Picture this: A group of IBM employees once tailgated their way into a client’s office building carrying a box of doughnuts, their laptops and testing gear. The group found an unoccupied conference room and placed the doughnuts on a table outside, along with a sign that said the group was conducting network testing there.

They managed to work in the office all week — unchallenged and unquestioned — and penetrated the company’s network from the inside, fulfilling their mission. So began another engagement for the IBM X-Force Red team, a unique group of more than 100 security analysts who probe customers’ networks for vulnerabilities.

Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist, his role as a cybersecurity activist in the late 1990s — and the recent reunion of his influential hacking group on Capitol Hill.

Inside Offensive Security

The X-Force Red team doesn’t “just do vulnerability assessment, which is what most folks think of when it comes to offensive security,” according to Thomas. It also uses both automated and manual tools and conducts code reviews and physical security testing.

In other words? The team does exactly what cybercriminals do.

Physical security is perhaps the most popular assessment. This tactic is where a team member tries — with full authorization, of course — to enter a company’s premises and hack its network from the inside, as in the now notorious doughnut example above. When they begin an engagement, members of the team usually find a vulnerability within a day or so.

“We have never been to a client that we haven’t gotten into their network and found something serious,” Thomas said. “While it’s depressing to think that holes are everywhere, it’s a positive thing because we help our customers find and patch these holes and better secure their environments.”

During his time at IBM, Thomas has worked on improving the IBM X-Force Red portal, which customers use to retrieve reports and schedule work for teams. He also worked on a project to expand an internship program.

“There are not a lot of opportunities for offensive security positions at the college level, so we are ramping that up,” Thomas said. “That helps feed our employee pipeline too.”

White Hats Go to Washington

In 1998, Thomas and other members of attacker think tank L0pht Heavy Industries testified to Congress. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers and a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years. (Security firm @Stake acquired the think tank in 2000, and Symantec subsequently acquired @Stake in 2004.)

During their testimony two decades ago, the group warned that computer networks were embarrassingly insecure — and bragged that any one of them could take the entire internet down in only a few minutes thanks to weaknesses in the core Border Gateway Protocol (BGP) routing. (The members even used their hacker names on their nameplates because many of them feared prosecution.)

L0pht Heavy Industries testifying before Congress in 1998. (Photo courtesy of Cris Thomas.)

The Return of the White Hats

Thomas and several L0pht colleagues made headlines again in May 2018 when they reunited on Capitol Hill. The reason for their reunion? The group wanted to talk to Congress about the progress of cybersecurity regulations.

While the group didn’t meet with representatives this time around — and their given names were openly discussed — there was still a serious reason for their reunion. Four of the original members returned to Capitol Hill to say that while security technology has improved, some things haven’t changed.

“Nearly all of what we said 20 years ago still holds true,” said Joe “Kingpin” Grand, another member of the L0pht group. “Yes, there have been improvements, but the general class of problems are the same.” For example, the same 1998 BGP flaws were used in the MEWKit phishing attack in May 2018.

“We have better visibility into our network endpoints, if we choose to gather it, and can make educated decisions about where to apply our limited resources,” Thomas testified. “Strong encryption is more prevalent, but we aren’t evenly applying the knowledge of how to make something secure.”

Cris Thomas, who also goes by the pseudonym Space Rogue, testifying before Congress in 2018. (Photo courtesy of Debra Kavaler Wysopal.)

Space Rogue Spreads Security Awareness

In the past 20 years, Thomas has made other visits to Capitol Hill, primarily to brief congressional staffers about technology and security issues.

“Staffers influence the elected representative, so they help to make sure that the basic tech knowledge is available to them,” Thomas said. “I want the representatives to have this knowledge because then they will make the right decisions. That’s regardless of whether they agree with my point of view or not.”

In 2017, Thomas escorted two members of Congress around the show floor of DEF CON, a large hacker convention held annually in Las Vegas. It was an interesting experience for all of them.

“Clearly, there is an obvious knowledge gap with our elected officials, but they have to be experts in almost everything. So, it isn’t fair to expect them to be knowledgeable in technology,” Thomas said.

But did Thomas ever imagine he’d be working at IBM one day?

“Even two years ago, I never thought I would,” he said. “But Steve Ocepek [regional lead of North America at IBM X-Force Red] was the best manager that I have ever worked with, and when he asked me to come work for him at IBM, I took it seriously.”

Listen to the podcast: X-Force Red in Action — Spotlight on Penetration Testing With Space Rogue

More from Government

Who Will Be the Next National Cyber Director?

After Congress approved his nomination in 2021, Chris Inglis served as the first-ever National Cyber Director for the White House. Now, he plans to retire. So who’s next? As of this writing in January of 2023, there remains uncertainty around who will fill the role. However, the frontrunner is Kemba Walden, Acting Director of the National Cyber Director’s office. Walden is a former Microsoft executive who joined the National Cyber Director’s office in May. Before her appointment, Walden was the…

How Much is the U.S. Investing in Cyber (And is it Enough)?

It’s no secret that cyberattacks in the U.S. are increasing in frequency and sophistication. Since cyber crime impacts millions of businesses and individuals, many look to the government to see what it’s doing to anticipate, prevent and deal with these crimes. To gain perspective on what’s happening in this area, the U.S. government’s budget and spending plans for cyber is a great place to start. This article will explore how much the government is spending, where that money is going…

What the New Federal Cybersecurity Act Means for Businesses

On December 21, 2022, President Biden signed the Quantum Computing Cybersecurity Preparedness Act. The risk of quantum-powered password decryption is increasing exponentially. The new legislation is designed to help federal agencies proactively shift to a post-quantum security posture. Agencies have until May 4, 2023, to submit an inventory of potentially vulnerable systems, and the Act directs the Office of Management and Budget (OMB) to prioritize the adoption of post-quantum cryptography standards. For businesses, government efforts to address emerging quantum risks…

What to Know About the Pentagon’s New Push for Zero Trust

The Pentagon is taking cybersecurity to the next level — and they’re helping organizations of all kinds do the same. Here’s how the U.S. Department of Defense is implementing zero trust and why this matters to all businesses and organizations. But first, let’s review this zero trust business. What is Zero Trust? Zero trust is the most important cybersecurity idea in a generation. But “zero trust” is itself a bit of a misnomer. It’s not about whether a person or…