[ISN] Fighting the new electronic war

From: InfoSec News <isn_at_C4I.ORG>
Date: Tue 01 May 2001 - 19:41:30 CDT
http://news.cnet.com/news/0-1014-201-5784065-0.html?tag=bt_pr

By Robert Lemos
Special to CNET News.com
May 1, 2001, 12:00 p.m. PT

In 1992, Lance Spitzner joined the U.S. Army with a single goal in
mind: to become a tank officer. Ever since childhood, he had loved
learning about tanks, and the Army gave him an opportunity to get
up-close and personal with gun turrets, grease and mechanized warfare.

These days, Spitzner, a senior engineer at Sun Microsystems, works
with a different sort of hardware as he puts a new enemy in his
sights. As the founder of The Honeynet Project, he helps the project's
members create networks of computers that act as mousetraps, luring in
network attackers so administrators can study their tactics.

Honeypots have been around for a while. A honeypot is typically a single
host, or an application on one, that emulates a computer or network
convincingly enough to trap an attacker. Honeynets are more complex:
several real systems behind a router and a firewall, which furnish an
even better illusion of reality.
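To make the honeypot half of that distinction concrete, here is an added example (not code from the Honeynet Project or from the article): a low-interaction honeypot that emulates an FTP login prompt, records every line the peer sends, never lets a login succeed, and reports the credentials tried. The decoy banner, the peer addresses and the sample session are constructed; the listener in `serve()` is only run when the file is executed directly.

```python
"""Low-interaction honeypot sketch: emulate an FTP login prompt, record
everything the peer sends, and report what was tried.  Added example;
the banner string and the sample session are constructed, not captures.
"""
import socket
import threading
import time
from dataclasses import dataclass


@dataclass
class Event:
    ts: float
    peer: str
    kind: str      # "connect", "line", "credential" or "disconnect"
    data: str = ""


class FakeFtp:
    """Just enough of RFC 959 to keep a scanner or a human talking.

    Nothing here authenticates: every PASS is rejected, but the
    username/password pair is recorded, because that is the intelligence
    a honeypot exists to collect.
    """
    BANNER = "220 ProFTPD 1.2.0 Server ready.\r\n"   # assumed decoy banner

    def __init__(self, peer: str, log: list):
        self.peer = peer
        self.log = log
        self.user = ""
        self.log.append(Event(time.time(), peer, "connect"))

    def reply(self, line: str) -> str:
        line = line.rstrip("\r\n")
        self.log.append(Event(time.time(), self.peer, "line", line))
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "331 Password required for %s.\r\n" % arg
        if cmd == "PASS":
            self.log.append(Event(time.time(), self.peer, "credential",
                                  "%s:%s" % (self.user, arg)))
            return "530 Login incorrect.\r\n"
        if cmd == "QUIT":
            self.log.append(Event(time.time(), self.peer, "disconnect"))
            return "221 Goodbye.\r\n"
        return "500 '%s': command not understood.\r\n" % cmd


def credentials_tried(log: list) -> list:
    """Every user:password pair a peer attempted, in order."""
    return [e.data for e in log if e.kind == "credential"]


def connections_by_peer(log: list) -> dict:
    """Any connection to a honeypot is an alert; count them per source."""
    counts = {}
    for e in log:
        if e.kind == "connect":
            counts[e.peer] = counts.get(e.peer, 0) + 1
    return counts


def _session(conn, addr, log):
    """One client: send the banner, answer line by line until QUIT or EOF."""
    peer = "%s:%d" % addr
    ftp = FakeFtp(peer, log)
    with conn:
        conn.sendall(ftp.BANNER.encode())
        buf = b""
        while True:
            chunk = conn.recv(1024)
            if not chunk:
                log.append(Event(time.time(), peer, "disconnect"))
                return
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                answer = ftp.reply(line.decode("latin-1"))
                conn.sendall(answer.encode())
                if answer.startswith("221"):
                    return


def serve(log: list, host: str = "127.0.0.1", port: int = 2121) -> None:
    """Listen on a TCP port and hand each client to its own FakeFtp."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=_session, args=(conn, addr, log),
                         daemon=True).start()


if __name__ == "__main__":
    events = []
    serve(events)   # assumed port 2121; point a client at it and watch `events`
```

The point of the emulation is that a honeypot has no legitimate users, so every entry in `connections_by_peer()` is by definition an alert, and `credentials_tried()` is the part of the record an administrator actually learns from.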

For Spitzner, it's about fighting the same fight in a different way.
"Now I fight the bad guys with packets, as opposed to 120mm SABOT
rounds," he says on his Web site. Last week, The Honeynet Project
released a paper outlining the considerations in building a better
electronic mousetrap, with a book to follow.

Spitzner talked in a recent interview about his tenure with the Army,
The Honeynet Project, and the project's future.


Q: How'd you get into security?

A: That's a good question. I left the Army in 1996 (where he was part
of the 24th Infantry Division rapid-deployment force at Fort Stewart,
Ga.). I wanted to go into information technology.  I thought I wanted
to be a manager, so I went to grad school and got my graduate degree.
But while I was getting my MBA--you know, I hate accounting, I hate
finance, I hate marketing, I hate managing--but I was getting my MBA.

So I started off as an intern at a local consulting company where I
was a know-nothing geek, adding users and stuff like that. They needed
someone to go to firewall training, and all the consultants were busy
billing. So they asked me if I wanted to learn firewalls. Yeah. And
boom! I just loved it, and from then on I just went running with it.
It's really cool, you know. In the Army I was fighting the bad guys,
and in the world of security you're fighting the bad guys.


When did all this happen?

I probably started doing the geek stuff in 1997.


How did you start The Honeynet Project?

That started in February of 1999. It was the thing I wanted to do once
I got the feel for security. I found a lot of information on the
black-hat tools, and the exploits--this exploit does this, this tool
does that--but very little about how they used the tools, what they do
once they exploit a system, or what their motives are.

(CNet Editor's note: "Black hats" are people who use their knowledge
of computer security to break into computer systems. Their foils are
"white hats," people who use their knowledge to improve computer
security.)

In the military, intelligence on the bad guys is very critical. So
when I was in the Army and I was in tanks, I knew what the Soviet
tactics were. I crawled around in their tanks. I knew the range of
their systems, the range of their artillery, their systems--all
because you had to know this stuff to fight the enemy.

However, this kind of intelligence didn't exist for the black-hat
community, so I wanted to learn how it would work. So in February of
'99, I just set up a box in my apartment. I just said, "You know what,
I will just watch somebody hack it." I didn't think anybody was going
to hack it; I really didn't think it was going to work...because
nothing like this had really been tried. There have been honeypots,
but they are all about emulating servers or special toolkits. So I
threw it up on my dining room table, and the thing was hacked 15
minutes later. I didn't learn anything from that one, because the guy
caught on right away and totally blew away the hard drive.


Did you have anything on there to detect an attack?

No. The problem was, I put it behind my firewall but I was really
scared so I didn't let out anything outbound. The guy came in, tried
to do something outbound, realized he couldn't, figured something was
fishy, and blew away the hard drive. I lost everything. But you know,
I kept making mistakes and learning, learning.


Who did you bring on in the beginning?

Just really close friends to help out. It wasn't like, oh, I was going
to form this project and call it The Honeynet Project and stuff. It
was kind of like, let's just learn and see where it takes us. And
that is still true today. It's not like I have specific goals and
timelines. We just keep going and learning.

Marty Roesch (the creator of Snort, an open-source intrusion-detection
system widely used by techies as well as corporations) was one of the
first guys. I think RFP ("Rain Forest Puppy," a well-known bug finder)
was one of the first guys. We are always progressively growing.


Don't some of the people you have on there straddle both sides of the
fence?

(Laughing) I like to put it this way: We have reformed black hats on
the team. I leave it up to you to decide just how reformed. But they
are a valuable source of information. The reformed black hats, a lot
of time they are the most curious guys. They want to learn. That's
what it's all about: learning. Some of the most valuable people on the
project are what you would call reformed black hats.


So how many honeynets do you have going right now?

Honeypots or honeynets? Right now, I have unplugged the honeynet at
home. I have four to six systems running. The reason is that it has
been up for a couple years right now, and all the bad guys know it.
However, we have a couple of very large ISPs that want to help us with
the research. What we will do now is move the honeynets to large ISPs,
so when a honeynet gets whacked, we can change IPs and we can change
DNS because they are working with us. And the government is starting
to get interested, as is the military. So we are starting to work with
them and they are setting up their own honeynets as well.


So the honeypot vs. a honeynet is just one system vs. many?

Totally different. There are two big differences: Generally, a
honeypot's goal is deception or learning--deception in that bad guys
play around in the honeypot, wasting time and not attacking real
systems. A honeypot gets whacked, then boom! Then alert, alert, alert!
Someone has attacked a system who shouldn't have.

Our goal is totally research. We don't care about getting alerted
because the traffic goes on a honeynet. A honeynet is a multitude of
systems. But even more important, they are production systems. Anybody
can take a system from their production network and drop it in their
honeynet, whereas a honeypot is an emulated system or an emulated
vulnerability.

We choose default installations because we want to create awareness in
the community: "Folks, look how vulnerable the default installation
can be!" The problem is that it is actually really easy to capture
information. It is easy to set up an intrusion-detection system and
capture an alert. But it is really hard to code the analysis. So the
purpose is to help the security community to take information and
figure out what happened.


What about The Forensic Challenge?

There are two purposes. My purpose was to help the community learn how
to do the forensics analysis. But (fellow Honeynet Project member)
Dave Dittrich took it and did so much more with it. Now the entire law
enforcement community has the images where they can go, "OK, how can
we prosecute in this case?" They are not going to do that, because if
they were to try and prosecute this individual, they wouldn't be able
to talk about it publicly.


Do you think companies will put a honeynet in every corporate LAN?

If you want to catch people, a honeynet might be too much trouble. A
honeynet can be really involved. This will not solve all your security
problems. If you want a secure environment, secure the host. Install
your patches. Turn off things you don't need. Install a good firewall.
Use best practices. Then, this might be a good source of additional
information.

(Government) organizations might get more out of it. Let's say the
Department of Energy is being targeted by China or Russia, trying to
get the nuclear secrets. Then maybe a honeynet could be used where we
let (them) come in and hack. We learn where they are coming from and
who is involved. They come in, they fool around and then they
leave--and you've learned their tools and their tactics. Maybe you
learn in detail how they are hacking your systems so you can protect
your other systems.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Wed May 2 03:54 CDT 2001
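The mistake Spitzner describes in the interview above, blocking all outbound traffic so that the intruder smelled a trap and wiped the disk, is the data-control problem every honeynet has to solve: let enough out that the compromised host looks real, but not enough to let it harm third parties. The following is an added example and not code from the Honeynet Project: a sliding-window limiter that logs every outbound attempt from a honeynet host (none of them is legitimate, so each one is an alert) and drops attempts beyond an assumed per-window budget. The addresses, the limit, the window and the sample attempts are constructed.

```python
"""Honeynet data control: allow a bounded number of outbound connections
per source in a sliding window, log all of them, drop the rest.
Added example; limits and sample traffic are assumptions, not the
Honeynet Project's own rules.
"""
from collections import defaultdict, deque


class OutboundLimiter:
    """Decide whether a honeynet host may open an outbound connection.

    Every outbound attempt is suspicious (the honeypot has no business
    talking to the internet) and is always logged.  The first `max_conns`
    attempts per source inside a window of `window_s` seconds are allowed
    so the intruder does not notice the cage; further attempts in that
    window are dropped.
    """

    def __init__(self, max_conns: int = 5, window_s: int = 3600):
        self.max_conns = max_conns
        self.window_s = window_s
        self._recent = defaultdict(deque)   # src -> timestamps of allowed conns
        self.log = []                        # (ts, src, dst, dport, verdict)

    def decide(self, ts: float, src: str, dst: str, dport: int) -> str:
        q = self._recent[src]
        # Expire allowed connections that have fallen out of the window.
        while q and ts - q[0] >= self.window_s:
            q.popleft()
        if len(q) < self.max_conns:
            q.append(ts)
            verdict = "allow"
        else:
            verdict = "drop"
        self.log.append((ts, src, dst, dport, verdict))
        return verdict


def replay(limiter: OutboundLimiter, attempts: list) -> list:
    """Feed (ts, src, dst, dport) records through the limiter in order."""
    return [limiter.decide(*a) for a in attempts]


def dropped(limiter: OutboundLimiter) -> list:
    """The attempts the cage stopped; what an analyst reviews first."""
    return [rec for rec in limiter.log if rec[4] == "drop"]


# Constructed sample: a compromised honeynet host (assumed 10.1.1.5)
# fetches a toolkit, joins IRC, then starts scanning; an hour later it
# tries again.  Timestamps are seconds relative to the first attempt.
SAMPLE = [
    (0,    "10.1.1.5", "203.0.113.9",  80),
    (30,   "10.1.1.5", "203.0.113.9",  6667),
    (60,   "10.1.1.5", "198.51.100.2", 22),
    (61,   "10.1.1.5", "198.51.100.3", 22),
    (3700, "10.1.1.5", "198.51.100.4", 22),
]


if __name__ == "__main__":
    lim = OutboundLimiter(max_conns=3, window_s=3600)
    for rec, verdict in zip(SAMPLE, replay(lim, SAMPLE)):
        print(verdict, rec)
```

With a budget of three per hour the host is allowed to download its tools and reach its IRC server, the scanning is cut off after one probe, and the attempt an hour later is let through again, which is the behaviour that keeps the intruder engaged without making the honeynet a launch point.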