Book Review: "Red Team"



"Red Team: How to Succeed By Thinking Like The Enemy" by Micah Zenko is an excellent book on the history and art of competitive analysis, that is, of red teaming a concept or scenario. I listened to the book on Audible for $15, which was an 11 hour listen (336 pages). The book is a great historical and theoretical look at the activity of red teaming, from how the practice of the devil's advocate started to how red teaming grew through the United States military, intelligence community, and private sector. It's a great book for any pentester or intelligence analyst looking for a history of the field in terms of its major players, groups, and events. Further, it's an excellent book for any CEO or CTO looking to get an objective view of their organization or processes. Overall, I give the book 7 out of 10 stars for history, theory, and perspective, but as good as all of that history is, the book leaves something to be desired in technical implementation for red team practitioners like me. That said, the anecdotes and in-depth accounts of real world red team successes and failures really bring home the importance of such a program, as well as its various pitfalls. Zenko even spends a chapter on how red teaming can go horribly wrong when it is misdirected, scoped too tightly, or even set up to confirm existing biases. Overall, this was an enlightening and heartening book to read, as it codified many of the theories and beliefs red teamers hold but have never put into any formal canon. Below I've included the chapters of the book, in my typical review fashion, as I believe this helps prospective readers know exactly what the book covers:

Introduction

Al Kibar: “Gotta Be Secret, Gotta Be Sure”
Why Organizations Fail, But Can’t Know It
How Red Teams Function
How Red Teams Succeed or Fail
Into the World of Red Teaming

ONE: BEST PRACTICES IN RED TEAMING

1. The Boss Must Buy In
2. Outside and Objective, While Inside and Aware
3. Fearless Skeptics with Finesse
4. Have a Big Bag of Tricks
5. Be Willing to Hear Bad News and Act on It
6. Red Team Just Enough, But No More
The Overarching Best Practice

TWO: ORIGINS: MODERN MILITARY RED TEAMING

Red Team University
Card Tricks: Mitigating Hierarchy and Groupthink
Marine Corps Red Teaming: Challenging Command Climate
Millennium Challenge: “The Significant Butt-Kicking”
Military Red Teaming Abroad
Conclusion

THREE: ALTERNATIVES: INTELLIGENCE COMMUNITY RED TEAMING

Team B: “Reflecting the World as They Saw It”
Al Shifa: A Missed Opportunity
Inside the CIA Red Cell: “I Wanted My Mind Stirred”
Osama bin Laden’s Compound: From Zero to Fifty Percent
Conclusion

FOUR: ADVERSARIES: HOMELAND SECURITY RED TEAMING

Pre-9/11 FAA Red Team: “A Substantial and Specific Danger to Public Safety”
How to Shoot Down a Plane: MANPADS-Vulnerability Assessments
NYPD Tabletop Exercises: “Never Let the People Believe That They’ve Solved the Problem”
Information Design Assurance Red Team (IDART): Making Red Teaming a Commodity Tool
Conclusion

FIVE: COMPETITORS: PRIVATE-SECTOR RED TEAMING

Simulating Strategic Decision-Making: Business War-Gaming
White-Hat Hackers and Hamster Wheels: Cyber Penetration Tests
I Can Hear You (and Everyone Else) Now: Hacking Verizon
Why Your Secure Building Isn’t: Physical Penetration Tests
Conclusion

SIX: MODESTY, MISIMPRESSIONS, AND THE FUTURE OF RED TEAMING

Realistic Outcomes of Red Teaming
Red-Teaming Misimpressions and Misuses
Recommendations for Government Red Teams
The Future of Red Teaming
Acknowledgments
Notes
Index

The most shocking chapter for me was in Part 4, where Micah discusses the FAA red teaming and the attacks performed on airports all around the US decades before the attacks of September 11th. As a reader, this really hammered home how important it is to listen to red team findings. Further, the book covers numerous important ideas that shouldn't be missed by anyone, such as humility, the principle that you can't grade your own homework, mitigating groupthink, challenging the assumptions behind a strategy, and having a documented alternative analysis performed. Ultimately, this was an enjoyable and educational book, both from the perspective of a professional penetration tester and from the perspective of a CEO. Finally, I'd like to reiterate that Micah's six best red team practices are pretty spot on, but don't take it from me; here's an interview with him about the book: