Offensive and defensive security are typically viewed as opposite sides of the same fence. On one side, the offensive team aims to prevent attackers from compromising an organization, whereas on the other side the defensive team aims to stop attackers once they are inside. The fence, metaphorically speaking, is the adversary. The adversary’s moves, motives and mindset are the driving force behind the tactics, techniques and procedures (TTPs) of the offensive and defensive teams. Both teams put themselves in the adversaries’ shoes, predicting how they will try to achieve their objectives, and execute strategies to reduce the opportunity for those adversaries to succeed.

With that common ground in mind, IBM Security’s offensive and defensive security teams recently joined forces. X-Force Red is IBM Security’s team of hackers. X-Force Incident Response (IR) is IBM Security’s team of responders, researchers and investigators. While the teams provide offensive and defensive security services, they are now part of one team — X-Force — which is led by Global Managing Partner Charles Henderson. I spoke to Charles about the joint team, and how they will separately maintain autonomy while also providing value as one.

Abby: Thank you for speaking with me, Charles. Let’s begin the discussion with that point. It seems that the objectives for offensive and defensive security clash a bit, with the offensive team doing everything it can to prevent a compromise and the defensive team doing everything it can to stop attackers when there is a compromise. How does putting both teams under one umbrella help overcome this clash?

Charles: It’s important to keep in mind that from an organization’s perspective, you have the best of both worlds. When you look at offensive and defensive capabilities, they are research-driven. The teams dig into adversary motives, attacks in the wild, criminal behaviors and how adversaries are achieving their goals, but from different perspectives. The teams can share that research to gain a more well-rounded profile of the adversary. They can use that research to step inside the shoes of adversaries, understand what they may do and then develop mitigations to stop them. Additionally, while the offensive and defensive teams’ objectives may differ, the kinds of people who take on those roles are similar. Offensive and defensive practitioners are competitive, intellectually curious and driven people. They are driven by this adversarial nature of red versus blue and strive to help organizations conquer the criminal.

Abby: So how does that like-mindedness differentiate a combined offensive and defensive team in the crowded cybersecurity industry?

Charles: It centers around the adversarial component. That’s what makes it interesting. Both teams are dedicated to fighting against someone or something. As the offensive team, we are trying to evade organizations’ defenses, using the same TTPs as attackers. As the defensive team, we are trying to stop attackers in their tracks to minimize potential damage. Other security services and products don’t center around that adversary component. Our deeper understanding of the adversaries and shared drive to beat them is what sets us apart.

Abby: How will the X-Force Red team of hackers and the X-Force IR team of responders remain autonomous if they are operating under the same umbrella?

Charles: Nothing will change regarding delivery. X-Force Red and X-Force IR can co-exist under the same roof while maintaining a separation of deliverables. The biggest change, and it’s a positive one, is in quality. Now that both teams are under one roof, they can share more research and intel, which gives them a stronger view into the enemy. It’s also important to note that the output of our engagements with customers will remain separated. X-Force Red doesn’t need to see the results of the X-Force IR team’s work and vice versa. The teams will only share engagement-specific information if the customer requests it. Otherwise, the firewall between our teams will remain intact. That said, engagement from a customer perspective will be seamless with a unified experience.

Abby: Which kinds of threats are both teams combatting most?

Charles: Ransomware is the biggest one. The team is focused on building playbooks to prepare organizations’ incident response teams to detect and contain ransomware attacks while also performing active threat assessments and threat hunting to help bolster organizations’ defenses. On the offensive side, the team is performing network and application testing and social engineering exercises like phishing and vishing to find vulnerabilities that ransomware attackers could leverage. The team is also performing adversary simulation exercises to simulate ransomware attacks and find gaps in organizations’ incident response programs that would enable an attack to succeed. With all those exercises, organizations can gain a clear understanding of the top risks in their environment and how to reduce the risk of a ransomware or any other kind of attack.

Abby: I have one last question, Charles. From a security leader’s perspective, what would you say is the number one value point for using one partner for offensive and defensive security services?

Charles: I am torn between two. With one partner, you gain a more simplified consumption experience. Everything from contracts to procurement is under one roof, so it makes it easier to procure services and go through the purchasing process. Also, the level of expertise you gain is top notch. Our combined teams include the top-tier talent in hacking, response, research and investigations in the industry. We want to continue helping organizations stay ahead of the adversary and protect their organizations, and this merging of our teams enables us to be more effective in that mission.

Abby: Thank you for your insights, Charles. To our readers, if you are interested in learning more about X-Force, please visit our new homepage and watch our new X-Force video.

Also, on Sept. 29, the X-Force team will be hosting a virtual research-focused event, Red Con 2021. Register to attend and learn about homegrown testing tools, physical break-ins, cloud-focused research and more!

Register here

More from Incident Response

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Breaking Down a Cyberattack, One Kill Chain Step at a Time

In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions. The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT). Organizations…

Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strikes operational usage in the past, we on the IBM X-Force…

What is a Red Teamer? All You Need to Know

A red teamer is a cybersecurity professional that works to help companies improve IT security frameworks by attacking and undermining those same frameworks, often without notice. The term “red teaming” is often used interchangeably with penetration testing. While the terms are similar, however, there are key distinctions. First and foremost is the lack of notice from red teams. Pen testing may be scheduled in advance to assess the ability of specific security measures to handle a simulated attack; red team…