The Start Here Page was recently updated with a whole bunch of goodness. Check it out for an intro to the Red Team Mindset, specific posts about it and a deeper understanding of what the blog really is about.
Major Matt Cavanaugh, at the War Council website, has an interesting article about a different, red teaming related, way of thinking. It's worth reading:
The ultimate challenge is to express these divergent and dissenting ideas in such a way as to respect and remain steadfastly loyal to the organization. There are basically two ways of doing this, one formal and one informal.
"RTJ Red Teaming Law #45 (“Blunderland”): When what must be said can’t be said, multiply your risk by ten. If the denial is tainted by arrogance or fear, multiply your risk by ten again."
-- Red Team Journal: Laws of Red Teaming
From our friends at the Red Team Journal.
The second tool is the “R-W-W” screen, a set of questions designed not “for making go/no go decisions but, rather, a disciplined process that can be employed at multiple stages of product development to expose faulty assumptions, gaps in knowledge, and potential sources of risk, and to ensure that every avenue for improvement has been explored.” The screen is structured around three high-level questions (the ones from the article’s title):
- “Is it real?” [the “R”],
- “Can we win?” [the “W”], and
- “Is it worth doing?” [the second “W”].
Maybe it's the day, or maybe it's my age... I think it's time to get a little philosophical.
I've practiced Aikido (and other martial arts) for many years. Like Red Teaming, you are always practicing and learning. Morihei Ueshiba, the creator of Aikido, once said:
"If we stop growing, technically and spiritually, we are as good as dead."
In Aikido you are always training, always discovering new things about yourself and about your possible opponents. Over the years, the different Sensei (plural) I've had the privilege of training under have mentioned different Aikido principles. Some resonated with me, and I can see how they would also apply to Red Teaming and to security in general. Bear with me, please, while I try to make sense of this.
Or "True Victory is Victory over Oneself". This is one of the hardest things to learn in Aikido. In Red Teaming, in order to know what security issues you might have, you need to know your enemy. To know your enemy, first you need to know yourself. It is a recursive problem, I know, but one that really has to be addressed during a Red Team assessment.
Principle of Circular Motion
In Aikido, the circle is a key element. Regardless of how the opponent attacks, linear, circular or angular, a circular motion allows you to blend into the attack and gain control of your opponent. The same can be said of Red Teaming. Try to force something, try to stop something, and more likely than not you will fail. However, if you blend in, if you find that circular way in, the gaps in the security of your "opponent" (the organization or plans you are red teaming), then you have a much greater chance of success.
Extend Ki Forward
In Aikido, Ki is energy, the life force that keeps us alive. Ki is the binding force of our mind and body. Think of it as "The Force". Aikido practitioners focus on harnessing this energy and using it both to achieve greater control over their bodies and minds and to control their opponents. Extending Ki Forward means presenting to the world an image that you are in control, that you are sure of yourself and that, while you are calm, you can defend yourself if needed. In Red Teaming parlance, this means being alert, being always aware. Always project that sense of being aware of your environment, of being comfortable and sure during stressful situations. It will help you and your team.
Keep One Point
Similar to the previous principle, keeping one point means being centered: being in control of your emotions and your body. Once you achieve this, you can begin to control your opponent. Think about this when you are trying to find the holes in a plan, the vulnerabilities in a network, or that gap that will allow you to break everything. Keep your focus, your "one point".
Aikido is the act of redirecting the attacker's energy
In Aikido, redirecting the opponent's attack and its energy is key to the techniques. Rendering the attack harmless to you is what you are trying to achieve, blending with it and controlling the attacker. In Red Teaming, think of this as the art of misdirection. Try to get the Blue Team to "attack itself", send them on a wild chase after a ghost. Think about this.
Or "controlling the first move". In Aikido, you get to a point where your situational awareness allows you to "see the opponent's move before he has made it". This allows you to get better control of the attack by "being there" before it happened. Those precious seconds can save you or those around you. This is a general situational awareness tip, very relevant not only to Red Teaming but to all aspects of life.
There are more principles, but I thought these were the ones most relevant to Red Teaming and to life/work in general.
This came up in a conversation yesterday with an old-time friend and colleague. We were talking about the different techniques we've used in the past to get that crucial piece of information that resulted in the success of the projects.
We both laughed at some of the social engineering attempts we've made, some really ridiculous, and at what worked and what didn't. Then we moved on to the more interesting physical attempts to get information.
Yes, in one project that we worked together, we used a simple method to gain information about the hotel room number of the person we were Red Teaming (well, the company hired us to see the weak links and this person was THE weak link). It was a simple method and it worked like a charm.
We knew the hotel and we tried to social engineer the concierge over the phone to get this person's room. The idea was to get in and try to get to his laptop when he was away. Well, it didn't work, so instead we mailed a rather large package to the hotel addressed to the person we were targeting. The next day, when the package arrived (my friend was in the hotel's lobby waiting), I called from a cellphone and asked to talk to the concierge. I asked him if the package for Mr. Target had arrived. He searched the computer to see if Mr. Target was indeed in the hotel and then went to check the pile of packages that had arrived a few minutes earlier. At this point my friend approached the desk and waited there. As the concierge came back, my friend asked something, and the concierge politely asked for a minute. He said to me on the phone that yes, the package was there. I asked very politely that he make sure Mr. Target got it immediately, since he - Mr. Target - needed it for his morning meetings. The concierge said yes and I thanked him. He wrote the room number and name of Mr. Target on a piece of paper, called a bellboy and told him to get "that big package" to the person in that room right away. My friend saw the name and room written on the paper, and that was it. We had the info.
Anyway, the point of this post came out of that conversation with my friend. A simple, flexible plan that can adapt will often work better than one with many moving parts that is less dynamic.
Think outside the box, keep it simple and Red Team it.
I was surprised by how much effort the author put into this article. It's a good place to start if you want to understand and use the OODA Loop.
put another way, the OODA Loop is an explicit representation of the process that human beings and organizations use to learn, grow, and thrive in a rapidly changing environment — be it in war, business, or life.