Don’t Fear the Red Team

Sometimes, when I propose red teaming as part of a security assessment or training program, I get an uneasy response. Or a flat-out rejection: we don’t do red teaming. It’s odd when you consider no one would object to a drill for emergency responders. It is understood that realistic training is critical to being properly prepared in the event of a disaster. Should we not be similarly prepared for a security breach or threat? I would feel much safer knowing that a security officer is not facing a given issue or event for the first time. Better that he should already have faced it and handled it, if via a drill or test.

The objective of red teaming is not to pass a given test. It’s not about getting a certain grade. The bigger objective is to create and maintain the best possible security system. Yet there have been well publicized examples on a government level where security personnel were tipped off about an upcoming red team or penetration test. Some managers are apparently so fearful that they or their department would look bad if they failed a test, that they are willing to foil it. I well understand the miserable effects of political pressure to say nothing of negative media scrutiny. I feel their pain. But when the stakes are high, we can ill afford politically motivated mischief.

Other security managers express concerns that their officers will be offended by such testing, that it is a punishment or witch hunt. It is true that often the initial response on the part of a guard is to be nervous. He starts to worry, will he pass the test? Will the red team trick him? Is that customer over there a member of the red team? Well, if being nervous results in heightened awareness and higher standards, then even the potential for a red team occurring has already improved security.

No matter what the outcome of a red team, the results constitute an important learning experience. Information brought to light is constructive and can be shared across a security team. The lessons learned yesterday when the red team successfully infiltrated a bomb at Post One, could surely be useful to the officers at Post Two, tomorrow.

In every single instance where we have used red teaming to test security operations for a client, it has produced an excellent result. Recently, we tested a client’s security by deploying an agent who among other things, was loitering near the client’s facility. Note that the security guards had been trained, were aware of potential threats to their given environment and could identify suspicious activity that related to the methods of operation (MO) associated with those threats. The security officers were not aware that a red team was in progress. They reacted in a timely fashion and adhered by the book to procedures. They communicated flawlessly amongst themselves and with other officers on their team as to what was going on. When it was disclosed as a test, they were justifiably proud of their effective response. The success was a boost, for every member of the security team.

Mind you, they did not do nearly as well the first time they were red teamed for this MO. In fact, as I recall, they failed miserably. Which made their success all the sweeter.

Red teaming done correctly can have many positive effects. The security mission is clarified for officers. Awareness is increased, as is a sense of responsibility. Skills are rapidly improved upon. Red teaming is simply a great tool.

6 Comments

  1. J H Booth on December 11, 2013 at 10:29 am

    A great source of information on Red Teaming is contained at the RED TEAM JOURNAL website (//redteamjournal.com/). Red Team Journal is a whole community of individuals that actively advocate Red Teaming, provides training and references, and most important academic cover and support for those that want to advance all aspects of Red Teaming. I urge anyone interested in Red Teaming to subscribe to their email journal (it's free).

  2. Ranger11 on December 12, 2013 at 11:59 am

    I concur with the article, in that the idea behind “Red Teaming” is learning. You need to know where your security needs to improve in order to evolve and be prepared for whatever threat you might face in the future, or today. Without the failures a Red team can bring, there is no way to know otherwise where we need to improve. The idea that we are all safe and that our security is sufficient because we haven’t been infiltrated is a myth.

  3. Steve Kettle LCGI on December 13, 2013 at 1:43 am

    I have anecdotal evidence that senior command team and executives tip off their Security officers to a Red Team. It is often that they want to create an illusion of total security whatever the threat and that they are in control of any potential situation. Reality can be a hard lesson that they view as entirely detrimental, mainly to themselves personally. Getting past that mindset can be problematic but it must be done. A table top exercise is often preferred as being less intrusive into the reality of their security. However, as stated above, Red Teaming is a proper test and should be planned at irregular intervals and on different levels.

  4. Michael wright on August 30, 2017 at 11:07 pm

    I have personally taken part in numerous red team scenarios. Some in which those tested performed with excellence, some in which the outcome was less positive. However, due to the debriefing and suggestions presented at the debriefing, I can honestly say that all were, in the end, extremely successful.
    All presented the opportunity for new training procedures and when the results were correctly presented, all involved felt that the process was a positive one.

  5. A.B. Slatkin on August 31, 2017 at 12:34 am

    Hear, hear!! Great blog. Great comments. Now, if only those in supervisory positions will take note and act.

  6. Small cog on August 31, 2017 at 4:39 pm

    All too often, corporations pay lip service to this vital survival tool. It is about upper management or OH&S ticking an annual box to say they went through some sort of drill.
    I would rather work with a team who tried and failed, but were judged on how they got back up and made improvements than a team who thought they were ready. Unfortunately, we do not see enough of these sort of changes or drills because we keep hearing “we just don’t have the time to spare people.” “It’s an issue to get everyone together.” “What’s the cost of this because we don’t have a budget.” It’s funny how places can always find a budget for art. The build up of frustration from those of us in the security world is unbelievable, and although I COMPLETELY agree with this great article, many of us know that the corporate culture will not change until it faces a tragic incident. That will wake everyone up to the true cost of not being prepared.
    Until then, I will remain a small cog in a big wheel, I will do my best to make sure I play my part and trust in my team.
