Red Teams: Sexy Disservice

Sphere State Group
3 min read · Feb 10, 2019

“We’re battle-tested, covert, specialized, government-cleared, highly trained elite operators with international experience.” You sexy beasts… Red teaming at its finest. But… is it effective in the private sector? I mean, if you are checking a military installation, sure… But private sector lingo in the last couple of decades specifically includes phrases like, “We can’t operate a fortress here…” and “There has to be a balance between security and business operations…”. A bit of a conflict, eh?

C’mon! Who can really make their facilities and operations sufficiently resistant to red teams? Yeah, maybe like 10 firms on the Fortune 100 list. As for the rest, red teams are really assuming a lot about the capabilities of those who ask for their service. So, why do clients continue to ask? I suppose it’s because the service is now more frequently described using language like the first sentence above — it sounds SEXY! Prospective clients think that a team of Jason Bourne-like operatives will descend on their organizations to wreak havoc on existing security controls. Well… what are those controls? On the front line, underpaid, undertrained, out of shape, and undervalued security officers!!! Let’s see, what else? Poorly designed, implemented, and managed asset protection technologies. Remember that people are still talking about nuisance alarms and signal noise. NUISANCE ALARMS and SIGNAL NOISE!!! What else? How many organizations have command and control facilities designed using ISO 11064? A more frequent question — still — is, “What is ISO 11064?”. What else? Seen a paper visitor log lately? My favorite call name is Abraham Lincoln. What else? Do you know anything about door hardware circumvention or RF card cloning? And, where do we stand with resistance to social engineering?

Most importantly, red teaming exercises test performance of controls during a very short time period without any possible guarantee of the same results next time — even if asset protection controls remain unchanged. Furthermore, improvement recommendations developed as a result of a red team exercise can only be meaningful if clients have the necessary human, operational, and technological resources for implementing them.

There is an easier and more meaningful way — building realistic threat scenarios based on overt observation of control / process performance. When we observe control performance we rely on behavioral psychology and use a bit of misdirection as well as a few very simple tools. Your actions should appear totally normal and obvious. All the while, you must think like a threat actor.

For example, imagine you’ve just parked your typical sedan in an open parking lot next to a bland building in a corporate office park. Your observation skills need to be turned on as soon as you exit your vehicle. What have you just learned? There is no physical protection layer between the public zone and the parking lot. Next, the walk to the main building entrance. See any people wearing their IDs as they are either arriving or leaving the site? If so, this is an opportunity for ID snatching. This also means employees are not trained well enough to take off their IDs whenever they’re outside the building. Another small detail may be the type of lanyard used for wearing IDs. It is very easy to tell how knowledgeable those responsible for asset protection measures at the facility are if the lanyards are unbreakable.

Another nuance is cleanliness of surveillance camera enclosures either in the parking lot or on the facade of the building which you’re approaching. Dirty enclosures tell a compelling story.

Moving closer, notice the type of doors and windows on the facade. What visibility of internal spaces can you gain while still outside the building? Are any windows or doors ajar?

You can see where I’m going with this. You can actually identify so many red flags before even setting foot inside the building that throwing a red team at the facility may be completely unnecessary.

Thanks very much for your attention.

Soar above mediocrity!

www.spherestate.com
