The Information Design Assurance Red Team (IDART™)

Sandia’s IDART™ has been performing assessments since 1996 for a variety of customers including government, military, and commercial industry. Through its participation in a variety of government programs and leadership of industry conferences, the IDART team has assembled what is perhaps the widest vision of the use and practice of red teaming in the nation.

IDART, part of the Information Systems Analysis Center at Sandia National Laboratories, continues to perform leading edge assessments to help its customers acquire an independent, objective view of their weaknesses from a range of adversaries’ perspectives. At the same time, IDART, drawing on nearly sixty years of Sandia experience in assessment, remains committed to evolving the practice of red teaming and training qualified organizations, even helping such organizations stand up their own red teams.

The Information Design Assurance Red Team applies its craft principally to cyber systems. This introduction to red teaming and the other information on this site tend to underscore this expertise in cyber systems. However, red teaming is appropriate for use in multiple domains: physical security, control systems, CBRNE, defense, corporate strategy, etc.

Introduction to Red Teaming

What exactly is red teaming? Examples of different terms related to red teaming include black, gray, and white hatting; blue teaming, green teaming, and tiger teaming; penetration testing, and vulnerability assessment. Cyber red teaming, especially, has strong ties to both network vulnerability assessment and penetration testing. All these related terms make it difficult and confusing to talk about the knowledge, skills, methods, and tools red teams use in their work.

It is very important to understand what an assessment team means by red teaming. Sandia National Laboratories’ IDART™ defines red teaming to be "authorized, adversary-based assessment for defensive purposes."

Authorized means someone with legal control of the facility, system, or entity to be red teamed has agreed to the process.

Adversary-based means that the activity is centered on what one or more adversaries would do if they were attacking the target. This means taking into account the adversaries’ knowledge, skills, commitment, resources, and culture.

Assessment means one is making a judgement, possibly a comparison, of the state of the target with respect to actions by the adversary. We deliberately exclude security because red teaming doesn’t necessarily involve attacks — we have red teamed adversary reactions to potential business decisions.

Defensive purposes ties us back to the good guys — we do what we do to help the good guys make decisions about business, about security, about computer systems, about control systems.

The IDART group advocates that red team assessments be performed throughout the system lifecycle, but especially in the design and development phase, where cooperative red team assessments cost less and critical vulnerabilities can be uncovered and mitigated more easily.

A key distinguishing factor is that red teaming is mission-driven and involves the use of a simulated, goal-directed adversary attacking a system or network. Many different groups perform red teaming and use differing terminology, techniques, and processes: commercial security firms, various military units and government agencies, and national labs.

Red team assessments are a flexible tool that program managers and sponsors use to identify critical vulnerabilities; understand threat; deliver effective and secure components, systems, and plans; and consider alternative strategies and courses of action.

Red teaming traces its roots to warfare, where commanders need to test and refine their own defenses and battle plans to ferret out weaknesses, study adversary tactics, and improve their strategies. Modern red teaming is an exciting and maturing field. As the community of red teams has begun to collaborate, exchange ideas, share tools, and develop new techniques, the implementation of red teaming has grown, with new applications in challenging domains like cyber security. Over time, many different groups have come to use red teaming in one form or another, applying it to answer different questions (e.g., “Are my personnel prepared to defend my network from a cyber attack?” and “Which of several security appliances will best protect my network?”) and in different domains (e.g., cyber and physical).