Picture this: A group of IBM employees once tailgated their way into a client’s office building carrying a box of doughnuts, their laptops and testing gear. The group found an unoccupied conference room and placed the doughnuts on a table outside, along with a sign that said the group was conducting network testing there.

They managed to work in the office all week — unchallenged and unquestioned — and penetrated the company’s network from the inside, fulfilling their mission. So began another engagement for the IBM X-Force Red team, a unique group of more than 100 security analysts who probe customers’ networks for vulnerabilities.

Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist, his role as a cybersecurity activist in the late 1990s — and the recent reunion of his influential hacking group on Capitol Hill.

Inside Offensive Security

The X-Force Red team doesn’t “just do vulnerability assessment, which is what most folks think of when it comes to offensive security,” according to Thomas. It also uses both automated and manual tools and conducts code reviews and physical security testing.

In other words? The team does exactly what cybercriminals do.

Physical security testing is perhaps the most popular assessment. In this type of engagement a team member tries — with full authorization, of course — to enter a company’s premises and hack its network from the inside, as in the now notorious doughnut example above. Once an engagement begins, members of the team usually find a vulnerability within a day or so.

“We have never been to a client that we haven’t gotten into their network and found something serious,” Thomas said. “While it’s depressing to think that holes are everywhere, it’s a positive thing because we help our customers find and patch these holes and better secure their environments.”

During his time at IBM, Thomas has worked on improving the IBM X-Force Red portal, which customers use to retrieve reports and schedule work for teams. He also worked on a project to expand an internship program.

“There are not a lot of opportunities for offensive security positions at the college level, so we are ramping that up,” Thomas said. “That helps feed our employee pipeline too.”

White Hats Go to Washington

In 1998, Thomas and other members of the hacker think tank L0pht Heavy Industries testified to Congress. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers, and for running a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years. (Security firm @Stake acquired the think tank in 2000, and Symantec subsequently acquired @Stake in 2004.)

During their testimony two decades ago, the group warned that computer networks were embarrassingly insecure — and bragged that any one of them could take the entire internet down in only a few minutes thanks to weaknesses in the core Border Gateway Protocol (BGP) routing. (The members even used their hacker names on their nameplates because many of them feared prosecution.)

L0pht Heavy Industries testifying before Congress in 1998. (Photo courtesy of Cris Thomas.)

The Return of the White Hats

Thomas and several L0pht colleagues made headlines again in May 2018 when they reunited on Capitol Hill. The reason for their reunion? The group wanted to talk to Congress about the progress of cybersecurity regulations.

While the group didn’t meet with representatives this time around — and their given names were openly discussed — there was still a serious reason for their reunion. Four of the original members returned to Capitol Hill to say that while security technology has improved, some things haven’t changed.

“Nearly all of what we said 20 years ago still holds true,” said Joe “Kingpin” Grand, another member of the L0pht group. “Yes, there have been improvements, but the general class of problems are the same.” For example, the same 1998 BGP flaws were used in the MEWKit phishing attack in May 2018.

“We have better visibility into our network endpoints, if we choose to gather it, and can make educated decisions about where to apply our limited resources,” Thomas testified. “Strong encryption is more prevalent, but we aren’t evenly applying the knowledge of how to make something secure.”

Cris Thomas, who also goes by the pseudonym Space Rogue, testifying before Congress in 2018. (Photo courtesy of Debra Kavaler Wysopal.)

Space Rogue Spreads Security Awareness

In the past 20 years, Thomas has made other visits to Capitol Hill, primarily to brief congressional staffers about technology and security issues.

“Staffers influence the elected representative, so they help to make sure that the basic tech knowledge is available to them,” Thomas said. “I want the representatives to have this knowledge because then they will make the right decisions. That’s regardless of whether they agree with my point of view or not.”

In 2017, Thomas escorted two members of Congress around the show floor of DEF CON, a large hacker convention held annually in Las Vegas. It was an interesting experience for all of them.

“Clearly, there is an obvious knowledge gap with our elected officials, but they have to be experts in almost everything. So, it isn’t fair to expect them to be knowledgeable in technology,” Thomas said.

But did Thomas ever imagine he’d be working at IBM one day?

“Even two years ago, I never thought I would,” he said. “But Steve Ocepek [regional lead of North America at IBM X-Force Red] was the best manager that I have ever worked with, and when he asked me to come work for him at IBM, I took it seriously.”

Listen to the podcast: X-Force Red in Action — Spotlight on Penetration Testing With Space Rogue
