Picture this: A group of IBM employees once tailgated their way into a client’s office building carrying a box of doughnuts, their laptops and testing gear. The group found an unoccupied conference room and placed the doughnuts on a table outside, along with a sign that said the group was conducting network testing there.

They managed to work in the office all week — unchallenged and unquestioned — and penetrated the company’s network from the inside, fulfilling their mission. So began another engagement for the IBM X-Force Red team, a unique group of more than 100 security analysts who probe customers’ networks for vulnerabilities.

Cris Thomas, who also goes by the pseudonym Space Rogue, is the global strategy lead at IBM X-Force Red. I recently spoke with him to discuss his work as a penetration testing specialist, his role as a cybersecurity activist in the late 1990s — and the recent reunion of his influential hacking group on Capitol Hill.

Inside Offensive Security

The X-Force Red team doesn’t “just do vulnerability assessment, which is what most folks think of when it comes to offensive security,” according to Thomas. It also uses both automated and manual tools and conducts code reviews and physical security testing.

In other words? The team does exactly what cybercriminals do.

Physical security is perhaps the most popular assessment. This tactic is where a team member tries — with full authorization, of course — to enter a company’s premises and hack its network from the inside, as in the now notorious doughnut example above. When they begin an engagement, members of the team usually find a vulnerability within a day or so.

“We have never been to a client that we haven’t gotten into their network and found something serious,” Thomas said. “While it’s depressing to think that holes are everywhere, it’s a positive thing because we help our customers find and patch these holes and better secure their environments.”

During his time at IBM, Thomas has worked on improving the IBM X-Force Red portal, which customers use to retrieve reports and schedule work for teams. He also worked on a project to expand an internship program.

“There are not a lot of opportunities for offensive security positions at the college level, so we are ramping that up,” Thomas said. “That helps feed our employee pipeline too.”

White Hats Go to Washington

In 1998, Thomas and other members of attacker think tank L0pht Heavy Industries testified to Congress. L0pht is infamous for developing a series of hacking tools, such as Windows NT password crackers and a website called Hacker News Network. The white-hat hacking group also took on numerous consulting projects over the years. (Security firm @Stake acquired the think tank in 2000, and Symantec subsequently acquired @Stake in 2004.)

During their testimony two decades ago, the group warned that computer networks were embarrassingly insecure — and bragged that any one of them could take the entire internet down in only a few minutes thanks to weaknesses in the core Border Gateway Protocol (BGP) routing. (The members even used their hacker names on their nameplates because many of them feared prosecution.)

L0pht Heavy Industries testifying before Congress in 1998. (Photo courtesy of Cris Thomas.)

The Return of the White Hats

Thomas and several L0pht colleagues made headlines again in May 2018 when they reunited on Capitol Hill. The reason for their reunion? The group wanted to talk to Congress about the progress of cybersecurity regulations.

While the group didn’t meet with representatives this time around — and their given names were openly discussed — there was still a serious reason for their reunion. Four of the original members returned to Capitol Hill to say that while security technology has improved, some things haven’t changed.

“Nearly all of what we said 20 years ago still holds true,” said Joe “Kingpin” Grand, another member of the L0pht group. “Yes, there have been improvements, but the general class of problems are the same.” For example, the same 1998 BGP flaws were used in the MEWKit phishing attack in May 2018.

“We have better visibility into our network endpoints, if we choose to gather it, and can make educated decisions about where to apply our limited resources,” Thomas testified. “Strong encryption is more prevalent, but we aren’t evenly applying the knowledge of how to make something secure.”

Cris Thomas, who also goes by the pseudonym Space Rogue, testifying before Congress in 2018. (Photo courtesy of Debra Kavaler Wysopal.)

Space Rogue Spreads Security Awareness

In the past 20 years, Thomas has made other visits to Capitol Hill, primarily to brief congressional staffers about technology and security issues.

“Staffers influence the elected representative, so they help to make sure that the basic tech knowledge is available to them,” Thomas said. “I want the representatives to have this knowledge because then they will make the right decisions. That’s regardless of whether they agree with my point of view or not.”

In 2017, Thomas escorted two members of Congress around the show floor of DEF CON, a large hacker convention held annually in Las Vegas. It was an interesting experience for all of them.

“Clearly, there is an obvious knowledge gap with our elected officials, but they have to be experts in almost everything. So, it isn’t fair to expect them to be knowledgeable in technology,” Thomas said.

But did Thomas ever imagine he’d be working at IBM one day?

“Even two years ago, I never thought I would,” he said. “But Steve Ocepek [regional lead of North America at IBM X-Force Red] was the best manager that I have ever worked with, and when he asked me to come work for him at IBM, I took it seriously.”

Listen to the podcast: X-Force Red in Action — Spotlight on Penetration Testing With Space Rogue

More from Security Services

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…

Machine learning operations can revolutionize cybersecurity

4 min read - Machine learning operations (MLOps) refers to the practices and tools employed to streamline the deployment, management and monitoring of machine learning models in production environments. While MLOps is commonly associated with data science and machine learning workflows, its integration with cybersecurity brings new capabilities to detect and respond to threats in real-time. It involves streamlining the deployment and management of machine learning models, enabling organizations to gain insight from vast amounts of data and improve their overall security posture. Defining…

Zero-day attacks are on the rise. Can patches keep up?

4 min read - That latest cyberattack threatening your organization is likely coming from outside the corporate network. According to Mandiant’s M-Trends 2023 report, 63% of breaches came from an outside entity — a considerable rise from 47% the year before. When it comes to how intruders are getting into the network, it depends on the organization’s location. Spearphishing is the top attack vector in Europe, while credential theft-based attacks are the number one type of attack in Asia, Kevin Mandia, Mandiant CEO, told…

The future of SIEM: Embracing predictive analytics

4 min read - Security information and event management (SIEM) is a crucial tool that offers real-time monitoring and analysis of security-related events as well as tracking and logging of security data for compliance or auditing purposes. SIEM plays an important role in identifying security incidents and helping IT and security teams respond effectively. However, as threats become more sophisticated, SIEM solutions must evolve to keep up. The future of SIEM lies in predictive analytics and machine learning, which can help organizations prevent attacks…