We are often asked a rotating set of questions about Operator. Security from the offensive side is such a new concept (in the commercial space) that it can be frightening for many at first.
"You mean, you want me to launch a hacker into my network on purpose?"
But safely. The value of Operator is that it unveils security holes that the current security solutions are not designed to catch. Offensive operators are trained in chaining benign actions together to form a malicious attack. In other words: the fastest way from point A to point B is not a straight line. The straight line will get you caught - a jagged line is what keeps you safe. Every decision an adversary makes requires balancing the effectiveness of it with the likelihood of getting caught.
In the world of Windows, Mimikatz is the most widely used tool for dumping password hashes. It's great and super effective, especially on older Windows boxes. However, don't think the adversary will be calling Invoke-Mimikatz from PowerShell anytime soon. 10 out of 10 antivirus programs will catch, flag and delete it immediately. It won't even make it onto disk. And then a bright, shining light will be shone on the person who tried to use it.
So with that, let's examine a few burning questions people have about security through autonomous red teaming!
What makes Operator different from others in the market?
There are several differentiating points:
Simplicity. Just install Operator (for free) and try it. If you've used security products before, you should notice the difference yourself; I don't need to tell you.
Self-learning. As Operator runs adversary profiles, it parses the output of each command and attempts to learn information about what it just did. This information is dynamically fed into future commands, creating command combinations that could not have been predicted from the start.
Easy procedure development. Many tools require you to know programming languages in order to create procedures, which are then loaded into their systems. In Operator, the procedure format is a simple, human-readable YML which can be built from an attack UI inside the app.
Simple, transparent pricing intended to be accessible to all.
Is it safe to have this tool free and largely open-source?
By making components free and open-source, we allow the public to analyze the source code, make contributions, and find and fix bugs. It also allows the open-source community to have trust in the system, as the code is freely available to verify. Could an exploit be developed from reading this code? Sure, but there is a higher likelihood of a white-hat finding and fixing the bug long before this occurs.
Finding a security hole in the platform (a vulnerability) is not the same as a risk. A hacker who uncovers a zero-day would then need to breach the network of a company using the tool in order to take advantage of it.
How often should I run this tool?
Operator should be run on a continuous basis, daily or weekly, depending on what your goals are. Because it is an automated tool, you can hook it into continuous integration tools, such as Jenkins or cloud servers, to run as often as you’d like. This allows you to test much more frequently than manual red-teaming. In fact, this is our recommended approach for larger organizations.
Red teaming should be part of the cultural norm. It shouldn’t live alone; it should be integrated with your existing defensive posture.
Can Operator perform initial access exploits?
Operator was developed as a post-compromise tool, meaning it assumes you have already breached a network and established a foothold (agent). However, the design allows you to deploy a local agent and task it with initial access techniques pointed at remote systems. Doing so allows you to hide your attacks through proxy hosts. For example, you can spin up an AWS EC2 server and deploy an agent on it that is connected to your Operator instance. You can then task it with initial access commands, allowing you to stay non-attributable behind the EC2 proxy.
We will be dedicating resources in the future toward more extensive initial access attack patterns. Initial access shares similarities with lateral movement, both of which are possible with Operator today but not our strongest areas as we’ve opted to start with the lower-hanging fruit.
How much of the ATT&CK framework is covered?
We get this question a lot. The ATT&CK framework is a great classification tool, creating a common language for attackers and defenders to use - however, covering every box on the matrix does not mean you are protected. As such, we aim to cover procedures which are impactful and most commonly seen in the wild. Note that we focus on procedures, not the techniques above them. There are 1000s of procedures for every technique, so covering a single one does not guarantee safety: we aim to create procedures that will keep you safe.
How many endpoints (computers) can Operator run on simultaneously?
Operator technology has been tested on as many as 1,500 endpoints simultaneously. However, this type of testing is strongly discouraged, as it is not representative of how adversaries actually work. One of our biggest goals is realistic emulation. As a hacker, you generally try to work through a network undetected, and establishing too many footholds in a network can be noisy and open you up to getting caught. It’s typically better to run agents on 3-5 computers and rotate these computers between tests.
Is this tool only for red teams?
Contrary to popular belief, Operator is actually primarily a blue-team tool! The goal of automated red teaming is to lessen the need for manual red teams. While offensive security experts certainly use Operator, our primary audience is blue-team or defensive-minded professionals looking to secure their networks.
Is Operator limited to shell commands?
No, Operator can actually run any type of command in any language. Essentially, if you can do something from behind the keyboard, you can easily have the platform replicate the same thing.
By default, Operator’s agent executes shell commands such as PowerShell, command-line and bash, but it can easily be extended to execute commands in assembly, C, system calls, shell code, arbitrary payloads and more. In fact, in the Professional license, you will see many of these options.
We are continually expanding the professional license capabilities as we flesh out the system. The next big iteration will be fully in-memory operations.
Won’t this teach defenders to just find Operator agents, not the actual effects happening?
By default, Operator agents take several defense-evasion precautions, such as having the ability to compile on the fly with a different file hash each time (if you want). We also make it easy for users to write their own agents and connect them to the platform. These evasion techniques encourage defenders to look for the effects of commands, instead of the actual Operator binaries.
How is Operator different from antivirus or vulnerability scanners?
Antivirus programs (AV) primarily look for file signatures of known malware and flag or quarantine them. More advanced AV will look at browser traffic and warn about or block malicious websites.
Vulnerability scanners primarily scan the software versions of installed applications in order to identify known CVEs associated with those versions. This gives members the ability to identify when to upgrade software once patches are available.
By contrast, Operator deploys actions that a hacker is likely to attempt. Oftentimes, these are benign actions that an AV or vulnerability scanner is not going to catch - but combining benign actions can result in a malicious attack. A good example of this is scanning local files, looking for passwords the user may have jotted down in a text file.
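The contrast drawn here, and in the earlier answer about agents that compile with a different file hash each time, can be shown from the detection side. The following is an added example, not Operator code and not part of the original post: the event schema, host names, hash placeholders and watched-command list are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (hypothetical schema, not real telemetry):
# time in seconds, host, parent pid, hash of the parent binary, child command line.
EVENTS = [
    # ws-01: agent build whose hash is already on the blocklist
    (100, "ws-01", 4120, "hash-build-1", "whoami /all"),
    (108, "ws-01", 4120, "hash-build-1", "ipconfig /all"),
    (121, "ws-01", 4120, "hash-build-1", "findstr /si password *.txt"),
    # ws-02: same behaviour, recompiled agent with a new hash
    (300, "ws-02", 988, "hash-build-2", "whoami /all"),
    (309, "ws-02", 988, "hash-build-2", "ipconfig /all"),
    (325, "ws-02", 988, "hash-build-2", "findstr /si password *.txt"),
    # ws-03: an administrator running one benign command
    (400, "ws-03", 77, "hash-explorer", "ipconfig /all"),
]
BLOCKLIST = {"hash-build-1"}  # constructed placeholder, not a real indicator

# Individually benign commands; only the combination is interesting.
PATTERNS = ("whoami", "ipconfig", "systeminfo", "net user", "findstr /si password")


def hash_hits(events, blocklist):
    """Signature-style detection: hosts where a blocklisted parent hash ran."""
    return {host for _, host, _, digest, _ in events if digest in blocklist}


def chain_hits(events, window=60, min_distinct=3):
    """Effect-style detection: hosts where one parent process ran at least
    min_distinct different watched commands within `window` seconds."""
    by_parent = defaultdict(list)
    for ts, host, ppid, _, cmd in events:
        matched = next((p for p in PATTERNS if cmd.lower().startswith(p)), None)
        if matched:
            by_parent[(host, ppid)].append((ts, matched))
    flagged = set()
    for (host, _), seen in by_parent.items():
        seen.sort()
        for start, _ in seen:
            in_window = {p for ts, p in seen if start <= ts <= start + window}
            if len(in_window) >= min_distinct:
                flagged.add(host)
                break
    return flagged


if __name__ == "__main__":
    print("hash blocklist :", sorted(hash_hits(EVENTS, BLOCKLIST)))
    print("command chain  :", sorted(chain_hits(EVENTS)))
```

The hash blocklist only sees the build it already knows, while the chain rule flags both hosts and ignores the single benign command on the third.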
All breach and sim tools are behind a website. Why is Operator a desktop application?
This is such a big question, we wrote an entire post about it!
Should I run Operator in my production or development environment?