How 9/11 Pushed the Adoption and Evolution of Red Teaming

The September 11 terror attack on the United States is a bitter part of American history, but it is one tragic event that imparted important lessons on security—including cybersecurity. Not many may know that the attack on the World Trade Center and the Pentagon 20 years ago helped give rise to the concept of red teaming.

Bryce Hoffman, the author of the book Red Teaming, connects the government’s response to the attack with the adversarial approach of rigorously testing plans, policies, and systems for their soundness. “It sparked the creation of a revolutionary new methodology for making critical and contrarian thinking part of the planning and decision-making process at both the CIA and in the U.S. Army,” Hoffman explains.

Hoffman suggests that red teaming was possibly born when CIA Director George Tenet activated the group referred to as “Red Cell.” This group was set up to use critical and contrarian thinking tools to challenge the CIA’s ideas and assumptions. Although no records of the Red Cell’s output have been officially made public, it is credited with foiling several major terrorist attacks.

An adversarial perspective

Red teaming is complementary to blue teaming, the work of the (usually) internal cybersecurity team of an organization responsible for establishing, troubleshooting, tweaking, and strengthening cyber defenses. In some cases, red teaming is done through a continuous automated red teaming (CART) solution designed to help blue teams concentrate on the specific vulnerabilities and risk exposures that have the greatest impact on an organization or the highest likelihood of being penetrated.

Essentially, red teaming introduces the perspective of a cyber attacker or bad actor into the assessment of an organization’s security posture. Operating independently, the red team attempts to break, bypass, or trick its way past security controls. Typically, the red team does not coordinate or collaborate with the blue team, in order to simulate the real-world cyber threat landscape.

However, when organizations use automated red teaming tools or platforms, the red team effectively becomes a tool for the blue team. How is this so? Red teaming tools are operated and overseen by the blue team. The blue team does not necessarily control the strategy and actions carried out by the red teaming tool (so that the tool keeps some degree of independence), but it does have access to the tool’s interface and to the security data and analyses it generates.

In other words, the blue team gains an adversarial perspective through a mostly independent tool that thoroughly scrutinizes the efficacy of the security controls they have put in place. This is similar to how organizations adopt the MITRE ATT&CK framework. This regularly updated, globally accessible resource for adversarial tactics and techniques helps organizations detect, mitigate, and prevent cyber-attacks by providing the latest threat intelligence and matrices of cyberattack activity and mitigation options as observed in the real world.

Red Team Thinking

As the cybersecurity application of red teaming demonstrates, the idea evolved to become useful in different disciplines. It is worth noting that this evolution did not happen only recently. As Hoffman discussed in his book, within the first few years of red teaming’s inception in the military, improvements were already being introduced because they were deemed essential for addressing new concerns.

“Since [the book’s] publication, my team and I have continued to evolve these applied critical thinking tools and groupthink mitigation techniques. It did not take long for us to discover some of the shortcomings of the Army’s formal red teaming process–challenges that limited its applicability and made it difficult to spread throughout organizations,” Hoffman wrote in a recent article on Forbes.

Nevertheless, the author of Red Teaming argues that “the core principles of red teaming have proven more valuable than ever.” He and his team eventually developed Red Team Thinking, an approach to red teaming that is characterized as “lighter and more ad-hoc.” It makes use of several of the tools employed by red teams while introducing new ones that capitalize on applied critical thinking.

Hoffman says that a number of giant companies in the United States are already employing this improved approach to red teaming. Examples of these are JPMorgan, Verizon, and Kimberly-Clark. Government agencies including the National Park Service, the United States Forest Service, and notably the Centers for Disease Control and Prevention are also taking advantage of Red Team Thinking to address many of the pressing concerns they have encountered.

9/11 and red teaming 20 years later

The commemoration of two decades since the infamous terror attack on the United States has prompted many in the cybersecurity and allied communities to share their thoughts about the impact of the Osama bin Laden-led attack on cyberspace.

In a webcast, former Chief Strategy Officer for Cyber Policy (Pentagon) Jonathan Reiber discussed the idea of threat-informed defense, which brings together the best of both red and blue teams in an enhanced approach known as purple teaming. Reiber is convinced that the cybersecurity community is already moving away from a fortress-fixated approach of maintaining network defense into something that also pays attention to threat intelligence and the perspective of cyber attackers.

The United States Government is also cognizant of how the present cyber threats resemble the situation before the September 11 attack. A bipartisan panel in the US House heard from national security experts that the current state of US cybersecurity is comparable to the vulnerable state of the country that partly made it possible for the terror attack to happen.

“The cyber landscape to me looks a lot like the counterterrorism landscape did before 9/11,” said historian-journalist Garrett Graff at the Homeland Security Committee hearing.

New York Representative John Katko, a Cybersecurity and Infrastructure Security Agency (CISA) advocate, expressed his belief that not enough is being done to address the country’s cybersecurity situation.

Before the current threat landscape worsens, it is clear that the cybersecurity status of everyone needs to improve. Embracing the idea of red teaming is a good start. The recent discussions at the intersection of the 9/11 terror attack and cybersecurity point to the need for greater threat awareness, an openness to alternative perspectives, and the courage to challenge groupthink and conventional knowledge and mindsets.

Greenlighting red teaming

The 9/11 attack showed how even the government of the world’s most powerful nation can succumb to attacks as if it had never prepared for them. The failure to challenge the US military’s own assumptions, and perhaps excessive confidence in its capabilities, helped create a vulnerability that bad actors were quick to exploit.

Organizations are now increasingly using red teaming to bolster their security posture. As New York Daily News columnist Michael Balboni declares, “today’s terrorists need an internet connection, not an airplane.” The biggest threats to businesses and human lives have been moving online and everyone needs ample protection. This protection is better achieved with effective security testing strategies, particularly red teaming, which also plays an important role in another advanced security validation approach: purple teaming.

BALAJI is an ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity, and Editor-in-Chief and Co-Founder of Cyber Security News and GBHackers On Security.