
RED TEAM JOURNAL

occasional paper

OP 01

Jul 2010

Adaptive Red Teaming: Protecting Across the Spectrum

by John P. Sullivan and Adam Elkus

RED TEAMING is an approach to understanding threats and adversaries. Initially developed to gain insight into physical vulnerabilities (that is, penetration testing of specific target venues), it has been expanded to include a range of techniques and methodologies for understanding adversaries, capabilities, intentions, and potential attack vectors, including tactics, techniques, and procedures (TTPs). Red teaming is one approach to combat what Thomas Schelling called the "poverty of expectations" where "the danger is not that we shall read the signals and indicators with too little skill; the danger is in a poverty of expectations - a routine obsession with a few dangers that may be familiar rather than likely."1

Adaptive red teaming involves an iterative range of analytical and physical approaches to understanding an adversary. These approaches are valuable tools for counterterrorism, counterinsurgency, and counter-violence approaches and are used by military, police, and critical infrastructure protection professionals. This essay reviews the concept of adaptive red teaming and discusses some of the analytical red teaming tools available for intelligence assessments and operational planning.

Analytic red teaming is essentially an approach to getting inside the mindset of the terrorist or opposing force (OPFOR) group. Ideally, the result would be "enhanced understanding of the group's particular driving factors - strategic goals, leadership and decision-making dynamics and processes, operational capabilities and rationales, organizational dynamics and behaviors, adaptive capacities, etc. - and their corollary and derivative operations."2 According to Demarce and Sullivan, "Overall, the key to such a red teaming approach is to identify and understand the prevailing and driving factors and dynamics animating the particular group and its operations."3 Analytical red teaming will develop a "Group Strategic Threat and Modus Operandi Profile Analytical Framework" that contributes to

A deeper understanding of each group's unique mindset (ideology, strategic agenda, leadership) and operational behaviors (operational capabilities, modus operandi, targeting preferences) can enable a more precise and advantageous assessment of not simply what the group is capable of attacking, but what the group wants/intends to attack, as well as how the group is likely to conduct operations.4

John P. Sullivan is a senior research fellow at the Center for Advanced Studies on Terrorism (CAST) and a lieutenant with the Los Angeles Sheriff's Dept. Adam Elkus is a widely published analyst specializing in foreign policy and security. He is currently associate editor at RED TEAM JOURNAL.

A Wider Threat Spectrum

Islamist terrorism occupies a lot of attention in military, intelligence, and law enforcement circles. This is understandable due to its highly destructive and fanatical nature. However, there is a wider threat spectrum. A generation ago, terrorist groups were generally left-inspired, and the idea that religious terrorism would be the paramount threat to public order would be ridiculed. Today, there are many other physical attack threats to public order than simply Islamist terrorism. A variety of groups have grievances that can translate into violence against both public and private entities. In America, for example, animal rights groups have targeted science labs. In Europe, deepening economic crises have provoked violence against financial targets.

Public and private entities manage risk through a combination of assessment, protective measures, and strategic shifts in policy. Good doctrine, security policy, and simple prudence can be useful in dealing with both a "black bloc" violent anarchist threat in a dignitary protection mission and the threat of al-Qaeda attack on a high-value target. Adaptive red teaming, however, is a crucial element of any protective plan. Red teaming tests and challenges existing security paradigms, and analytical red teaming can discover vulnerabilities in the way we conceptualize the security problem and point out new possibilities.5

Our purpose is to introduce or reintroduce concepts that can be employed in an analytic red teaming process: the "kill chain," order of battle analysis, and the emerging Army military methodology known as "Design." This is not an article detailing standard red team methodology, which is well covered elsewhere in the red team literature. Rather, we look at some new or old elements from other sources that can be incorporated into established structured red teaming processes in both government and private sector settings.

Kill Chains

The first concept we look at is the "kill chain." Experience has shown that a variety of opposing force groups and organization types exist. We have looked at this concept in the context of the Mumbai attack in our piece on police operational art.6 The kind of loose, emergent structure demonstrated in the Seattle "netwar" is a part of the problem, as is the more traditional one-off "cell" type group of urban radicals, the "lone wolf," as well as multiple individuals and groups linked together in space and time.

A major debate is currently underway in terrorism and conflict studies about command and control (C2) concepts in decentralized groups. The dispute between Marc Sageman's "Leaderless Jihad" thesis and the more traditional centralized concept of Bruce Hoffman's thesis is one example of this, as is Dima Adamsky's more recent study on the possibility of jihadi operational art.7 Further, research has recently been published in the scientific journal Nature proposing a mathematical theory of decentralized insurgency and terrorism.8

As an analytical device, the kill chain can be generalized across the spectrum. As noted previously, the basic kill chain model is the process of assembling weapons and personnel in place, conducting reconnaissance and dry runs, and then carrying out the act itself. It can be likened to the slow building of a weapon and its eventual employment. The vulnerability envelope of the OPFOR increases as it grows closer to the assembling of the weapon and its employment on the field. This is a basic factor common to all adversary types and concepts of operation (CONOP). The kill chain is an analog of a decision tree and contains branches and sequels for each of its tasks and subtasks. Each of these contains transactions and signatures that can be anticipated, with the resulting patterns of data - essentially trends and potentials - contributing to the formulation of hypotheses for testing OPFOR capabilities and intentions. To illustrate, we can take a sample scenario of a black bloc CONOP.


Black bloc (anarchist) groups - per their philosophy, their loose organizational links, and their general lack of patrons and resources - tend to operate in an emergent manner. While all human organizations are interactively complex systems, some groups tend to be more interactively complex than others.9 They cooperate, trading on the charisma of a leader or an amorphous common aim, however, to accomplish set tactical tasks. Their disorganization may impede the creation of a common strategy, but it can be helpful in frustrating a linear defense. This was famously seen in the "Battle of Seattle" in 1999.

For example, in a plot to inflict mass property damage and even some injuries and deaths during a trade convention, a kill chain could still be modeled as the assemblage of personnel and weapons through the buildup of critical mass in the period preceding the convention. Indications and warnings could be culled through a combination of both open- and closed-source data. Open-source research and investigations could be employed to constantly probe at signs of communication and open-source collaboration to effect an attack.

Incorporated into the overall red team process, knowledge of the kill chain can also be used to test assumptions beyond the indicators of a forming attack. It also can be used to explore vulnerabilities in defenses with different kinds of adversary C2 combinations. Utilizing different models of centralized, decentralized, and "mixed" network groups, the kill chain concept can explore possibilities for OPFOR strike.
The Order of Battle

This brings us to our next concept: order of battle (ORBAT or OOB) analysis. In conventional military affairs, an ORBAT displays the enemy's organization and disposition. Anyone familiar with military history or professional or recreational wargaming may recall the sets of boxes, checks, and arrows denoting different types of units, equipment, and axes of advance. Using ORBATs, military intelligence specialists create analytical pictures of OPFOR units (cells or nodes) and use the picture to try to predict the behavior of these units. In a civil or homeland security context, utilizing ORBATs derived from historical, open-source, and covert intelligence data can help an analyst or decision maker mentally visualize the enemy and the enemy's attack concepts. In 2005, in Networks, Terrorism and Global Insurgency, Lisa J. Campbell adapted such a methodology for doing so.10

In red teaming, ORBAT analysis can be used to give teeth to analysis of the kill chain. In much the same way that a military intelligence officer would look at the ORBAT of a Soviet army, ORBAT analysis by either government or commercial analytical teams can help model adversary attributes and behavior. This can aid in analyzing raw intelligence data, creating future operations studies, or conducting a red team threat and/or vulnerability analysis of a given tactical scenario.

One way an ORBAT can be visualized in real team red teaming is through free-play tactical decision-making games (TDGs). Many wargame scenarios are overly structured and do not provide a realistic training environment. TDGs, pioneered and advocated by former Army major Donald Vandergriff, are tactical scenarios that test adaptation in difficult situations. In the spirit of equality, there is no one "right" decision to solve a tactical problem. Rather, each participant evaluates and critiques (in a respectful manner) the others' approaches, and the coordinator culls larger lessons from the exercises.

Additionally, free-play games employing a mirror-image OPFOR have been a staple of the Army's National Training Center (NTC), where countless units have gone up against the fictional "Krasnovians" - highly skilled maneuver specialists playing Soviet-bloc and Third World opponents. Mirror-image training is already a part of standard red teaming, but free-play games with teams devoted to playing terrorists can also be used to test readiness and play out adversary tactical concepts. ORBATs can flesh out these exercises by providing concrete scenarios for TDGs as well as composite, well-structured opponents for red teamers to play in competitive gaming. This, unlike the standard penetration exercise, is an interactive game that provides greater opportunities for learning.


Design

Lastly, the emerging Army methodology of "Design" provides some food for thought. Design is a method pioneered by the School of Advanced Military Studies (SAMS) to frame a problem creatively prior to solving it. The Army concept of Design notes that a good deal of mistakes have been made by a failure to come to a "good enough" conceptual frame of an operational problem prior to beginning more reductive planning and assessment.11

A Design methodology consists of framing the operational environment (the context in which the design is applied), framing the problem (that is, the situation that the use of power will solve), and an operational approach to push the problem toward a satisfactory solution. The process is simultaneously separate conceptually from planning but also continuous within it, similar to the concepts of the operational idea, the commander's estimate of the situation, and the running estimate of the situation.12 While controversial, the Design methodology may have some utility to the civil/homeland security context of red teaming.

The analytical process by which Design sorts through "wicked" or "ill-structured" problems (interactively complex problems with no stopping rule, no one "right" answer or definition, and other such attributes) through commander-led dialogue and collaboration (sometimes with outside experts) is similar to concepts of analytical red teaming. While it may not be of use in immediate tactical situations, it can be of use in challenging conceptual assumptions in a more long-term issue such as risk analysis and risk management. (We have recommended the use of the modified intelligence preparation of the battlespace variant intelligence preparation for operations [IPO]13 course of action analysis function.) Design's emphasis on problems with "no stopping rule" is particularly pertinent to terrorism issues. The German Red Army faction, while organizationally decrepit by the end of the 1970s, still carried out killings and hits for a long time afterwards. The Irish Republican Army (IRA)'s decline was only a prelude to the even more violent Provisional Irish Republican Army (PIRA). A view gaining consensus within the terrorism studies community is that al-Qaeda's end is likely to be far more messy and inconclusive than a decisive victory.14 Since terrorism is a problem that requires risk management, the employment of Design may enhance not only structured red teaming and wargames but also support planning for defensive measures by public and private groups.


Conclusion

Red teaming extends beyond physical vulnerability analysis by red cell penetration. By employing both old and new red teaming methodologies in a structured yet creative process, public and private entities can help diagnose threats, vulnerability and risk, and point the way toward a better means of providing security and addressing emerging threats. Adaptive and analytical red teaming are valuable components of the toolbox that enable the ability to identify not only vulnerabilities but also patterns of behavior that could culminate in a terrorist attack. These can potentially be leveraged in order to refine support to prevention and deterrence activities. Integrating the tools discussed in this paper into red teaming efforts and counterterrorism intelligence is one way of enhancing our understanding of emerging terrorist threats, anticipating threats to provide indications and warning, and ensuring an effective operational planning process that enables nimble and adaptive response to the threat envelope that contains the range of potential threats that may be encountered.

Notes

1 Thomas Schelling, quoted in Mary McCarthy, "The National Warning System: Striving for an Elusive Goal," Defense Intelligence Journal, vol. 3, no. 1 (Spring 1994): 13.

2 Andre Demarce and John P. Sullivan, "Developing a Group Strategic Threat and Modus Operandi Profile Analytical Framework," paper presented to Panel on Intelligence and Operational Issues for Counterterrorism and Counterinsurgency, International Studies Association, 2006 ISA Annual Conference, San Diego, CA, 24 March 2006.

3 ibid.

4 ibid.

5 For an introduction to the concept of red teaming, see Col. Timothy G. Malone and Maj. Reagan E. Schaupp, "The Red Team: Forging a Well-Received Contingency Plan," Aerospace Power Journal, Summer 2002.

6 See John P. Sullivan and Adam Elkus, "Preventing Another Mumbai: Building a Police Operational Art," West Point Combating Terrorism Center Sentinel, June 2009, pp. 4-7.

7 Marc Sageman and Bruce Hoffman, "Does Osama Still Call the Shots? Debating Containment of al-Qaeda's Leadership," Foreign Affairs, July/August 2008, pp. 163-166 and Dima Adamsky, "Jihadi Operational Art: The Coming Wave of Jihadi Strategic Studies," Studies in Conflict & Terrorism, Vol. 33, no. 1, 2010, pp. 1-19.

8 See Juan Camilo Bohorquez, Sean Gourley, Alexander R. Dixon, Michael Spagat, and Neil F. Johnson, "Common Ecology Quantifies Human Insurgency," Nature, 462, 911-914 (17 December 2009), doi:10.1038/nature08631.

9 For an application of this to policy practice, see Jeremiah S. Pam, "The Paradox of Complexity: Embracing Its Contribution to Situational Understanding, Resisting Its Temptation in Strategy and Operational Plans," in Christopher M. Schnaubelt (ed.), Complex Operations: NATO at War and On the Margins of War, Rome: NATO Defense College Forum, forthcoming, 2010, p. 3.

10 See Lisa J. Campbell, "Applying Order of Battle Analysis to al-Qaeda Operations," in Robert Bunker (ed.), Networks, Terrorism, and Global Insurgency, London: Routledge, 2005, pp. 129-146.

11 Department of the Army, Field Manual 5-0, The Operations Process, 2010, p. 3-1.

12 FM 5-0, p. 3-7.

13 See John P. Sullivan, Hal Kempfer, and Jamison Jo Medby, "Understanding Consequences in Urban Operations: Intelligence Preparation for Operations," INTSUM Magazine, Marine Corps Intelligence Association, Vol XV, Issue 5, Summer 2005, pp. 11-19 for an in-depth discussion of IPO.

14 See Audrey Kurth Cronin, How Terrorism Ends: Understanding the Decline and Demise of Terrorism Campaigns, Princeton: Princeton University, 2009.

About RED TEAM JOURNAL

The RED TEAM JOURNAL Web site (www.redteamjournal.com) was launched in 1997 to further the practice of red teaming and alternative analysis. The current iteration of the site is designed to help analysts and decision makers improve their ability to generate effective national security and business strategies.
