Using a Red Team to Assess Security
What is a Red Team?
Red Team is a term coined from the military decades ago during table top and field exercises where the “Blue Team” represented U.S. forces and the “Red Team” represented Soviet Block adversaries. In the civilian world of today, the term is used to describe a person or group that acts as a potential intruder in order to uncover security gaps and vulnerabilities for one’s organization. Although Red Teams can be used in both the cyber security and the physical security arenas, our specific skill sets here at ORS are in the worlds of physical security, business continuity, and executive protection so that will be the focus here.
How is a Red Team Used?
So how does one use a Red Team? As with almost anything in security and protection, it depends. And it starts with a Risk and Threat Assessment. That assessment gives an overall view of where a security program’s strengths and weaknesses lie and what potential the realistic and most likely threats are. This is vital for a number of reasons. First and foremost, it can save a client a lot of money. Many times, an organization has an idea of what they believe it needs to test. Sometimes, an initial assessment will show that something else may have a higher level of threat or critical vulnerability and the client’s limited budget may be better spent in another area. Also, it allows the Red Team to simulate a realistic attack from a realistic adversary rather than spend time and client money on an unrealistic and unlikely event.
Physical security Red Teams can be utilized at any type of organization whether it is a school campus, corporate office, house of worship, factory, warehouse, event venue, or a residence. Red Teaming is used to test an organization’s access control, badging procedures, key control, visitor management, escort policies, alarm response time, guard force proficiency, etc. A more sophisticated security operation may want a Red Team to test their surveillance detection protocols or even their Executive Protection (EP) practices.
EP Red Teams will normally be used to test the ability of an EP team to adequately safeguard their protectee at home, at the office, and during travel. They are especially helpful in testing usual travel routes to determine if EP teams can identify potential threats or hostile surveillance prior to an attack.
Red Teams Plan Like the Bad Guys
Potential adversaries, even a street level burglar, will undertake some form of planning before attempting an attack or an intrusion. Even if this planning effort is short and amateurish, there will be some form of preparation. The adversary’s eventual plan will be based on information they have gathered, a decision on how to perpetrate the act, and an idea of how to get away. A Red Team should do the same and plan its attempted act just as the potential perpetrator would.
Common Red Team Mistakes
Not controlling the scenario. If, for example, part of the Red Team exercise includes placing a suspicious item somewhere to evaluate the security force’s ability to detect it and respond to it, the item and the area in which it is placed needs to be tightly controlled and observed. Imagine the chaos that could ensue if the item were discovered and the local police were notified before the any notification could be stopped?
Going too far
Red Teams need to stay within the realm of reality and also take into account the possible negative results of their own actions. Any building or facility can be breached if the adversary is motivated enough, equipped with almost unlimited resources, and the target is worth the effort. Therefore, it is important to understand what the actual threat picture looks like and what, in reality, we can do to thwart any attempted incursion or attack. There are times where Red Teams forget this and get carried away, stepping out of reality and into fantasy. For example, if we were testing perimeter security at a small manufacturing plant that produces high-end furniture, it is unlikely we need to test their ability to fend off a team of terrorists storming the main gate with automatic weapons. Yes, this happened. No, not by us.
Not Keeping Key Staff and Local Officials in the Loop.
This can lead to very embarrassing and sometimes costly results. For example, if you plan on Red Teaming an active shooter protocol, an experienced Red Team will ensure local police are informed beforehand and the notification at the time of the event is tightly controlled (see above). It is fine to test the emergency notification procedure for alerting police, but you may want to tell police of your plans well in advance and work out a communication and verification plan. No senior executive wants his or her company to become the subject of anger and ridicule because SWAT deployed looking for a non-existent active shooter. It tends to annoy employees, too. And, always ensure the Red Team’s planned actions are approved at the most senior levels. Most senior managers and executives like to know what is happening in their organization.
Failing to Conduct a Hot Wash. After a Red team exercise, there needs to be an in-person, face to face meeting with major participants, sometimes referred to as a Hot Wash. An organization may just ask for a written report or the Red Team will only offer a written report. Just reporting in writing eliminates the opportunity for open discussions and conversation that can only occur when key players are all in the same room.
If utilized correctly, Red Teaming is an effective way to test an organization’s security program and its incident management protocols. It is also extremely valuable in testing existing security technology and in identifying training needs.
If you are interested in more information about Overwatch Risk Solutions’ Red Team capabilities, or just have questions about what we can do for you, reach out to us at firstname.lastname@example.org.