I spoke briefly yesterday with a gentleman who runs a successful pentesting company. For the most part, I get what he does, but I don’t think he got what I do, nor did he seem inclined to ask any questions to find out exactly what that might be. (At one point, he described my version of red teaming as “sitting around thinking,” which, of course, doesn’t make money!)
The misunderstanding just might be my fault. I realized today that I need a better method of describing how successful red teaming addresses the whole system even if the red team ultimately only “attacks” a portion of it. I’ve tried before (here and here), but until I get it right, I’m going to keep trying.
It might just be us, but it seems as if red teaming is getting some additional attention lately. As proof, we offer these recent articles:
- Next level red teaming: Working behind enemy lines
- Stealing, scamming, bluffing: El Reg rides along with pen-testing ‘red team hackers’
(And if you don’t follow our Twitter feed, consider doing so. We post links to articles like this regularly there.)
Red teamers can be annoying. Sometimes the annoyance is justified, sometimes not. After all, who likes to be told that they overlooked a key assumption or failed to implement a sensible practice. It’s not surprising that many people resist even the idea of red teaming.
As red teamers, we often lament the shortsightedness of this resistance. What we don’t discuss very often is the uncomfortable fact that we often aggravate and perpetuate it. Yes, we can be self-satisfied and snobbish. And why not? We spend our days thinking about important things other people ignore, neglect, and overlook. Even when we’re not snobbish and condescending (honest!), we have to work twice as hard not to be perceived as such. That’s just the nature of the game.
The pleasant little 1968 comedy Hot Millions starring Peter Ustinov and Maggie Smith features an interesting moment relevant to red teamers. (If you haven’t seen the movie but intend to, stop reading here.) Ustinov plays a compulsive embezzler. After serving time in gaol (that’s “jail” for us Yanks), he assumes a programmer’s identity and secures a job at a large company. He thereupon attempts, unsuccessfully, to circumvent the security of the company’s computerized accounting system. Temporarily frustrated, he is delighted to learn that a simple “bang” on the side of the computer’s casing with a mop bucket opens it, circumventing the security he’d tried so hard to foil. The punchline? Ustinov learns the secret by chance; the cleaning crew uses the trick to open the computer in order to warm their tea inside the computer’s casing.
The real world, of course, is rife with such irony, and superior red teamers have a nose for it. Perhaps not often (but often enough), the most splendid security system is vulnerable to an unexpected, comically simple exploit, all of which calls for the timely services of the superior red teamer’s nose. It reminds me of Red Teaming Law #17: “The superior red teamer learns how things work in the real world, not just how they work on a diagram or presentation slide. The most useful insights often come from the bottom of the org chart. The higher up the org you go, the broader the view but the more filtered the information.”
Postscript: There’s another Ustinov movie with a scene relevant to red teamers. I’ll post on that soon.
“You never really understand a person until you consider things from his point of view . . . until you climb in his skin and walk around in it.”
– Atticus Finch to Scout in Harper Lee’s To Kill a Mockingbird.
This is the heart of adversarial red teaming, right?—to consider a problem from the adversary’s perspective. Kind of . . . what Atticus advocates is something more, something elusive, and something many red teamers unthinkingly overlook: genuine empathy.
While I’m now only teaching the two-day “Becoming Odysseus” red teaming course to organizations, I’ve decided to offer a one-time online course on the topic of Eastern and Western approaches to strategy—something that I believe all red teamers should understand. In the three-hour course, I’ll spend the first two hours discussing the differences between the traditional perspectives as well as some of the Western variations that attempt to merge East and West. Specific topics and thinkers I’ll address will include
- Traditional Chinese and Greek modes of thought;
- Clausewitz, Jomini, and the Western way of war;
- Liddell Hart, Boyd, and variations on the Western way;
- Sun Tzu and shi, hsing, ch’i, and cheng; and
- The Russian concept of reflexive control.
We’ll then play out red team exercises from the Eastern and Western perspectives. Not only should it be a lot of fun, it should also yield some practical takeaways.
Update: Yes, this was to be a one-time course, but a few people couldn’t attend the first session due to the date and time. As a result, we’ve added a second session on 16 Dec. Also, if you’re interested, here are a couple of thoughts from the first session. Register here. (Also, please note that the WebEx registration page sometimes fails to show all the necessary information on phones; it does work on tablets and desktops.)
Thanks to everyone who attended the online session of “Dragon and Knight” Tuesday. I’d like to share a couple of points that came up during the discussion. First, we concluded that the division between “Eastern” and “Western” modes of thinking is in practice often a false dichotomy. As Hall and Ames observe, these modes of thinking are not exclusive: causal, rational thinking is dominant in the West and recessive in the East, while analogical, correlative thinking is dominant in the East and recessive in the West. In other words, Westerners can think analogically and Easterners can think causally, even if those modes are recessive within each group. I find it interesting that superior red teamers tend to cross this cultural boundary with intuitive ease, at least when positing attacks. I’ve met few, however, who can shed their Western analytical biases when considering what those attacks mean.
Second, we noted that when artificially constraining our efforts to either Western or Eastern modes of thought, the Western mode tended to yield ideas focused on the physical elements of the notional exercise scenarios: things we could see, touch, measure, and, ultimately, add to a checklist. When we switched to an Eastern mode, we found ourselves thinking much more creatively, and the attack vectors we discussed emphasized targeting the opponent’s mind. This is probably not surprising to those who study the cultural roots of strategy. Of course, the real point of the exercises wasn’t to think exclusively in a single mode but to transcend the separate modes to reach a point at which we could draw from both to generate both the orthodox (cheng) and the unorthodox (ch’i).
At times during this election season I felt as if I were living in a house of mirrors. With leaks, allegations, and counter-allegations sprouting like weeds, I wondered how, as a citizen, I could discern anything close to the truth. As red teamers, we often face a similar dilemma. Sometimes we just don’t know enough to draw actionable conclusions from the available information. Sometimes all the normative decision making approaches in our toolkit can’t compensate for the degree of uncertainty we face. Sometimes we’re forced to rely on our intuition—knowingly—while seeking new and better information. Sometimes we find opportunity in the ambiguity and uncertainty, but typically the very worst thing we can do is assert certainty where none can reasonably exist. As a Robert Heinlein character says in the short story “Space Jockey,” “What good is seven-place accuracy with bum data?”
You might be surprised to learn that I don’t believe red teaming always works. You might be even more surprised that I believe red teaming can sometimes do more harm than good. Here are seven red flags that might indicate that you need to review and perhaps reconsider how your red team goes about its business.
Pentesting can be an enormously valuable service, but we must be aware enough when hiring or employing a pentester to balance both the advantages and disadvantages of the practice. Yes, it can reveal holes in our security, but it can also promote an illusion of security. Further, while it can help validate our current security efforts, it can, if handled poorly, itself become a potential source of misperception and even vulnerability. Before opening our systems and operations to pentesters, we should consider the following caveats, cautions, and questions: