Whether knowingly or not, red teamers, pentesters, and threat modelers employ what we call engagement models: the implicit and explicit frames governing the red teaming engagement. These models commonly include defining details such as the threat actor to be emulated, the threat actor’s assumed operational code, the engagement’s time horizon and scenario, the rules of engagement, and so on.
Depending on the nature of the engagement, the engagement model may be more explicit or more implicit. Explicit models add analytic rigor and allow fine tuning during the setup and analysis but, according to some red teamers, delay the process and constrain the red team’s creativity.1 Implicit models reduce the methodological burden but introduce ambiguity. This ambiguity is often unacknowledged, which can warp the engagement’s findings and recommendations.
In general, we recommended making engagement models more explicit and less implicit. Even if the red team and its client choose to impose no methodological constraints on the team, the key elements of the engagement model should still be identified and discussed. This allows the client and the team to make conscious decisions about the risks and opportunities of alternative approaches. It also allows the team to account explicitly for ambiguities and constraints in its findings and recommendations.
For example, you may wish to model no specific threat actor. That’s certainly a valid choice, but it’s a choice that’s best made intentionally. The client and team might believe that such a choice introduces no meaningful gap between the engagement model and the “real” world, but every choice introduces some gap. In the case of a threat-agnostic red team, the team is, in fact, modeling a specific threat actor: the threat actor the team sees when they look in the mirror. How this actor differs from the range of actual threat actors is a source of a variety of gaps. And while closing all gaps is impossible, we can still do our best to acknowledge and accommodate as many as we reasonably can.
Over the years, we’ve explored and addressed a variety of potential gaps (many which we captured in our “Mind the Gap” cards). We continue to see many of these gaps emerge unacknowledged in the red teaming events we review and attend. Recently, we distilled what we believe to be the most common sources and effects of gaps into what we hope is a simple and useful model, one that (though introducing gaps of its own) might help red teamers uncover and address the more worrisome gaps in their engagement models.
The following “Star Model” features three doggedly persistent flaws and three resulting illusions. (The flaws are the underlying source of the illusions which in turn inject major gaps into the engagement model.)
Here are the three flaws:
- A limited allowance for reciprocity. Reciprocity is the overt and covert give and take that occurs between attackers and defenders (and other affected stakeholders). It’s inherent in both war and security. Unfortunately, it’s ridiculously easy to reduce the realistic reciprocity in a red teaming engagement to the point that it begins to yield illusions and gaps. This might be due to project constraints, a desire to manage the engagement model’s potential complexity, or some other pressing limitation.
- Overly constrained system boundaries. As we’ve mentioned before, few red teamers are independently wealthy. Red teamers work with clients who pay them to red team, and clients want their red teams to address their own (the clients’) systems. Unfortunately, real-world adversaries tend to scan across a range of systems owned by a range of “clients.”
Even when targeting a client’s specific system, adversaries will often look for upstream and downstream points of leverage into that system. (We sometimes refer to this tension as the Catch-22 of red teaming.) For better or worse, expanding the engagement model’s system boundary means either spending more time and money red teaming or raising the level of abstraction, a tradeoff many clients find unappealing, hence the pressure to constrain the system boundaries.
- Entrenched misperceptions. Entrenched perceptions are the bread and butter of what we call Kontraspiel. They also underpin Gegenspiel, the adversarial form of red teaming we are addressing here. Flawed expectations about how the world works, cultural and organizational prejudices, and dynamic complexity can all yield misperceptions that, if not addressed, will undermine a red teaming engagement more quickly and fundamentally than either of the other two flaws, if only because entrenched misperceptions “boot up” before the red teaming engagement even begins.
These three flaws combine to yield three worrisome illusions: (a) the illusion of knowledge, (b) the illusion of control, and (c) the illusion of superiority. Framing these three flaws and three illusions are two global illusions: (d) the illusion of “the duel” and (e) the illusion of the narrative. We’ll discuss these illusions and their implications in part 2 of this post.
Postscript: Here’s some additional backstory to the Star Model. RTJ is free. Its mission is to advocate for and promote superior red teaming. Like most red teamers, however, RTJ’s founder, Dr. Mateski, is not independently wealthy, hence the recent founding of Reciprocal Strategies, a company designed to implement the principles discussed on RTJ on behalf of clients interested in superior red teaming. The star model is thus a “client facing” model—a model designed to explain the essence of RTJ’s message without unpacking 400 blog posts, 50 law cards, and 50 “Mind the Gap” cards. At the same time, we believe RTJ readers will find it useful.
- This is a view with which we don’t necessarily agree, at least not fully. We’ll address this in an upcoming post. [↩]