Offensive and defensive security are typically viewed as opposite sides of the same fence. On one side, the offensive team aims to prevent attackers from compromising an organization, whereas on the other side the defensive team aims to stop attackers once they are inside. The fence, metaphorically speaking, is the adversary. The adversary’s moves, motives and mindset are the driving force behind the tactics, techniques and procedures (TTPs) of the offensive and defensive teams. Both teams put themselves in the adversaries’ shoes, predicting how they will try to achieve their objectives, and execute strategies to reduce the opportunity for those adversaries to succeed.
With that common ground in mind, IBM Security’s offensive and defensive security teams recently joined forces. X-Force Red is IBM Security’s team of hackers. X-Force Incident Response (IR) is IBM Security’s team of responders, researchers and investigators. While the teams provide offensive and defensive security services, they are now part of one team — X-Force — which is led by Global Managing Partner Charles Henderson. I spoke to Charles about the joint team, and how they will separately maintain autonomy while also providing value as one.
Abby: Thank you for speaking with me, Charles. Let’s begin the discussion with that point. It seems that the objectives for offensive and defensive security clash a bit, with the offensive team doing everything it can to prevent a compromise and the defensive team doing everything it can to stop attackers when there is a compromise. How does putting both teams under one umbrella help overcome this clash?
Charles: It’s important to keep in mind that from an organization’s perspective, you have the best of both worlds. When you look at offensive and defensive capabilities, they are research-driven. The teams dig into adversary motives, attacks in the wild, criminal behaviors and how adversaries are achieving their goals, but from different perspectives. The teams can share that research to gain a more well-rounded profile of the adversary. They can use that research to step inside the shoes of adversaries, understand what they may do and then develop mitigations to stop them. Additionally, while the offensive and defensive teams’ objectives may differ, the kinds of people who take on those roles are similar. Offensive and defensive practitioners are competitive, intellectually curious and driven people. They are driven by this adversarial nature of red versus blue and strive to help organizations conquer the criminal.
Abby: So how does that like-mindedness differentiate a combined offensive and defensive team in the crowded cybersecurity industry?
Charles: It centers around the adversarial component. That’s what makes it interesting. Both teams are dedicated to fighting against someone or something. As the offensive team, we are trying to evade organizations’ defenses, using the same TTPs as attackers. As the defensive team, we are trying to stop attackers in their tracks to minimize potential damage. Other security services and products don’t center around that adversary component. Our deeper understanding of the adversaries and shared drive to beat them is what sets us apart.
Abby: How will the X-Force Red team of hackers and the X-Force IR team of responders remain autonomous if they are operating under the same umbrella?
Charles: Nothing will change regarding delivery. X-Force Red and X-Force IR can co-exist under the same roof while maintaining a separation of deliverables. The biggest change, and it’s a positive one, is in quality. Now that both teams are under one roof, they can share more research and intel, which gives them a stronger view into the enemy. It’s also important to note that the output of our engagements with customers will remain separated. X-Force Red doesn’t need to see the results of the X-Force IR team’s work and vice versa. The teams will only share engagement-specific information if the customer requests it. Otherwise, the firewall between our teams will remain intact. That said, engagement from a customer perspective will be seamless with a unified experience.
Abby: Which kinds of threats are both teams combatting most?
Charles: Ransomware is the biggest one. The team is focused on building playbooks to prepare organizations’ incident response teams to detect and contain ransomware attacks while also performing active threat assessments and threat hunting to help bolster organizations’ defenses. On the offensive side, the team is performing network and application testing and social engineering exercises like phishing and vishing to find vulnerabilities that ransomware attackers could leverage. The team is also performing adversary simulation exercises to simulate ransomware attacks and find gaps in organizations’ incident response programs that would enable an attack to succeed. With all those exercises, organizations can gain a clear understanding of the top risks in their environment and how to reduce the risk of a ransomware or any other kind of attack.
Abby: I have one last question, Charles. From a security leader’s perspective, what would you say is the number one value point for using one partner for offensive and defensive security services?
Charles: I am torn between two. With one partner, you gain a more simplified consumption experience. Everything from contracts to procurement is under one roof, so it makes it easier to procure services and go through the purchasing process. Also, the level of expertise you gain is top notch. Our combined teams include the top-tier talent in hacking, response, research and investigations in the industry. We want to continue helping organizations stay ahead of the adversary and protect their organizations, and this merging of our teams enables us to be more effective in that mission.
Abby: Thank you for your insights, Charles. To our readers, if you are interested in learning more about X-Force, please visit our new homepage and watch our new X-Force video.
Also, on Sept. 29, the X-Force team will be hosting a virtual research-focused event, Red Con 2021. Register to attend and learn about homegrown testing tools, physical break-ins, cloud-focused research and more!