We Can Do Better
It seems that everyone is spinning up an internal red team these days. On the whole, we say "that's great!" We've been advocating for more and better red teaming for a long time.
So what's the problem? Setting aside the longstanding debate of whether pentesting = red teaming, we have to wonder at the continuing lack of a broader systems perspective in not just red teaming but in enterprise security as a whole.
Search for red teaming positions today on any major job site, and you'll find plenty. Nearly all of them will require practical experience with the standard pentesting toolkit (and accompanying certifications)—no problem; that makes sense, at least for cyber red teams (the vast majority).
Now check out the postings for red team leader jobs. The requirements will be nearly identical, with the additional requirement of supervisory experience. Again, it makes sense, right? You want someone leading your red team who's been in the trenches, who understands how to get down-and-dirty with the target networks.
Maybe, maybe not. Here's an alternative point of view: yes, your red team leader needs to be familiar with security principles and methods, but he or she should also possess a broader toolkit that includes
risk analysis and management,
decision and tradespace analysis,
system requirements elicitation and modeling,
stakeholder mapping, and
approaches to team knowledge management and coordination—in other words, the systems engineering body of knowledge.
Sadly, many red teams today are feeling their way more or less blindly toward this body of knowledge, apparently unaware that it's been around for decades. (And here's a shout-out to Sandia's IDART red team, who started exploring this space in the 1990s.)
Enterprises are highly complex socio-technical systems, yet most red teams focus on the technology (as important as it is) because that's what they know, leaving the complex systemic and "socio" factors largely unaddressed. As a result, they end up treating symptoms while in many cases the disease itself festers and systemic risk grows. As the Congressional investigation of the OPM breach concluded, it was "a failure of culture and leadership, not technology." We can do better, and the systems engineering toolkit can help.
Want to explore the systems side of red teaming? Take a look at the Reciprocal Strategies Becoming Odysseus proactive risk avoidance course.