Pre- and Post-Event Red Teaming

In December 2008, we posted a short article on Red Team Journal discussing a simple hierarchical model of surprise. We divided the elements of surprise into three levels: strategic (who, why); operational (how, what); and tactical (when, where). If you view the model as a pyramid, the strategic level is the base, the operational level is the middle, and the tactical level is the apex. As we observed at the time, “… a red team will probably not anticipate elements of a higher level correctly if it misreads elements of a lower level. Conversely, a red team that correctly identifies elements of a lower level is more likely to anticipate elements of a higher level.”
      For example, if you understand the who and the why, you are more likely to be able to identify the how and the what. Most red teams will not (and probably should not) address the when and the where; the number of possibilities expands tree-like as you move from the strategic to the operational to the tactical, and the tactical is very difficult to anticipate without specific intelligence.
      What is interesting is how the model looks different pre- and post-event. Pre-event, the strategic is usually the most easily discerned and the tactical the most opaque; post-event, the tactical is known, while the strategic may remain opaque. In fact, this latter case represents a particularly painful form of surprise: you know what’s happened but you don’t know who did it or why. Not knowing the who or the why, it becomes difficult to anticipate the next when and where.
      The advantage you hold post-event is that you’ve learned something about the adversary’s preferences at the operational and tactical levels. These new pieces of information can help you deduce the who and the why, and they probably reveal something about the next how, what, when, and where. The key point is that you’ve learned something, and if you decide to red team post-event, you should emphasize precisely what you learned.
      You should also consider the possibility that the adversary is playing a hypergame. Perhaps the adversary wants you to learn the wrong thing from the event and designed the event to lead you down a false path. Not knowing the who or the why, however, makes it very difficult to perceive possible hypergame variations.
      All of this suggests a post-event role for a red team. Post-event red teams can help you walk away with the right lessons and avoid misperceiving or misinterpreting emerging evidence. Based on what you’ve learned, post-event red teams can also help you recalibrate your surprise hierarchy and chart new, more likely paths through the hierarchy.
      Of course, nearly every red team is in a sense a post-event red team. Pre-event happenings nearly always exist, and the superior red team will know which ones to emphasize and which ones to discount. This is one reason it is so important to field a superior red team; inferior red teams tend to absorb the wrong lessons and heed the wrong warnings. If this sounds a lot like a mind game, it is, and the most dangerous adversaries know it. One of the red team’s most important jobs is to filter what you are “learning” from events and turn the adversary’s game against him.
