What does Operator do?

If you’ve been using the app over the past 18 months, your answer will probably include the words red, purple or adversary emulation.

Operator promotes writing TTPs, composing attack chains, connecting agents and running repeatable offensive security assessments. These generic behaviors attract red team operators, blue team defenders, penetration testers, hobbyists, students looking to break into the industry, and - our bread and butter - purple teams looking to set up continuous security testing at their organization.

Early on, we started writing adversary emulation chains and releasing them each Tuesday, calling the event TTP Tuesday. We then wrapped each chain under a 6-week theme - often emulating a specific APT group - so they could be used in a focused campaign.

These are fun to build and exciting to talk about - but to be useful, the results often require manual interpretation by an experienced professional.

Ask 10 red teamers what makes a security assessment unsuccessful and they’ll probably tell you it’s when they don’t have time to execute advanced attacks. Ask 10 blue teamers the same question and you’ll probably hear complaints that the results of the testing aren’t useful. Pay attention to these motivations. They’re connected.

Adversary emulation chains often have prerequisites to run and are composed of layers of dependencies. Look at our recent APT 38 Sony hack as an example.

While powerful, this chain requires several user-defined “custom facts” (or dependencies in the form of variables) in order to run the chain. These include things like AWS credentials and an S3 bucket name.

That’s not a problem if you have the time and experience to work through the setup. But it does require a healthy dollop of both. And when it’s time to interpret the results you better prepare to dig in. Discerning what it means if all six TTPs in this chain succeed vs if it fails at the fourth one is not for the faint of heart.

But then again, Operator users are usually not faint of heart.

The downside of this approach, is that the Operator professional license (i.e., those with a subscription to TTP Tuesday) is designed for the advanced of the advanced.

But because Operator is designed for accessibility, we’ve decided to extend our approach.

Starting today, we are adding CVE exploits into our TTP Tuesday release cycle.

If you’ve been using Operator for awhile, here’s what this means to you:

• Over the next 6 weeks we’ll be leaning into this direction heavily, releasing 6+ CVEs aimed primarily at Linux, but with a few MacOS and Windows exploits mixed in.

• Each TTP will have 0 dependencies and can be detonated on any computer with a matching platform/executor.

• Each will return an exit code of 0 (exploitable) or 1 (not exploitable) when run. This binary result removes any ambiguity in what a TTP response means - and allows you to leverage more automaton when evaluating results. Inside Operator, this will be reflected with a green (exploitable) or red (not exploitable) status.

• We will release TTPs more frequently. We may not wait until Tuesday to drop new ones. Instead, we’ll be generating exploits as CVEs come across our desk and getting them out to you quicker.

• You can send us CVEs you’re interested in seeing and we’ll add them to our queue to consider.

We’re not done with adversary emulation chains. We’re simply leaning into our new CVE theme to explore how they work for you.

As you boot up on this topic, your first instinct may be to compare CVE testing to vulnerability scanning. We are not doing that.

A scanner runs perimeter checks to see what software is exposed on a machine, and of what version, to determine if there is a potential CVE. Super useful. Essential. But because it doesn’t live on an endpoint it can’t exploit it to be certain. And there may be other vulnerabilities hiding on the box, beneath the view of the scanner.

That’s what we’re doing.

We hope you enjoy this new theme over the next 6 weeks. If you have an Operator license, we’d love to get feedback on how its working (or not!) for you. If you don’t have a license, we hope this encourages you to give us a try!