Red Team: How to Succeed By Thinking Like the Enemy by Micah Zenko focuses on the role that red teaming plays in a variety of institutions, ranging from the Department of Defense to cybersecurity. It’s an excellent book that describes the thought process behind red teaming, when red teaming is a success and when it can be a failure, and the way a red team can best fit into an organization and provide value. If you’re looking for a book that’s highly technical or focused entirely on information security engineering, this book may disappoint. There’s only a single chapter covering the application of red teaming in the information security space (particularly “vulnerability probes” as Zenko refers to many of the tests), but that doesn’t make the rest of the content any less useful – or interesting – to the Red Team practitioner.

The book largely focuses on how a Red Team can bring value to an organization, and how to structure the team, interact with the other parts of the organization, and how to drive change from red teaming. It largely divides red teaming into two types of practice: those where the Red Team is used to identify systemic vulnerabilities through vulnerability probes and penetration testing, and those where the Red Team is used to provide an alternative viewpoint (the “Devil’s advocate”), as in business decisions and intelligence agency reporting.

Most of the book uses examples and storytelling to make Zenko's points. The stories are interesting and serve to make his point well, making a book that is otherwise about organization, management, and structure an easy read. Even Red Teamers in the information security sense can relate to the intelligence-gathering and business decision points of view (for example, in new product development or threat intelligence).

The 300 or so pages are, at the least, thought-provoking, even if they do not provide a specific lesson to your team. There were dozens of points throughout the book where I had to stop to make a note about useful information or resources to look up later. These included:

Likewise, the book contains hundreds of citations providing access to many more resources for the reader. Many of these are also interesting or useful reads and can provide more focus in the particular areas of interest to the reader.

I do have a few bones to pick with Zenko, however. It’s not clear how prevalent this is in the other chapters, but he makes some generalizations about information security practitioners that push continued stereotypes:

This distinction can be an oversimplification because all of the best and most proficient white hats started off doing some black-hat hacking before they began to hack lawfully as a profession. (pg. 175)

If this is true (and I’m not saying it is), repeating it seems to encourage the notion that those looking to enter the security industry must spend time committing crimes in order to be accepted as a legitimate hacker.

And even then, it is not uncommon for hackers to have a day job conducting penetration tests, but then in their personal life to also engage in unauthorized hacking for political or ideological purposes, or just as a hobby. (pg. 175)

In fact, most white-hat hackers find their jobs to be so easy that they pursue more innovative, and potentially illegal, hacking activities while off duty. (pg. 182)

While it’s true that many hackers hack in their spare time, referring to it as “unauthorized” implies criminal or unethical behavior, as opposed to responsible security research, tool development, or the number of other ways hackers spend their spare time.

Overall, I think this is a worthwhile read for any Information Security practitioner, but especially team leaders and managers. A large part of the book will be useful in selling your team to management, demonstrating impact, and interacting with the business unit. All of these are things that will ultimately have your Red Team seen as more successful and more useful to the business. Overall, this is a solid book and I’d give it a 4/5.