How Prelude Operator helps elite red teams
Six common problems advanced security teams face, and how we’re helping
This article is for advanced red team operators. From our shell to yours.
We built Prelude Operator to make the benefits of red teaming more accessible to more people. The equation is simple: the more people who can perform advanced security assessments, the more businesses will be protected.
This means we designed Operator to be used by everyone, simplifying the process of executing a security assessment. We stripped out complexity, replacing it with usability.
But if you’re still reading, you’re in a different crowd. You’re an advanced operator. Maybe a private consultant. Maybe you’re a red teamer for a government or for an internal security team at a large organization. Complexity is your middle name. So can Operator help you?
Yes.
Ignore the minimal GUI on Operator. Ignore the simplicity. Let’s break down the problems we want to help you solve.
Problem #1: Your payloads and scripts hang around in random git repos, and not everyone on your team has access to the same set.
Solution: Operator is a natural central location to store scripts and payloads. It has a built-in script editor, and it can import from and sync with a shared repository.
In the near future, we’ll be adding a capability to link Operator apps together, so you can efficiently collaborate with your team members.
Problem #2: You spend a lot of time managing your RATs to ensure they don’t get caught and can beacon in/out without detection. This requires multiple binaries, in many languages, and constant coding.
Solution: Operator is not your typical adversary simulation tool. We have multiple agents, written in languages like Python and Go; one was even just published open-source in Nim.
Our agents are, of course, designed to communicate with Operator over configurable TCP, UDP, gRPC and HTTP protocols. However, you can also point them at your own C2 infrastructure. We give you instructions on how to do just that.
We are actively adding more protocols. Reach out if there is one in particular you’re interested in.
Our agents are also modular, which lets you customize them well beyond configuration changes. Because we give you the source code, you can take any of our agents, tweak them to your specific needs, and take them into the field. Essentially, treat our team as your agent factory and benefit from the open-source contributions of the community.
Problem #3: After you conduct a red team engagement, you do a hot-wash with the blue team and nothing happens. When you come back six months later, you find the same issues.
Solution: Make your hot-wash more interactive by giving the blue team a copy of Operator, loaded with a simplified version of the attack you ran. This way, they can practice in between your assessments. Since Operator can be scripted, you can quickly create repeatable steps for the defense to execute, so that when you come back the same holes are far less likely to still be open.
Problem #4: You may be an advanced operator, but every team has a pipeline of inexperienced members who need more exposure in the field. Taking time away from your duties to train junior members isn't always a good use of time.
Solution: Leverage the in-app documentation within Operator. The included ATT&CK Manual Pages walk through TTPs, explaining why they're important, how they link to other TTPs, and how defenders may attempt to detect and respond. This documentation is constantly updated with new material, so it is a natural place to refer team members, especially those new to your team.
Soon, we’ll allow you to add your own training into the program, so you can customize what your operators are learning.
Problem #5: After an assessment, you spend weeks compiling a manual red team report. You need to read your notes, check audit logs and break it down into a PDF that can prove the value of your work. This takes (lots of) time.
Solution: Our team is currently working on building a customizable reporting section into Operator. This will enable you to build formatted report templates, automatically fill in many details and allow you to cruise through the report writing quickly, with PDF export and digital sharing.
Problem #6: My environment isn't supported in your product. We have <insert specific environment that requires specific TTPs>, and we build our own in-house tooling to handle it.
Solution: Operator's TTPs, C2, and agents are designed to support atypical environments. Our team has experience red teaming against ICS/SCADA platforms, medical devices, satellite systems, mobile devices, and more. We built Operator to facilitate engagements against complex and non-standard targets because there is very little tooling available for those systems. Whether it's writing an agent that can proxy Modbus commands into a closed ICS network or agents that can exploit and implant network devices, Operator is meant to simplify that process.
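To make the Modbus-proxying agent concrete, here is an added example (not Operator's code, and not any Prelude agent) of the protocol work such an agent has to do: encode a Modbus/TCP Read Holding Registers request (MBAP header plus PDU), forward it, and validate the reply against the request before handing it back to the operator. The register map, the `SimulatedDevice` stand-in for a PLC, and the `READ_ONLY` allow-list are constructed for this example; everything else follows the Modbus/TCP framing rules.

```python
import struct

FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
MAX_READ_REGS = 125                  # protocol limit for one FC 0x03 request
READ_ONLY = {0x01, 0x02, 0x03, 0x04}  # function codes that cannot alter process state (example scope policy)


class ModbusError(Exception):
    """Exception response from the device: function | 0x80 followed by a one-byte code."""
    def __init__(self, code):
        super().__init__("Modbus exception 0x%02x" % code)
        self.code = code


def mbap(tid, unit_id, pdu):
    """MBAP header: transaction id, protocol id 0, length (unit id + PDU bytes), unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def build_read_holding(tid, unit_id, start, count):
    if not 1 <= count <= MAX_READ_REGS:
        raise ValueError("count out of range")
    return mbap(tid, unit_id, struct.pack(">BHH", FC_READ_HOLDING, start, count))


def parse_read_holding(frame, tid, count):
    """Validate a reply against the request it should answer; return the register values."""
    if len(frame) < 9:
        raise ValueError("short frame")
    r_tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    if r_tid != tid:
        raise ValueError("transaction id mismatch")
    fc = frame[7]
    if fc & 0x80:
        raise ModbusError(frame[8])
    if fc != FC_READ_HOLDING or frame[8] != 2 * count or len(frame) != 9 + 2 * count:
        raise ValueError("response does not match request")
    return list(struct.unpack(">%dH" % count, frame[9:]))


class SimulatedDevice:
    """Constructed stand-in for a PLC: a few holding registers and, as in real Modbus, no authentication."""
    def __init__(self, registers):
        self.registers = dict(registers)

    def handle(self, frame):
        tid, _proto, _length, unit_id = struct.unpack(">HHHB", frame[:7])
        fc = frame[7]
        if fc == FC_READ_HOLDING:
            start, count = struct.unpack(">HH", frame[8:12])
            addrs = range(start, start + count)
            if not all(a in self.registers for a in addrs):
                return mbap(tid, unit_id, bytes([fc | 0x80, 0x02]))  # illegal data address
            vals = [self.registers[a] for a in addrs]
            return mbap(tid, unit_id, bytes([fc, 2 * count]) + struct.pack(">%dH" % count, *vals))
        if fc == FC_WRITE_SINGLE:
            addr, val = struct.unpack(">HH", frame[8:12])
            self.registers[addr] = val
            return mbap(tid, unit_id, frame[7:12])  # FC 0x06 reply echoes the request PDU
        return mbap(tid, unit_id, bytes([fc | 0x80, 0x01]))  # illegal function


def proxy(device, frame, allowed=READ_ONLY):
    """The agent's job for a raw frame from the operator: allow-list the function code, then forward."""
    if len(frame) < 8:
        raise ValueError("short request")
    if frame[7] not in allowed:
        raise PermissionError("function 0x%02x not in engagement scope" % frame[7])
    return device.handle(frame)


def read_registers(device, tid, unit_id, start, count):
    """Operator-facing helper: encode, proxy, decode."""
    return parse_read_holding(proxy(device, build_read_holding(tid, unit_id, start, count)), tid, count)
```

Two design points matter more than the framing itself. First, the agent validates the reply (transaction id, length field, function code, byte count) rather than trusting whatever comes back, because a proxy that forwards unparsed bytes to the operator is an easy way to get a garbled or spoofed reading into a report. Second, Modbus has no authentication, so a write that the agent forwards is a write the PLC will perform; the `allowed` set defaults to read-only function codes and writes must be enabled explicitly, which is the kind of scoping an ICS engagement's rules of engagement normally require.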
This is not an exhaustive list of the ways we're helping advanced red teams streamline their operations, but we believe it's a good starting point. We hope that you take Operator for a spin and let us know how it goes and what else we can do to support your mission.