Toward Continuous Automated Penetration and Attack Testing (CAPAT)

According to ESG research, 73% of security professionals say that cyber-risk management is more difficult at their organization today than it was 2 years ago. Why? Survey respondents point to things like the growing attack surface, the rising number of software vulnerabilities, and the increasing technical prowess of cyber-adversaries. 

How can organizations mitigate growing cyber-risks? One common way is to get a better handle on the strength of existing cyber defenses through exercises like red teaming and penetration testing. 

Many organizations already conduct penetration testing or red teaming and use the resulting data to measure security team performance, review results with IT leaders, and reassess security controls and processes, which are all worthwhile outcomes. 

Okay, but here’s the problem: Most organizations undertake penetration testing and/or red teaming exercises once or twice a year. Furthermore, ESG research indicates that penetration testing and red teaming efforts last only 2 weeks or less at 75% of organizations. While valuable, penetration testing and red teaming can be expensive, and few organizations have the dedicated staff or advanced skills to conduct these exercises themselves or increase frequency using third-party services. 

In a changing IT environment, two weeks of poking at security defenses simply isn’t enough. 

Fortunately, there is a new and promising cybersecurity technology market segment that ESG calls continuous automated penetration and attack testing (CAPAT). Rather than hiring skilled penetration testers or white hat hackers, CAPAT emulates attacker behavior through techniques like simulated phishing emails, social engineering, or application layer exploits to flush out weak links in the cybersecurity chain. 

Unlike humans who tend to follow static attack patterns, CAPAT tools can be constantly updated to include the latest adversary tactics, techniques, and procedures (TTPs), so organizations can assess their defenses against current attacks and not just the tried-and-true tool sets of ethical hackers. Some tools use machine learning to modify attacks slightly as they scan and learn the idiosyncrasies of an organization’s network. Vendors in this space include AttackIQ, Cymulate, Randori, SafeBreach, Verodin, XM Cyber, and others. 

Used correctly, these tools can truly help organizations improve cyber risk measurement/management. In other words, CISOs can see where they are vulnerable and prioritize remediation actions. This can also help improve ROI on cybersecurity spending by enabling security teams to dedicate budget dollars in high priority areas based upon data rather than educated guesses.

As you may be able to tell, I’m bullish on this technology and believe that enterprise organizations will test, pilot, and deploy tools within the next 18 to 24 months. As they do:

  • CISOs will finally have timely cyber risk metrics for sharing. CFOs understand the need to increase cybersecurity budgets but can’t seem to get an answer to an obvious question: “What do I get for my money?” CISOs will use CAPAT tools to capture metrics and then share risk and financial management data with executives and corporate boards to help improve decision making and finally answer CFO money queries. 
  • Red and blue teams can turn purple. In my experience, red and blue teams often have trouble collaborating due to different skill sets, tools, and processes. CAPAT tools can provide common data to unify these teams, giving them a purple hue in the process. 
  • CAPAT may usurp penetration testing. Penetration testing tends to end once testers find a vulnerable system or entrance point. CAPAT has the potential to democratize advanced red teaming. As this happens, CAPAT will push past penetration testing to demonstrate how attacks move beyond network penetration to all phases of the kill chain. This alone will be extremely valuable for security operations.
  • CAPAT becomes part of SOAPA. Security operations tools like SIEM, EDR, and NTA tend to focus on threat management rather than risk management. CAPAT data will become an important input into these tools as well as a more integrated security operations and analytics platform architecture (SOAPA) to help balance threats and vulnerabilities. When new threats are discovered in the wild, the SOC team can consult CAPAT tools to understand if they are vulnerable to similar attacks. CAPAT data will also be combined with things like the MITRE ATT&CK framework, helping the SOC teams characterize simulated attacks and guide them through logical investigations. 
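To make the last two points concrete (timely risk metrics for CISOs, and CAPAT results combined with MITRE ATT&CK as an input to SOC tooling), here is an added example that is not part of the original post and not code from ESG or any of the vendors named above. It assumes a hypothetical CAPAT export in which each simulated technique is recorded with its ATT&CK technique ID, the tactic it exercised, and whether the defenses blocked it, only detected it, or missed it. The technique IDs are real ATT&CK identifiers; the outcomes and dates are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# ATT&CK tactics in kill-chain order. Used here as a hypothetical
# prioritisation rule: gaps earlier in the chain are surfaced first,
# because stopping an intrusion early limits every later stage.
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]


@dataclass(frozen=True)
class SimResult:
    technique_id: str  # ATT&CK technique ID (real identifiers)
    tactic: str        # ATT&CK tactic the simulation exercised
    outcome: str       # "blocked", "detected" (alert fired, not stopped) or "missed"
    run_at: str        # ISO date of the simulation run


# Constructed sample export from a hypothetical CAPAT tool; outcomes are invented.
SAMPLE_RESULTS = [
    SimResult("T1566", "Initial Access", "blocked", "2019-05-01"),
    SimResult("T1566", "Initial Access", "detected", "2019-05-08"),
    SimResult("T1059", "Execution", "detected", "2019-05-01"),
    SimResult("T1059", "Execution", "missed", "2019-05-08"),
    SimResult("T1003", "Credential Access", "missed", "2019-05-01"),
    SimResult("T1003", "Credential Access", "missed", "2019-05-08"),
    SimResult("T1021", "Lateral Movement", "detected", "2019-05-08"),
    SimResult("T1041", "Exfiltration", "blocked", "2019-05-08"),
]


def coverage_by_tactic(results):
    """Per-tactic counts plus a coverage ratio = (blocked + detected) / runs.

    This is the kind of metric a CISO can put in front of a CFO: for each
    stage of the kill chain, what fraction of simulated attacks did the
    current controls stop or at least see?
    """
    counts = defaultdict(lambda: {"runs": 0, "blocked": 0, "detected": 0, "missed": 0})
    for r in results:
        c = counts[r.tactic]
        c["runs"] += 1
        c[r.outcome] += 1
    for c in counts.values():
        c["coverage"] = round((c["blocked"] + c["detected"]) / c["runs"], 2)
    return dict(counts)


def _latest_by_technique(results):
    """Most recent result per technique (a later run overwrites an earlier one)."""
    latest = {}
    for r in sorted(results, key=lambda r: r.run_at):
        latest[r.technique_id] = r
    return latest


def prioritize_gaps(results):
    """Techniques whose most recent run was missed, ordered by kill-chain position."""
    gaps = [r for r in _latest_by_technique(results).values() if r.outcome == "missed"]
    gaps.sort(key=lambda r: TACTIC_ORDER.index(r.tactic))
    return [(r.technique_id, r.tactic) for r in gaps]


def exposure_to(results, technique_ids):
    """Answer the SOC question 'are we exposed to this TTP?'.

    Given the technique IDs from a new threat report, return each one's
    latest simulated outcome, or 'untested' if CAPAT has never exercised it
    (an untested technique is itself a finding: schedule a run for it).
    """
    latest = _latest_by_technique(results)
    return {t: latest[t].outcome if t in latest else "untested" for t in technique_ids}


if __name__ == "__main__":
    for tactic, c in coverage_by_tactic(SAMPLE_RESULTS).items():
        print(f"{tactic:18} runs={c['runs']} coverage={c['coverage']}")
    print("remediation order:", prioritize_gaps(SAMPLE_RESULTS))
    # Constructed "new threat report" listing three techniques.
    print("exposure:", exposure_to(SAMPLE_RESULTS, ["T1566", "T1003", "T1055"]))
```

The coverage table is the CISO-facing metric, the gap list is the remediation priority, and `exposure_to` is the SOC-facing query the post describes: when a new campaign is reported with its ATT&CK techniques, the team can check in seconds whether those techniques were stopped, only detected, missed, or never simulated at all, rather than waiting for the next annual engagement.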
