On Shared Purpose
A team's north star shines brighter than any individual
What will you get by reading this?
A deep dive into Chapter 5 of Call Sign Chaos
Lessons and ideas about common goals that unite us
Application of all lessons to Red, Blue, or Purple Teams
Soft Skills
I have spent most of my career as an individual contributor and a red team operator. Learning new coding languages or adversarial techniques was how I marked my technical progression, a narrow and focused mindset that stopped me from exploring soft-skill topics such as leadership or emotional intelligence.
It wasn't until I moved into a manager role that I started reading books on non-technical subjects: productivity, talking to people, how to listen, biographies of leaders, and leadership in all its forms. I realized I had been missing critical learning by not reading these kinds of books from early on in my life. If you take only one lesson from this letter, it is this: soft skills are the glue of a well-rounded life, and always worth your time to master at every stage of a career.
“…soft skills are the glue of a well-rounded life, and always worth your time to master…”
Cyber Generalship
Coming from an Army background, I tend to gravitate towards military case studies: battles, tactics, biographies. Like many others, I see cyber as a theater of war. Reading about combat leaders provides me with accelerated learning on strategy, cooperation, and tactics in the real world that I adapt to cyber. I read these books through the lens of a security specialist, changing details around until the scenarios fit teams and situations in my career.
Defending a city?
I see the Blue team defending against an attack!
The attacker's tactics in that real-world example are something we could adapt and add to our offensive red team capabilities. Maybe there are tactics we, as the attacker, should avoid too.
Admirals negotiating a ceasefire or peace treaty?
Adapted to cyber, that could be negotiating headcount from peers who are normally friendly, but are now placed in a difficult position, fighting for desperately needed resources.
“…negotiating headcount from peers who are normally friendly but are now placed in a difficult position…”
Call Sign Chaos
When I read Call Sign Chaos by former US Secretary of Defense Jim Mattis, one chapter really hit home. Chapter 5, Rhino, describes how Gen. Mattis brought multiple service elements, countries, and dignitaries to the table to launch a back-door invasion, all within 28 days. What resonated with me was that he did it all through the usage of loosely written policy, while not technically breaking any rules.
Thinking about the policies to which I am beholden as an offensive security leader, the mission a red team has, and the shared purpose of all cybersecurity elements helped me identify which policies can't be broken no matter what. More importantly, it showed me which policies could be bent without breaking to further the mission. Gen. Mattis bent the rules by framing the Rhino invasion not as an invasion but as a raid, and at that time, raids were an authorized activity.
Framing the request in the right way was almost as critical as the raid itself.
“…usage of loosely written policy while not technically breaking any rules…”
Clear Raid Chat
You see, a raiding party has to return from a raid with spoils; that’s what a raid is! If the raiders go get something and don’t come back, that’s called an occupation, which comes with different rules. What’s fascinating about the Rhino raid is that it included no withdrawal plan. Gen. Mattis initiated action upon a shared purpose: to defeat enemies that would do them further harm. As Gen. Mattis led through his peers to convince stakeholders to sign off on a raid with no end, he did so by framing the request and using his relationships with peers and his first team.
A diplomatic success such as Rhino was accomplished because of the shared purpose and understanding in the post September 2001 world. This raid with no end, Operation Rhino, was the manifestation of what the country needed the most: a shared purpose, understood by all, realized.
“…a shared purpose, understood by all, realized.”
Good Copy
I write to you in this letter about the specifics of the Rhino campaign that motivated me, and how Rhino inspired me to adapt its lessons to cyber. Mattis’ genius in putting together Rhino inspired me to find the shared purpose of our cyber teams, and then work to align ourselves to it. I have taken key areas of Chapter 5 and refined them into smaller sections, packed with various examples and how they influenced my growth as an offensive security leader. My hope is that, similar to how I was able to apply Mattis' examples to my own scenarios, my experiences can help spark new ideas with your unique situation, cyber or otherwise. But the Stoic in me prefers cyber.
“…Rhino inspired me to find the shared purpose of our cyber teams…”
While this letter may touch on a geopolitical situation at the time, it is by no means a political letter. Context around the time period is important to understanding why certain actions were required. But fear not! I’m not arguing for or against a particular viewpoint, other than the one that brings us together: a shared purpose.
Updated Thinking
Context: In 2001 the United States received a shared purpose: to defeat adversaries that would do them further harm. Anxious to help defend his country, Jim Mattis offered to get his Marines into the fight as quickly as he could.
The request was denied by Central Command (CENTCOM) because the place where help was needed was 400 miles inland. More to the point, Marines are amphibious: there's no beach to land on!
The offer to help in a time of need was turned away. But Mattis kept his eyes open for any opportunity to help, and when he finally saw one a month later, Operation Rhino happened.
Here’s why Mattis wasn’t able to help: the people in charge still thought the term amphibious meant water only, a definition from an outdated lexicon. The past 50 years of warfare had provided advancement in technology and tools that redefined exactly what amphibious meant. Unfortunately and all too often, those at the top were giving their best effort at making critical decisions with outdated data.
“…those at the top were giving their best effort at making critical decisions with outdated data.”
For a modern expeditionary force that could launch from ships to be anywhere in the world at any time, amphibious had evolved from “water only” to “water optional.” Mattis found a way to help a month later by letting his network work for him, waiting for an opportunity to step in at the right time. He found a champion in the form of Admiral Willie Moore.
More accurately though, the champion found him. Admiral Moore pitched a rough concept that Mattis would expound on, and turn into, Operation Rhino.
Cyber Thinking
The implications of “updated thinking” for cyber hit me immediately. Tools and technology, like people, adapt and change over time, which requires that the people making the strategic decisions adapt and change too. Blind spots in strategy happen when a team stops training.
Training has different meanings to different people, especially for cyber:
Taking a certification course
Mentoring sessions with a trusted engineer or leader
Friendly group working sessions where people can talk shop, with leaders observing and interacting
“Blind spots in strategy happen when a team stops training”
The act of defining your expertise establishes the limitations of that expertise. Example: “I am a red teamer.” We draw a box around what we can and cannot do, what we should focus on, what we should do to max ourselves out as a red teamer.
Another example: “I am a hacker.” Notice the contrast in this statement versus the one that limits yourself to only red teaming. Every profession can use a hacker, someone willing to push the boundaries to solve a problem.
We define the boundaries of a skill based on our expertise, telling ourselves at some point “I have achieved the required success for this skill,” and happily move on while the world evolves around us. As people grow and take on additional responsibilities, pushing the boundaries of our older, outdated skills becomes less important, which doesn’t stop us from relying on that “expertise” to make decisions.
Remember, amphibious means water only.
“Every profession can use a hacker”
Pushing Boundaries
Without a constant stream of new ideas, even bad ones, the cyber leader stagnates.
Do adversaries stagnate? I think not.
Threat actors have unbounded and unchecked resources to achieve their goals. We as cybersecurity professionals are limited by budgets, OPEX, hiring limitations, and self-imposed rules. Cyber teams define the boundaries of our defenses and expect threat actors to obey the rules of our game. That is a problem, because we play by the rules and our opponents do not.
As a leader, I struggled to find the right kind of training for myself to help with my outdated thinking. I wasn't on-keyboard anymore, and technical training made less sense as a place to spend my limited spare time. I focus on fixing strategic problems now; why would I take another hacking course when I could be building relationships instead?
“For the expertise!”, you say.
“Learning advanced technical skills will make you understand the threats better!”, you cry.
Friend, it wasn’t Jim Mattis’ skill with a rifle that led to Operation Rhino. No, what led to Rhino was the relationship with Willie Moore that gave Mattis the opportunity for action.
The best training for leaders isn't done in a classroom: it's done in the field. Whatever and wherever the field is, that’s where we need to be. To adapt a famous quote about German General Erwin Rommel, “Where the leader is, there is the front.”
Don’t bring the field to you. Bring yourself to the field: it’s where the rest of your team is.
Fieldwork
Leaders get training by doing. We learn how to talk by making mistakes in conversations. Leaders learn how to listen by being active in conversations. Leaders learn new ways to apply tools by having diverse thinkers on staff, trusted, and highly motivated. We can expand the boundaries of our outdated skills through the uplifting of others, with the added benefit of providing an opportunity for growth to others by stepping out of the way.
Leaders train by doing. Simple, easy to understand.
“Leaders train by doing”
I had at my disposal access to countless Slack channels, Discord groups, and skilled leaders on Twitter and LinkedIn. All the training I ever wanted or needed was right at my fingertips. I should budget my own training time by seeking out and engaging in conversations with peers, leaders, and front line troops far removed from my command center, right? Why should I expect the team to take training seriously if I wasn’t in the field training myself?
Was an hour a week connecting with people too much for me to bear? Was an hour a week my breaking point?
No, it wasn’t my breaking point. I could bear it. I can do an hour a week.
“…as a cyber leader my ops are building relationships instead of throwing exploits”
Requirements for training and growth have evolved as my career and responsibilities have evolved. I was on course to ensure that when it came time to make critical decisions, I had updated thinking to give us the best chance at the right decision.
That got me thinking: what other boundaries had I tucked away that now needed updating? What did it mean to be “on-keyboard” or “doing an op”? Well…maybe as a cyber leader my ops are building relationships instead of throwing exploits.
My ops: people.
My loot from ops: relationships, established and strengthened.
My thinking: updated.
Shared Purpose
The primary goal of the Rhino raid was simple and easy to understand:
Put resources in the country to take on a greater offensive
“Land in Afghanistan, shatter the defenses”
Once Rhino was underway, execution of the shared purpose was priority: concerns with the plan, criticism of policies, and praise all fell to the side until the action was over.
If and when confusion did occur during Rhino, the shared purpose made it easier to correct and realign without asking a central authority, allowing the mission to be completed all the quicker.
What did they need to do? Land and establish a base. Imagine applying a simplistic message to elements of a cyber team.
What do we need to do? Defend the company.
Which of these two things accomplishes the goal listed above:
writing a security policy
monitoring and responding to alerts
Easy to prioritize, is it not? Try it.
Commonality
“Shared objectives unite and enable swift decisions…”
When a common goal is understood and communicated around the team, amazing things happen.
Here’s a historical example. In WW2, General MacArthur asked whether Admiral Halsey would cause a diversion with his fleet, giving Halsey sparse details as to why, or how the diversion would help the war effort in the Pacific: only that it was needed, and that Halsey needed to be in a certain place at a certain time to engage the enemy.
Halsey took two days and responded with a plan to give MacArthur what he needed.
The result? The culmination of the Salamaua-Lae campaign.
Shared objectives unite and enable swift decisions, and in the example of MacArthur and Halsey, a major offensive was created with simple language because:
It was needed
They trusted each other
Trust remains the coin of the realm, even to this day, and the trust between MacArthur and Halsey wasn’t built overnight. They built it over years, and the result was that a major naval offensive in the Pacific was drafted on two pages: one page each for Halsey and MacArthur.
For cyber teams, do what you need to do to not burn your people out. Why? To achieve the trust and shorthand that Halsey and MacArthur had, they need to stay at the company long enough to build it.
The Coin of the Realm
Trust, and clear concise communication, is all that is needed to execute upon a shared purpose.
Do I trust this person
Do I understand what they want
Looking inward I realized that I did not know what the shared purpose was between the Red Team, Blue Team, the Cybersecurity team as a whole, and the company.
I had ideas, but I didn’t know if the ideas in my head were shared by others. If I didn’t know what the shared goals were, then there was no way for me to know whether we were acting on them. And if I wasn’t acting on shared goals, then I was acting on my own, for my own ambitions.
Time to figure out why we were doing what we do.
“Trust, and clear concise communication, is all that is needed to execute upon a shared purpose.”
Simple Language
“Go find out what you need and come back and tell me”
Coming back to modern day and Rhino: in late 2001, Admiral Willie Moore was in charge of all naval operations in the Indian Ocean. Admiral Moore was kicking around some ideas about how he could help move the needle on America’s new shared purpose (from way above: defeat those that would seek to do them further harm).
He asked Gen. Mattis point blank: "Can you pull Marines together from the Mediterranean and Pacific fleets to land in Afghanistan and conduct an operation?"
Mattis: (simply) Yes.
Moore: (simply) Go find out what you need and come back and tell me.
An idea and a common goal: two things that stripped communication down to its most basic elements and produced a brief, intimate exchange of words and actions that spanned the globe.
Cyber Simple
“…simple and clear language to survive confusion…”
The lesson I took from the exchange between Admiral Moore and General Mattis is that simple, effective communication can move mountains. The shared purpose needs to be in simple and clear language to survive confusion when implementing a complex strategy. For Mattis and Moore, barriers and ego were dropped: the shared purpose was all that mattered.
I thought about how the Red Team was communicating to the Blue Team.
How effectively were we communicating operations?
Were we communicating why we were doing operations in a manner that our defender friends understood?
I had questions that I could not answer, problems I saw when applying this to offensive security:
Does a shared purpose for this operation exist? And if so..
…was it communicated?
Do our Blue Team counterparts understand why this operation is happening?
Do the stakeholders and senior leaders understand why this operation is happening?
Reading the exchange between Mattis and Moore showed me how leaders can expedite communication by laying common groundwork first.
It was time to lay some groundwork and take a page out of the MacArthur/Halsey history books.
Skip-Echelon
Mattis was moving forward with answering the request from Willie Moore: “Go find out what you need and come back and tell me.”
Mattis put together a staff for Rhino of around 30 people. Military doctrine permitted a staff of up to 200 for an operation like Rhino, considering that Rhino was a major offensive. Mattis didn’t need a big staff: he needed a lean staff. He put skip-echelon tactics in place, not duplicating capabilities that existed elsewhere, ensuring there was a place for everything and everything in its place. No plus-ones here!
“A lean staff means that nobody is exempt from simple tasks”
Skip-echelon allows the leader to use what is already in place: if there was a specialist or capability already on staff somewhere else, Mattis would use them instead of requisitioning a new one. By keeping his staff lean, Mattis leaned on others. By delegating as much authority as he could to proven commanders elsewhere in the org chart, the execution of Rhino took less than a month from prep to boots on the ground. The results of skip-echelon speak for themselves.
An unwritten benefit of the way Mattis utilized skip-echelon was that he showed he was willing to work with the staff that was in place, sending the message that he could work with those already there. He wasn’t there to clean house and replace people that had valuable knowledge with yes-men. He was there to execute on the shared purpose.
“…he was willing to work with the staff that was already in place”
A lean staff means that nobody is exempt from simple tasks, an effective method of fostering humility within leaders. People like Jocko Willink often call this “picking up brass”, meaning: if you want the benefits of a lean staff, then everyone including the leader needs to be willing to get their hands dirty.
Overlap without Duplication
“A lean staff produces a group of bonded specialists, united in both task and purpose. “
Duplication wastes time and resources.
The benefit of a lean staff is that it is agile, able to adapt to situations quickly. Everyone on a lean staff pulls their weight, everyone fights, everyone places trust in and on each other.
Most importantly, everyone knows why they are there, what it is specifically that they contribute to the team, what it is that they need to do, and how their talents will help get the team to their goals faster.
Thinking of my own experiences lobbying for headcount, I started thinking that scaling vertically would never be enough to truly accomplish the goals of a Red Team/Offsec team.
"I need more pentesters, I need more operators, I need to build a deeper bench."
I will never have everything I need, and honestly, I will never truly need everything I ask for. Why? Because it forces me to trust those outside of my team, to seek out and build relationships. To execute on the shared purpose of us all.
Is running a lean staff harder? Yes. Does running a lean staff enable mobility on your team? Absolutely.
A lean staff produces a group of bonded specialists, united in both task and purpose.
“Through trust, relationships, and simple communication”
If you are concerned about utilizing resources needed by others, this is where the shared purpose comes into play. If both teams understand the overall goals of the organization, and the project you are implementing gets the organization closer to achieving that goal, then doesn’t it make sense to utilize that resource appropriately?
Logic dictated that Mattis couldn’t conduct Operation Rhino, but he did it anyway. How? Through trust, relationships, and simple communication.
Lean Red Team
“…ensure that the Red Team is in place to do its unique thing.”
A lean staff comes naturally to a Red Team, as one operator has a wide scope of influence.
A lean staff doesn't mean that it is okay to be understaffed, only that all core bases are covered.
A lean team needs to have a bench, but not necessarily a deep bench.
A lean team needs specialists that can cover ground in a specific direction, not bogged down with capabilities that overlap.
The Red Team can and should use resources that already exist, adding only to the team the unique skills of offensive security (or other specialties if you are the Blue Team) that are hard to find or can only be cultivated on the job.
The Red Team has a place. As the leader, ensure that the Red Team is in place to do its unique thing.
Simple Goals
“Keeping language simple and concise cuts right to the point”
Almost execution time for Rhino! Mattis had built his staff and was ready to roll out. But rolling out required more relationships.
The simple goal for Rhino was to get Marines from the ocean to the land. After landing, others would use the base to conduct operations. Mattis had to gain partnerships with special forces, the Air Force, US ambassadors in Pakistan, and high-ranking military members in Pakistan.
While all had questions, most were willing to help immediately because the language was simple and understood: the shared purpose of the overall strategy (defeat those that would do further harm) and the specific strategy of Rhino (land, attack, establish).
When communicating requests, Jim kept it short: I need help with X. We want to do Y.
Keeping language simple and concise cuts right to the point. As an example, Mattis said to a critical high ranking military member in Pakistan, "I'm not a diplomat. I'm going to Afghanistan and I need to know if you will help."
“…as a community, Cyber teams are lacking in unification of shared goals…”
Unsurprisingly, Mattis got the help he requested, communicating even through language barriers.
Operation Rhino was only doable because of the combined group of elements united in shared purpose. It took a leader that could communicate unifying goals to each of the elements to work together to make something greater than the sum of their parts. A leader to inspire others to lead and execute.
I think that as a community, Cyber teams are lacking in unification of shared goals and it makes me want to help fix that.
Three Questions for Success
“…peers are your advocates on your blind side"
Building relationships with those both above and below you is essential: they can be your advocates. Assuming that everyone above you sees things the same way you do is a fatal career fallacy. Spending time with your senior leaders talking about the situation on the ground is like spending time on red team recon: the time and effort is seldom ever wasted.
Communicating with your peers is also important. Your peers are your advocates on your blind side, the ones watching your back, the friends gained on the road as you both walk in the same direction for different reasons.
Three questions Mattis would always ask himself to help with communication up, down, and to the side:
What do I know
Who needs to know
Have I told them
When I applied these three questions to daily Red Team operations, I found I didn't need a detailed report about what was going on. What I needed was a tipper: something simple that I could fill out and fire off to the people who needed the info.
“Pictures are nice, but people just want to know what’s up”
Something easy to read and action upon, forcing me to change how I write and what I write. Communicating intentions with operations, reports, and strategic initiatives all needed to be…simpler. The team gets more feedback and interaction now with simple formatted messaging than with heavily formatted flashy messaging. Pictures are nice, but people just want to know what’s up. Quickly and simply.
Summarize the message in one sentence and move on.
Make it Quick
“Simple messaging allows word to spread”
Red Team products and communication now all adhere to a formatted template: simple.
Any customer or partner team who sees any of our tippers, reports, requests for action, or operational updates knows where to look to find what they want to know. Like a newspaper: comics are near the back, important stuff is on the front page near the top. Priorities change based upon the reader, but the reader knows where to go to find their priority.
Changing to a simplistic and uniform method of communication has increased our knowledge share with the company, brand recognition for the offsec team, and the passive footprint of the security org.
Simple messaging allows word to spread, and at least once a week I get messages from someone at the company asking about Red Team capabilities they heard from someone else.
Often, I have never spoken to these people previously. The simple language and shared purpose tells them enough of what they want to know to get a conversation started.
How Comes After Why
“Force the adversary to decide on which of the two objectives is more important”
When planning the "How" of the invasion, Mattis modeled his plan after Union General William Sherman's tactics:
Threaten two objectives at once
Force the adversary to decide on which of the two is more important
Split resources away from the defenses of your primary objective
Mattis used this same tactic for Rhino: let other elements already engaged continue to threaten the northern part of the country so that the southern part would remain undefended. It didn’t hurt that the southern portion of the country was also the most direct route to an amphibious landing for Rhino.
Mattis trusted and communicated with the commanders of the operations in the north, freeing him to focus on executing operations in the south. From the initial brainstorm session with Admiral Moore to the execution of the raid, Operation Rhino took only 28 days.
The “why” took one day, the “how” took a month. Imagine working 28 days on the how first, only to find out that the “why” was misaligned.
Deploy the Cryptominers
"Operations occur at the speed of trust.”
Our Red Team was going into operations without communicating appropriately why certain targets were selected or the rationale behind the intended outcome. We were doing the how before the why, a mistake I see lots of offensive security teams make: the reason we do ops is…ops.
Our operations went after only one goal, in contrast to General Sherman's tactic of threatening two objectives at once. If processes and decision trees could be exercised at the same time as technical assessments, wouldn’t that be the best use of Red and Blue operations? Test and assess multiple fronts, technical and process-oriented.
In line with General Sherman's thinking, we (all Red Teams) can update our capabilities to always operate with a secondary suite of goals. The secondary goals don’t have to be anything grandiose, and can be something as simple as an XMR CPU miner running on one CPU thread, provided the rules of engagement cover it and the miner reports to a pool and wallet the Red Team controls.
“The harm caused by a single CPU miner is trivial and adds…process decision trees for training the Blue Team”
The harm caused by a single CPU miner is trivial and adds additional process decision trees for training for the Blue Team:
Do they go after lateral movement or go after the mining traffic?
What do their TTPs and playbooks say they should do? Do they have playbooks for either?
For the Red Team, the mining hash metrics can be extrapolated out over a year, providing a real dollar-value cost for the vulnerability without directly harming the assets. Often those dollar-value metrics can also be tied to the specific MITRE ATT&CK TTPs used to get on the target.
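As an added example, not code from this letter, here is a small Python sketch of the two ideas above: the Blue Team's triage choice between the miner and the lateral movement, and the Red Team's extrapolation of one thread's hashrate to a yearly dollar figure. The telemetry lines, hostnames, pool ports, hashrates, prices and detection heuristics are all constructed assumptions; the ATT&CK IDs (T1496 Resource Hijacking, T1047 Windows Management Instrumentation, T1021 Remote Services) are real.

```python
"""Purple-team secondary objective: a contained CPU miner as a Blue Team decision fork.

Added example, not code from the original letter. Two pieces:
  1. triage(): crude detection heuristics run over constructed telemetry, so
     the defender has to rank "chase the miner" against "chase the lateral
     movement" (the decision tree the letter describes).
  2. annual_mining_dollars() / annual_power_dollars(): extrapolate a
     one-thread miner's hashrate and power draw to a yearly figure that can
     be attached to the finding.
Hostnames, IPs and every numeric input below are assumptions for illustration.
"""
import shlex
from dataclasses import dataclass

# Constructed, EDR-style telemetry. Hosts, IPs, users and the pool are made up.
SAMPLE_EVENTS = [
    "2024-03-01T09:01:12Z host=ws-042 type=process image=xmrig.exe parent=powershell.exe args='-o pool.example:3333 --threads=1'",
    "2024-03-01T09:01:13Z host=ws-042 type=netconn image=xmrig.exe dst=203.0.113.7:3333",
    "2024-03-01T09:04:55Z host=ws-042 type=logon logon_type=3 user=svc_backup dst=fs-01",
    "2024-03-01T09:05:02Z host=fs-01 type=process image=cmd.exe parent=wmiprvse.exe args='/c whoami'",
    "2024-03-01T09:06:30Z host=ws-042 type=netconn image=chrome.exe dst=198.51.100.20:443",
]

MINER_IMAGES = {"xmrig.exe", "xmrig", "minerd"}
STRATUM_PORTS = {3333, 4444, 5555, 14444}        # typical pool ports, assumed list
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    technique: str   # ATT&CK technique ID
    detail: str
    severity: int    # higher triages first


def parse_event(line: str) -> dict:
    """Split "ts key=value key='quoted value'" into a dict (shlex handles the quotes)."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in shlex.split(rest):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(ev: dict):
    """Map one event to a Finding, or None. Heuristics are deliberately crude."""
    kind, host = ev.get("type"), ev.get("host", "?")
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    if kind == "process" and image in MINER_IMAGES:
        return Finding(ev["ts"], host, "T1496", f"{image} started by {parent}", 2)
    if kind == "process" and parent in REMOTE_EXEC_PARENTS:
        return Finding(ev["ts"], host, "T1047", f"{image} spawned by {parent}", 4)
    if kind == "netconn":
        port = int(ev.get("dst", ":0").rsplit(":", 1)[1])
        if port in STRATUM_PORTS:
            return Finding(ev["ts"], host, "T1496", f"{image} -> {ev['dst']}", 2)
    if kind == "logon" and ev.get("logon_type") == "3" and ev.get("user", "").startswith("svc_"):
        return Finding(ev["ts"], host, "T1021", f"network logon as {ev['user']} to {ev.get('dst')}", 4)
    return None


def triage(lines):
    """Findings in the order the Blue Team should work them.

    Lateral movement (T1021/T1047) outranks the miner (T1496): the miner is
    contained to one host and burns CPU; a foothold reaching a second host
    expands the blast radius. Ties fall back to time order.
    """
    findings = [f for f in (classify(parse_event(line)) for line in lines) if f]
    return sorted(findings, key=lambda f: (-f.severity, f.ts))


def annual_mining_dollars(hashrate_hs, network_hashrate_hs, block_reward_xmr,
                          block_time_s, xmr_price_usd, hosts=1):
    """Expected yearly payout: share of network hashrate x blocks/year x reward x price."""
    blocks_per_year = 365 * 86400 / block_time_s
    expected_xmr = hashrate_hs / network_hashrate_hs * blocks_per_year * block_reward_xmr
    return expected_xmr * xmr_price_usd * hosts


def annual_power_dollars(watts_per_thread, kwh_price_usd, hosts=1):
    """What the victim pays in electricity for one pinned thread, per year."""
    return watts_per_thread / 1000 * 8760 * kwh_price_usd * hosts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.severity} {f.technique:6} {f.host:7} {f.ts} {f.detail}")
    # Assumed figures: 500 H/s per thread, 2.5 GH/s network, 0.6 XMR/block,
    # 120 s blocks, $150/XMR, 15 W per pinned thread, $0.12/kWh, 200 reachable hosts.
    print("attacker payout/yr: $%.2f" % annual_mining_dollars(500, 2.5e9, 0.6, 120, 150, hosts=200))
    print("victim power bill/yr: $%.2f" % annual_power_dollars(15, 0.12, hosts=200))
```

Run it directly to print the triage order and the two yearly figures. The point of the ranking is that the miner, on its own, is deliberately not the most urgent thing on the board; the exercise is whether the Blue Team's playbook says so too. The dollar numbers are small per host, which is exactly why they get multiplied out across every host the same vulnerability would have reached.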
Troublemakers
“…show up unannounced, cause problems, and then move on…”
Perception is reality regardless of intention, and the perception of our Red Team was that it was a troublemaker. We show up unannounced, cause problems, and then move on to different targets.
Fixing the perception that we were an adversary instead of a partner was critical to establishing the kind of trust that could move mountains with few words. The kind of trust that Halsey and MacArthur had. I wanted that. Moreover, the security team needed it.
Communications during all stages of our operations needed fixing. Words matter, and operations couldn't help us achieve our shared purpose without the right words to bring everyone together.
Partnership
“Not two teams working together, but both joined to make something new”
Simple words to send a simple message: purple team, a mix of Red and Blue to make something more. Not two teams working together, but both joined to make something new.
Convincing the Purple Team that they were more than words on paper took time, patience, and trust. We stopped planning Red Team ops, and instead planned fully transparent Purple Team ops. All data was on the table:
What was being assessed
Specific targeting objectives
How taking action on those objectives benefited the company the most
Often the benefit was increased security
Sometimes the benefit was more business focused
As the Purple Team ops went on we discovered our shared purpose: protect the company, protect each other.
“…protect the company, protect each other.”
The Courage to Stand Up to your Peers
“Sometimes the hardest people to stand up to are our peers…”
Back to Rhino.
For the first time in 200 years a Navy flagship was placed under the command of a Marine: Mattis. Admiral Moore received criticism from his peers for that decision, but it was the right call to achieve the goals of Rhino. Admiral Moore showed tremendous leadership by placing his trust in the leadership of another, regardless of where that leader sat on the org chart.
Sometimes the hardest people to stand up to are our peers, and Admiral Moore showed courage to stand up to his friends to enable Mattis.
Go/Nogo
“He didn’t make the mistake of asking for permission to do things he already had the authority to do…”
From the flagship, Mattis conducted the go/nogo meeting for Rhino while already underway to the staging site. Mattis needed permission to execute one particular part of the raid. He didn’t make the mistake of asking for permission to do things he already had the authority to do, something I see people do all too often.
The genius of conducting the go/nogo meeting while en route to Rhino was: "we are going." To give the “nogo” response was a decision to discard all the work already moving full speed ahead towards Rhino, possibly triggering some loss aversion.
The meeting didn’t progress as positively as Mattis hoped. It’s a sinking feeling when you see that the room is starting to turn against you, and Mattis was certain the order to stand down was all but assured.
The order to stand down didn’t come, and Mattis was saved by the shared purpose he had established and widely communicated in simple language. How? An unlikely ally, someone Mattis had never spoken to, spoke up at the last moment, swayed the stakeholders, and pushed the final piece of approval over the edge.
“It’s a sinking feeling when you see that the room is starting to turn against you”
Breaking down the scenario: the unlikely ally understood enough about what needed to be done for the war effort and how Rhino would help. Simple, concise language that communicated a shared purpose gave Rhino the go.
Cyber Leaders at all Stages
Virtual teams and dotted lines redefine how to read an org chart. Leaders can come from anywhere, any place, on any team, and at any level. It doesn't matter if that leader is “far away” on the org chart on another team: if they are the right person to lead the project, ensure that they do.
Having a shared purpose expedites involvement with cross team leadership. The person that pushed Mattis’ go/nogo decision over the edge wasn’t part of the Rhino direct staff, but that of a virtual team. A cultivated advocate, united by a common goal and nothing more.
“There is no specific doctrine for establishing a Purple Team, nor are there any rules for who should lead it.”
Purple Teams share the common goals of both Red (offense) and Blue (defense): offensive informed defense. We can use the expertise of the attackers to embolden and enhance the defenses of the organization, while using defensive capabilities to push the attackers to test in different ways. There is no specific doctrine for establishing a Purple Team, nor are there any rules for who should lead it.
I am lucky that our Purple Team has leaders from both Red and Blue driving change across the company. Having the goals of the virtual team clearly and simply defined enables anyone on the team to step into a leadership role, at any time: a whole group of potential leaders that can step up at any time to tackle hard problems.
Taking
“Mattis got what he asked for, but he didn’t get everything he asked for”
After receiving the go-ahead to capture Rhino, Mattis did exactly that.
Taking an objective is easier than holding an objective. Taking requires breaking. Holding requires a certain type of finesse to keep what was taken alive.
Support staff were needed to maintain Rhino, but high level politics limited the number of combat troops allowed on the ground. Mattis certainly got what he asked for, but he didn’t get everything he asked for.
To help break through the layers of communication while on the ground, Mattis would send out short and succinct intention letters nightly, spreading information on why he intended to do something. He did this to help everyone stay aligned and focused on the next fixed point, something that would change almost daily.
“The shortest way is the way of nature”
What would “short and succinct intention letters” look like for operations teams like Red or Blue? How quickly could they be created and sent out without taking more time than was needed? Figuring this out is still on my mind to this day. I know that I need to do it but haven’t quite figured out the correct method. “The shortest way is the way of nature,” as the Stoics say. It’s not so much about finding the perfect answer, just one that works.
Holding
“…loose, decoupled, and trusting”
Navy operational control rotated out of Rhino and the Army had come in to hold the objective.
Naval operational style is loose, decoupled, and trusting. Army command has policies and procedures and is detail oriented: a place for everything, and everything in its place, with a top down approach.
Adapting to the changing command style was hard for the Marines at Rhino who were used to fast and loose. They failed to adapt properly to the new way of operations, and ultimately cost the coalition a coveted target, extending the war in Afghanistan for an additional decade.
“As a Red Team, we can’t do operations the same way against each business unit”
As a Cyber Leader I need to ensure I always have a good lay of the land technically and politically. Not understanding the landscape in which you operate sets the team up for failure.
Mattis failed to adapt to his new surroundings when transitioning from taking to holding, and it wasn’t him personally that suffered as a result but the nation. As a Red Team, we can’t do operations the same way against each business unit or project. Some stakeholders thrive on kicking down the door, while that same method would forever close doors to another business unit.
Failing to adapt to different targets may affect the security posture of the company more than the Red Team itself.
Red Team Startup
“Showing value is easy when the previous metric was 0%”
From my own experience with Red Teams, the concept of taking and holding takes the form of establishing and maintaining. A company can quickly establish a Red Team (year 0-1), but it is harder to maintain the Red Team once established (year 1+). Surviving is easy while thriving is not guaranteed.
When establishing something new, the sky's the limit. Loose policies are put in place that allow for the Red Team to explore and find bad stuff, while allowing for mistakes. Everything found by the Red Team is new and undiscovered previously. Showing value is easy when the previous metric was 0%: everything found is a 100% increase!
“Lack of funding will lead to burnout, then attrition, and then the Red Team will dissolve”
After a Red Team's startup period, leaders expect to start seeing metrics and quantifiable value and aren't wrong for thinking so. It's a similar type of experience that Mattis had when taking Rhino: fast and loose, get it done, everything gained is an increase over what they previously had: nothing. The Marines took, and the Army came in to hold.
Specializing in land warfare - holding and maintaining taken objectives - is the Army's forte. For the Red Team, not adapting to your partner teams which have different capabilities has a cost: the overall goals of cyber defense, the shared purpose, the “why.” Not adapting may cost the Red Team through lack of funding as a result of being unable to show sustained value. Lack of funding will lead to burnout, then attrition, and then the Red Team will dissolve.
Socially Engineer Stakeholders
“What they need is adversarial guidance and help”
Red Teams must adapt to their partner teams and give those teams whatever data they need. Red Teams are there to embolden and enable other elements of Cyber, and the quickest way to discover exactly what the other teams need is to ask.
The Blue Team may not actually need Red Team covert operations right now as they know they have severe defensive problems. What they need is adversarial guidance and help on what to fix first. Red Teams can do that. We are trusted adversaries, and that trust cannot be earned if you never leave your keyboard and talk to the person on the other side.
I have found that our shared Purple Team operations are what is needed the most by our defender friends right now. Yes, we still do covert operations, but they aren't the main method of how we help the company. Purple Team operations give Red Team operators opportunities to use their adversarial mindset to hunt and root out any adversaries that aren't supposed to be there.
Dual Spec
Let me drop a radical concept on you: Red Team operators and Hunt Team operators are two sides of the same coin. One operates in peacetime, one in wartime.
Thinking that a Red Team can’t help root out adversaries during an incident is not utilizing the full capabilities of an adversarial mind. And thinking that Hunt Team operators can’t pick targets and adapt TTPs is not using the full capabilities of a professional warrior.
To drive it home, here is a quick metric from another Cyber Letter on submarines:
During World War 2, the number one defense against enemy submarines, the defense that sank more enemy submarines than any other defense, was other submarines.
Your Red Team operators can help with lots of things. Enable them with a shared purpose, and let them do what they are good at: hacking.
Hacking technology, process, policy, or other adversaries.
Closing Thoughts
Call Sign Chaos is the first book where I felt that the deeper message I apply to Cyber needed to be shared. I felt strongly enough about how the message affected me that I wanted to write Chapter 5, Rhino, specifically. It helped me when I was dealing with my own struggles of shared purpose and bringing people to the table for true Purple Team operations.
Applying chapter 5 to my own experience, I found:
I had not effectively communicated what the shared purpose was for the Red Team
I had not communicated how the team was going to contribute to the wider mission because we had not defined our unified goals
I had not brought people to the table to generate ideas on our shared purpose
I had not communicated how each of our teams can work together to accomplish goals to get us all closer to the “why”.
Now after having spent a few months applying these lessons to our cyber teams, when defenders see the Red Team conducting operations they now know that we aren't doing operations for our own benefit. They trust that we are defending the company through our own unique methods. They trust us to do no harm, and we trust them to take action with the data we discover.
As Mattis said, "Operations move at the speed of trust." As a result of our partnership and shared purpose, our Red and Blue joint operations now move at the speed of light: ultraviolet light.
Farewell.