Red Teaming: From the Military to Corporate Information Security Teams

Are you really going there?

Yes, I am aware that attempting to answer the question “What is red teaming?” within the infosec community is a topic that tends to ruffle feathers and stir the pot among my red team peers, but I am writing this article anyway. I am writing it because I have experience as a participant on all sides (I will go into detail on these “sides” later) of military training exercises in two different branches of the U.S. military. I also have experience in these exercises in an information security capacity as well as in traditional combat scenario capacities. For this reason I want to explain red teaming from a military perspective and how that translates to the corporate information security environment.

What is a Red Team?

The very term “Red Team” comes from military training exercises. In the U.S. Army, soldiers take part in field exercises at their duty stations or at designated field areas. These field locations are where soldiers go to practice their soldiering skills, participate in “war games,” and/or get trained up on new skills, military equipment, and military technologies and weaponry. Training exercises can also take place on a much larger scale, with huge multi-discipline training exercises conducted at the National Training Center (NTC) at Fort Irwin, California, or the Joint Operation Training Center (JRTC) at Fort Polk, Louisiana. The Air Force has what is called “Red Flag,” one of its huge multi-discipline training exercises, at Nellis Air Force Base, Las Vegas, NV. As a soldier I participated in countless field exercises, I also worked as a defense contractor at NTC, and I was part of an NSA-certified Red Team (Aggressor Squadron) at Nellis, so I have a ton of experience in military training exercises. These training exercises are war games whose purpose is to challenge operational processes and practices in order to discover weaknesses in those processes.

Why is red teaming important?

The U.S. Department of Defense (DOD) Science Board’s Red Team Task Force concluded:

The Anatomy of Military Exercise Teams

In a training exercise there are three “teams” (the “sides” I referred to above). These teams are also referred to as “cells.” There is the Blue Cell (the team being trained), the Red Cell (red team, aggressors, threat emulation team, Opposition Forces (OPFOR), etc.), and the White Cell. These teams are very important to the point I am trying to drive forward in answering the “What is a red team?” question.

Wait, what is this “White Cell?”

In a training exercise the blue team is given an objective. They portray a military unit of a fictitious nation, while the red team portrays the opposition forces of another fictitious nation and is given its own objective. The white cell oversees the entire exercise. They can be thought of as “God,” or “the all-seeing eye.” They are privy to every single thing happening in the exercise in real time. They listen to all communications from both the red and the blue side. They know where everyone is at all times. They manipulate the game as it is played.

Red, White and Blue cells

How Does this Translate to my Corporate Red Team?

So, there are some differences in corporate information security red team operations.

  1. We don’t have a white cell. I don’t see corporations paying security folks to oversee red team engagements as a sole function. It just doesn’t seem very economical to do so. So what do we do? We make the red team the white cell. This is where I will get some push back, I know. This is simple though, so follow me. The red team’s purpose is to exercise our blue team. Our blue team is the security operations team (SecOps). If SecOps matures, starts operating at a very high level, and stops getting value from red team exercises, then the red team needs an advantage. Remember, there is no winner or loser here. Though I understand that this will naturally become competitive in nature, we must strive to realize that we are not in a competition with winners and losers. We only lose if we are not getting training value. So, yes, the red team needs to be able to see what you are doing. We need to see your Jira tickets, your Splunk dashboards, your CrowdStrike dashboard, etc. I can hear the SecOps folks gritting their teeth. This is necessary to provide the best training we can to SecOps on the fly.

     I have been told that having this advantage is “NOT red teaming.” Well, I argue that it in fact is red teaming. From a military standpoint, and from what the true goal of red teaming is, this is by definition red teaming. I’ve been told that “real” red teaming is where the red team does black box testing and can’t see anything blue is doing. I ask why? How can not knowing what blue is doing provide better training value to blue? That IS our goal, right? I know some may rebut with “Well, red can grow with blue.” While this is true, the reality is that they might not. There are many variables that can cause red to not grow with blue, like red team retention, red team size, and team funding. So, if red can’t keep up, for whatever reason, then how can you give red the advantage? I’ve given you the answer above. Maybe some of you work on HUGE red teams with unlimited funding and the capabilities of a nation state threat actor, but I wager that this is not the case for most.

Finally.

There you have it. The point I wanted to drive home is that the military knows how to do exercises. They’ve been doing it effectively for a very long time. We can translate that over to the corporate information security structure with a couple of easy transitions: your red team should be your white cell as well, you should have a very solid deconfliction plan, and your rules of engagement (RoE) should allow the red team to maintain OPSEC.

Red Team Pen Testing Nobody | OSCP | InfoSec | Tech Junkie | OIF Veteran | Tweets are mine, not yours, nor anyone else's... Certainly not my employer's