I can’t sit here and pretend to have the experience necessary to give prescriptive advice on how to build and run a successful Red Team function at your organization. While I’ve been an early hire for two red team functions at two different organizations, it has not yet been my responsibility to ensure the success of the function. However, being involved early, I was able to see first hand multiple things that threatened the function. Additionally, I’ve been involved in the broader red teaming community for close to 10 years; I’ve seen many organizations grow their teams and I’ve seen their struggles.
Rather than give advice on how to run a successful red team, I want to take the late Charlie Munger’s advice, who in turn took the advice from noted mathematician Carl Jacobi – “invert, always invert.”
I cannot guarantee that you will run a successful team, but I can absolutely give you advice on how to fail. Should you choose to heed my advice, your red team will surely fail in stellar fashion.
Indoctrinate, Indoctrinate, Indoctrinate
At its core, a red team exists to challenge the assumptions of the organization it operates in. In order to maximize your chance of failure, you will want to make sure that your team is completely indoctrinated into the organization. It’s vital that they think like every other employee and attempt to approach every problem the same way anyone else in the organization would.
A red team that maintains fresh perspectives and approaches problems in novel, outside-the-box ways will struggle to fail as effectively as a team that successfully gets indoctrinated into their organization.
Measure Success via Velocity
I can’t think of a better way to discuss effectively failing than to discuss how to measure success. Measuring success as a red team is notoriously difficult; this makes it a great opportunity to guarantee you’ll fail. Among the measurements available, measuring success via the velocity of engagements is a wonderful way to create perverse incentives that will help you to minimize impact.
By focusing on how many red team engagements you can complete in a quarter, or in a year, you can focus on completing them quickly. By focusing on completing engagements quickly, you can make sure your team doesn’t have time to find anything interesting. It won’t work, but it’ll be fast.
Measure Success via Number of Vulnerabilities Found
An incredible way to ensure the failure of your red team is to measure their success via the number of vulnerabilities found. Treat the team as an additional penetration testing resource and focus on how many vulnerabilities they find. This approach can help you fail in two ways, which makes it super effective.
In the first way, your team can respond to the outward pressures of vulnerability count by focusing on identifying and reporting the highest number of vulnerabilities, without regard for impact to the organization. They will produce a remarkable number of vulnerabilities and exceed the quarterly metrics, time and time again. This will incentivize them towards the wrong behaviors, guaranteeing that they will fail as a red team.
In the second way, your team can ignore the outward pressure of vulnerability count and instead focus on telling high impact security stories, looking for disconnects between the realities of the organization and the mental models people hold about the organization. You will find high impact security weaknesses, but you will absolutely fail your quarterly metrics. Your message will be undercut by your consistently weak quarterly success metrics, and other teams will wonder why they should listen to you if you can’t even deliver on your own metrics.
Frequently Interrupt
Your team has developed quite a reputation over its lifetime for being very strong technical experts that can operate in uncertainty and deliver results. Your leadership has noticed, and they are excited to have such a strong team of experts that they can tap for whatever project fancies them. That tweet they saw about the latest vulnerability. The report they read about North Korean spies. Anything that fancies them, they can tap your excellent team to investigate.
You will curry favor with leadership, which may be helpful at times. You will also catastrophically fail to deliver on your team’s mission. Your engagements will be interrupted. Your timelines will slip. The context switching necessary to support this sort of “paratrooper” approach to security work will erode your team’s ability to deliver high impact work, and you will instead be relegated to the cyber equivalent of a bucket brigade, waiting around for the next fire to show up.
Develop an adversarial relationship with Legal
Real adversaries wouldn’t seek legal cover, so why should you? You have the technical expertise to perform any operation and ensure success. Your team is held to the utmost ethical standard; you simply won’t look at the data you don’t need. Except to find out if you need it. But that’s different, right?
Develop and maintain an adversarial relationship with your legal department to help guarantee your failure. They are just lawyers; they couldn’t possibly understand the details of your next operation anyway. Keep them in the dark for as long as possible, and when they are brought into the light, admit nothing, deny everything, and make counter accusations. If you spend most of your time fighting with legal, you will become a huge liability for your organization and may well be promoted to customer in the near future.
Develop an adversarial relationship with Incident Response
In a similar spirit, developing and maintaining an adversarial relationship with your incident response team will help maximize the chances of your team’s failure. Throw those findings over the wall. Forgo any thought of how your actions as an attacker could show up for defenders. Again, admit nothing, deny everything, and make counter accusations. Schedule and complete your engagements with such speed that you barrage incident response with work. Trigger those on-calls, get them working long nights and weekends. Tell yourself it’s just helping make sure they are well practiced. So long as your team maintains a hostile relationship with incident response, your chances of failure remain high.
Emphasize technical superiority
If you’d like your red team to fail to deliver value and impact to the organization, emphasize the development and maintenance of technical superiority among the team. Focus on it while hiring, and focus on it throughout the year in the form of professional development. Cast aside those silly notions of using whichever skill is appropriate to the task; achieve and assert dominance through your sheer technical superiority, and watch how your team shall fail.
Prioritize Checklists
Red teaming flourishes when the practitioner is given room to think creatively and laterally. To ensure you do not allow a chance for this type of thinking to take place, take great care to heavily structure the workload of your red team. If every engagement is run from the same checklist, you can guarantee that the checklist will be checked very thoroughly, while everything else will remain under-examined.