Climbing the Red Teaming Ladder
When we launched Red Team Journal in 1997, no immediate need existed to define different types of red teaming. Back then, red teaming was red teaming—the practice of looking at a problem or situation from the perspective of an adversary. In the years that followed, the number of practitioners expanded, and so did the range of the practice.
Today we find red teamers of all stripes. Some are pentesters, and others help us challenge assumptions in much broader contexts. We’ve followed our own path, though we’ve found it increasingly difficult to explain to others how we can be red teamers without being either (1) pentesters or (2) “assumption challengers.”
Believe us, we’ve tried. We tried, for example, dividing red teaming into “point” and “pattern” red teaming. We tried separating out the need for “strategic” red teaming. We even tried splitting red teaming into Kriegsspiel, Gegenspiel, and Kontraspiel. We're not sure any of it worked. We still face the challenge of explaining to a potential client that we’re not pentesters, that what we do is more akin in spirit to a systems analyst wearing a “red” hat.
On one hand, we suppose we should let it go. Red teaming will become what it will, irrespective of how we view it. On the other hand, we face the ongoing need to explain what we do. So, here’s one more (last?) try.
We see four levels of possible security-related red teaming:
The first level is the technical assessment. The focus is technology. The adversary model is generic. The question is “How will our technical defenses fare against an attacker?”
The second level is the operational red team. The focus is the defender’s operations and how an adversary might breach, exploit, leverage, or disrupt these operations. The adversary model is the red team itself . . . that is, the red team represents the adversary. The question is “How can the red team get through?”
The third level is the analytical red team. The focus again is the defender’s operations, although an analytical team can also address things that don’t yet exist (designs, plans). The adversary model varies and often includes multiple possible adversaries. The question is “What are all the ways different adversaries might get through, and how do they compare from a risk perspective?” Operational and analytical red teams tend to be highly complementary in practice.
The fourth level is the organizational assessment. The focus here is the upstream organizational behaviors that lead to downstream security problems. The adversary model can vary from generic to specific, but in this case, the adversary model is arguably less important than the latent pathogens in the defender’s own organization. The question is “Why?—Why do security flaws continue to emerge?” The goal is to treat the disease and not just the symptoms.
The level of adversarial thinking peaks in operational and analytical red teaming. A certain level of reciprocal thinking should exist at all levels (for example, “If we do this, then they would respond by doing that.”).
Level I addresses local issues and local tradeoffs—issues and tradeoffs specific, for example, to a department or a system (even if that system is an enterprise system). Level IV addresses enterprise-wide issues and enterprise-wide tradeoffs. At level IV, you’re looking at issues of communication, hierarchy, bureaucracy, and control that affect all downstream systems. Stepping from level I to II to III to IV increases the span of the red team’s purview and the scope of the trade space.
Naturally, the elephant in the room is pentesting. We view pentesting as sitting at level 1.5—right between the technical assessment and the operational red team. Pentesting engagements tend to have a technical flavor but aren’t necessarily limited to technical avenues. They also tend to be more narrow than most of the operational red team engagements we’ve encountered.
An important point here is that all levels are necessary. One is not more important than another, and in most cases they complement each other. We believe we need to do more at levels III and IV, but that’s our preference. The first portion of that job is to explain the difference, the second portion is to describe the need, and the third is to sell it and do it. We’ve done a bit of each, although we still have the nagging feeling that even though there’s a need, not many enterprises care. They’re too busy wrestling with the strictly technical aspects of their systems to lift their eyes from the screen and look around at the bigger issues.
If you were at aRcTicCon in October, you got to hear RTJ founder Mark Mateski talk about level IV (“Red Teaming ‘Whole’ Systems: Lessons from the Security World”). If you're interested in doing some level III and IV red teaming, contact Reciprocal Strategies.
Also, be sure to check out our “Four Levels of Security Red Teaming” infographic.