This article was taken from the Technological Leadership Institute Newsletter to highlight our board member, Brian Isle, and his efforts with the MSST Program and Red Teaming. Great job Brian!
Security Up Close
Red teaming offers students a practical look at what it takes to protect physical assets
After the terrorist attacks of 9/11, Brian Isle contributed his time and talents to participate in ‘red teaming’ exercises that were designed to improve security and prevent potential tragedies that can impact us all.
Now, as a senior fellow at the Technological Leadership Institute (TLI), he offers students in the Master of Science in Security Technologies (MSST) degree program a firsthand introduction to red teaming.
“Red teaming is the term that military and security business experts use to describe the technique of gathering subject matter experts together to think like attackers, identify potential targets, assess vulnerabilities and find options for limiting those vulnerabilities,” says Isle, founder and general manager of Adventium Labs.
Isle incorporates a red teaming exercise as part of the MSST course, “Methods, Theory, & Applications” (ST 8111). His own work focuses on assessments of critical infrastructure safety and security, including collaborations with federal, state, and local officials. Well-versed with red teaming, he served for six years as one of more than a dozen subject matter experts on a statewide red team that looked at ways to protect Minnesota’s critical infrastructure by theoretically attacking its vulnerabilities.
Isle runs the red teaming exercise in the same manner as real-life red teams. The practical nature of the exercise helps drive home the purpose and true value of risk assessment, he says.
“The class talks about risk management, risk assessment and vulnerability assessment in systems,” says Isle. “But what I found was when you talk about risk and vulnerabilities in the abstract, it’s difficult for students to grasp.”
As a start, student teams select a critical infrastructure area, such as pipelines, water, or power, among other options. Then they pick a specific target for attack, and the threat actor, or the attacker behind a possible event.
“I want them to be able to put themselves in their adversaries’ shoes and learn to understand the capabilities and goals of the attackers,” says Isle. “It makes security feel real when you think like a terrorist.”
Considering the intent and capabilities of attackers, students then research vulnerabilities and weaknesses of the target and the interdependence of infrastructures. For example, it may be possible to knock out a target by destroying a piece of a nearby infrastructure. They then brainstorm possible scenarios, applying red teaming methodology and tools. For example, a spreadsheet helps them rate the likelihood of scenarios and consider issues such as existing security and costs.
Students complete an analysis, looking at common points of vulnerability and possible solutions. Combining the practical and theoretical tools, they develop a mitigation plan, produce a formal report and present their findings to the class.
George Welles, MSST faculty member, also lends his expertise to the class. President of Imaging Futures, Inc. and national security subject matter expert working with senior federal executives, Welles covers the topics of leadership, ethical considerations and communication with the executive level. His contributions are designed to help students look at security issues from the perspective of management, develop their leadership skills and understand how to move their ideas forward in the organization.
Isle has run the exercise in three classes, and students in all classes consistently have produced top-level work – comparable to the work of experienced industry professionals, he says. MSST students work hard in the two-credit course and it shows in the outcomes. In fact, organizations have requested teams to conduct full penetration testing – executing an actual scenario – at their facilities.
“It’s very impressive what the students do,” says Isle. “It stands up to any red teams in the country.”
Isle is continually adding more tools to the course, with a focus on helping students learn more about red teaming. “I enjoy teaching it because the students are so excited about it.”
For more information about the MSST program, visit tli.umn.edu/graduate/msst.
Red Teaming at Work
The hands-on nature of the red teaming exercise for MSST students helps make it a unique class assignment. Students share their perspectives on the pluses and gains of the exercise.
Practical and fun
Joe Busch describes his red teaming experience as interesting, fun, valuable and very practical. Indeed, his student team was able to conduct a security penetration test as a red teaming exercise.
“It was exciting to actually have a company make themselves available for us,” he says. His team set to work identifying a potential threat attacker, looking for vulnerabilities, developing attack scenarios, assessing the most viable scenario and testing it. The team’s analysis pointed to some solutions. “There are a number of fixes that could stop more than one scenario,” says Busch.
Busch recently moved from an information technology position at the University into a new job as information security analyst for Hennepin County Medical Center, and credits his participation in the program for helping him make the transition to a security career. He appreciates the guidance and expertise of MSST faculty members—case in point, Methods, Theory, & Applications faculty Brian Isle and George Welles.
“Brian and George are both very enthusiastic about the subject matter,” says Busch. “They go above and beyond.”
He sees much applicability in the red teaming exercise, and believes the experience helps strengthen his skills. “I did find it valuable,” he says. “The class helps you take the theoretical and apply it, and it was a lot of fun as well.”
After deciding on their focus, Natalie Wood’s red team members took to the field, visiting the site of their target. They walked around the area, checked the doors and locks, and paid attention to the security.
“Then we went to Google maps for photographs of the area,” says Wood. “Sometimes the target is a target, and sometimes the target is a weapon to get to a different target.”
The team also searched for other activities and events in the area and then began turning their research into ideas for attacking their target. “We identified a number of options and then analyzed them.”
In the end, the team also made recommendations to help secure their target from the attack scenarios.
“There was much to do, but it was fun to think about it from the perspective of the bad guys,” says Wood, MSST student and IT consultant for RBA Consulting. “I learned a ton. It was a great, engaging way to learn risk analysis and was very eye-opening to see just how risky some targets are and how tough it is for folks to secure facilities.”
Her team soon will apply their skills again. They have been asked to do a red teaming exercise for an organization this summer, and she looks forward to it. The students in the class enjoyed the red teaming exercise, she says. “Everybody wanted to do it.”
Steen Fjalstad understands the importance of knowing as much as possible about the world of security. He serves as security and mitigation principal for Midwest Reliability Organization, a non-profit that helps ensure the reliability and security of the bulk electric power system for North America.
A security, audit, and risk professional, he selected the MSST program for its unique focus on security technologies. He appreciated the fact that the red teaming exercises took a real-world approach and introduced tools and techniques that can be applied in any setting.
“I think the biggest thing I learned is that as an organization, there are a variety of different ways that you can potentially be compromised,” says Fjalstad, who graduated in 2012. “You can’t protect everything. You have to identify your biggest risks and vulnerabilities…and remember that you are only as strong as your weakest link.”
Red teaming helped increase his awareness and added one more tool for him to tap. It also has come in handy on the job.
His participation in the MSST course and red teaming exercise prepared him for a recent experience. He attended a Department of Homeland Security session in spring that focused on red teaming and was able to apply what he had learned from the MSST course.
“It allowed us to understand that there is more to an organization’s security than policies and procedures or guards and guns,” he says. “It also comes down to focus and greater protection. The more knowledge you have, the more secure you can become.”