Red teaming
A short introduction (1.0)
June 2009
available at http://redteamjournal.com/resources/
Dr. Mark Mateski

Making good decisions
• A wide range of factors—individual, organizational, cultural, situational, and adversarial—contribute to poor decisions.
• Over the years, psychologists, intelligence analysts, and consultants have proposed a variety of methods and approaches to counter the effects of these factors.
• Most of these methods and approaches aim to broaden the analyst or decision maker’s “mindset” by considering more options and assessing them more objectively—Handel’s charge on the next two slides is typical.

Avoiding rigidity
“Clearly, the majority of failures to anticipate strategic surprise can be correlated with conceptual rigidity and a high incidence of perceptual continuity. Therefore analysts (and to a lesser extent, political and military leaders) should be encouraged to consider alternative interpretations of data and new evidence, and continuously to reevaluate their concept while avoiding dogmatic adherence to given concepts.”
Handel, p. 270.

Countering surprise
“The search for ways to promote more open-minded attitudes is basic to almost all proposals for the improvement of intelligence work; to this end, analysts must be encouraged to present their views openly, to be critical, to fight for their opinions if necessary, and to resist group and political pressures. This is perhaps the most rudimentary condition necessary for the upgrading of intelligence work—yet it is also an ideal demand that can never be fully attained within a human environment.”
Handel, p. 270.

Alternative analysis and red teaming
• Alternative analysis represents a family of methods designed to help analysts and decision makers avoid the pitfalls of poor decision making.
• Red teaming is one method of alternative analysis.
• As I note in subsequent slides, calls for more or better alternative analysis tend to follow perceived intelligence failures.

Alternative analysis defined
“…alternative analysis seeks to help analysts and policy-makers stretch their thinking through structured techniques that challenge underlying assumptions and broaden the range of possible outcomes considered.”
Fishbein and Treverton.

Alternative analysis defined
“Alternative analysis (AA) seeks to impose an explicit self-review by using specific techniques to reveal unconscious analytical assumptions or to challenge weak evidence or logic and to consider alternative hypotheses or outcomes even in the absence of convincing evidence. Simply put, intelligence analysts are now obliged to question explicitly and rigorously the assumptions that underlie their conclusions and guard against conventional wisdom masking a fundamental change in the dynamics of an issue.”
George, p. 318.

Alternative analysis defined
“[According to George, the] most powerful [alternative analysis] techniques include:
• Key Assumptions Checks
• Devil’s Advocacy
• Team A/Team B
• Red Cell exercises
• Contingency ‘What If’ Analysis
• High-Impact/Low-Probability Analysis
• Scenario Development.”
George, p. 318.

Alternative analysis applied
“Properly applied, [alternative analysis] serves as a hedge against the natural tendencies of analysts—like all human beings—to perceive information selectively through the lens of preconceptions, to search too narrowly for facts that would confirm rather than discredit existing hypotheses, and to be unduly influenced by premature consensus within analytic groups close at hand.”
Fishbein and Treverton.

Alternative analysis in the real world
“To ensure against error in established analytic judgments, the CIA is vigorously promoting Alternative Analysis formats, including forms of challenge analysis (e.g., Devil’s Advocacy) and structured analysis (e.g., Analysis of Competing Hypotheses). In a complementary effort, the CIA is promoting more rigorous analysis of alternatives in first reaching judgments on complex and fluid issues—that is, the systematic generation and critical review of alternative hypotheses...”
Davis, p. 157.

Expert commissions
In the last decade or so, a number of expert panels charged with assessing intelligence failure have pointed—directly or indirectly—to alternative analysis as one means of improving the processes of intelligence analysis and decision making. These commissions include
• the Jeremiah panel (1998),
• the Rumsfeld Commission (1998),
• the 9/11 Commission (2004), and
• the WMD Commission (2005).

The Jeremiah panel
“[Following the surprise tests of nuclear weapons by both India and Pakistan in 1998] Director of Central Intelligence (DCI) George Tenet asked retired Admiral David Jeremiah to review the record to see what had led to this failure to warn the administration. While the report remains classified, Admiral Jeremiah noted at his June 1998 press conference that his ‘bottom line is that both the intelligence and the policy communities had an underlying mindset going into these tests that the BJP [Bharatiya Janata Party—the newly governing Indian party] would behave as we behave.’”
George, p. 317.

The Jeremiah panel
“Going further, Admiral Jeremiah proposed that CIA analysts be more aggressive in thinking through how the other side might behave: ‘you could argue that you need to have a contrarian view that might be part of our warning process, ought to include some divergent thinkers who look at the same evidence and come to a different conclusion and then you test that different set of conclusions against other evidence to see if it could be valid.’”
George, p. 317.

The Rumsfeld Commission
“Almost simultaneously [with the Jeremiah panel], the 1998 Commission to Assess the Ballistic Missile Threat to the United States [headed by Donald Rumsfeld] issued a similar assessment. It found ‘analysts unwilling to make estimates that extend beyond the hard evidence they had in hand, which effectively precluded developing and testing alternative hypotheses about actual foreign programs taking place.’”
George, p. 317.

The 9/11 Commission
[Writing to Donald Rumsfeld and referring to a plot to crash] “an explosives-laden plane into CIA headquarters,” [Wolfowitz] “wondered why so little thought had been devoted to the danger of suicide pilots, seeing a ‘failure of imagination’ and a mind-set that dismissed possibilities.”
9/11 Commission Report, p. 336.

The 9/11 Commission
“It is therefore crucial to find a way of routinizing, even bureaucratizing, the exercise of imagination. Doing so requires more than finding an expert who can imagine that aircraft could be used as weapons.”
9/11 Commission Report, p. 344.

The WMD Commission
“The widely recognized need for alternative analysis drives many to propose organizational solutions, such as ‘red teams’ and other formal mechanisms…. Any such organs, the creation of which we encourage, must do more than just ‘alternative analysis,’ though. The Community should institute a formal system for competitive—and even explicitly contrarian—analysis.”
WMD Commission Report, p. 170.

The WMD Commission
“Perhaps most important, however, is the view that the Intelligence Community should not rely upon specialized ‘red team offices,’ or even individual ‘red team exercises’ to ensure there is sufficient independent analysis. Rather, such independent analysis must become a habitual analytic practice for all analysts.”
WMD Commission Report, p. 170.

Red teaming in legislation
The reports emerging from expert panels have informed Congress and led to legislation directing the government to undertake red teaming. Two examples include
• the Intelligence Reform and Terrorism Prevention Act of 2004 and
• the FY 2006 Homeland Security Authorization Act.

2004 Intelligence Reform Act
“Sec. 1017. ALTERNATIVE ANALYSIS OF INTELLIGENCE BY THE INTELLIGENCE COMMUNITY
a) IN GENERAL—Not later than 180 days after the effective date of this Act, the Director of National Intelligence shall establish a process and assign an individual or entity the responsibility for ensuring that, as appropriate, elements of the intelligence community conduct alternative analysis (commonly referred to as ‘red-team analysis’) of the information and conclusions in intelligence products.”
Intelligence Reform and Terrorism Prevention Act.

Homeland Security Authorization Act
“The Act requires DHS to apply red team analysis to terrorist use of nuclear weapons and biological agents. As terrorists seek to exploit new vulnerabilities, it is imperative that appropriate tools be applied to meet those threats. The Act will broaden the intelligence process, thereby strengthening preemptive capabilities.”
FY 2006 Homeland Security Authorization Act, Sec. 214 [p. 9].

A variety of definitions
For every red team that exists, a slightly different definition of red teaming also exists. That said, most definitions emphasize a common set of principles. I review nine representative definitions and then identify the principles.

Definition A
“[A red team is] a group of subject-matter experts (SME), with various, appropriate air and space disciplinary backgrounds, that provides an independent peer review of products and processes, acts as a devil's advocate, and knowledgeably role-plays the enemy and outside agencies, using an iterative, interactive process during operations planning.”
Malone and Schaupp.

Definition B
“The red team is a group of subject matter experts (SMEs) of various appropriate disciplinary backgrounds who provide an independent peer review of plans and processes; act as the adversary’s advocate; and knowledgeably role-play the adversary, using a controlled, realistic, interactive process during operations planning, training, and exercising.”
Homeland Security Exercise and Evaluation Program

Definition C
“[Red teaming is an] authorized, adversary-based assessment for defensive purposes…. Adversary-based means accounting for the motivation, goals, knowledge, skills, tools, and means of one or more adversaries”
Sandia Labs’ Information Design Assurance Red Team (IDART)

Definition D
“[Red teaming] can mean role-playing the adversary, conducting a vulnerability assessment, or using analytical techniques to improve intelligence estimates. While these definitions seem unrelated, they have in common the goal of improving decision making.”
Longbine, abstract.

Definition E
“Defined loosely, red teaming is the practice of viewing a problem from an adversary or competitor’s perspective. The goal of most red teams is to enhance decision making, either by specifying the adversary’s preferences and strategies or by simply acting as a devil’s advocate.”
Red Team Journal

Definition F
“Our usage of the term red team includes not only ‘playing’ adversaries or competitors, but also serving as devil's advocates, offering alternative interpretations (team B) and otherwise challenging established thinking within an enterprise.”
DSB Red Teaming Task Force Final Report, p. 1.

Definition G
“The term red teaming is commonly used to depict processes designed to bring a devil’s advocate perspective by exposing flaws and gaps in our ideas, strategies, concepts, and other new proposals.”
Sandoz, p. 1

Definition H
“‘Red-teaming’ is seeking to get inside the heads of adversaries, not asking what we would do if we were them but creatively trying to ask what they might do given their own goals, culture, organization, and the like.”
Treverton, p. 17n.

Definition I
“The term red team comes from American military war gaming, where the blue team was traditionally the United States and, during the Cold War, the red team was the Soviet Union. In this context, red teaming is defined as teams of executives ‘playing’ the ‘enemy’ to understand what the competitive context (and competitor moves) will be in some potential future.”
Beck, p. 21.

Common definitional elements
• Arguably the most common principle emphasized in these definitions is that red teams view problems from an adversary’s perspective or a contrarian point of view.
• A second principle worth noting is that red teams assist decision makers. They typically do not act apart from a client or decision maker’s specific need, whether this need is to “optimize systems” or “[improve] decision making.”

Applications of red teaming
“Businesses, civilian government agencies, and the military use red teaming to test concepts, hypotheses, and operational plans in a controlled manner using understood tactics, techniques, and procedures (TTPs) or situations. For example, businesses use red teams to simulate the competition; government organizations use red teams as ‘hackers’ to test the security of information stored on computers or transmitted through networks; the military uses red teams to address and anticipate enemy courses of action.”
Ambrose and Ahern, p. 136.

Applications of red teaming
“Red teaming is a term that describes a variety of exercise activities. The most basic level of red teaming is to conduct peer review of plans and policies to detect vulnerabilities or perhaps to simply offer alternative views of scenarios. Another definition [or application] of red teaming is an interactive process conducted during crisis action planning to assess planning decisions, assumptions, processes, and products from the perspective of friendly, enemy, and outside organizations.”
Meehan.

Applications of red teaming
“…‘red teams’ can be used to help ensure that information systems will meet security challenges. ‘Red team’ activities can range from threat or attack exercises to critical reviews of security procedures.”
Anderson, et al, p. 72.

Applications of red teaming
“The value of red teaming is twofold. First, it is arguably the best tool for raising security awareness in an organization. Most red teams discover known security holes for which known fixes, configurations, or patches have not been applied or where compensating security procedures are not in effect or not being enforced…. Second, red teaming is useful for ensuring that correct security configurations are maintained for the system.”
National Research Council, p. 72.

Applications of red teaming
• At least in principle, red teaming can support decision making in almost any context: security, short- or long-term strategy, engineering design, and even personal decisions.
• As suggested by the definitions, red teams may engage in planning, audits, exercises, or studies and analysis.
• Different organizations tend to define the scope of red teaming differently depending on the nature of the organization’s mission.

Sandia’s IDART Ex
• Sandia’s Information Design Assurance Red Team (IDART) “provides independent assessments of critical information systems that are performed from an adversary point-of-view…”
• Sandia’s red team has hosted a variety of conferences and training courses in the past few years.
Sandia Labs’ Information Design Assurance Red Team (IDART)

U.S. Army’s UFMCS Ex
• In 2005 the U.S. Army launched its University of Foreign Military and Cultural Studies (UFMCS).
• The purpose of the initiative is to “[provide] the Army a force-wide Red Teaming capability at the unit of action through unit of employment operational levels” and train Army officers to “look at problems from the perspectives of the adversary…”
U.S. Army Training and Doctrine Command

Categories of red teaming
• In the next two slides, I characterize the purpose and functions of various types of red teaming. I follow these slides with a listing of eight red teaming types developed by Sandia Labs.
• Given the variety of possible applications and settings, it is unlikely that any categorization can capture the full variety of possible red teaming activities. In fact, variety indicates possible innovation, specialization, and adaptation.
• That said, categories and types facilitate discussion and comparison.

Passive
Purpose: Understand
Functions:
• Help BLUE better understand RED, BLUE, and how RED and BLUE view each other.
• Clarify BLUE assumptions and expose biases.
Examples:
• Various intelligence, military, and commercial planning efforts (implicit).
Purpose: Anticipate
Functions:
• Anticipate possible RED courses of action.
• Avoid surprise.
• Better shape BLUE’s courses of action.
Examples:
• Threat, risk, or vulnerability assessments (implicit and explicit).
• The military decision making process.
Mateski, “Toward a Red Teaming Taxonomy, 2.0,” Red Team Journal.

Active
Purpose: Test
Functions:
• Probe or penetrate BLUE systems or security.
• Identify and explore vulnerabilities.
• Explore and test RED COAs and BLUE countermeasures interactively.
Examples:
• Penetration testing (physical and IT).
• Some military exercises and experiments.
Purpose: Train
Functions:
• Teach BLUE how RED thinks and operates.
• Prepare BLUE to respond to possible RED courses of action.
Examples:
• National Training Center opposition force (OPFOR), Top Gun, and so on.
• TOPOFF exercises.
Mateski, “Toward a Red Teaming Taxonomy, 2.0,” Red Team Journal.

The IDART/RT4PM types
As part of their RT4PM course, Sandia has identified eight types of red teaming:
• design assurance red teaming,
• red team hypothesis testing,
• red team gaming,
• behavioral red teaming,
• red team benchmarking,
• operational red teaming,
• analytical red teaming, and
• penetration testing.
Sandia Labs’ Information Design Assurance Red Team (IDART), RT4PM.

The continuing need for red teaming
“Whether you run a corporation or a country, the stakes are high, and business as usual is no longer good enough. More than ever, you need to know what your competitors and opponents are thinking. You need to overcome your organization’s biases and generate creative, resourceful strategies that work. You need to anticipate the next crisis, prevent it if possible, and respond swiftly and effectively if not.”
Mateski, “A Call for a Red Teaming Surge,” Red Team Journal.

Sources
• Ambrose, Fred, and Beth Ahern. “Unconventional Red Teaming.” In Anticipating Rare Events: Can Acts of Terror, Use of Weapons of Mass Destruction or Other High Profile Acts Be Anticipated? 2008.
• Anderson, Robert H., et al. Securing the U.S. Defense Information Infrastructure. Santa Monica, CA: RAND, 1999.
• Beck, John C. “Responding to Global Crises Using the Change Cycle.” In Thunderbird on Global Business Strategy, by Thunderbird, The American Graduate School of International Management, 384. New York: John Wiley & Sons, 2000.
• Davis, Jack. “Why Bad Things Happen to Good Analysts.” In Analyzing Intelligence: Origins, Obstacles, and Innovations, by Roger Z. George and James B. Bruce. Washington, DC: Georgetown University Press, 2008.
• Final Report. Defense Science Board Task Force on the Role and Status of DoD Red Teaming Activities, U.S. Dept. of Defense, 2003.
• Fishbein, Warren, and Gregory Treverton. Rethinking “Alternative Analysis” to Address Transnational Threats. Occasional Papers: Volume 3, Number 2, The Sherman Kent Center for Intelligence Analysis, 2004.
• FY 2006 Homeland Security Authorization Act, Sec. 214.
• George, Roger Z. “Fixing the Problem of Analytical Mindsets.” In Intelligence and the National Security Strategist, by Roger Z. George and Robert D. Kline. Lanham, MD: Rowman & Littlefield, 2006.
• Handel, Michael I. War, Strategy, and Intelligence. London: Frank Cass, 1989.
• Intelligence Reform and Terrorism Prevention Act of 2004. Public Law 108-458. December 2004.
• Longbine, David F. Red Teaming: Past and Present. Monograph. Fort Leavenworth, KS: School of Advanced Military Studies, United States Army Command and General Staff College, 2008.
• Malone, Timothy G., and Reagan E. Schaupp. “The ‘Red Team’: Forging a Well-Conceived Contingency Plan.” Aerospace Power Journal, June 2002.
• Mateski, Mark. Red Team Journal. November 11, 2008. http://redteamjournal.com/2008/11/a-call-for-a-red-teaming-surge/ (accessed June 2009).
• —. Red Team Journal. September 2004. http://redteamjournal.com/2008/09/toward-a-red-teaming-taxonomy-20/ (accessed June 2009).
• Meehan, Michael K. “Red Teaming for Law Enforcement.” The Police Chief, February 2007.
• National Research Council. Network-Centric Naval Forces: A Transition Strategy for Enhancing Operational Capabilities. Washington, DC: The National Academies Press, 2000.
• Sandia Labs’ Information Design Assurance Red Team (IDART). 2009. http://idart.sandia.gov/ (accessed June 2009).
• —. 2009. http://idart.sandia.gov/methodology/RT4PM.html (accessed June 2009).
• Sandoz, John. Red Teaming: A Means to Military Transformation. IDA Paper, Alexandria, VA: Institute for Defense Analyses, 2001.
• The 9/11 Commission Report: Final Report of the National Commission on Terrorist Attacks Upon the United States. New York: W. W. Norton & Co., 2004.
• The Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction: Report to the President of the United States. Final Report. U.S. Government, 2005.
• Treverton, Gregory F. The Next Steps in Reshaping Intelligence. RAND Occasional Paper, Santa Monica, CA: RAND Corporation, 2005.
• U.S. Army, Training and Doctrine Command. 2005. http://www.tradoc.army.mil/pao/tnsarchives/July05/070205.htm (accessed June 2009).