Continuous Automated Red Teaming (CART): The future of security testing

By Bikash Barai

Today's cyber environment is one of rapid and constant change. Threat actors have grown more technologically savvy and now use an arsenal of new and sophisticated techniques that make their attacks harder than ever to recognize. With several thousand products and a rapidly changing landscape of ever-increasing threats and risks, cybersecurity seems as elusive, and probably as impossible, as the “happiness problem.”

Cyberattackers have an edge because they only have to succeed once, whereas defenders need to succeed every time. On top of that, security is laborious. Organizations are typically only able to test some of their assets, some of the time, whereas hackers are attacking all assets, all of the time.

Continuous Automated Red Teaming, or CART, is an emerging technology that can be a game changer in solving this problem.

Red Teaming: The Most Realistic Attack Emulation, but Hard to Scale

Red teaming is ethical hacking on a much broader and larger scale than conventional security testing. It’s a way for security teams to first discover an organization’s attack surface and then launch simulated attacks to test blind spots, just like a real attacker would. Unlike penetration testing, it is not based on a scope of IPs or applications but is instead objective- or goal-based, meaning the red team can attack whatever it needs to in order to achieve the goal.

The challenge with traditional red teaming is that it involves multiple tools and manual effort, and it tests only a fraction of an organization’s assets, and only occasionally. It is largely manual, hard to scale and unaffordable for most organizations.

CART: Emerging Tech for Comprehensive and Continuous Attack Surface Discovery and Testing

CART is an emerging security technology designed to automate red teaming so that one can achieve the breadth and depth of the process, scale it and conduct it seamlessly on a continuous basis. There are multiple potential approaches, including hardware, software or even Software-as-a-Service (SaaS).

During the CART process, an organization can search already indexed deep, dark and surface web data using reconnaissance techniques similar to those of nation-state actors. The platform automatically discovers an organization's dynamic digital attack surface, including unknown exposed databases, cloud buckets, code leaks, exposed credentials, risky cloud assets and open ports. Once an attack surface is recognized and a scope for the simulated attack is authorized, the attack engine launches multi-stage attacks on the discovered surface to identify security blind spots and attack paths before hackers do. The platform then prioritizes the risks and recommends next steps for mitigation.

CART vs. Traditional Solutions

Traditional red teaming is typically conducted once or twice a year. It is consultant-driven and requires manual orchestration between multiple tools. CART automates the process and makes red teaming continuous.

Penetration testing is conducted on a few known applications or systems. CART, unlike penetration testing, discovers the attack surface on its own without any inputs and launches a combination of multi-stage attacks, spanning from networks to applications to humans.

Breach and Attack Simulation (BAS) tools typically need hardware or software agents to be installed and work inside an organization. The tools mimic real threat actions and show how far an attacker can spread after gaining access to an internal system. CART, on the other hand, works using an outside-in approach and conducts real attacks without the need for any hardware, software or integration.

While today’s hackers operate with a level of sophistication that surpasses typical preventative and detection capabilities, CART can be a game-changing approach for staying one step ahead. You must test your own controls to identify potential blind spots before an attacker exploits them.