So, you’ve decided to red team your system. Now you can sit back and wait for the insights to roll in, right? Wrong. When you’re running a red team, you need to be just as savvy as the red team (if not more so). Here are five interconnected caveats and guidelines you should consider before unleashing your team’s relentless cunning.
1. Red teamers are human. They can be wrong, and they can be just as spectacularly wrong as anyone else. Understand their biases and question their results just as you would question any results. If you have the time and the money, run more than one red team and compare their results.
2. Not every red teamer is an angel. Although it’s unlikely, a red teamer can steal information, plant false fears, and directly undermine your system. Carefully research your red team (see number five, below). Consider assigning a trusted, knowledgeable advisor to “shoulder surf” the red team now and then during the engagement. And always be cautious. Remember that even if your red teamers work full-time for your company, they might be working for someone else a year from now.
3. Red teamers can break things. Even when red teamers have no malicious intent, they can unintentionally damage your systems. If you want to red team a critical system, consider how to frame the red team’s rules of engagement to limit your risk, and always put it in writing. (Actually, you should always do this, even when you believe you’re not red teaming a critical system.)
4. The red team is not your adversary (or adversaries). Your red team can try to mimic your adversary, but your red team and your adversaries are different people, often with different cultures and usually with different perspectives and preferences. (See RTJ Red Teaming Law #20.) Factor this into your assessment of the red team’s results, and weigh it carefully when you feed the results into your risk management process.
5. Red teams vary in quality. The best red teams don’t just think about how to challenge things; they also think about red teaming. They have experience and have learned from that experience. See “Step three—identify the right red team” at Sandia’s IDART™ “Red Teaming for Program Managers” page for a good set of questions to ask your prospective red team.
And finally, learn about red teaming yourself. In order to run a red team effectively, you need to know what red teaming is, how it works, and what its strengths and weaknesses are. Simply hiring or launching a red team and walking away until its work is done is at best a possible waste of your money and at worst a foolish risk. Of course, no set of guidelines can guarantee a successful red teaming engagement, but you can arm yourself with solid research and the right questions. Now, “Go Forth and Red Team.”