It might just be us, but it seems as if red teaming is getting some additional attention lately. As proof, we offer these recent articles:
Next level red teaming: Working behind enemy lines
Stealing, scamming, bluffing: El Reg rides along with pen-testing ‘red team hackers’
(And if you don’t follow our Twitter feed, consider doing so. We post links to articles like this regularly there.)
Red teamers can be annoying. Sometimes the annoyance is justified, sometimes not. After all, who likes to be told that they overlooked a key assumption or failed to implement a sensible practice. It’s not surprising that many people resist even the idea of red teaming.
As red teamers, we often lament the shortsightedness of this resistance. What we don’t discuss very often is the uncomfortable fact that we often aggravate and perpetuate it. Yes, we can be self-satisfied and snobbish. And why not? We spend our days thinking about important things other people ignore, neglect, and overlook. Even when we’re not snobbish and condescending (honest!), we have to work twice as hard not to be perceived as such. That’s just the nature of the game. Read on …
You never really understand a person until you consider things from his point of view . . . until you climb in his skin and walk around in it.”
– Atticus Finch to Scout in Harper Lee’s To Kill a Mockingbird.
This is the heart of adversarial red teaming, right?—to consider a problem from the adversary’s perspective. Kind of . . . what Atticus advocates is something more, something elusive, and something many red teamers unthinkingly overlook: genuine empathy. Read on …
At times during this election season I felt as if I were living in a house of mirrors. With leaks, allegations, and counter-allegations sprouting like weeds, I wondered how, as a citizen, I could discern anything close to the truth. As red teamers, we often face a similar dilemma. Sometimes we just don’t know enough to draw actionable conclusions from the available information. Sometimes all the normative decision making approaches in our toolkit can’t compensate for the degree of uncertainty we face. Sometimes we’re forced to rely on our intuition—knowingly—while seeking new and better information. Sometimes we find opportunity in the ambiguity and uncertainty, but typically the very worst thing we can do is assert certainty where none can reasonably exist. As a Robert Heinlein character says in the short story “Space Jockey,” “What good is seven-place accuracy with bum data?”
You might be surprised to learn that I don’t believe red teaming always works. You might be even more surprised that I believe red teaming can sometimes do more harm than good. Here are seven red flags that might indicate that you need to review and perhaps reconsider how your red team goes about its business. Read on …
Pentesting can be an enormously valuable service, but we must be aware enough when hiring or employing a pentester to balance both the advantages and disadvantages of the practice. Yes, it can reveal holes in our security, but it can also promote an illusion of security. Further, while it can help validate our current security efforts, it can, if handled poorly, itself become a potential source of misperception and even vulnerability. Before opening our systems and operations to pentesters, we should consider the following caveats, cautions, and questions: Read on …
To understand the Russian approach to strategy and conflict, we must first understand something about the concept of reflexive control. Initially developed and championed by Vladimir Lefebvre, it’s a uniquely Russian view on stratagem and deception that repackages and reframes much of what we usually associate with Sun Tzu. If we expect deception and stratagem from China but not from Russia, we’ve set yourself up to be surprised. We’d be foolish to assume that the Russians are not currently employing reflexive control against the West.
By definition, reflexive control is “a means of conveying to a partner or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action.” In other words, when employing the theory of reflexive control, you paint a picture of the world, that, if successful, your opponent accepts. This false picture compels your opponent to act in your favor. A close term in the U.S. lexicon is “perception management,” although the tone of reflexive control is arguably broader and more Machiavellian. Read on …
I just added two new quotes to our red teaming quotes page (with a bit of additional commentary on each there). The first is from Polybius, the second from Miyamoto Musashi.
It is to be ignorant and blind in the science of commanding armies to think that a general has anything more important to do than to apply himself to learn the inclinations and character of his adversary.
The way to win any battle according to military science is to know the rhythms of the specific opponents, and use rhythms that your opponents do not expect, producing formless rhythms from rhythms of wisdom.
I discovered both quotes in Barton Whaley’s outstanding book on deception, Practice to Deceive.
I just finished a draft chapter in my book, and I thought I’d add to my set of running thoughts with a new post. So far, it’s involved quite a bit of reading and integrating, and it helps me to push aside the stacks of books and think about exactly what it is I think I’m learning.
Now that I’ve said I’m sympathetic to Clausewitz’s portrayal of war as a complex system, I have to balance that by saying that I believe the traditional Eastern strategists possess a superior understanding of systems-in-action. What’s more, they aren’t bound by the more structured Greek modes of thought and the Western bias for direct action. Because of this, Eastern strategies and stratagems tend to be more artful than those we find in the writings of Clausewitz, Jomini, and, indeed, most modern Western strategists. Not surprisingly, the Western strategists who do exhibit Eastern shrewdness (Liddell Hart, Boyd) borrowed heavily from the East.
My issue with the traditional Eastern strategists is that they largely dismiss the potentially ravaging effects of uncertainty. They believe that their philosophy and methods eliminate uncertainty. By flowing with the system and nudging it when necessary, they deem to manage it. The question is whether they can. I’ll explore that question in my book.
I mentioned in the previous post, that my RTJ output has declined because I’ve been working on a book. Although I won’t be serializing it here on RTJ, I will from time to time share some things I’ve learned along the way.
So far, one of the biggest lightbulb moments for me has been my reassessment of Clausewitz. I’ve long been familiar with his main contributions as well as some of the more common criticisms of his work. It wasn’t until I started digging more deeply into the Eastern way of war, though, that I began to fully appreciate the value of the “Clausewitzian” perspective. Read on …