Join us 2 March for our next Red Teaming 101 Webinar.

‘Thank You’ Cleaning Crew

cleaning_bucketThe pleasant little 1968 comedy Hot Millions starring Peter Ustinov and Maggie Smith features an interesting moment relevant to red teamers. (If you haven’t seen the movie but intend to, stop reading here.) Ustinov plays a compulsive embezzler. After serving time in gaol (that’s “jail” for us Yanks), he assumes a programmer’s identity and secures a job at a large company. He thereupon attempts, unsuccessfully, to circumvent the security of the company’s computerized accounting system. Temporarily frustrated, he is delighted to learn that a simple “bang” on the side of the computer’s casing with a mop bucket opens it, circumventing the security he’d tried so hard to foil. The punchline? Ustinov learns the secret by chance; the cleaning crew uses the trick to open the computer in order to warm their tea inside the computer’s casing.
      The real world, of course, is rife with such irony, and superior red teamers have a nose for it. Perhaps not often (but often enough), the most splendid security system is vulnerable to an unexpected, comically simple exploit, all of which calls for the timely services of the superior red teamer’s nose. It reminds me of Red Teaming Law #17: “The superior red teamer learns how things work in the real world, not just how they work on a diagram or presentation slide. The most useful insights often come from the bottom of the org chart. The higher up the org you go, the broader the view but the more filtered the information.”

Postscript: There’s another Ustinov movie with a scene relevant to red teamers. I’ll post on that soon.

The Need for Genuine Empathy in Modern Adversarial Red Teaming

You never really understand a person until you consider things from his point of view . . . until you climb in his skin and walk around in it.”

      – Atticus Finch to Scout in Harper Lee’s To Kill a Mockingbird.

      This is the heart of adversarial red teaming, right?—to consider a problem from the adversary’s perspective. Kind of . . . what Atticus advocates is something more, something elusive, and something many red teamers unthinkingly overlook: genuine empathy. Read on …

Dragon and Knight: Eastern and Western Strategy for Red Teamers (Updated)

dragon-and-knight-announcementWhile I’m now only teaching the two-day “Becoming Odysseus” red teaming course to organizations, I’ve decided to offer a one-time online course on the topic of Eastern and Western approaches to strategy—something that I believe all red teamers should understand. In the three-hour course, I’ll spend the first two hours discussing the differences between the traditional perspectives as well as some of the Western variations that attempt to merge East and West. Specific topics and thinkers I’ll address will include

  • Traditional Chinese and Greek modes of thought;
  • Clausewitz, Jomini, and the Western way of war;
  • Liddell Hart, Boyd, and variations on the Western way;
  • Sun Tzu and shi, hsing, ch’i, and cheng; and
  • The Russian concept of reflexive control.

We’ll then play out red team exercises from the Eastern and Western perspectives. Not only should it be a lot of fun, it should also yield some practical takeaways.

Update: Yes, this was to be a one-time course, but a few people couldn’t attend the first session due to the date and time. As a result, we’ve added a second session on 16 Dec. Also, if you’re interested, here are a couple of thoughts from the first session. Register here. (Also, please note that the WebEx registration page sometimes fails to show all the necessary information on phones; it does work on tablets and desktops.)

Thoughts from ‘Dragon and Knight’

dragon-and-knight-afterThanks to everyone who attended the online session of “Dragon and Knight” Tuesday. I’d like to share a couple of points that came up during the discussion. First, we concluded that the division between “Eastern” and “Western” modes of thinking is in practice often a false dichotomy. As Hall and Ames observe, these modes of thinking are not exclusive: causal, rational thinking is dominant in the West and recessive in the East, while analogical, correlative thinking is dominant in the East and recessive in the West.1 In other words, Westerners can think analogically and Easterners can think causally, even if those modes are recessive within each group. I find it interesting that superior red teamers tend to cross this cultural boundary with intuitive ease, at least when positing attacks. I’ve met few, however, who can shed their Western analytical biases when considering what those attacks mean.
      Second, we noted that when artificially constraining our efforts to either Western or Eastern modes of thought, the Western mode tended to yield ideas focused on the physical elements of the notional exercise scenarios: things we could see; touch; measure; and, ultimately, add to a checklist. When we switched to an Eastern mode, we found ourselves thinking much more creatively, and the attack vectors we discussed emphasized targeting the opponent’s mind. This is probably not surprising to those who study the cultural roots of strategy. Of course, the real point of the exercises wasn’t to think exclusively in a single mode but to transcend the separate modes to reach a point at which we could draw from both to generate both the orthodox (cheng) and the unorthodox (ch’i).

  1. David L. Hall and Roger T. Ames, Anticipating China: Thinking Through the Narrative of Chinese and Western Culture, 1995. []

‘Seven-Place Accuracy with Bum Data’

At times during this election season I felt as if I were living in a house of mirrors. With leaks, allegations, and counter-allegations sprouting like weeds, I wondered how, as a citizen, I could discern anything close to the truth. As red teamers, we often face a similar dilemma. Sometimes we just don’t know enough to draw actionable conclusions from the available information. Sometimes all the normative decision making approaches in our toolkit can’t compensate for the degree of uncertainty we face. Sometimes we’re forced to rely on our intuition—knowingly—while seeking new and better information. Sometimes we find opportunity in the ambiguity and uncertainty, but typically the very worst thing we can do is assert certainty where none can reasonably exist. As a Robert Heinlein character says in the short story “Space Jockey,” “What good is seven-place accuracy with bum data?”

Red Teaming: Seven Red Flags

rtj-flagsYou might be surprised to learn that I don’t believe red teaming always works. You might be even more surprised that I believe red teaming can sometimes do more harm than good. Here are seven red flags that might indicate that you need to review and perhaps reconsider how your red team goes about its business. Read on …

A Red Teamer’s Take on Pentesting

pentestingPentesting can be an enormously valuable service, but we must be aware enough when hiring or employing a pentester to balance both the advantages and disadvantages of the practice. Yes, it can reveal holes in our security, but it can also promote an illusion of security. Further, while it can help validate our current security efforts, it can, if handled poorly, itself become a potential source of misperception and even vulnerability. Before opening our systems and operations to pentesters, we should consider the following caveats, cautions, and questions: Read on …

Weighing Deception’s Paradox

As a red teamer, I value the Eastern perspective on deception and stratagem. I’m also aware that Edward Luttwak’s relevant caveats are worth considering. Extending Clausewitz, Luttwak observes that the path of deception is just that because, paradoxically, it is often the one that makes the least sense. Top use Luttwak’s example, I take a difficult road to surprise you because the road that makes the most (objective?) sense is also the road you expect me to take. Thus, as Luttwak says, “all that is done by way of paradoxical action as well as secrecy and deception must weaken the overall effort and perhaps greatly, but surprise yields its advantage whenever the enemy’s reaction is weakened to an even greater extent.”1 Read on …

  1. Edward Luttwak, Strategy, p. 7. []

Russia, Reflexive Control, and the Subtle Art of Red Teaming

To understand the Russian approach to strategy and conflict, we must first understand something about the concept of reflexive control. Initially developed and championed by Vladimir Lefebvre, it’s a uniquely Russian view on stratagem and deception that repackages and reframes much of what we usually associate with Sun Tzu. If we expect deception and stratagem from China but not from Russia, we’ve set yourself up to be surprised. We’d be foolish to assume that the Russians are not currently employing reflexive control against the West.
      By definition, reflexive control is “a means of conveying to a partner or an opponent specially prepared information to incline him to voluntarily make the predetermined decision desired by the initiator of the action.”1 In other words, when employing the theory of reflexive control, you paint a picture of the world, that, if successful, your opponent accepts. This false picture compels your opponent to act in your favor. A close term in the U.S. lexicon is “perception management,”2 although the tone of reflexive control is arguably broader and more Machiavellian. Read on …

  1. Timothy L. Thomas, “Russia’s Reflexive Control Theory and the Military,” Journal of Slavic Military Studies, 2004, vol. 17, p. 237. []
  2. Ibid., p. 237. []

The Superior Red Teamer

Earlier this year, an author asked me to summarize my thoughts regarding the superior red teamer. Only a small portion of my response will go into the book, so I thought I’d share the remainder of my thoughts with RTJ readers.
      I first pointed the author to a 2003 RTJ post titled “10 Principles of Good Red Teaming.” While the points in that piece talk about the red team, I apply them equally to the red teamer. In hindsight, I’d change item 8 in the post to emphasize perspectives rather than order—in other words, we need to understand the relevant perspectives before we jump into the specifics. I’d also add something specific about systems thinking (more on that below). These edits aside, though, I think the original list has aged well. Read on …