Fighting the new electronic war
Former tank officer Lance Spitzner has another kind of target in his gunsights: the Internet intruder.
These days, Spitzner, a senior engineer at Sun Microsystems, works with a different sort of hardware as he puts a new enemy in his sights. As the founder of The Honeynet Project, he helps the project's members create networks of computers that act as mousetraps, luring in network attackers so administrators can study their tactics.
Honeypots have been around for a while. Such applications run on a single server and try to emulate a computer, or network, to trap an attacker. Honeynets are more complex, consisting of several computers, a router and a firewall, and furnish an even better illusion of reality.
For Spitzner, it's about fighting the same fight in a different way. "Now I fight the bad guys with packets, as opposed to 120mm SABOT rounds," he says on his Web site. Last week, The Honeynet Project released a paper outlining the considerations in building a better electronic mousetrap, with a book to follow.
Spitzner talked in a recent interview about his tenure with the Army, The Honeynet Project, and the project's future.
Q: How'd you get into security?
A: That's a good question. I left the Army in 1996 (where he was part of the 24th Infantry Division rapid-deployment force at Fort Stewart, Ga.). I wanted to go into information technology.
I thought I wanted to be a manager, so I went to grad school and got my graduate degree. But while I was getting my MBA--you know, I hate accounting, I hate finance, I hate marketing, I hate managing--but I was getting my MBA.
So I started off as an intern at a local consulting company where I was a know-nothing geek, adding users and stuff like that. They needed someone to go to firewall training, and all the consultants were busy billing. So they asked me if I wanted to learn firewalls. Yeah. And boom! I just loved it, and from then on I just went running with it. It's really cool, you know. In the Army I was fighting the bad guys, and in the world of security you're fighting the bad guys.
When did all this happen?
I probably started doing the geek stuff in 1997.
How did you start The Honeynet Project?
That started in February of 1999. It was the thing I wanted to do once I got the feel for security. I found a lot of information on the black-hat tools, and the exploits--this exploit does this, this tool does that--but very little about how they used the tools, what they do once they exploit a system, or what their motives are.
(Editor's note: "Black hats" are people who use their knowledge of computer security to break into computer systems. Their foils are "white hats," people who use their knowledge to improve computer security.)
In the military, intelligence on the bad guys is very critical. So when I was in the Army and I was in tanks, I knew what the Soviet tactics were. I crawled around in their tanks. I knew the range of their systems, the range of their artillery, their systems--all because you had to know this stuff to fight the enemy.
However, this kind of intelligence didn't exist for the black-hat community, so I wanted to learn how it would work. So in February of '99, I just set up a box in my apartment. I just said, "You know what, I will just watch somebody hack it." I didn't think anybody was going to hack it; I really didn't think it was going to work...because nothing like this had really been tried. There have been honeypots, but they are all about emulating servers or special toolkits. So I threw it up on my dining room table, and the thing was hacked 15 minutes later. I didn't learn anything from that one, because the guy caught on right away and totally blew away the hard drive.
Did you have anything on there to detect an attack?
No. The problem was, I put it behind my firewall but I was really scared so I didn't let out anything outbound. The guy came in, tried to do something outbound, realized he couldn't, figured something was fishy, and blew away the hard drive. I lost everything. But you know, I kept making mistakes and learning, learning.
Who did you bring on in the beginning?
Just really close friends to help out. It wasn't like, oh, I was going to form this project and call it The Honeynet Project and stuff. It was kind of like, let's just learn and sees where it takes us. And that is still true today. It's not like I have specific goals and timelines. We just keep going and learning.
Marty Roesch (the creator of Snort, an open-source intrusion-detection system widely used by techies as well as corporations) was one of the first guys. I think RFP ("Rain Forest Puppy," a well-known bug finder) was one of the first guys. We are always progressively growing.
Don't some of the people you have on there straddle both sides of the fence?
(Laughing) I like to put it this way: We have reformed black hats on the team. I leave it up to you to decide just how reformed. But they are a valuable source of information. The reformed black hats, a lot of time they are the most curious guys. They want to learn. That's what it's all about: learning. Some of the most valuable people on the project are what you would call reformed black hats.
So how many honeynets do you have going right now?
Honeypots or honeynets? Right now, I have unplugged the honeynet at home. I have four to six systems running. The reason is that it has been up for a couple years right now, and all the bad guys know it. However, we have a couple of very large ISPs that want to help us with the research. What we will do now is move the honeynets to large ISPs, so when a honeynet gets whacked, we can change IPs and we can change DNS because they are working with us. And the government is starting to get interested, as is the military. So we are starting to work with them and they are setting up their own honeynets as well.
So the honeypot vs. a honeynet is just one system vs. many?
Totally different. There are two big differences: Generally, a honeypot's goal is deception or learning--deception in that bad guys play around in the honeypot, wasting time and not attacking real systems. A honeypot gets whacked, then boom! Then alert, alert, alert! Someone has attacked a system who shouldn't have.
Our goal is totally research. We don't care about getting alerted because the traffic goes on a honeynet. A honeynet is a multitude of systems. But even more important, they are production systems. Anybody can take a system from their production network and drop it in their honeynet, whereas a honeypot is an emulated system or an emulated vulnerability.
We choose default installations because we want to create awareness in the community: "Folks, look how vulnerable the default installation can be!" The problem is that it is actually really easy to capture information. It is easy to set up an intrusion-detection system and capture an alert. But it is really hard to code the analysis. So the purpose is to help the security community to take information and figure out what happened.
What about The Forensic Challenge?
There are two purposes. My purpose was to help the community learn how to do the forensics analysis. But (fellow Honeynet Project member) Dave Dittrich took it and did so much more with it. Now the entire law enforcement community has the images where they can go, "OK, how can we prosecute in this case?" They are not going to do that, because if they were to try and prosecute this individual, they wouldn't be able to talk about it publicly.
Do you think companies will put a honeynet in every corporate LAN?
If you want to catch people, a honeynet might be too much trouble. A honeynet can be really involved. This will not solve all your security problems. If you want a secure environment, secure the host. Install your patches. Turn off things you don't need. Install a good firewall. Use best practices. Then, this might be a good source of additional information.
(Government) organizations might get more out of it. Let's say the Department of Energy is being targeted by China or Russia, trying to get the nuclear secrets. Then maybe a honeynet could be used where we let (them) come in and hack. We learn where they are coming from and who is involved. They come in, they fool around and then they leave--and you've learned their tools and their tactics. Maybe you learn in detail how they are hacking your systems so you can protect your other systems.
