The Red Team cycle goes a little like this. A Red Team is hired, typically before the blue team is ready to go head to head with a nation-state actor. The Red Team uses threat intel, takes input from various business units, gauges the blue team's maturity, and designs a few operations.
The Red Team begins the engagement, acting in full stealth mode until they act on their predefined objectives. The Red Team may or may not gradually increase their noise to draw the blue team into the engagement.
After the engagement, a report is compiled with IOCs and technical findings. People are read into the operation, issues are resolved, and the blue team has a list of actions and IOCs to hunt for and build detections from.
Then what happens? Sometimes the blue team starts on the remediation work; they might follow through, they might get distracted with other priorities, or they might just file the report and get back to "what actually matters".
The Red Team may eventually get frustrated, citing lack of buy-in or lack of blue team maturity, and begin to get creative with engagement models. This is oftentimes a driver for more Purple Team style work.
So what is missing? You have all the technical expertise. You have the processes, the frameworks, and the engagement models approved by leadership.
While Red Teaming and War Gaming are two different things, they do have many similarities and are often used interchangeably.
Have we been trying to War Game without knowing it?
According to the UK Wargaming Handbook, a wargame is "a scenario-based warfare model in which the outcome and sequence of events affect, and are affected by, the decisions made by the players."
If you've planned Red Team engagements, that should look familiar. Beyond what a War Game is, the War Gaming Handbook also defines several limitations:
- Wargames are not reproducible. Because they are driven by player decisions, they simply cannot be reproduced with the same results.
- Wargames are qualitative. We cannot use War Games to determine valid key security metrics. If that is the goal, another solution will likely be better.
- Wargames are not predictive. Because War Games have so many people-driven variables, we simply cannot predict the outcome with certainty. Only with a large number of War Games can we begin to see trends that have any substance.
- Wargames are only as good as their participants. An uninformed, unqualified or overconfident wargame team is unlikely to add value, and may be detrimental to the project. Furthermore, the product of a successful wargame will be of benefit only if it is accepted or considered by the sponsor.
If our goal has been to conduct successful Wargames, we need to first make sure we have all of the pieces. This includes having the right resources. While we may not need dedicated individuals for these roles, we need someone to assume the responsibility and we must have a clear delineation of roles.
The War Gaming Controller is "the critical role during wargame execution". The responsibilities include:
- Final arbitrator of all decisions such as adjudication, scenario evolution, or any other aspect of the wargame
- Facilitation of the wargame supporting both the players and the staff
The Handbook goes on to say that the War Game Controller role includes, but goes beyond, that of 'umpire'.
We've been asking the players (the Red Team) to take the role of Designer, Simulation Expert, and Analyst.
It's as if we've been making the rules for our own game and taking the role of umpire, then acting surprised when the blue team doesn't show up.
For an excellent example of a Red Team engagement run as a war game with all the right pieces, see https://medium.com/starting-up-security/red-teams-6faa8d95f602