Red teaming

A short introduction (1.0)
June 2009
available at http://redteamjournal.com/resources/

Dr. Mark Mateski
Making good decisions
• A wide range of factors—individual, organizational, cultural, situational, and adversarial—contribute to poor decisions.
• Over the years, psychologists, intelligence analysts, and consultants have proposed a variety of methods and approaches to counter the effects of these factors.
• Most of these methods and approaches aim to broaden the analyst or decision maker’s “mindset” by considering more options and assessing them more objectively—Handel’s charge on the next two slides is typical.

Avoiding rigidity
“Clearly, the majority of failures to anticipate strategic surprise can be correlated with conceptual rigidity and a high incidence of perceptual continuity. Therefore analysts (and to a lesser extent, political and military leaders) should be encouraged to consider alternative interpretations of data and new evidence, and continuously to reevaluate their concept while avoiding dogmatic adherence to given concepts.”

Handel, p. 270.

Countering surprise
“The search for ways to promote more open-minded attitudes is basic to almost all proposals for the improvement of intelligence work; to this end, analysts must be encouraged to present their views openly, to be critical, to fight for their opinions if necessary, and to resist group and political pressures. This is perhaps the most rudimentary condition necessary for the upgrading of intelligence work—yet it is also an ideal demand that can never be fully attained within a human environment.”

Handel, p. 270.

Alternative analysis and red teaming
• Alternative analysis represents a family of methods designed to help analysts and decision makers avoid the pitfalls of poor decision making.
• Red teaming is one method of alternative analysis.
• As I note in subsequent slides, calls for more or better alternative analysis tend to follow perceived intelligence failures.

Alternative analysis defined
…alternative analysis seeks to help analysts and policy-makers stretch their thinking through structured techniques that challenge underlying assumptions and broaden the range of possible outcomes considered.

Fishbein and Treverton.

Alternative analysis defined
“Alternative analysis (AA) seeks to impose an explicit self-review by using specific techniques to reveal unconscious analytical assumptions or to challenge weak evidence or logic and to consider alternative hypotheses or outcomes even in the absence of convincing evidence. Simply put, intelligence analysts are now obliged to question explicitly and rigorously the assumptions that underlie their conclusions and guard against conventional wisdom masking a fundamental change in the dynamics of an issue.”

George, p. 318.

Alternative analysis defined
“[According to George, the] most powerful [alternative analysis] techniques include:
• Key Assumptions Checks
• Devil’s Advocacy
• Team A/Team B
• Red Cell exercises
• Contingency ‘What If’ Analysis
• High-Impact/Low-Probability Analysis
• Scenario Development.”

George, p. 318.

Alternative analysis applied
Properly applied, [alternative analysis] serves as a hedge against the natural tendencies of analysts—like all human beings—to perceive information selectively through the lens of preconceptions, to search too narrowly for facts that would confirm rather than discredit existing hypotheses, and to be unduly influenced by premature consensus within analytic groups close at hand.

Fishbein and Treverton.

Alternative analysis in the real world
“To ensure against error in established analytic judgments, the CIA is vigorously promoting Alternative Analysis formats, including forms of challenge analysis (e.g., Devil’s Advocacy) and structured analysis (e.g., Analysis of Competing Hypotheses). In a complementary effort, the CIA is promoting more rigorous analysis of alternatives in first reaching judgments on complex and fluid issues—that is, the systematic generation and critical review of alternative hypotheses...”

Davis, p. 157.

Expert commissions
In the last decade or so, a number of expert panels charged with assessing intelligence failure have pointed—directly or indirectly—to alternative analysis as one means of improving the processes of intelligence analysis and decision making. These commissions include
• the Jeremiah panel (1998),
• the Rumsfeld Commission (1998),
• the 9/11 Commission (2004), and
• the WMD Commission (2005).

The Jeremiah panel
“[Following the surprise tests of nuclear weapons by both India and Pakistan in 1998] Director of Central Intelligence (DCI) George Tenet asked retired Admiral David Jeremiah to review the record to see what had led to this failure to warn the administration. While the report remains classified, Admiral Jeremiah noted at his June 1998 press conference that his ‘bottom line is that both the intelligence and the policy communities had an underlying mindset going into these tests that the BJP [Bharatiya Janata Party—the newly governing Indian party] would behave as we behave.’”

George, p. 317.

The Jeremiah panel
“Going further, Admiral Jeremiah proposed that CIA analysts be more aggressive in thinking through how the other side might behave: ‘you could argue that you need to have a contrarian view that might be part of our warning process, ought to include some divergent thinkers who look at the same evidence and come to a different conclusion and then you test that different set of conclusions against other evidence to see if it could be valid.’”

George, p. 317.

The Rumsfeld Commission
“Almost simultaneously [with the Jeremiah panel], the 1998 Commission to Assess the Ballistic Missile Threat to the United States [headed by Donald Rumsfeld] issued a similar assessment. It found ‘analysts unwilling to make estimates that extend beyond the hard evidence they had in hand, which effectively precluded developing and testing alternative hypotheses about actual foreign programs taking place.’”

George, p. 317.

The 9/11 Commission
“[Writing to Donald Rumsfeld and referring to a plot to crash] an explosives-laden plane into CIA headquarters,” [Wolfowitz] “wondered why so little thought had been devoted to the danger of suicide pilots, seeing a ‘failure of imagination’ and a mind-set that dismissed possibilities.”

9/11 Commission Report, p. 336.

The 9/11 Commission
“It is therefore crucial to find a way of routinizing, even bureaucratizing, the exercise of imagination. Doing so requires more than finding an expert who can imagine that aircraft could be used as weapons.”

9/11 Commission Report, p. 344

The WMD Commission
The widely recognized need for alternative analysis drives many to propose organizational solutions, such as ‘red teams’ and other formal mechanisms…. Any such organs, the creation of which we encourage, must do more than just ‘alternative analysis,’ though. The Community should institute a formal system for competitive—and even explicitly contrarian—analysis.

WMD Commission Report, p. 170.

The WMD Commission
Perhaps most important, however, is the view that the Intelligence Community should not rely upon specialized ‘red team offices,’ or even individual ‘red team exercises’ to ensure there is sufficient independent analysis. Rather, such independent analysis must become a habitual analytic practice for all analysts.

WMD Commission Report, p. 170.

Red teaming in legislation
The reports emerging from expert panels have informed Congress and led to legislation directing the government to undertake red teaming. Two examples include
• the Intelligence Reform and Terrorism Prevention Act of 2004 and
• the FY2006 Homeland Security Authorization Act.

2004 Intelligence Reform Act
“Sec. 1017. ALTERNATIVE ANALYSIS OF INTELLIGENCE BY THE INTELLIGENCE COMMUNITY
a) IN GENERAL—Not later than 180 days after the effective date of this Act, the Director of National Intelligence shall establish a process and assign an individual or entity the responsibility for ensuring that, as appropriate, elements of the intelligence community conduct alternative analysis (commonly referred to as ‘red-team analysis’) of the information and conclusions in intelligence products.”

Intelligence Reform and Terrorism Prevention Act.

Homeland Security Authorization Act
“The Act requires DHS to apply red team analysis to terrorist use of nuclear weapons and biological agents. As terrorists seek to exploit new vulnerabilities, it is imperative that appropriate tools be applied to meet those threats. The Act will broaden the intelligence process, thereby strengthening preemptive capabilities.”

FY2006 Homeland Security Authorization Act, Sec. 214 [p. 9].

A variety of definitions
For every red team that exists, a slightly different definition of red teaming also exists. That said, most definitions emphasize a common set of principles. I review nine representative definitions and then identify the principles.

Definition A
“[A red team is] a group of subject-matter experts (SME), with various, appropriate air and space disciplinary backgrounds, that provides an independent peer review of products and processes, acts as a devil's advocate, and knowledgeably role-plays the enemy and outside agencies, using an iterative, interactive process during operations planning.”

Malone and Schaupp.

Definition B
“The red team is a group of subject matter experts (SMEs) of various appropriate disciplinary backgrounds who provide an independent peer review of plans and processes; act as the adversary’s advocate; and knowledgeably role-play the adversary, using a controlled, realistic, interactive process during operations planning, training, and exercising.”

Homeland Security Exercise and Evaluation Program

Definition C
“[Red teaming is an] authorized, adversary-based assessment for defensive purposes…. Adversary-based means accounting for the motivation, goals, knowledge, skills, tools, and means of one or more adversaries”

Sandia Labs’ Information Design Assurance Red Team (IDART)

Definition D
[Red teaming] can mean role-playing the adversary, conducting a vulnerability assessment, or using analytical techniques to improve intelligence estimates. While these definitions seem unrelated, they have in common the goal of improving decision making.

Longbine, abstract.

Definition E
“Defined loosely, red teaming is the practice of viewing a problem from an adversary or competitor’s perspective. The goal of most red teams is to enhance decision making, either by specifying the adversary’s preferences and strategies or by simply acting as a devil’s advocate.”

Red Team Journal

Definition F
“Our usage of the term red team includes not only ‘playing’ adversaries or competitors, but also serving as devil's advocates, offering alternative interpretations (team B) and otherwise challenging established thinking within an enterprise.”

DSB Red Teaming Task Force Final Report, p. 1.

Definition G
“The term red teaming is commonly used to depict processes designed to bring a devil’s advocate perspective by exposing flaws and gaps in our ideas, strategies, concepts, and other new proposals.”

Sandoz, p. 1

Definition H
“‘Red-teaming’ is seeking to get inside the heads of adversaries, not asking what we would do if we were them but creatively trying to ask what they might do given their own goals, culture, organization, and the like.”

Treverton, p. 17n.

Definition I
“The term red team comes from American military war gaming, where the blue team was traditionally the United States and, during the Cold War, the red team was the Soviet Union. In this context, red teaming is defined as teams of executives ‘playing’ the ‘enemy’ to understand what the competitive context (and competitor moves) will be in some potential future.”

Beck, p. 21.

Common definitional elements
• Arguably the most common principle emphasized in these definitions is that red teams view problems from an adversary’s perspective or a contrarian point of view.
• A second principle worth noting is that red teams assist decision makers. They typically do not act apart from a client or decision maker’s specific need, whether this need is to “optimize systems” or “[improve] decision making.”

Applications of red teaming
“Businesses, civilian government agencies, and the military use red teaming to test concepts, hypotheses, and operational plans in a controlled manner using understood tactics, techniques, and procedures (TTPs) or situations. For example, businesses use red teams to simulate the competition; government organizations use red teams as ‘hackers’ to test the security of information stored on computers or transmitted through networks; the military uses red teams to address and anticipate enemy courses of action.”

Ambrose and Ahern, p. 136.

Applications of red teaming
“Red teaming is a term that describes a variety of exercise activities. The most basic level of red teaming is to conduct peer review of plans and policies to detect vulnerabilities or perhaps to simply offer alternative views of scenarios. Another definition [or application] of red teaming is an interactive process conducted during crisis action planning to assess planning decisions, assumptions, processes, and products from the perspective of friendly, enemy, and outside organizations.”

Meehan.

Applications of red teaming
“…‘red teams’ can be used to help ensure that information systems will meet security challenges. ‘Red team’ activities can range from threat or attack exercises to critical reviews of security procedures.”

Anderson, et al, p. 72.

Applications of red teaming
“The value of red teaming is twofold. First, it is arguably the best tool for raising security awareness in an organization. Most red teams discover known security holes for which known fixes, configurations, or patches have not been applied or where compensating security procedures are not in effect or not being enforced…. Second, red teaming is useful for ensuring that correct security configurations are maintained for the system.”

National Research Council, p. 72.

Applications of red teaming
• At least in principle, red teaming can support decision making in almost any context: security, short- or long-term strategy, engineering design, and even personal decisions.
• As suggested by the definitions, red teams may engage in planning, audits, exercises, or studies and analysis.
• Different organizations tend to define the scope of red teaming differently depending on the nature of the organization’s mission.

Sandia’s IDART Ex
• Sandia’s Information Design Assurance Red Team (IDART) “provides independent assessments of critical information systems that are performed from an adversary point-of-view…”
• Sandia’s red team has hosted a variety of conferences and training courses in the past few years.

Sandia Labs’ Information Design Assurance Red Team (IDART)

U.S. Army’s UFMCS Ex
• In 2005 the U.S. Army launched its University of Foreign Military and Cultural Studies (UFMCS).
• The purpose of the initiative is to “[provide] the Army a force-wide Red Teaming capability at the unit of action through unit of employment operational levels” and train Army officers to “look at problems from the perspectives of the adversary…”

U.S. Army Training and Doctrine Command

Categories of red teaming
• In the next two slides, I characterize the purpose and functions of various types of red teaming. I follow these slides with a listing of eight red teaming types developed by Sandia Labs.
• Given the variety of possible applications and settings, it is unlikely that any categorization can capture the full variety of possible red teaming activities. In fact, variety indicates possible innovation, specialization, and adaptation.
• That said, categories and types facilitate discussion and comparison.

Passive
Purpose: Understand
Functions:
• Help BLUE better understand RED, BLUE, and how RED and BLUE view each other.
• Clarify BLUE assumptions and expose biases.
Examples:
• Various intelligence, military, and commercial planning efforts (implicit).

Purpose: Anticipate
Functions:
• Anticipate possible RED courses of action.
• Avoid surprise.
• Better shape BLUE’s courses of action.
Examples:
• Threat, risk, or vulnerability assessments (implicit and explicit).
• The military decision making process.

Mateski, “Toward a Red Teaming Taxonomy, 2.0,” Red Team Journal.

Active
Purpose: Test
Functions:
• Probe or penetrate BLUE systems or security.
• Identify and explore vulnerabilities.
• Explore and test RED COAs and BLUE countermeasures interactively.
Examples:
• Penetration testing (physical and IT).
• Some military exercises and experiments.

Purpose: Train
Functions:
• Teach BLUE how RED thinks and operates.
• Prepare BLUE to respond to possible RED courses of action.
Examples:
• National Training Center opposition force (OPFOR), Top Gun, and so on.
• TOPOFF exercises.

Mateski, “Toward a Red Teaming Taxonomy, 2.0,” Red Team Journal.

The IDART/RT4PM types
As part of their RT4PM course, Sandia has identified eight types of red teaming:
• design assurance red teaming,
• red team hypothesis testing,
• red team gaming,
• behavioral red teaming,
• red team benchmarking,
• operational red teaming,
• analytical red teaming, and
• penetration testing.

Sandia Labs’ Information Design Assurance Red Team (IDART), RT4PM.

The continuing need for red teaming
“Whether you run a corporation or a country, the stakes are high, and business as usual is no longer good enough. More than ever, you need to know what your competitors and opponents are thinking. You need to overcome your organization’s biases and generate creative, resourceful strategies that work. You need to anticipate the next crisis, prevent it if possible, and respond swiftly and effectively if not.”

Mateski, “A Call for a Red Teaming Surge,” Red Team Journal.

Sources
• Ambrose, Fred, and Beth Ahern. “Unconventional Red Teaming.” In Anticipating Rare Events: Can Acts of Terror, Use of Weapons of Mass Destruction or Other High Profile Acts Be Anticipated? 2008.
• Anderson, Robert H., et al. Securing the U.S. Defense Information Infrastructure. Santa Monica, CA: RAND, 1999.
• Beck, John C. “Responding to Global Crises Using the Change Cycle.” In Thunderbird on Global Business Strategy, by Thunderbird, The American Graduate School of International Management, 384. New York: John Wiley & Sons, 2000.
• Davis, Jack. “Why Bad Things Happen to Good Analysts.” In Analyzing Intelligence: Origins, Obstacles, and Innovations, by Roger Z. George and James B. Bruce. Washington, DC: Georgetown University Press, 2008.
• Final Report. Defense Science Board Task Force on the Role and Status of DoD Red Teaming Activities, U.S. Dept. of Defense, 2003.
• Fishbein, Warren, and Gregory Treverton. Rethinking “Alternative Analysis” to Address Transnational Threats. Occasional Papers: Volume 3, Number 2, The Sherman Kent Center for Intelligence Analysis, 2004.
• FY2006 Homeland Security Authorization Act, Sec. 214.
• George, Roger Z. “Fixing the Problem of Analytical Mindsets.” In Intelligence and the National Security Strategist, by Roger Z. George and Robert D. Kline. Lanham, MD: Rowman & Littlefield, 2006.
• Handel, Michael I. War, Strategy, and Intelligence. London: Frank Cass, 1989.
• Intelligence Reform and Terrorism Prevention Act of 2004. Public Law 108-458. December 2004.
• Longbine, David F. Red Teaming: Past and Present. Monograph, Fort Leavenworth, KS: School of Advanced Military Studies, United States Army Command and General Staff College, 2008.
• Malone, Timothy G., and Reagan E. Schaupp. “The ‘Red Team’: Forging a Well-Conceived Contingency Plan.” Aerospace Power Journal, June 2002.
• Mateski, Mark. Red Team Journal. November 11, 2008. http://redteamjournal.com/2008/11/a-call-for-a-red-teaming-surge/ (accessed June 2009).
• —. Red Team Journal. September 2004. http://redteamjournal.com/2008/09/toward-a-red-teaming-taxonomy-20/ (accessed June 2009).
• Meehan, Michael K. “Red Teaming for Law Enforcement.” The Police Chief, February 2007.
• National Research Council. Network-Centric Naval Forces: A Transition Strategy for Enhancing Operational Capabilities. Washington, DC: The National Academies Press, 2000.
• Sandia Labs’ Information Design Assurance Red Team (IDART). 2009. http://idart.sandia.gov/ (accessed June 2009).
• —. 2009. http://idart.sandia.gov/methodology/RT4PM.html (accessed June 2009).
• Sandoz, John. Red Teaming: A Means to Military Transformation. IDA Paper, Alexandria, VA: Institute for Defense Analyses, 2001.
• The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States. New York: W. W. Norton & Co., 2004.
• The Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction: Report to the President of the United States. Final Report. U.S. Government, 2005.
• Treverton, Gregory F. The Next Steps in Reshaping Intelligence. RAND Occasional Paper, Santa Monica, CA: RAND Corporation, 2005.
• U.S. Army, Training and Doctrine Command. 2005. http://www.tradoc.army.mil/pao/tnsarchives/July05/070205.htm (accessed June 2009).
