Black Hat IBM has used the biggest week on the security calendar to launch, and poach heads for, its new penetration testing and red teaming unit.
Big Blue's new X-Force Red unit is the culmination of nine months of fermentation, which began in earnest with the hiring of security veteran Charles Henderson. He has had the job of building the new wing from scratch.
IBM won't reveal the number of staff in its units but Henderson says X-Force Red has bagged more than 100 hackers, based in 23 countries, and plans to extend that figure during the Black Hat and DEF CON Las Vegas hacking conferences.
Some DEF CON staff are the latest to sign on to Big Blue's Red Team.
"The number is going to be far bigger right after these conferences … I want to thank many of our competitors for sending our future hires," a laughing Henderson told The Register.
The unit is positioning itself as an end-to-end testing unit. At the priciest end of its services is a kind of set-and-forget managed penetration testing and red team offering in which IBM will handle scoping, testing, and assist with remediation and training on a subscription basis.
X-Force Red's four focus areas:
Application – Penetration testing and source code review to identify security vulnerabilities in web, mobile, terminal, mainframe, and middleware platforms.
Network – Penetration testing of internal, external, wireless, and other radio frequency networks.
Hardware – Verifying the security between the digital and physical realms by testing internet of things devices, wearables, point-of-sale systems, ATMs, automotive systems, and self-checkout kiosks.
Human – Performing simulated phishing campaigns, social engineering, ransomware, and physical security violations to determine the risks of human behaviour.
Henderson would not say how many staff he intends to hire, but like so many consultancies in the industry the recruitment effort is never-ending.
Talented hackers' concerns often transcend paychecks, instead focusing on organisations with cool cultures, diverse and challenging work, and permission to attend hacking conferences.
To that end, Henderson is promising the ability to hack Fortune-listed companies and to test the security chops of big-ticket emerging technology many months before release.
Red teaming assignments should entertain the social engineering-inclined penetration testers. Henderson expects strong demand for the no-holds-barred hacking tests, knocking back this writer's suggestion that such assignments are only suited to organisations that are already patched, hardened, and security-savvy.
"Increasingly our clients are interested in seeing [security testing and programs] under one pane of glass," Henderson says. "Red teaming becomes part of an entire diagnostic program."
Hacking conferences are always a hotbed of recruitment, and Big Blue has given consultancy directors yet another reason to sweat out the week. ®