Analytical Red Team Exercises for Irregular Conflict

Irregular conflict–terrorism, insurgency, and criminal warfare (“criminal insurgency” and transnational organized crime)–is a complex challenge to many states. Ranging from street gangs (“local insurgencies”) to drug/crime wars (“criminal insurgencies”) through transnational criminal or extremist networks challenging regions, these threats require intelligence and analysis to understand and forecast potentials and craft interagency, intergovernmental solutions. Adaptive, analytical red teaming is a process of refining tradecraft for indications and warning (for a range of scenarios along the spectrum of current intelligence, early warning through strategic foresight). Specifically, analytical red teaming places a team of analysts against an active red team simulating a criminal opposing force, or forces. This short paper will describe the process and briefly recap the experience of two adaptive, analytical red team exercises (Operation Talavera and Operation Chimera) conducted by the Los Angeles Terrorism Early Warning (TEW) Group. Lessons learned and suggestions for refining the process, as well as conducting future red team exercises for irregular threats, will be discussed.

Red Teaming

Public safety and security agencies are faced with a wide array of evolving and converging threats. Understanding, anticipating, and identifying specific threats or attacks requires well-developed skills, experience, and analytical prowess. Red teaming, or the use of “red cells” that simulate an adversary’s mindset, operational preferences, capabilities, and tactical style (modus operandi), can be integrated within the analytical framework to enhance skills for identifying threats (i.e., indications and warning), and conducting assessments (i.e., operational net assessment).
      Red teaming involves a range of approaches to create insight into threats and adversaries. These approaches originally focused on detecting physical vulnerabilities and have been expanded to methods that facilitate understanding of an adversary’s capabilities and intentions. Potential attack vectors, including tactics, techniques, and procedures (TTPs) likely to be faced, and an understanding of the “event horizon” that may be encountered, including specific attack sequences or “kill chains” likely to be employed, are also included in this approach. Adaptive red teaming combines iterative analytical and physical approaches to understand potential adversary courses of action. Analytical red teaming involves methods of getting into an adversary’s unique “mindset.” That is, analytical red teaming looks to gain insight into the adversary’s goals, leadership styles, key decision points in their operations, organizational dynamics, and targeting preferences.1 When will they attack, what targets will they select, what tactics will they employ? In addition, from this foundational set of questions, what indicators can we observe to disclose their current operational state and the progress of their activities?
      Adaptive, analytical red teaming can be employed both as an analytical tool and as a means of training and enhancing analytical teams. This paper describes the use of an adaptive, analytical red team during two counterterrorism exercises conducted in Los Angeles County by the Los Angeles Terrorism Early Warning (TEW) Group. These exercises were Operation Talavera (2004) and Operation Chimera (2005). The Terrorism Early Warning Group (TEW) concept emerged in Los Angeles in 1996 as a way to bridge the gaps in traditional intelligence and security structures. The TEW embraced a networked approach to intelligence fusion and directed its efforts toward intelligence support to regional law enforcement, fire, and health agencies involved in the prevention of and response to terrorist acts.2 The TEW operated from 1996 to 2009 and has been succeeded by other fusion center efforts; nevertheless, the experience gained by the TEW, including experience with adaptive, analytical red team exercises, remains valuable.

Operation Talavera

Operation Talavera consisted of 24 exercises focused on a threat scenario in Los Angeles County. These exercises ranged from orientation seminars and tabletop discussions to functional exercises. One of these exercises was a Terrorism Early Warning Group Functional Exercise that sought to build capacity to perform indications and warning for a pending terrorist attack involving a specific threat scenario. The analysts utilized Intelligence Preparation for Operations (IPO) and the “Transaction Analysis Cycle” as a tool for conducting operations.3
      The Operation Talavera TEW Functional Exercise was held on 14 July 2004. A total of 26 players or simulators and five controllers were involved.4 Among this group was a red cell simulating the terrorist opposing force. The red cell was assembled from skilled practitioners with a mix of applicable skills.5
      This exercise was a full immersion and totally “prevention” oriented exercise. The goal of the exercise was to enhance the participants’ proficiency in developing indications and warning (I&W) and conducting iterative operational net assessments of the precursors to a developing attack. The exercise emphasized all-source intelligence collection and fusion in support of multiple allied law enforcement agencies working informants, tips, and leads. Additionally, because the TEW was uniquely structured around a multi-disciplinary unified command organization composed of personnel from fire, law, and health agencies, information was also collected through non-law enforcement channels, adding to the depth and robustness of the analysis.
      During the exercise, the TEW and its members performed exceptionally well. Within a short period of time, the TEW was able to establish a threat picture based on less-than-obvious indications of a developing threat. The TEW was further able to rapidly identify possible target sites and, based on an assessment of potential threat elements, develop indications and warning (I&W) criteria, recommend random anti-terrorism measures—including the simulated increase in surveillance of potential target sites—and conduct a rapid operational net assessment. Additionally, the TEW cadre generated and disseminated multiple alerts and advisories, ensuring actionable intelligence was provided to field units, Departmental Operations Centers (DOC) and emergency managers across the operational area.
      The Operation Talavera TEW Functional Exercise was the first known preventive, predictive exercise in the United States designed to recognize signs of a pending terrorist attack using indications and warning (I&W) analysis in the civil environment. It was also the first functional exercise of the TEW. In this exercise, participants demonstrated the capability to formulate a targeted intelligence collection plan utilizing pre-attack indicators. In addition, the group was able to produce and refine a baseline mission folder (to guide response and facilitate development of incident action plans) for the given threat scenario and conduct preliminary and refined net assessments.
      Finally, the analytical cadre was able to conduct a threat analysis of the opposing force (OPFOR) and alternative potential threat elements (PTEs), enabling them to simulate dissemination of alerts and advisories, identify specific at risk targets, and prepare and conduct an operational intelligence briefing.
      The cadre of analysts benefited from the real-time interaction with red team simulators that were able to adapt the flow of exercise injects based upon realistic operational considerations. Rather than playing against a static threat scenario, the analysts and red cell were able to develop a realistic analytical operational tempo.
      Operation Talavera demonstrated the value of a red team approach to counterterrorist analysts’ training, exercising, and operational planning. As a result of this successful application of a red team exercise, it was decided that the approach would be integrated into the TEW’s ongoing skills development and analytical processes.

Operation Chimera

In 2005, the Los Angeles County exercise program implemented Operation Chimera, to build upon and incorporate lessons learned and after-action report/improvement plan recommendations from the previous year’s Operation Talavera. The goal was to enhance capability to respond to and recover from a given threat scenario. Operation Chimera consisted of 37 progressive exercises based on the threat scenario (a different scenario from the one employed in Operation Talavera). The Operation Chimera Terrorism Early Warning (TEW) Group Functional Exercise was conducted on 30 August 2005 in Los Angeles.
      The Operation Chimera scenario involved a threat envelope culminating in the threat event. The TEW functional exercise component was four hours in duration. The focus in this scenario was to manage the dynamic intelligence analysis and assessment process during the “trans-threat” period. That is, the goal was effective information management and threat assessment during an unfolding scenario–an attack in progress. Participants included the TEW cadre drawn from the same agencies that played in the Operation Talavera TEW Functional exercise the year prior. A four-member red cell participated to enhance situational realism and challenge the analytical team.
      Throughout the exercise the TEW was able to recognize, validate, and appropriately disseminate the various pieces of intelligence generated during the course of the exercise. This included ruling out disinformation and unrelated injects. Significant improvements in information management capabilities within the TEW since the previous year’s Operation Talavera exercise were also observed, demonstrating the value of iterative exercises as a means of enhancing both individual analytical skills and team performance. The Operation Chimera analytical exercise provided participants with an opportunity to evaluate current prevention, deterrence and response concepts, plans, and capabilities for responding to a terrorist incident. In addition, it focused on interagency emergency management coordination, critical decisions and the integration of assets necessary to minimize casualties following an incident.
      In preparation for playing in this exercise, the TEW was provided with simulated intelligence injects regarding the scenario weeks (simulating months) prior to the exercise. This replicated realistic threat developments and provided an opportunity for both a “warm start” and to experience the transition of information flows during a threat period into an evolving attack (the “trans-attack” phase). As a result of the pre-exercise “intelligence preparation,” the TEW was poised for and monitored the possibility of an al-Qaeda-inspired event in the continental United States. In addition, the exercise exploited real-time, actual event data to help refine skills in discerning background versus scenario-related events.
      During the Operation Chimera functional exercise, the TEW continued to monitor intelligence related to the possibility of a terrorist threat, including information related to potential Chechen and/or al-Qaeda involvement and the purchased use of surrogates (gang members). Based on all information received, the TEW determined that a terrorist incident was imminent and requested the simulated activation of the County Emergency Operations Center (CEOC) and issued simulated alerts to law enforcement and other agencies.
      The Operation Chimera TEW Functional Exercise built upon the experiences in Operation Talavera the year before. It was the second known preventive, predictive exercise in the United States, and perhaps the first designed to disrupt or deter a terrorist attack. Indeed, during exercise play, the analytical cadre could have disrupted the simulated attack, but the adaptive red cell (together with exercise control) adapted the scenario and modified injects to drive play toward an actual attack so the cadre could develop skills for a supporting response.
      In this exercise, participants demonstrated the capability to formulate a targeted intelligence collection plan to gather and assess pre-attack indicators. In addition, the cadre produced and refined a baseline mission folder for the threat scenario, conducted preliminary and revised operational net assessments, and conducted a threat analysis of the opposing force (OPFOR) and alternative potential threat elements (PTEs). They also disseminated simulated alerts and advisories and identified specific at-risk targets. In addition to preparing and conducting an operational intelligence briefing, they also exercised the ability to provide expert analysis and assessment to emergency operations personnel involved in the mission planning and future operations planning processes.

Lessons Learned

The application of adaptive, analytical red teaming to the training and exercise process for an interdisciplinary threat assessment team was successful in these two exercises. Analysts who participated in the process refined and enhanced their individual skills, and the team as a whole benefited from the process. The use of a skilled red cell to stimulate analytical rigor was also valuable. Using a red cell in the exercise process enhanced the ability of exercise controllers to moderate play by providing realistic threat dynamics and a viable operational tempo. Both exercises incorporated information based on actual intelligence and detailed case debriefs of historical terrorist attacks and actual terrorist group dynamics and strategic preferences.
      Preparation for both exercises required considerable effort. Detailed assessments of the actual operating environment, potential adversaries (terrorists, gangs, and organized crime that could likely pose a threat), realistic assessment of illicit flows that could support a terrorist logistical supply chain, and knowledge of the actual response and intelligence infrastructure were also required. In addition, an understanding of the current skill level and state of analytical practice was required not only to make the play realistic and achievable but also to drive the team to perform at higher levels. This was the first time this group of players had played against an analytical red team; thus, players were skeptical of the value of active competitive exercise play. Before play, some questioned the potential value of the adaptive red team. After the exercise was completed, the initially skeptical players commented on the value of competing against a realistic adversary.
      Finally, since realistic adaptive, analytical red team exercising involves rigorous analytical practice, the analytical team needs comprehensive training in a wide range of analytical approaches and methods in order to derive optimal benefit from immersive exercise play against a skilled adversary (this is equally true in actual analytical practice). These exercises demonstrated the value of red teaming as a means of enhancing analytical skills for indications and warning and operational net assessment. From this experience, it appears that this methodology may also be valuable in supporting strategic forecasting and as a means of developing alternative analysis scenarios to assess future threat potentials. This methodology appears to have particular promise for enhancing analytical practice to discern the various operational dynamics of a range of threat actors needed to counter irregular threats, including terrorism, insurgency, organized crime, and gangs.

John P. Sullivan is a career police officer. He currently serves as a lieutenant with the Los Angeles Sheriff’s Department. He is also an Adjunct Researcher at the Vortex Foundation; Senior Research Fellow at the Center for Advanced Studies on Terrorism; Senior Fellow at the Stephenson Disaster Management Institute, Louisiana State University; and Senior Fellow at Small Wars Journal-El Centro. Mr. Sullivan is co-editor of Countering Terrorism and WMD: Creating a Global Counter-Terrorism Network (Routledge, 2006), and Global Biosecurity: Threats and Responses (Routledge, 2010). He is co-author of Mexico’s Criminal Insurgency: A Small Wars Journal-El Centro Anthology (iUniverse, 2012). His current research focus is the impact of transnational organized crime on sovereignty in Mexico and other countries. Mr. Sullivan holds a bachelor of arts in government from the College of William and Mary and a master of arts in urban affairs and policy analysis from the New School for Social Research (Milano School).

  1. John P. Sullivan and Adam Elkus, “Adaptive Red Teaming: Protecting Across the Spectrum,” Red Team Journal Occasional Paper 01, July 2010.
  2. John P. Sullivan and James J. Wirtz, “Terrorism Early Warning and Counterterrorism Intelligence,” International Journal of Intelligence and CounterIntelligence, 2008, 21(1):13-25.
  3. See John P. Sullivan, “Terrorism Early Warning and Co-Production of Counterterrorism Intelligence,” paper presented to Canadian Association for Security and Intelligence Studies, CASIS 20th Anniversary International Conference, Montreal, Quebec, Canada, 21 October 2005 (available at http://www.projectwhitehorse.com/pdfs/6.%20CASIS_Sullivan_paper1.pdf) for a discussion of TEW tools including Intelligence Preparation for Operations (IPO).
  4. Participating agencies included the Los Angeles Terrorism Early Warning Group, Los Angeles County Sheriff’s Department, Los Angeles Police Department, Los Angeles Airport Police, Los Angeles County Fire Department, Los Angeles County Office of Emergency Management, Los Angeles County Department of Public Health, and the Federal Bureau of Investigation.
  5. These skills included intelligence analysis, counterterrorism, mission planning, area studies specialists, emergency operations, and counterinsurgency/irregular warfare in military and civil environments.