It would be easiest to explain what red teaming is by demonstrating what it aims to avoid—inefficiency and misuse of precious security resources. We all know that efficiency is one of the goals and chief components of any given security organization's mission statement. But how do we assess efficiency? The following story gives us a clue:
One night, a person was seen thoroughly searching the pavement underneath a large street light. “What are you doing, sir?” asked a citizen, unable to restrain his curiosity.
“I'm looking for my keys,” the man replied.
“Let me help you,” the citizen offered, searching the ground. “How did you lose them here?”
Loosening his collar, the man muttered, “Well, I didn't lose them here. I lost them two miles back—by that dark parking lot.”
The citizen looked at him with brows arched. “So, why are we searching for them here instead of there?”
The man grinned and replied, “Because here we have light.”
The moral of the story is this: when an organization tends to do what is more convenient rather than what is more effective, its targets will more likely be missed. In order to do the right thing and not merely the easier thing, a different approach should be adopted. How are we to best determine the correct approach? When it comes to security and terrorist threat mitigation, it takes a thief to catch a thief. That is the red team philosophy.
Adopted from the Cold War era when NATO forces were trained against a tangible enemy, i.e. the Soviet Union (the Reds), red teaming became a way of using enemy characteristics and tactics to enable realistic war-game scenarios. Though the Cold War is now history, use of the term has remained for assuming the profile of any opposing side, whoever that might be.
Learning the methods by which terrorists act increases the chance of intercepting an attack and mitigating it prior to execution. Accomplishing this requires assuming the terrorists' profile and examining a potential target's environment. This includes using a terrorist's perspective in assessing technical systems, security loopholes, and operational processes, providing a snapshot of an environment's vulnerability. However, such assessments are only valid if based in reality. Sci-fi scenarios, while good for novels, are of little value in real environments and situations.
To achieve the most realistic and impartial assessment, it is best to use red team operatives who are detached from the security staff and daily protocol of the target environment. This allows operatives to determine whether the keys are being searched for underneath the light or in the place where they were lost, a judgment that is difficult and politically sensitive for existing personnel to make.
The operative's most important task is to explore what might deter, disturb, or defeat a terrorist plan and provide the security force with details of the potential threat. It is this knowledge that can assist security in turning a soft target into a hardened environment through the construction of a useful mitigation strategy.
Contrary to popular belief, terrorists are not crazed people. Their acts are calculated, sophisticated, and most of all—well planned. Nobody wakes up one morning and decides to conduct a bombing on a whim. Therefore, such acts require extensive preparation, not unlike a military operation.
The key to integrating a successful red team program lies in the emulation of the terrorist attack process, from the marking of the target to the getaway after the execution. Within this, it is important for the red team to assess each step for ease and viability, including:
1. Target identification
2. Intelligence acquisition (e.g., open source and social engineering)
3. Target surveillance to confirm or refute intelligence
4. Assessment of target attack plan
5. Assessment of resource and tooling acquisition
6. Rehearsal or training of the attack, including traveling to an unfamiliar environment and blending in with the target's surroundings
7. The execution and its desired impact
8. Planning and testing the escape routes
Regardless of the type of attack, terrorists usually take in excess of a year to plan the above steps. In most cases, the execution is the shortest stage of the mission, lasting from split seconds for the detonation of a bomb to a few hours for a hijacking or sabotage.
This said, it is the tooling and execution phases where conventional criminal justice rules and technology are usually applied, as they are the first instances where means and intentions come together (probable cause). In most cases, by the time explosives, arms, or other means are introduced, it is already too late for law enforcement to prevent an attack.
Clearly, most attack plans, and by extension red team scenarios, would avoid any contact with law enforcement and security. In fact, the optimal attack is the one with the fewest obstacles. Using this rule as a guide will help focus search and deterrent energies and determine where mitigation procedures and personnel (undercover when possible) should be deployed.
Red team assessments should serve as the starting point for implementing new or refining existing security practices. As practices are refined, additional red teaming evaluations should be utilized to continue this process and to address new threats or methodologies. Red teaming should be an ongoing process, with fresh eyes brought to bear on each evaluation (new eyes, new creative solutions). It won't automatically help us to find the lost keys, but it will help us to shed light on areas where we should be looking.
Tomer Benito