10 Red Teaming Lessons Learned Over 20 Years

I've written a few popular blog posts over at OODA Loop. Here is one I did on red teaming lessons learned.

"I often get asked what lessons I’ve learned over the past twenty years, so I started putting together this list of 10 lessons learned over 20 years of red teaming a few years ago. Given that I’ve officially hit the twenty year mark, I figured it was time to hit the publish button. While many of these feel like concepts, vice lessons learned, I hope the reader finds them thought provoking as they formulate and execute red teams of their own. As always, feedback and comments are welcome. This article is also posted at Red Team Journal if you’d like to discuss it there."

Source: OODA Loop - 10 Red Teaming Lessons Learned Over 20 Years

Virtual Reality paper from 1993

Before Neo awakened to the existence of the Matrix and before Mark Zuckerberg donned his first Oculus Rift VR goggles, I was writing about the relationship between immersive virtual reality, philosophy, and human behavior (adopting a position of do no harm). I've mentioned this essay several times over the past couple of decades and finally located a copy to preserve here for easy linking. I don't recall what the title was and it wasn't captured in my Word Perfect file with this text, nor was the bibliography for the paper.

The world is your exercise book,

the pages on which you do your sums.

It is not reality,

although you can express reality there if you wish.

You are also free to write nonsense,

or lies,

or to tear the pages.

-Richard Bach

There is a new concept floating around the computer industry these days, appropriately dubbed 'virtual reality'. Virtual reality entails the creation of a simulated environment on a computer system, which the human subject is allowed to experience through the use of special equipment such as body-sensory suits and 3D goggles. Though the virtual world exists as bits of information stored on the internal memory of a computer, to the person experiencing it, it is very realistic. Even though our power to create virtual reality worlds is somewhat limited at the present time, technological trends would indicate that it may not be long before virtual reality scenarios become indistinguishable from real life situations. Tony Deveaux explains:

“Virtual reality can be realistic or artificial, creating environments that could not otherwise exist, painting our wildest fantasies, or it can transpose reality into another scalable dimension, for example, simulating a human heart as big as a house, or conjuring a room-sized solar system...In these conceptualizations, you may not be able to tell a computer-generated hallucination from flesh and blood reality.”

Imagine having the power to create your own world, playing the role of the divine artist. It would be like being able to control the subject matter of your dreams. Now imagine that technology advances so much that the ultimate virtual reality machine is created. This machine would allow you to design a virtual world that incorporated all five senses, a full range of emotions, and objects to interact with. Some of these objects would be simple variables. You may create an object called a rose, which starts as a simple seed and over a projected amount of time grows into a beautiful flower, only to fade away again. You might design characters to interact with, and ultimately you would be able to connect your friends to share your virtual experiences with you.

Imagine the great adventures you would have, and the scenarios you could create, from Stephen King like horrors to Harlequin romances. Now imagine that a drug is developed that when taken in coordination with your virtual reality machine, allows you to forget you are engaged in an virtual reality experience. Imagine if once you started the program, this drug was injected into your body, and you forgot that a reality exists outside the machine.

You would perceive your virtual world as if it were real, forgetting that it is simple a world created by you, and that every variable is under your control.

This type of experience is exactly what Hindu philosophers say you are experiencing right now, and is the type of experience Richard Bach describes in the book Illusions. By using this analogy we can examine the nature of the ultimate reality, or Brahman as argued by the Vendatic philosopher Shankara. Shankara acknowledges that the empirical world, is an illusory experience of the ultimate reality, Brahman. Shankara argues that even though the objects of the empirical world appear real, they are simply illusions, shadowing the ultimate reality. Here we might substitute the empirical world with the virtual world we created above, and continue our examination of Brahman.

The person experiencing the virtual world actually believes they are experiencing reality. The drug that they take allows them to forget the ultimate reality, thus what they perceive in the virtual world is taken for the ultimate reality. The subject actually believes that they are seeing the true nature of the Brahman. As Shankara explains, they are ignorant to the true nature of the Brahman. What they are experiencing as reality is actually just electrical pulses within a machine that will cease to exist at the touch of a button. It appears to be real, just as Shankara's world of illusions appears to be real, just a dream appears to be real, but it is not. You are existing in a virtual world, dwelling on the electrical pulses of cyberspace. The ultimate reality, or Brahman is the world you wake up to.

Out of this ultimate reality you created a virtual reality. Once you wake up, you remember all that happened during your virtual experience was created out of a necessity to gain knowledge. Your virtual world is educational, programmed to repeat over and over until the final lesson is learned, until you achieve enlightenment.

According to Shankara, your enlightenment consists of simply overcoming the ignorance that allows you to believe the virtual reality is the ultimate reality.

In order to gain enlightenment you must realize that you created the virtual reality, that you have the power to manipulate it, that you are the ultimate reality. Tat Tvam Asi! With enlightenment comes the ability to manipulate the virtual world.

You might turn water into wine, walk on water or as Richard Bach describes in his tale of the reluctant messiah, you might chose to swim in the earth.

“He walked to the shore easily as walking on a painted lake. But when his feet touched the ground, the sand and grass at the edge, he began to sink, until with a few slow steps he was up to his shoulders in earth and grass. It was as though the pond had suddenly become an island, and the land about had turned to sea. He swam for a moment in the pasture, splashing it about him in dark loam drops, the floated on top of it, then rose and suddenly walked on it. It was suddenly miraculous to see a man walking on the ground!” (Bach pg 124)

You are also free to terminate the virtual world, or you may remain within it, a master it of instead of slave to it. You may chose to stay and help the people around you overcome their ignorance. Once again I turn to Richard Bach.

“Learning is finding out what you already know. Doing is demonstrating that you know it. Teaching is reminding others that they know just as well as you. You are all learners, doers, teachers.”

It would appear a beautiful process, but certain moral questions arise. For example, what value do you place on the virtual characters of your world? If they are not true reality, then it would appear that you could harm them without remorse. Or do these virtual characters have some value in relation to the ultimate reality? If you argue that the characters of the virtual world hold no value since they are not real, then you will have no difficulty with Krishna's teaching to Arjuna in the Bhagavad Gita that instructs him to kill without regret.

However, I would argue that we indeed do harm by hurting the virtual characters of our virtual reality. The virtual characters are indeed connected to the ultimate reality. To destroy these characters would be equivalent of depriving one of knowledge, stopping the lesson half way through, delaying the enlightenment process. Though it does no physical damage to the ultimate reality, the underlying motive is negative in its very existence. The underlying motive is to do harm, and this trait, along with those of greed, anger, hate, intolerance, and many others of similar nature are not traits I wish to associate with the ultimate reality. I would hope that in moving from the virtual reality to the ultimate reality, such traits evaporate into insignificance. However, I may be wrong.

One can smoothly re-substitute the empirical world for the virtual world. Might the empirical world be as illusory as the virtual world? Shankara and Richard Bach say yes. In that case, our enlightenment in this world is simply overcoming our ignorance that allows us to treat this world as the ultimate reality. We must remember that we are in charge and that the tools to program the world are at our fingertips. It is this realization that Hindu philosophers struggle to achieve. They desire to know the true nature of the ultimate reality, to overcome their ignorance and achieve enlightenment.

What Dan taught me

danOver 20 years ago, I was an unknown graduate student at the University of Vermont with an unpopular research idea.

I was convinced that our increasing dependence on inherently vulnerable critical infrastructure presented an emerging national security issue.

Few others were similarly convinced.

Then I somehow caught the attention of Dan Kuehl at the National Defense University and on a trip to Washington DC he invited me to visit his office. I ended up spending the entire afternoon with Dan who entertained all of my questions, walked me through the halls of NDU, introduced me to all his colleagues, and bought me lunch.

The most critical thing Dan did was encourage me to keep going with my research. Little did I know at the time, but Dan was privy to a classified dialogue at the Department of Defense surrounding DOD Directive TS3600.1 which was raising many of the same issues I was focusing on. Given I didn't have a clearance, he couldn't share the news with me, but instead stacked me up with papers on C3I and other relevant materials. You are on to something he told me. Keep going...

As the story goes I did keep going. My thesis topic rejection was eventually reversed and I published my thesis entitled "National Security in the Information Age". Dan was one of the most prolific distributors of my thesis. Copies wound up in the hands of officers going through his program, DOD leadership, local think tanks, and contractors. Dan even forwarded my thesis to one of the gentlemen that would eventually give me my first job.

When I moved to DC, Dan and I became friends. He continued to introduce me to his network and I started to occasionally lecture to his students at NDU. In 1996 he awarded myself and two colleagues the prestigious Sun Tzu research award for our paper "Information Terrorism: Can You Trust Your Toaster?". As recently as the past year, Dan was still cracking Internet of Things toaster jokes.

Over the past 20 years we've continued to see each other a few times per year. Every time I see Dan, his enthusiasm and energy puts a smile on my face. He is a friend I am always happy to see, even after the 500th time I heard him say "well, I'm a historian, but..."

Following Dan's lead, I've always taken the time to meet with students or folks early in their career to offer advice, encouragement, and even recommendations for employment. It has had a pay it forward butterfly effect that has resulted in hundreds of meetings over the past twenty years and continues to shape the world in important ways. Perhaps I would have taken the time out of my schedule for those meetings regardless, but I like to think it is what Dan taught me.

Virtual Tradecraft Paper outline from 2006

Capturing this here for posterity. A friend in the intelligence community got me interested in Second Life which lead to putting together some thoughts on the intelligence implications of virtual worlds. We were talking about this seven years ago...

Virtual Tradecraft 2006

Kill with a borrowed sword - An Origins Story

If you've seen me speak in the past 15 years, you've seen a slide that looks something like this:

Screen Shot 2013-05-29 at 8.15.43 AM

It was my adaptation of an ancient Chinese stratagem for the information age in which an adversary would use our infrastructures as weapons against us. I originally used it as a reference for information operations, but it turns out it was a good model for the attacks on September 11, 2001 as well. AQ terrorists could never have built missiles that could be delivered with the precision and explosive and incendiary impact as they achieved by hijacking commercial airliners.

In 2001, I also used the concept to promote a capability I'd started advertising in 2000 as an "Information Outcomes Cell" which proposed to use commercial IO capabilities as a replacement for U.S. military Computer Network Attack when our national leaders did not want to reveal "black" attack technologies. The premise was that any infrastructure that could be targeted with a conventional attack could be "taken down" by the Information Outcomes Cell. This would allow for the mission objective to be accomplished, but without revealing secret tools and allowing for the infrastructure to be rapidly reconstituted once friendly forces had control of the land domain. This addressed two critical issues in my opinion; 1) It helped overcome the hesitancy to use CNA because the target "wasn't important enough" to reveal the equivalent of a zero day (e.g. shouldn't use it in Iraq, because we can't use it against more important targets later), and 2) it reduced the impact on the host country's civilian population. They could be without power and telecommunications for months instead of years which would allow them to focus on building societal infrastructure like schools and hospitals.

I even went so far as to put together a Powerpoint deck and shop it around. Here is the ugly circa 2001 cover page:

Screen Shot 2013-05-29 at 8.34.49 AM

Despite lots of vibrant discussion, the capability wasn't utilized back then and others have consistently echoed the need. For example, see Mike Tanji's Buccaneer.com. I won't comment on whether we are any further along today.

Recently, I was listening to the audio book version of Tom Clancy's most recent book "Threat Vector" and Clancy was describing the fictional office environment for the Chinese mastermind of the hacking attacks against the U.S. and other countries. What sign hangs on the wall as an inspiration for the Chinese attack team? The ancient Chinese stratagem "Kill with a borrowed sword".

I am Big Data and so are you

Bob Gourley, former CTO of DIA and current CTO of CrucialPoint LLC was guest lecturing at my Georgetown “Information Warfare and Security” class and was discussing mega technology trends when it occurred to me - the next revolution in big data is going to be about me and you.

We are sitting on a treasure trove of data about ourselves that will be aggregated into big data repositories and analyzed and mined to augment our lives. Quantified self data from your Nike Fuel band, input from your Google Glass, your email, schedule, events you have attended, foods that you ate, times you got sick, searches you conducted, games you played, movies, books, music, social network status, your social graph, news you’ve read, on and on and on....

All this data will be aggregated and mined for our own personal benefit. A few years ago I anticipated the rise of AugBots (software agents that would mine your personal data to predict how they can help you). Imagine that you always call your wife when you are on your way home from work and the AugBot starts anticipating this behavior and when your smart phone indicates you are on your way home (based on GPS data) it asks you whether you want to call your wife. Google Now is pretty close to this level of functionality today and it is only going to get better.

I'm concerned about privacy, but under also understand the advantages of mining this data moving forward. What I want to know is who takes the lead on allowing me to start dumping data into some sort of repository that gets mined for my Google Now results. I'm waiting for when my Google Glass takes a picture of Bob, performs a facial recognition search, identifies who he is, searches my personal big data, and tells me "that's Bob Gourley. You first met him at an event in 1996."

With all the quantified self data, this will be rich health data as well. Evaluate food patterns to identify allergies, diagnose a potential illness based upon proximity - you had dinner with Bob three nights ago, and he reported yesterday on Facebook that he has Strep throat - I noticed you just bought throat lozenges - shall I make an appointment to see the doctor about that sore throat?

Imagine a Nest thermostat that starts raising the temperature because it knows you are on your way home or starts cooling because it knows you are scheduled to be out for the day. A security camera that doesn't alert because it recognizes the faces in your home are from the cleaning service.

Who are the leaders right now? Google, Facebook, Amazon, Apple - in that order.

I expect we'll see start-ups emerge focused on personalized big data. Create your repository, decide who to share with (family, friends, etc), and then decide which APIs can query against it. There will likely be multiple repositories and interfaces between them.

Then we'll see a layer of augmented intelligence interfacing with the data at an application layer.

Of course, security will be a concern, but I'm not sure if security winds up being essential or irrelevant.

And all of this will start happening in the next five years.

State Sponsored Cyber Threats - The Long View

"Thinking about state-sponsored cyber threats over the long term doesn't come easy to Western strategists. This essay takes a look at at the strategic implications of thinking only in the short-term."

Source: OODA Loop - State Sponsored Cyber Threats - The Long View

Tim Cook's Freshman Year: The Apple CEO Speaks

"We want diversity of thought. We want diversity of style. We want people to be themselves. It’s this great thing about Apple. You don’t have to be somebody else. You don’t have to put on a face when you go to work and be something different. But the thing that ties us all is we’re brought together by values. We want to do the right thing. We want to be honest and straightforward. We admit when we’re wrong and have the courage to change."

Source: Tim Cook's Freshman Year: The Apple CEO Speaks - Businessweek

Chinese IW - 1996

Digging through some old files and found this from 1996:


May 10, 1996, Friday

SECTION: Part 3 Asia-Pacific; CHINA; MILITARY; EE/D2609/S2

LENGTH: 308 words

China: characteristics of information warfare explored

SOURCE: Source: Jiefangjun Bao', Beijing, in Chinese 16 Apr 96 p6

[6] Text of report by Chinese army newspaper Jiefangjun Bao'

At present, information warfare remains a very abstract concept. In order
to clearly understand and master information warfare, we have to conduct a
more detailed analysis of information warfare by dissecting it into a number
of combat forms, each with a unique content, including an all-frequency
electromagnetic war, a computer virus war, a precision war, a small-scale war,
a non-destructive war, a geophysical war, and so on. After categorizing these
combat forms, we can divide information warfare into two major types: the
"visible" information war and the "invisible" information war. Only by
conducting such a detailed analysis of information warfare will we be able to
know clearly about human conceptual and behavioural changes wrought by
information warfare.

Owing to the increasing internationalization of information technology
development and the integration of social, political and economic development,
people now have to employ stealthier, more indirect and more "surplus" combat
means when applying war means to resolve bilateral political contradictions.
This means that along with the development of information technology and the
constant perfection of information warfare, "visible" information wars are
going to be reduced in scale so that it will be more difficult to predict when
and where a "visible" information war will break out and what type of a threat a
"visible information war will create. As " invisible" information wars are going
to be waged like "the water and the sky blended in one colour" , it will be
especially hard to know their "true faces" . Thus we should reach this
conclusion: Information wars in an information era are going to be small-scale,
difficult to locate, short and quick wars known for multiple and tremendous

Siri – the Augmented Intelligence Agent

My latest thinking about Siri over at TechGrid…

"Siri does not represent a foray into the realm of artificial intelligence, but rather a necessary stutter-step in that direction which can be more accurately referred to as Augmented Intelligence. Despite an ability to engage in limited natural language processing, Siri is only capable of augmenting the capabilities of an iPhone in ways that were pre-defined by her programmers. This augmentation will only be improved upon with future iterations of Siri and some day soon, she may become more context aware.

For example, ask Siri to play a game and she’ll trigger on the word “play” and look for a song or playlist that match the remainder of the interpreted words “play a game”. Tell her you really want to get drunk and she’ll offer to call you a cab, not find you a bar. As an augmented intelligence, Siri can be pretty helpful, but here are some ways we expect her to improve in the near-term.

Source: Siri – the Augmented Intelligence Agent | TechGrid