The Laws of Red Teaming
Red teaming is governed by informal and wholly unscientific laws based largely on human nature. These laws are driven by paradox and, in some cases, a healthy dose of humor. We state some from a general perspective, some from the perspective of the customer or sponsor, and some from the perspective of the red team. Enjoy. We add to these as the mood strikes. (For an alternative list of rules, try the one at redteams.net.)
RTJ Red Teaming Law #1: The more powerful the stakeholders, the more at stake, the less interest in red teaming. Who wants to red team? A planning staff? Sure. A proposal team? Why not? An overextended nation sinking in a pit of debt? Nah.
RTJ Red Teaming Law #2: Skeptics make the best red teamers, especially when they’re skeptical of red teaming. Of course, a good red teamer is also skeptical of this law.
RTJ Red Teaming Law #3: You can never red team yourself. Kurt Gödel taught us that.
RTJ Red Teaming Law #4: Be cautious of the stakeholder who really, really wants to red team; a hidden agenda might be at play. Remember, the red team is the know-it-all no one likes.
RTJ Red Teaming Law #5: If you want some real red teaming, tell the red team you simply want to confirm that you have no vulnerabilities. Just don’t tell them you’re doing this to win a bet. Some lines shouldn’t be crossed.
RTJ Red Teaming Law #6: Keep your red team on a leash. You don’t want a red team you can leash. Ergo law #1.
RTJ Red Teaming Law #7: If you’re apprehensive about red teaming, it probably means you need it. When you cover your eyes, people can still see you; it only works when you’re a little kid.
RTJ Red Teaming Law #8: Risk is subjective. Oh, and goals are mercurial, perceptions are plastic, knowledge is gettable, time is exploitable … Review this law whenever you think you’ve mastered the practice of red teaming.
RTJ Red Teaming Law #9: Red teaming is not forecasting; red teaming is the art of challenging assumptions and exploring the possible … although your forecaster will always benefit from talking to your red teamer.
RTJ Red Teaming Law #10: The inferior red teamer defers to reputation and status. The superior red teamer pokes arrogance in the eye (and laughs while doing it). Poke! LOL!
RTJ Red Teaming Law #12: What your customers won’t let you do often tells you more than what they will let you do. “Pay no attention to that man behind the curtain!”
RTJ Red Teaming Law #13: Exploit collective assumptions, especially when attacker and defender share the same ones. Why would anyone want to throw that ring into Mount Doom?
RTJ Red Teaming Law #14: If you have a secret, invest it; don’t cash it in at the first opportunity. The secret that pays dividends over time is usually the most valuable.
RTJ Red Teaming Law #15: The apprentice red teamer thinks like the attacker. The journeyman red teamer thinks like the attacker and the defender. The master red teamer thinks about the attacker and defender thinking about each other. Hire an apprentice to model an unsophisticated adversary. Hire a journeyman to model a sophisticated adversary. Hire a master to model the system.
RTJ Red Teaming Law #16: Deception is the gate to superior red teaming; self-deception (in your target) is the key to the gate. Remember, you’re vulnerable to self-deception too.
RTJ Red Teaming Law #17: The superior red teamer learns how things work in the real world, not just how they work on a diagram or presentation slide. The most useful insights often come from the bottom of the org chart. The higher up the org you go, the broader the view but the more filtered the information.
RTJ Red Teaming Law #18: Too much red teaming can be as harmful as too little. No one wants a relentless contrarian gumming up every phase of a project. (See “Red Teaming: A Balanced View.”)
RTJ Red Teaming Law #19: Arrogance is both the nemesis and the target of good red teaming. Your adversary thanks you for your overconfidence.
RTJ Red Teaming Law #20: If you defeat the red team, you still have to defeat the enemy. And if you do not win the war, you can always blame the red team! (Submitted by Riccardo Cappelli, winner of the Red Teaming Law #20 contest.)
RTJ Red Teaming Law #21: Red teamers are not immune to FUD. The seasoned red teamer recognizes it for what it is and manages it rationally. The superior red teamer recognizes it for what it is and exploits it. And to complete the implied syllogism, yes, politicians are superior red teamers.
RTJ Red Teaming Law #22: Unexpected surprise is what happens while you’re waiting for the expected surprise. Think tanks and pundits specialize in expected surprise.
RTJ Red Teaming Law #23: Very little is as it appears to be. Create the hypergame and play it to your advantage.
RTJ Red Teaming Law #24: Tell the red team what you want, and they’ll confirm what you know. Tell the red team what the adversary wants, and they’ll uncover what you don’t want to know (but should). Always remember that the red team is more like your doctor than your friend.
RTJ Red Teaming Law #25: The goal of a red team usually isn’t to find a needle in the haystack, it’s to help you see the haystack. What the … ? Where’d that haystack come from?