[ISN] Fighting the new electronic war

From: InfoSec News (isnat_private)
Date: Tue May 01 2001 - 17:41:30 PDT

  • Next message: InfoSec News: "[ISN] FBI Blasts Reluctant Hackees"

    By Robert Lemos
    Special to CNET News.com
    May 1, 2001, 12:00 p.m. PT
    In 1992, Lance Spitzner joined the U.S. Army with a single goal in
    mind: to become a tank officer. Ever since childhood, he had loved
    learning about tanks, and the Army gave him an opportunity to get
    up-close and personal with gun turrets, grease and mechanized warfare.
    These days, Spitzner, a senior engineer at Sun Microsystems, works
    with a different sort of hardware as he puts a new enemy in his
    sights. As the founder of The Honeynet Project, he helps the project's
    members create networks of computers that act as mousetraps, luring in
    network attackers so administrators can study their tactics.
    Honeypots have been around for a while. Such applications run on a
    single server and try to emulate a computer, or network, to trap an
    attacker. Honeynets are more complex, consisting of several computers,
    a router and a firewall, and furnish an even better illusion of
    For Spitzner, it's about fighting the same fight in a different way.
    "Now I fight the bad guys with packets, as opposed to 120mm SABOT
    rounds," he says on his Web site. Last week, The Honeynet Project
    released a paper outlining the considerations in building a better
    electronic mousetrap, with a book to follow.
    Spitzner talked in a recent interview about his tenure with the Army,
    The Honeynet Project, and the project's future.
    Q: How'd you get into security?
    A: That's a good question. I left the Army in 1996 (where he was part
    of the 24th Infantry Division rapid-deployment force at Fort Stewart,
    Ga.). I wanted to go into information technology.  I thought I wanted
    to be a manager, so I went to grad school and got my graduate degree.
    But while I was getting my MBA--you know, I hate accounting, I hate
    finance, I hate marketing, I hate managing--but I was getting my MBA.
    So I started off as an intern at a local consulting company where I
    was a know-nothing geek, adding users and stuff like that. They needed
    someone to go to firewall training, and all the consultants were busy
    billing. So they asked me if I wanted to learn firewalls. Yeah. And
    boom! I just loved it, and from then on I just went running with it.
    It's really cool, you know. In the Army I was fighting the bad guys,
    and in the world of security you're fighting the bad guys.
    When did all this happen?
    I probably started doing the geek stuff in 1997.
    How did you start The Honeynet Project?
    That started in February of 1999. It was the thing I wanted to do once
    I got the feel for security. I found a lot of information on the
    black-hat tools, and the exploits--this exploit does this, this tool
    does that--but very little about how they used the tools, what they do
    once they exploit a system, or what their motives are.
    (CNet Editor's note: "Black hats" are people who use their knowledge
    of computer security to break into computer systems. Their foils are
    "white hats," people who use their knowledge to improve computer
    In the military, intelligence on the bad guys is very critical. So
    when I was in the Army and I was in tanks, I knew what the Soviet
    tactics were. I crawled around in their tanks. I knew the range of
    their systems, the range of their artillery, their systems--all
    because you had to know this stuff to fight the enemy.
    However, this kind of intelligence didn't exist for the black-hat
    community, so I wanted to learn how it would work. So in February of
    '99, I just set up a box in my apartment. I just said, "You know what,
    I will just watch somebody hack it." I didn't think anybody was going
    to hack it; I really didn't think it was going to work...because
    nothing like this had really been tried. There have been honeypots,
    but they are all about emulating servers or special toolkits. So I
    threw it up on my dining room table, and the thing was hacked 15
    minutes later. I didn't learn anything from that one, because the guy
    caught on right away and totally blew away the hard drive.
    Did you have anything on there to detect an attack?
    No. The problem was, I put it behind my firewall but I was really
    scared so I didn't let out anything outbound. The guy came in, tried
    to do something outbound, realized he couldn't, figured something was
    fishy, and blew away the hard drive. I lost everything. But you know,
    I kept making mistakes and learning, learning.
    Who did you bring on in the beginning?
    Just really close friends to help out. It wasn't like, oh, I was going
    to form this project and call it The Honeynet Project and stuff. It
    was kind of like, let's just learn and sees where it takes us. And
    that is still true today. It's not like I have specific goals and
    timelines. We just keep going and learning.
    Marty Roesch (the creator of Snort, an open-source intrusion-detection
    system widely used by techies as well as corporations) was one of the
    first guys. I think RFP ("Rain Forest Puppy," a well-known bug finder)
    was one of the first guys. We are always progressively growing.
    Don't some of the people you have on there straddle both sides of the
    (Laughing) I like to put it this way: We have reformed black hats on
    the team. I leave it up to you to decide just how reformed. But they
    are a valuable source of information. The reformed black hats, a lot
    of time they are the most curious guys. They want to learn. That's
    what it's all about: learning. Some of the most valuable people on the
    project are what you would call reformed black hats.
    So how many honeynets do you have going right now?
    Honeypots or honeynets? Right now, I have unplugged the honeynet at
    home. I have four to six systems running. The reason is that it has
    been up for a couple years right now, and all the bad guys know it.
    However, we have a couple of very large ISPs that want to help us with
    the research. What we will do now is move the honeynets to large ISPs,
    so when a honeynet gets whacked, we can change IPs and we can change
    DNS because they are working with us. And the government is starting
    to get interested, as is the military. So we are starting to work with
    them and they are setting up their own honeynets as well.
    So the honeypot vs. a honeynet is just one system vs. many?
    Totally different. There are two big differences: Generally, a
    honeypot's goal is deception or learning--deception in that bad guys
    play around in the honeypot, wasting time and not attacking real
    systems. A honeypot gets whacked, then boom! Then alert, alert, alert!
    Someone has attacked a system who shouldn't have.
    Our goal is totally research. We don't care about getting alerted
    because the traffic goes on a honeynet. A honeynet is a multitude of
    systems. But even more important, they are production systems. Anybody
    can take a system from their production network and drop it in their
    honeynet, whereas a honeypot is an emulated system or an emulated
    We choose default installations because we want to create awareness in
    the community: "Folks, look how vulnerable the default installation
    can be!" The problem is that it is actually really easy to capture
    information. It is easy to set up an intrusion-detection system and
    capture an alert. But it is really hard to code the analysis. So the
    purpose is to help the security community to take information and
    figure out what happened.
    What about The Forensic Challenge?
    There are two purposes. My purpose was to help the community learn how
    to do the forensics analysis. But (fellow Honeynet Project member)
    Dave Dittrich took it and did so much more with it. Now the entire law
    enforcement community has the images where they can go, "OK, how can
    we prosecute in this case?" They are not going to do that, because if
    they were to try and prosecute this individual, they wouldn't be able
    to talk about it publicly.
    Do you think companies will put a honeynet in every corporate LAN?
    If you want to catch people, a honeynet might be too much trouble. A
    honeynet can be really involved. This will not solve all your security
    problems. If you want a secure environment, secure the host. Install
    your patches. Turn off things you don't need. Install a good firewall.
    Use best practices. Then, this might be a good source of additional
    (Government) organizations might get more out of it. Let's say the
    Department of Energy is being targeted by China or Russia, trying to
    get the nuclear secrets. Then maybe a honeynet could be used where we
    let (them) come in and hack. We learn where they are coming from and
    who is involved. They come in, they fool around and then they
    leave--and you've learned their tools and their tactics. Maybe you
    learn in detail how they are hacking your systems so you can protect
    your other systems
    ISN is hosted by SecurityFocus.com
    To unsubscribe email LISTSERVat_private with a message body of

    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 01:47:06 PDT