Lost Keys and Sober Red Teams
Like the proverbial drunk looking for his lost keys under the lamppost, many red teamers focus on what they know best. But what if what they know best differs from what the adversaries know best? That’s a gap, and gaps can be problematic if not addressed, as we’ve discussed before.
We can recall, for example, more than one red teaming project in which the red team members were experts in the most likely form of attack. Did the most likely attackers possess the same level of expertise? No, and that's a gap.
We can also recall more than one red teaming engagement in which the red teamers strictly applied normative standards of rational, Western thinking. Did the likely attackers employ similar modes of thought? No, and that's a gap.
Finally, we can recall engagements in which the red teamers knew a lot about the target system—how it worked, who worked it, and why the client wanted it red teamed. Did the likely attackers know as much about the system? No, and that’s a gap.
Does this mean that we shouldn’t employ experts, think rationally, or talk to the client? Of course not, but it does mean we should think clearly about the potential gaps we create whenever we run a red team. As we’ve said again and again in our Becoming Odysseus course, “Find the gaps; close them when possible and address them when not.”
One of the most important things you can do when closing gaps is to learn about your adversaries. By default, many of the so-called adversaries in red team engagements are little more than the collective, semi-anonymous skills and preferences of the red team members. Even when a red team seeks to emulate a specific adversary, such efforts too often lack even a minor degree of empathy. If your red team attempts to model a specific adversary, take the time to understand that adversary. Learn their operational code inside and out. You must learn to think like them before you can act like them.
Even when your red team is not emulating a specific adversary, remember that you’re still modeling a specific adversary: the one that matches your red team’s skills, preferences, and perspectives. That adversary may not exist in the real world, but it’s the one you’re using to test your systems, and that’s a gap.
And what if your adversary really is the proverbial drunk weaving around the lamppost? In that case we recommend accounting for the gap rather than closing it. (And if your red team has already closed that gap, it’s time to find a new red team.)