Offensive and defensive security are typically viewed as opposite sides of the same fence. On one side, the offensive team aims to prevent attackers from compromising an organization, whereas on the other side the defensive team aims to stop attackers once they are inside. The fence, metaphorically speaking, is the adversary. The adversary’s moves, motives and mindset are the driving force behind the tactics, techniques and procedures (TTPs) of the offensive and defensive teams. Both teams put themselves in the adversaries’ shoes, predicting how they will try to achieve their objectives, and execute strategies to reduce the opportunity for those adversaries to succeed.

With that common ground in mind, IBM Security’s offensive and defensive security teams recently joined forces. X-Force Red is IBM Security’s team of hackers. X-Force Incident Response (IR) is IBM Security’s team of responders, researchers and investigators. While the teams provide offensive and defensive security services, they are now part of one team — X-Force — which is led by Global Managing Partner Charles Henderson. I spoke to Charles about the joint team, and how they will separately maintain autonomy while also providing value as one.

Abby: Thank you for speaking with me, Charles. Let’s begin the discussion with that point. It seems that the objectives for offensive and defensive security clash a bit, with the offensive team doing everything it can to prevent a compromise and the defensive team doing everything it can to stop attackers when there is a compromise. How does putting both teams under one umbrella help overcome this clash?

Charles: It’s important to keep in mind that from an organization’s perspective, you have the best of both worlds. When you look at offensive and defensive capabilities, they are research-driven. The teams dig into adversary motives, attacks in the wild, criminal behaviors and how adversaries are achieving their goals, but from different perspectives. The teams can share that research to gain a more well-rounded profile of the adversary. They can use that research to step inside the shoes of adversaries, understand what they may do and then develop mitigations to stop them. Additionally, while the offensive and defensive teams’ objectives may differ, the kinds of people who take on those roles are similar. Offensive and defensive practitioners are competitive, intellectually curious and driven people. They are driven by this adversarial nature of red versus blue and strive to help organizations conquer the criminal.

Abby: So how does that like-mindedness differentiate a combined offensive and defensive team in the crowded cybersecurity industry?

Charles: It centers around the adversarial component. That’s what makes it interesting. Both teams are dedicated to fighting against someone or something. As the offensive team, we are trying to evade organizations’ defenses, using the same TTPs as attackers. As the defensive team, we are trying to stop attackers in their tracks to minimize potential damage. Other security services and products don’t center around that adversary component. Our deeper understanding of the adversaries and shared drive to beat them is what sets us apart.

Abby: How will the X-Force Red team of hackers and the X-Force IR team of responders remain autonomous if they are operating under the same umbrella?

Charles: Nothing will change regarding delivery. X-Force Red and X-Force IR can co-exist under the same roof while maintaining a separation of deliverables. The biggest change, and it’s a positive one, is in quality. Now that both teams are under one roof, they can share more research and intel, which gives them a stronger view into the enemy. It’s also important to note that the output of our engagements with customers will remain separated. X-Force Red doesn’t need to see the results of the X-Force IR team’s work and vice versa. The teams will only share engagement-specific information if the customer requests it. Otherwise, the firewall between our teams will remain intact. That said, engagement from a customer perspective will be seamless with a unified experience.

Abby: Which kinds of threats are both teams combatting most?

Charles: Ransomware is the biggest one. The team is focused on building playbooks to prepare organizations’ incident response teams to detect and contain ransomware attacks while also performing active threat assessments and threat hunting to help bolster organizations’ defenses. On the offensive side, the team is performing network and application testing and social engineering exercises like phishing and vishing to find vulnerabilities that ransomware attackers could leverage. The team is also performing adversary simulation exercises to simulate ransomware attacks and find gaps in organizations’ incident response programs that would enable an attack to succeed. With all those exercises, organizations can gain a clear understanding of the top risks in their environment and how to reduce the risk of a ransomware or any other kind of attack.

Abby: I have one last question, Charles. From a security leader’s perspective, what would you say is the number one value point for using one partner for offensive and defensive security services?

Charles: I am torn between two. With one partner, you gain a more simplified consumption experience. Everything from contracts to procurement is under one roof, so it makes it easier to procure services and go through the purchasing process. Also, the level of expertise you gain is top notch. Our combined teams include the top-tier talent in hacking, response, research and investigations in the industry. We want to continue helping organizations stay ahead of the adversary and protect their organizations, and this merging of our teams enables us to be more effective in that mission.

Abby: Thank you for your insights, Charles. To our readers, if you are interested in learning more about X-Force, please visit our new homepage and watch our new X-Force video.

Also, on Sept. 29, the X-Force team will be hosting a virtual research-focused event, Red Con 2021. Register to attend and learn about homegrown testing tools, physical break-ins, cloud-focused research and more!

Register here

More from Offensive Security

AI vs. human deceit: Unravelling the new age of phishing tactics

7 min read - Attackers seem to innovate nearly as fast as technology develops. Day by day, both technology and threats surge forward. Now, as we enter the AI era, machines not only mimic human behavior but also permeate nearly every facet of our lives. Yet, despite the mounting anxiety about AI’s implications, the full extent of its potential misuse by attackers is largely unknown. To better understand how attackers can capitalize on generative AI, we conducted a research project that sheds light on…

X-Force identifies vulnerability in IoT platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

When the absence of noise becomes signal: Defensive considerations for Lazarus FudModule

7 min read - In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today