Red Teaming: From the Military to Corporate Information Security Teams
Are you really going there?
Yes, I am aware that attempting to answer the question “What is red teaming?” within the infosec community is a topic that tends to ruffle feathers and stir the pot for my red team peers, but I am writing this article anyway. I am writing this because I have experience as a participant on all sides (I will go into detail on these “sides” later) of military training exercises in two different branches of the U.S. military. I also have experience in these exercises in an information security capacity as well as in traditional combat scenario capacities. For this reason I want to explain red teaming from a military perspective and how that translates to the corporate information security environment.
What is a Red Team?
The very term “Red Team” comes from military training exercises. In the U.S. Army, soldiers take part in field exercises at their duty stations or designated field areas. These field locations are where soldiers go to practice their soldiering skills, participate in “war games,” and/or get trained up on new skills, military equipment, and military technologies and weaponry. Training exercises can also take place on a much larger scale, with huge multi-discipline training exercises conducted at the National Training Center (NTC) at Fort Irwin, California, or the Joint Operation Training Center (JRTC) at Fort Polk, Louisiana. The Air Force has “Red Flag,” one of its huge, multi-discipline training exercises, at Nellis Air Force Base, Las Vegas, NV. As a soldier I participated in countless field exercises; I also worked as a defense contractor at NTC, and I was part of an NSA-certified Red Team (Aggressor Squadron) at Nellis, so I have a ton of experience in military training exercises. These training exercises are war games whose purpose is to challenge operational processes and practices in order to discover weaknesses in those processes.
Why is red teaming important?
The U.S. Department of Defense (DoD) Defense Science Board Red Team Task Force concluded:
“We believe red teaming is especially important now. Aggressive red teams challenge emerging operational concepts in order to discover weaknesses before real adversaries do. Red teaming also tempers the complacency that often follows success.” [1]
So, as red teamers, we need to exercise our defenders in their operational processes and practices so that they can adjust these before the enemy finds them. If the good guys have never seen, or reacted to, a given enemy Tactic, Technique, and/or Procedure (TTP), then they probably won’t be very prepared for it if the bad guys hit them with it. We also need to keep our blue teams from becoming complacent by exercising their defensive muscles.
The Anatomy of Military Exercise Teams
In a training exercise there are three “teams” (the “sides” I referred to above). These teams are also referred to as “cells.” There is the Blue Cell (the team being trained), the Red Cell (red team, aggressors, threat emulation team, Opposition Forces (OPFOR), etc.), and the White Cell. These teams are very important to the point I am trying to drive forward in answering the “What is a red team?” question.
I think we can all grasp the idea of red and blue teams, but let’s just say this: the blue team are the good guys RECEIVING training, and the red team are ALSO the good guys, PRETENDING to be the bad guys, who are PROVIDING the training. There really aren’t any teams. There is one team. “One team, one fight!” as we used to yell in the Army. I am strongly emphasizing this idea because it can be a pain point for some information security teams when they naturally take the competitive factor of war gaming personally. We have to remember that there is no winner or loser in these exercises. We are all on the same team, and we ALL win when we further develop and mature our processes.
Wait, what is this “White Cell?”
In a training exercise the blue team is given an objective. They are portraying a military unit of a fictitious nation while the red team are the opposition forces of another fictitious nation, who are given their own objective. The white cell oversees the entire exercise. They can be thought of as “God,” or “the all seeing eye.” They are privy to every single thing happening in the exercise in real time. They listen to all communications from both the red and the blue side. They know where everyone is at all times. They manipulate the game as it is played.
Let’s say that the blue team is destroying the red team. They are in the right place at the right time, and are on point with everything they have been trained to do. If the red team keeps operating at their current threat level, will the blue team get any training value out of the exercise? Will they find any weaknesses in their processes? The answer is “No, they won’t.” So how do we change that? How do we provide some training value? The white cell gives the red cell information to tip the scales, so to speak. The white cell starts telling the red leader where the blue cell will be, and when they will be there. The red team then elevates to a higher threat level. They can now meet the blue team at their level, or go higher. Now the blue team will be challenged and will get something out of this exercise. Remember, we are exercising muscles to defeat complacency as well as allowing our defenders to see the holes in their processes.
This all works exactly the same whether it is an Army field exercise, a huge NTC training operation, or a U.S. Air Force Red Flag engagement. It also works the same way whether the exercise has a tactical combat training objective or a military information security objective. I’ve worked in them all and on all three of the teams, and I assure you the exercises all work exactly the same.
Again, this idea of the white cell is super important in the point I will be driving home.
How Does this Translate to my Corporate Red Team?
So, there are some differences in corporate information security red team operations.
- We don’t have a designated “exercise” time where the blue team can just stop their real-world operations, so red team exercises have to occur WHILE the blue team is actually working. In the military, when we weren’t at war, we were training. The corporate blue team is never NOT at war. How do we then translate this from the military to the corporation? We have a well-documented operational plan in place with a well-thought-out deconfliction process and well-placed, informed trusted agents at the ready. This is HUGE. As a red team we don’t want to blow operational security (OPSEC) by telling the blue team that the activity they are seeing is us every time they ask. In fact we want published rules of engagement (RoE) that specifically state that the red team will not respond to such questions. The RoE should direct the blue team to whom to ask such questions in order to properly deconflict if necessary. The goal here is to provide realism for the blue team. We need them to react as they would if this were a real attack, so we don’t want them to think that this simulation is anything other than real. We however do NOT want the blue team to burn the network down for a simulation, so we need a solid, well-documented deconfliction process, and we need trusted agents at various points of escalation so that the CIO is not bothered every time the red team hits a nerve.
- We don’t have a white cell. I don’t see corporations paying security folks to oversee red team engagements as a sole function. It just doesn’t seem very economical to do so. So what do we do? We make the red team the white cell. This is where I will get some push back, I know. This is simple though, so follow me. The red team’s purpose is to exercise our blue team. Our blue team is the security operations team (SecOps). If SecOps matures, starts operating at a very high level, and stops getting value from red team exercises, then the red team needs an advantage. Remember, there is no winner or loser here. Though I understand that this will naturally become competitive in nature, we must strive to realize that we are not in a competition with winners and losers. We only lose if we are not getting training value. So, yes, the red team needs to be able to see what you are doing. We need to see your Jira tickets, your Splunk dashboards, your CrowdStrike dashboard, etc. I can hear the SecOps folks gritting their teeth. This is necessary to provide the best training we can to SecOps on the fly. I have been told that having this advantage is “NOT red teaming.” Well, I argue that it in fact is red teaming. From a military standpoint, and from what the true goal of red teaming is, this is by definition red teaming. I’ve been told that “real” red teaming is where the red team is doing black box testing and can’t see anything blue is doing. I ask why? How can not knowing what blue is doing provide better training value to blue? That IS our goal, right? I know some may rebut with “Well, red can grow with blue.” While this is true, the reality is that they might not. There are many variables that can cause red to not grow with blue, like red team retention, red team size, and team funding. So, if red can’t keep up for whatever reason, then how can you give red the advantage? I’ve given you the answer above.
Maybe some of you work on HUGE red teams with unlimited funding and capabilities of that of a nation state threat actor, but I wager that this is not the case for most.
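As an added illustration of the deconfliction process described above (example code written for this article, not the author’s or any project’s), the following Python models a register that only the trusted agents named in the RoE can query to learn whether observed activity belongs to a registered red team operation, with every query logged and an escalation tier per agent; the operation name, networks, hostnames and agent names are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Operation:               # one registered red team operation (constructed values)
    name: str
    start: datetime
    end: datetime
    source_nets: list          # networks the red team operates from
    hosts: set                 # in-scope hostnames


@dataclass
class DeconflictionRegister:
    """Active operations plus the trusted-agent roster named in the RoE."""
    operations: list
    trusted_agents: dict       # agent name -> escalation tier (1 = lowest)
    audit: list = field(default_factory=list)

    def deconflict(self, agent, src_ip, host, when_iso):
        """Answer a trusted agent: ("red_team", op_name) or ("unknown", None).
        Refuses non-agents (red does not answer blue directly) and logs every query."""
        if agent not in self.trusted_agents:
            raise PermissionError(f"{agent} is not a trusted agent")
        when, ip = datetime.fromisoformat(when_iso), ip_address(src_ip)
        verdict = ("unknown", None)
        for op in self.operations:
            if (op.start <= when <= op.end
                    and any(ip in net for net in op.source_nets)
                    and host in op.hosts):
                verdict = ("red_team", op.name)
                break
        self.audit.append((when_iso, agent, src_ip, host, verdict[0]))
        return verdict

    def next_tier(self, agent):
        """Name the trusted agent one tier up, or None at the top (the CIO)."""
        tier = self.trusted_agents[agent]
        up = [a for a, t in self.trusted_agents.items() if t == tier + 1]
        return up[0] if up else None


# Constructed sample register for a fictitious two-week operation.
REGISTER = DeconflictionRegister(
    operations=[Operation("OP-EXAMPLE",
                          datetime.fromisoformat("2024-03-01T00:00:00+00:00"),
                          datetime.fromisoformat("2024-03-15T00:00:00+00:00"),
                          [ip_network("10.99.0.0/24")], {"fileserver01"})],
    trusted_agents={"secops_lead": 1, "deputy_ciso": 2, "cio": 3},
)
```

A query outside the operation window, from an unregistered network, or against an out-of-scope host returns "unknown", which is the cue for the trusted agent to treat the activity as real and escalate.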
I think a lot of the confusion about what red teaming is and isn’t comes from the fact that offensive security has a couple of functions. A red team operation is NOT a penetration test (pentest). A red team is a function of SecOps with a training objective. The red team operation answers the question “How effectively can IR respond to TTPs X, Y, and Z with their current processes in place?” A pentest team is a function of vulnerability management and typically has an impact objective. It answers the question “Can we get from A to B and cause X?” Now, red team operations can also include impact objectives, but that is not their sole purpose. The red team might also find and report vulnerabilities during the course of the operation, but again not as its sole purpose. Pentesting, however, does not provide training. A pentest finds or proves vulnerabilities. One can argue that pentesting is more important, but I won’t get into that one here. The bottom line is that a red team and a penetration test team typically share a skillset. Hence the confusion between the two.
One thing that some of my peers might be thinking: “What about detection, alerting, and tool validation and gap analysis?” I will say that red teaming can be a great tool for this, but purple teaming and penetration testing are better. In a nutshell, purple teaming is where red and blue sit side-by-side while red attacks with a TTP, or a set of TTPs, and blue validates if/when the TTP was detected. I will add that red teaming or penetration testing can take this validation a step further by adding the element of persistence via a persistent threat. Tool validation via purple team might miss out on this important element. If the detection tool is only configured to detect an attack that is conducted using a specific technique, a persistent attacker might be able to craft a technique that gets around this detection. Without this persistent attacker element, detection validation might not be very effective. So you can add this element by taking persistence into account in your purple team planning, you can do a penetration test with impact objectives geared towards detection validation, or you can add impact objectives into your red team operation. If you are going to add them into your red team operation, I ask “why?” What advantage is there to validating your detections via threat emulation that you can’t get from a penetration test, or through persistent purple teaming?
Related to the question I just asked above, I have to add the following as a point of learning for myself: I have heard of red teams who provide their exercise as a service (EAAS) to corporate teams other than SecOps. I would love to hear feedback as to why. What is the value of a red team exercise with impact objectives over a penetration test? Outside of a red team social engineering test, I am confused as to why this is at all necessary. I am not asking this to be argumentative; rather, I truly want to know the answer from teams that do this.
There you have it. The point I wanted to drive home is that the military knows how to do exercises. They’ve been doing it effectively for a very long time. We can translate that over to the corporate information security structure with a couple of easy transitions: your red team should be your white cell as well, you should have a very solid deconfliction plan, and you should have RoE that allow the red team to maintain OPSEC.
1. Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics, Defense Science Board Task Force on The Role and Status of DoD Red Teaming Activities, September 2003, p. 1. http://www.acq.osd.mil/dsb/reports/redteam.pdf, accessed 11 July 2006.