Red teaming is the practice of rigorously challenging plans, policies, systems and assumptions by adopting an adversarial approach. The purpose of red teaming is to countermand cognitive errors that impair critical thinking, such as groupthink and confirmation bias. In the enterprise, a red team may be either a contracted external third party or an internal group whose existence has not been shared with employees.
Red teaming as a formal discipline originated with the military and intelligence agencies. The North Atlantic Treaty Organization (NATO) handbook defines red teaming as the art of applying critical thinking from a variety of perspectives to challenge assumptions and explore alternative outcomes. Its earliest implementation in the enterprise was in security, where ethical hacking and pen testing are two common examples of using contrarian thinking as part of an organization's strategic planning process.
A properly conducted red team exercise extends further than simply identifying gaps in security practices and controls. Instead, it determines how an organization is equipped to deal with real-world attacks. For example, results can be used to engage a board of directors to get further investment in security defenses and staff security awareness training.
Red team testing vs. pen testing

Red team exercises generally start with passive reconnaissance and open source intelligence gathering, using publicly available data such as social media postings and online searches to identify individuals to target within the organization.

While a penetration test usually relies upon the company providing relevant information such as the IP addresses to scan or the necessary credentials to access an application, a red team starts from the same position as a real attacker, from inside or outside of the organization. Red team exercises also take place without the knowledge of most personnel at the target organization.

The legal implications of a red team are much the same as for a penetration test. This means the attack team could potentially be in contravention of the Computer Misuse Act, and the Data Protection Act (DPA) could come into play where access to data is concerned. Provision of the relevant authorization avoids the former, and if the security company conforms to standards such as ISO 27001 and ISO 9001, DPA issues can be avoided.
Principles of red teaming

In 2015, Bryce Hoffman became the first civilian to graduate from the U.S. Army's Red Team Leader Program at the University of Foreign Military and Cultural Studies at Fort Leavenworth, Kansas. In his 2017 book, Red Teaming: How Your Business Can Conquer the Competition by Challenging Everything, Hoffman recommends a few exercises that can help a red team gain a fresh perspective:
Be your own worst enemy - a role-playing exercise in which red team members assume the role of a competitor trying to gain a competitive advantage.
Devil's advocacy - a role-playing exercise that requires red team members to take a belief central to an organization's strategy and develop a compelling case for the opposite.
Think-Write-Share - everyone on the team thinks about the problem and writes down their ideas before sharing them with others. The goal of this exercise is to avoid groupthink and encourage people to value their individual perspectives.
Celebrate by practicing or learning about it. The world is a far better place when more people participate in this glorious activity!
We can be contacted at:
email@example.com or 609 818 1802.

===============================================================
In addition to this blog, Netiquette IQ has a website with great assets which are being added to on a regular basis. I have authored the premiere book on Netiquette, “Netiquette IQ - A Comprehensive Guide to Improve, Enhance and Add Power to Your Email". My new book, “You’re Hired! Super Charge Your Email Skills in 60 Minutes. . . And Get That Job!” has just been published and will be followed by a trilogy of books on Netiquette for young people. You can view my profile, reviews of the book and content excerpts at:
Anyone who would like to review the book and have it posted on my blog or website, please contact me firstname.lastname@example.org.
In addition to this blog, I maintain a radio show on BlogtalkRadio and an online newsletter via paper.li. I have established Netiquette discussion groups with LinkedIn and Yahoo, and I am a member of the International Business Etiquette and Protocol Group and Minding Manners, among others. I regularly consult for the Gerson Lehrman Group, a worldwide network of subject matter experts, and I have been contributing to the blogs Everything Email and emailmonday. My work has appeared in numerous publications and I have presented to groups such as The Breakfast Club of NJ and PSG of Mercer County, NJ.
Additionally, I am the president of Tabula Rosa Systems, a “best of breed” reseller of products for communications, email, network management software, security products and professional services. Also, I am the president of Netiquette IQ. We are currently developing an email IQ rating system, Netiquette IQ, which promotes the fundamentals outlined in my book.