How to ensure that the red team is set up for success?
Learn about six best practices for the success of a red team.
Red team exercises provide organizations with a mechanism to challenge their reasoning and assumptions and iron out issues that may hamper the success of their plans or projects. To achieve this, organizations must empower and listen to their red team. Be it in the cyber world, military, intelligence or business, the success of a red team largely depends upon the following six best practices, as laid out by the author, Micah Zenko, in his book Red Team - How to Succeed By Thinking Like the Enemy.
Management’s commitment - Without approval from the executive team, or “top cover”, the impact provided by the red team will be largely diminished. It will also leave the team under-resourced, stressed and demoralized. By their nature, red team exercises often produce results that may be hard to digest. But that’s where the true value of a red team comes in: they will tell you things that no one else in your team will. As the top boss, your support (or lack thereof) is the crucial factor that decides whether the red team will succeed or fail.
Positioning within the organization - A red team is most effective when it is semi-independent but still engaged with the organization it is testing. Its role is to challenge assumptions, improve security, and provide unbiased insights without being isolated or overly influenced by the institution. Three key factors determine a red team’s success:
- Structure ensures proper positioning within the organization, ideally reporting directly to top leadership.
- Scope defines clear objectives to prevent misunderstandings.
- Sensitivity requires understanding the organization’s needs, avoiding excessive disruption, and ensuring findings are actionable.
Hire the right people - Successful red teaming requires assembling the right individuals with distinct thinking styles. Effective red team members are often unconventional, skeptical of authority, and possess critical thinking skills. They often prioritize truth over career advancement. When hiring people for a red team, look for skills such as interpersonal communication and storytelling ability. It is important to remember that techniques can be taught, but not everyone is suited for this role. Also look out for people with unique experience or unconventional career paths; for example, people with exposure to systemic failures often bring in actionable insights.
Handy collection of techniques - A red team’s tools, tactics and techniques are its bread and butter. If used repetitively, they become less and less effective. Therefore, it is important that the red team adapts its toolkit per engagement and avoids becoming predictable. It is also crucial that the red team does not reveal all of its techniques in the first engagement itself, leaving nothing for future engagements. The red team must be flexible and adaptable enough to modify its techniques on the fly, if required. The red team’s arsenal should reflect its adoption of, and comfort with, modern technologies.
Acknowledge and act on red team’s observations - There is no point in spending time and money on conducting a red team exercise if the observations and recommendations from it are just going to collect dust in a corner. More often than not, the observations from a red team exercise are hard to face and therefore easy to ignore or deny. The true value of a red team exercise can only be gained by acting on the red team’s observations. It is a painful process, but rigging the exercise or ignoring the results will only lead to more pain in the future.
Figure out the right frequency - Red team exercises can be stressful for everyone involved in them and must only be performed as and when necessary. Frequent red team exercises can create an environment of mistrust between the organization and the red team. Remember that people do not like their judgement being questioned repeatedly in front of their superiors. Red team exercises must be conducted at a frequency suited to the organization’s environment: more often in dynamic, high-risk settings and less frequently in stable ones.
Red Team Notes
- An organization can set up a red team for success by adhering to the following six best practices:
- Provide management's commitment or buy-in.
- Place the red team at an appropriate level in the organization's hierarchy so as to not diminish its effectiveness.
- Hire people who have the right skills, attitude and experience.
- Enable the red team to keep their toolkit up to date and adapt their techniques as per the engagement.
- Acknowledge and act on the observations and recommendations provided by the red team.
- Figure out the right frequency to conduct red team exercises. Doing them too often can lead to mistrust and stress whereas doing them too infrequently can lead to complacency.
For a detailed discussion of the above best practices, read Chapter 1 of Micah Zenko’s book Red Team - How to Succeed By Thinking Like the Enemy.