Professional Documents
Culture Documents
1
Copyright 2009, Michael J. Skroch, Sandia Corporation, approved for unlimited release, SAND 2009-7215 J. This article was written for
publication on Red Team Journal, redteamjournal.com.
and manipulations of human staff. So, how particularly to a well-armed Special Forces
is a red team or set of red teams supposed red team member that has no problem with
to cover the broader ground of a defensive direct expression. With that exception
entity and emulate all likely attacks on their aside, this brings up a number of interesting
target system? Providing more time and questions for discussion: When and in what
more funding are not popular answers to ways is a simulation more useful than a live
this question. The only real answer is red team? How can simulations of red
effectiveness directed by a cost-benefit teaming be used in concert with live red
approach to how the red team will cover teams? How do you reliably decide which
possible aggressor actions. to choose? Are there situations where M&S
can replace a red team?
Why focus upon effectiveness? Because
use of adversarial perspective in design is One could probably answer quickly that
essential and the ground red teams must humans are good at doing what humans
cover is growing. System security is not can do (intuition, creativity, etc.) and
keeping pace with threats. Of equal computers are good at doing what
importance is the impracticality of staffing computers can do (complexity, crunch
and funding a sufficient number of red numbers). Where else have computers
teams to address the problems we now face done well and are mature in simulating red-
or we project into the future. blue interactions? Consider a few:
Effectiveness for red teams may come in Chess Economic models
many forms. A defined process or Video games Ecological models
approach can improve accuracy and
completeness of a red team. One that can Common features of all these include a
be trained to a broad set of individuals will well-defined environment in which the
allow a broader army of red teamers programmers and mathematicians have had
following that process. Technologies a long time to model the environment or
enable red teams with capabilities that didn't analyze the system. These examples also
exist or were previously impractical. Some consider systems that are innately simple or
process and technology enables those less can be reduced in complexity for simulation.
initiated to emulate those with more skill and Complex red team situations involving
experience. One relatively new and very physical, cyber, and behavior do not share
promising tool for red teaming effectiveness these features.
is modeling and simulation.
Close but not systems Red Teaming
M&S cannot do everything.
Both M&S and Red Teaming are broad
What can it do? domains. In order to narrow the focus of
In researching this topic, I've discussed this paper, I want to acknowledge but set
modeling and simulation OF red teams with aside fields that are topically near or overlap
red team members of various types. I often with the focus of this paper.
receive an immediate, almost guttural, A growing body of work involves research
push-back that M&S cannot replace a live and development of adversarial behavior
red team. Nobody wants to become modeling. A number of these involve
obsolete because they were replaced by a simulation for training. A good Red Team
machine or computer program. Yet, in this M&S system should benefit from this
case their assertions seem plausible. A live research and be a source of adversarial
red team has features that cannot currently stimulus for such training; however, I wish to
be matched or replaced by a computer focus on red teaming of systems. A
simulation. I would never advocate that a potential way to distinguish training
simulation can replace a red team, simulation from systems Red Teaming M&S
Modeling and Simulation of Red Teaming 2 November 2009 2
Part 1: Why Red Team M&S? SAND 2009-7215 J
is that the latter can operate without human focus on the embodied interaction of a
participation, that is, operate in a typical red team force upon a target.
constructive mode.
There is a centuries-long military history of
Defining Red Teaming M&S
force-on-force modeling and non-computer With these modeling and simulation topics
simulation (often called wargaming) for set aside for now, a high-level positive
tactics development and training that has definition of Red Teaming M&S will be
lead to the inevitable inclusion of computers useful for comparing available systems and
for this pursuit. Most of these efforts refining detailed requirements.
focused upon training in flight or on the
battlefield 2. Some recent research and Required
development level training systems that • Simulates force-on-force interplay
• Complex adaptive human behaviors
exist include DARWARS Ambush! Trainer 3,
• Simulates 3D physics, cyber, or both
the RealWorld 4 system from DARPA, and
• Includes constructive-only mode
Ground Truth 5 from Sandia. We will Optional
exclude such systems from consideration in • Includes virtual and live interplay
this paper. • Federates with other simulations
Another set of modeling and simulation • Embodied human/object behaviors
tools that I will exclude for this paper is that This working definition implies that the Red
which analyzes scenarios, but without some Team M&S will be able to constructively
level of adaptive human behavior. They simulate human interaction with physical
tend to evaluate system-on-system systems, cyber systems or both. Interplay
performance without respect to complex of physical-physical (e.g., explosion, bullet)
human interplay. Some may model human and physical-cyber (e.g., control systems,
decisions, attack graphs, or defensive physical destruct of information) would also
tactics without actually performing any be required in the simulation.
force-on-force interaction. All these tools 6
are more suited to M&S for Red Teaming Red Team Measures of Effectiveness
applications.
Yet another set of simulations I will exclude How are we to provide some objectivity to
is that that which models interactions of the use of Red Team M&S? Developing
Measures of Effectiveness (MOE) or a
thousands to millions of agents making
national or globally relevant decisions. framework for comparison is a good start.
Interplay is often economic-based and Consider that a number of simulations may
shows trends or effects from impacts to a be able to provide capability for force-on-
system of systems. An example of such a force simulation including OneSAF 8,
capability that often considers JSAF , STAGE , Simajin , Avert 12,
9 10 11
consequence-based analysis is the NISAC 7. Umbra 13, Dante 14. Other tools may also be
While certainly a potential M&S tool for Red useful for this purpose. I’ll explore some of
Teaming, these types of capabilities do not those in a future paper in this series—first
8
One Semi-Automated Forces (OneSAF),
2
For example, DARPA’s SIMNET and the Army’s Close Combat www.peostri.army.mil/PRODUCTS/ONESAF/
9
Team Trainer (CCTT).. Joint Semi-Automated Forces (JSAF), predecessor of OneSAF,
3
www.darwars.net, en.wikipedia.org/wiki/DARWARS/; Ambush www.jfcom.mil/about/fact_jsaf.html.
10
trainer from SNL, Elaine Raybourn. STAGE, AI.implant, etc., Presagis Inc., presagis.com.
4 11
DARPA DSO Office, www.totimm.com Simajin, RhinoCorps LTD, rhinocorps.com.
5 12
Ground Truth incident responder training game, Sandia National Automated Vulnerability Evaluation for Risks of Terrorism
Laboratories, Donna Djordjevich. (AVERT), ARES Corporation, www.arescorporation.com.
6 13
Examples include fault tree tools, path planning tools like Umbra Simulation Framework, Sandia National Laboratories,
ASSESS by Sandia. umbra.sandia.gov.
7 14
National Infrastructure Simulation and Analysis Center (NISCA), Dante scenario analysis simulation tool, Sandia National
Department of Homeland Security (DHS). Laboratories, umbra.sandia.gov.
Table 1: Postulated Measures of Effectiveness for Red Teams and Red Team M&S
18
Conflict Of Interest (COI)
19
Motivation & Intent (M&I)