Shostack + Friends Blog


Red Teaming

Red Teaming by Bryce Hoffman is a thought-provoking read.

Red Teaming by Bryce Hoffman is a thought-provoking book for those in threat modeling, and worth reading for its descriptions of how red teaming fits into business. Hoffman went to the US Army’s Red Teaming school, which is about applying red teaming to concepts and plans, rather than the technical red teaming of breaking into a system. He’s since become a consultant, which brings me to the first major flaw that you’ll have to get past: He spends a lot of time telling you how important red teaming is, how his great consulting helps customers and the like. The second major flaw is that his first book was a hagiography of Alan Mulally, whose legacy is tainted by his time at Boeing, and Hoffman’s opinions of Mulally were distracting. This Red Teaming book was written before the 737 MCAS crisis or the 737-9 MAX crisis. Technical readers may be happier having skimmed or skipped the first two chapters.

The core of the book is a collection of tools for thinking critically, and getting groups to think critically, about what can go wrong with a plan. Those are intertwined with quite good advice about the interpersonal elements of effective red teaming in a business environment.

The tools are mostly collected from the US Army, the UK Ministry of Defence and others, and include Liberating Structures, String of Pearls analysis, SWOT, How Others See, and similar tools. One recurring theme is to have people write down their ideas before you start discussing. I’d heard about this technique recently and have started incorporating it into my training to good effect. It’s inexpensive and surprisingly powerful. You can see the Army’s list of 48 structures in the Table of Contents of The US Army Red Team Handbook. I think the Army’s list is longer than Hoffman’s.

The Army manual has a great list of techniques, and some helpful advice, and it’s also focused on how to use the techniques in a military setting. Hoffman adds value in organizing these into themes of how to start, the problem and the solution, questioning the unquestionable, thinking the unthinkable, and challenging everything (Chapters 4-8). Where Hoffman shines is the business integration of red teaming. He doesn’t just say “Don’t be a jerk,” but explains how red teaming often appeals to people who are critical and they end up acting like jerks, limiting their own effectiveness. He also discusses how “you don’t always have to be right, but you can’t always be wrong.”

Let me talk about the subtitle, “Transform your business by thinking like the enemy.” It’s a fine tagline, but it’s just not what the book teaches. When I look at the Army list (easier because of the nature of their Table of Contents), I see the following as trying to think like the enemy:

  1. 4 Ways of Seeing
  2. Cultural Perception Framework
  3. Devil’s Advocacy

Now, Hoffman adds, “Being your own worst enemy,” and notes “The U.S. Army simply calls this method Threat Emulation or simply Traditional Red Teaming.” He may have a couple of others along the way, but regardless it’s only one technique in ten. And I think this — unintentionally — makes a crucial point: we don’t have to think like the enemy to bring critical and even contrarian thinking to our analyses. There is a long list of tools that help us do so. (Depending on which edition you get, the subtitle may also be “How your business can conquer the competition by challenging everything.” The cover Amazon currently shows me is the “think like the enemy” version. Mr. Hoffman is lucky that his publisher is willing to re-cover the book several times.)

There’s a fairly deep set of similarities between red teaming and threat modeling. Each is frequently seen as an inborn skill, but turns out to be a set of skills that we can teach. Is there an aspect where temperament, perspective, cunning, or other innate qualities come in? Possibly! But much like threat modeling has STRIDE and kill chains, red teaming has its own structures that allow us to teach and scale the practices. Almost all of Hoffman’s advice on the business side of red teaming applies well to threat modeling, and so leaders responsible for threat modeling will get at least that out of it.

Relatedly, a few months ago, I wrote about the role of wargames in Adversarial Thinking and Wargames, and have a collection of links about adversaries in posts like Think Like SiegedSec (they go back further than the formal adversaries category).