team analysis is more enlightening when members of either team have no stake in the success or failure of the other team.
One of the biggest strengths of Red Team analysis also appears to be a weakness. Red Team analysis provides a simplified scenario in which theories, tactics, or analyses can be tested or simulated. However, the simplification can create blind spots once those theories, tactics, or analyses are applied in the real world. There may be real-world incidents of a kind that was forbidden by the rules of engagement in the test scenario.
Source
Mirkovic, J., Reiher, P., Papadopoulos, C., Hussain, A., Shepard, M., Berg, M., & Jung, R. (n.d.). Testing a Collaborative DDoS Defense in a Red Team/Blue Team Exercise (pp. 1–14). California: University of Southern California. Retrieved from http://www.isi.edu/~mirkovic/publications/redteam.pdf
Kyle, I found the notion that Red Team analysis provides more insight when members of either team can have no stake in the success or failure of the other team fascinating. What is something someone in charge of implementing the technique can do to increase the likelihood that this practice is followed?
Kyle, the study you examined appears to look at using Red Teaming as a way of discovering vulnerabilities or weaknesses in a current system. What are your thoughts on the effectiveness of this methodology as a forecasting tool?
Ricardo - I think establishing clear rules of engagement is essential. The opposing teams should be physically isolated from one another. The environment should be completely conflictual, so I would discourage 'diplomacy' sessions.
Harrison - While it is true that the method involves testing vulnerabilities, those tests generate estimates as to the most effective DoS attacks. In that sense, it appears to be an effective forecasting tool, at least in the cyber security world.