“Red teaming” sounds ominous, kind of like a “black list” or something you might see in a Tom Clancy novel. But a red team is really not all that ominous. The term comes from the military concept of using opposing forces at different levels as adversaries to train the main force and shift perspectives. For example, after the Yom Kippur War in 1973, the Israel Defense Force’s Intelligence Division created a Red Team of officers with academic backgrounds whose sole purpose is to challenge prevalent assumptions. Engaging with a red team is more an exercise in perspective shifting and eye-opening than in actual damage to you, your systems, and your data.
A red team is generally defined as a group, usually operating independently, that challenges organizational thinking, perspectives, and systems by viewing a problem or a system from a different or adversarial perspective. The expected outcome from a red teaming exercise is a better understanding of strengths and weaknesses, and from that an improvement in decision-making and courses of action. For example, a red team might play the role of a rogue hacker and attempt to penetrate a system. A different type of red team might test the physical security of a critical location and infrastructure, such as a data center. Employing one might get you the proverbial “black eye,” but better from a friend than an enemy.
The advantages of employing a red team are several, but generally the most important one is providing a shift in perspective. Too often, whether putting together a new budget, selecting a software application, building out a data center, or making a multitude of other decisions, we tend to fall into ingrained ways of thinking and deciding. This is especially true in organizations, where we can fall into that organizational mindset or are highly dependent upon standard operating procedures. A good red team can step outside that mindset and bring a different perspective, one that often gets overlooked, to a plan, system, or security process.
The primary disadvantage of employing a red team is that, even when looking from a different perspective, it isn’t possible to cover and employ every possible alternative. The number of possible alternatives for any single issue or decision is almost endless. When there are multiple decision or access points within a single system, and multiple systems then combine into an even larger complex system, such as an ERP system, an email system, or a data center, the number of possible attack vectors becomes limitless. A secondary disadvantage is that an organization that is already locked into a strategy or an approach is not likely to see the value and benefits that employing a red team can provide. However, there is still much insight that can be learned from employing a red team.