An adversarial mindset is important to any security program, whether you are protecting a Fortune 500 company, critical infrastructure, a high-net-worth individual or yourself. We discussed some of the elements of adopting an adversarial mindset here: http://iprotectiveconcepts.com/4-steps-to-taking-the-adversarys-perspective-and-enhancing-your-security/.
I should emphasize at this point that I am mainly looking at protection against physical threats and not at the cyber domain. I point that out because red teaming often has a cyber connotation in some circles. Frankly, the cyber security community has been much quicker to embrace the adversarial mindset and the red teaming concept than its counterparts in the physical world have. The only digital aspect we will consider here is the use of OSINT (open source intelligence) gathered via Internet searches and similar sources.
There are a couple of different approaches you can use to implement this process; we will discuss two of them here. The first is full-on out-of-the-box thinking. In this scenario you are free to do anything: you plan your attack as creatively as you like, with no constraints. I once attended a vulnerability assessment class where the instructor encouraged complete free thought and consideration of the most outlandish scenarios.
The second approach is simulation of real-world attackers. In this method you look at the actual threat actors in your environment and study the tactics, techniques and procedures (TTPs) they use. These may vary greatly depending on your geographic location and the nature of what or whom you are protecting. In one place you may identify and model kidnap-for-ransom gangs, in another carjackers and armed robbers, and in a third home-grown violent extremists.
So, which is better? Is one better than the other?
The out-of-the-box approach is very liberating and allows us to consider threats coming from unconventional places or in unconventional ways. It means we may identify threats and threat vectors we wouldn't recognize using a more conventional simulation model. It is also much more difficult to harness and control. It typically demands a greater time commitment, and it may be harder to develop and prioritize effective mitigation measures, since an unconstrained scenario gives you no basis for estimating how likely it is. There is also a risk of devoting significant time and resources to combating a threat that is very low probability.
The simulation model has us study and emulate the threat actors in a given environment. If we know that terrorist group XYZ is active in a given location, we can gather intelligence on their tactics, techniques and procedures and have our red team replicate them. If we know they typically select a target in a given way, for example OSINT Internet search, physical reconnaissance, physical surveillance, elicitation, probes/dry runs and then attack, we can replicate those phases using the tactics they use for each. This lets us identify different vulnerabilities at each step of the way, and it tells us which step the defender would most plausibly have detected or disrupted the attack at. We can take an element of comfort in knowing that we are defending against a known and valid threat, and we can better focus our efforts and time. At the same time, we run the risk of overlooking a threat that falls outside the spectrum of threats modeled for that environment. The 1995 assassination of Israeli Prime Minister Yitzhak Rabin is perhaps a good example of this. The argument could be made that Rabin's protection team was focused on an attack on their principal coming from a Palestinian or other Arab faction. Rabin was assassinated by Yigal Amir, an Israeli Jewish student. The threat came from an unexpected place, one that they did not adequately anticipate.
A hybrid model?
So each approach has its pros and cons. Personally I favor the simulation model for the most part, although I do see the advantage in introducing out-of-the-box thinking periodically as well. One approach would be to conduct red teaming exercises on a regular basis, modeling real threat groups by using their tactics, and then occasionally introduce a least-likely scenario to test for the blind spots the simulation model builds in. Regardless of the exact model you use, applying the adversarial perspective when planning your countermeasures is a good practice to adopt.