Protect yo' self

Operator's new Protect Mode introduces a hands-off approach to security testing

In version 0.9.18, Operator dropped in a brand new feature that takes a big stride toward our mission of accessible red teaming for everyone: Protect Mode.

Protect Mode is a completely hands-off approach to security assessments, aimed at organizations that don’t have the time, expertise or money to conduct their own manual red team exercises.

You can enable this mode by opening your Operator workspace’s settings.yml file and changing the protect property to 0.

But what, exactly, does enabling the mode do?

  1. It adds Operator to your computer’s login/startup programs, so it’ll launch when you reboot your computer. The goal is to have it “always on” the same way you do for antivirus. Right now, we don’t hide it in the background like an AV program but we pop the GUI open, so you know it’s there.

  2. On a random interval, between 10 minutes and 4 hours a safe, your Operator instance will consider running a TTP or a small chain of TTPs. It’ll do so randomly and it will only execute a few TTPs each week.

  3. When a TTP executes, a training flag will become available in your system tray. This flag will teach you what TTP ran and what the impact of it was.

  4. The Prelude publisher will flip on. This means when you run security assessments, a record of the tactic, technique and success of each executed TTP is sent to a private Prelude database so we can automatically create custom adversaries, tuned specifically to your environment.

The Prelude publisher does not have the ability to read the request/command or response from any result, this is all encrypted locally.

Ok, but now really, how does it all work?

Internally, our security team has identified 100s of “malicious chains” that adversaries commonly execute to achieve a specific goal, most of them fly under the radar of modern defenses. These chains are comprised of benign actions, like copying a file or visiting a website. When several benign actions are run in sequence, they can have a malicious result.

Adversaries often get from point A to point B by going through C, D and E first. They do this because modern defensive products are tuned to catch adversaries doing known activities, such as running a keylogger or downloading a credential dumper. An adversary can typically achieve the same results by taking “the long way around” so they opt for chaining benign actions together instead.

The TTPs that execute are safe, non-destructive procedures which test not only the defenses on the endpoint computer and network but the employee using the machine. Certain attacks will prompt the user to allow a program access to specific directories or to enter their credentials in a pop up box.

Attacks like these are testing the user’s behavior while using the machine, which is the most vulnerable access point you have as an organization.

Modern defensive products tend to look for patterns, especially related to outbound network requests. An adversary beaconing every hour, on the hour, is bound to (quickly) get caught. But random, well-spaced beacons are less likely to get caught, as it’s tricky to identify the pattern.

Micro adversaries are created out of the TTPs you have access to, according to your license. If you have a Community license, this is about 100 TTPs (as of this writing) and if you have Professional, it’ll be closer to 400. This essentially means, if you have a Professional license, your micro adversaries will be smarter.

Cool, I get it - but how do I get value from this?

This is where we’re not done: getting consumable results from security assessments is complicated. We want to make it simple.

Right now, Protect Mode users can see the results and security recommendations generated from these micro adversaries in two places: the main Operate section and the Reporting plugin. The results will look the same as your manual assessments in Operator. You can decipher them the same way you would any other set of red team results.

Soon, we’ll be opening up a web portal so you can view results - and security recommendations - from all the Operator instances in your organization. Through this distributed look, we hope you’ll gain insights into your organization’s overall security posture. And through this, we hope to bring the value of red teaming to every organization.

Interested in getting early, alpha access to this portal? Shoot us a note at and we’ll hook you up when we launch it.