What is Continuous Automated Red Teaming (CART)?
Is this a genuinely novel idea, or could it simply be a buzzword introduced by vendors?
I got curious about Continuous Automated Red Teaming (CART) because it is recommended by the Securities and Exchange Board of India (SEBI) in its Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) (see pages 119 and 121).
As the name implies, Continuous Automated Red Teaming (CART) means red team exercises that run on an ongoing basis in an automated manner. Conceptually, it works as follows:
Create a profile of an adversary’s TTPs (for example, those of an APT group or a ransomware operation). Ideally these are the adversaries most likely to target the organization.
Feed this profile to a platform, known as the CART platform. This platform has the tools, exploits and other artifacts required to perform those TTPs in an automated manner.
The platform executes the exercise and reports back the results.
The exercise can be scheduled to run at a periodic interval.
The CART platform provides the capability to tweak the profile as per the organization’s requirements. Additionally, multiple profiles can be fed to the CART platform to perform multiple red team exercises in an automated manner.
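The procedure above, as an added toy example (not code from this post or from any CART product): a profile of ATT&CK technique IDs is executed against a catalogue of benign, allowlisted implementations, anything outside the catalogue or outside the approved scope is skipped rather than executed, and each run produces a report that can be repeated on a schedule. The technique IDs are real ATT&CK IDs; the profile, the catalogue, the approved scope and the function names are assumptions made for illustration.

```python
import os
import platform
import socket
import time
from dataclasses import dataclass


# Benign implementations of discovery techniques. Each returns a short string
# describing what the "adversary" would learn; none changes host state.
def t1082_system_info() -> str:
    return f"{platform.system()} {platform.release()} on {platform.machine()}"


def t1033_current_user() -> str:
    # Environment lookup rather than getpass so the step cannot fail in sandboxes
    return os.environ.get("USER") or os.environ.get("USERNAME") or "unknown"


def t1016_network_config() -> str:
    return f"hostname={socket.gethostname()}"


def t1057_process_discovery() -> str:
    return f"pid={os.getpid()} ppid={os.getppid()}"


# Catalogue (assumed): ATT&CK ID -> (technique name, implementation). Only
# techniques listed here can ever run; destructive ones are deliberately absent.
CATALOGUE = {
    "T1082": ("System Information Discovery", t1082_system_info),
    "T1033": ("System Owner/User Discovery", t1033_current_user),
    "T1016": ("System Network Configuration Discovery", t1016_network_config),
    "T1057": ("Process Discovery", t1057_process_discovery),
}


@dataclass
class Profile:
    name: str
    techniques: list  # ordered ATT&CK technique IDs to emulate


@dataclass
class Result:
    technique: str
    status: str  # "executed", "skipped" or "error"
    detail: str


def run_profile(profile: Profile, approved: set, catalogue=CATALOGUE) -> list:
    """Execute one exercise: walk the profile, run only catalogued AND approved
    techniques, and record an outcome for every step (skips included, so the
    report shows what the emulation did not cover)."""
    results = []
    for tid in profile.techniques:
        if tid not in catalogue:
            results.append(Result(tid, "skipped", "no benign implementation in catalogue"))
            continue
        if tid not in approved:
            results.append(Result(tid, "skipped", "not in approved scope for this target"))
            continue
        name, impl = catalogue[tid]
        try:
            results.append(Result(tid, "executed", f"{name}: {impl()}"))
        except Exception as exc:  # one failing step must not abort the exercise
            results.append(Result(tid, "error", repr(exc)))
    return results


def summarize(results: list) -> dict:
    """Counts per status, the kind of roll-up a scheduled run would report."""
    return {s: sum(1 for r in results if r.status == s)
            for s in ("executed", "skipped", "error")}


def run_scheduled(profile: Profile, approved: set, interval_s: float, runs: int) -> list:
    """The 'continuous' part: repeat the exercise at a fixed interval, keeping each report."""
    reports = []
    for i in range(runs):
        reports.append(summarize(run_profile(profile, approved)))
        if i < runs - 1:
            time.sleep(interval_s)
    return reports


# Constructed profile: a ransomware-style chain that ends with T1486 (Data
# Encrypted for Impact), which the catalogue intentionally cannot execute.
RANSOMWARE_LIKE = Profile(
    name="ransomware-like (constructed)",
    techniques=["T1082", "T1033", "T1016", "T1057", "T1486"],
)

# Constructed scope: the asset owner approved only three of the techniques.
APPROVED_SCOPE = {"T1082", "T1033", "T1016"}

if __name__ == "__main__":
    for r in run_profile(RANSOMWARE_LIKE, APPROVED_SCOPE):
        print(f"{r.technique:6} {r.status:9} {r.detail}")
    print(run_scheduled(RANSOMWARE_LIKE, APPROVED_SCOPE, interval_s=0.1, runs=2))
```

The design choice worth noting is that the profile only names techniques; the platform decides what it is able and permitted to run. A catalogue limited to benign implementations plus a per-target approved scope is what keeps an automated runner from becoming a general-purpose exploitation tool, which is the concern a platform holding real exploits raises. The skipped entries in the report are as informative as the executed ones: they tell the blue team which parts of the adversary's chain the exercise never exercised.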
Most of the [security vendor created] content I read for this post recommends CART as a replacement for traditional red teaming for the following reasons:
Traditional red teaming is a point-in-time exercise. It does not provide ongoing security testing of an organization’s critical infrastructure.
The costs associated with traditional red team assessments are high.
Manual red team assessments require trained manpower, which can be expensive.
Because of the cost and staffing constraints (the second and third points above), small organizations often miss out on the benefit of red team exercises.
I want this to be a non-opinionated post, so I will refrain from writing my opinion here, but the following questions do come to mind:
Will organizations be comfortable with exposing their critical assets to a platform capable of automatically exploiting them? What if an attacker gains access to this platform?
A manual red team assessment is an objective-oriented exercise which not only simulates or emulates an adversary’s tactics but also mimics their objective (e.g. exfiltrating intellectual property, placing a backdoor in the software product, etc.). Can CART simulate this? If not, can it truly replace a manual red team assessment?
The ultimate objective of any red team exercise is to help improve the blue team’s capabilities. How does CART interface with the blue team? How does it help them?
Red Team Notes
- Continuous Automated Red Teaming (CART) means red team exercises that run on an ongoing basis in an automated manner.
- Can CART truly replace manual red team assessments?
Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
It is possible that this is a vendor-created buzzword to pitch another of their ‘state of the art’ security products to organizations (no offense meant to any vendor). During my research, I found mostly security vendor websites talking about CART and why their product is the best in the industry for organizations looking to implement CART.