Security expert uses honeynets to detect blackhat methods and motivations

Take a look at how security guru Lance Spitzner started the Honeynet Project to study the methods of hackers.


If terrorists can blow up the World Trade Center and destroy part of the Pentagon, they can just as easily launch a surprise attack on critical computer networks. The United States would come to a standstill. Security experts should not discount this avenue of destruction.

So speculates Lance Spitzner, a self-confessed geek fascinated with network security. Spitzner has built a career out of stopping technology’s bad guys. His focus now is the frightening reality that cyberspace is one of the many fronts that terrorists can—and probably will—target.

The path to a security career
Lance Spitzner’s circuitous route to networking guru began with his interest in military strategies and tactics, which he attributes to a four-year stint in the Army as a tank officer in the Rapid Deployment Force. After that, he tried his hand at getting an MBA, which turned out to be a mistake.

“I hated economics, finance, accounting, and statistics,” Spitzner said. “An MBA wasn’t for me.”

It was during his MBA work, however, that he discovered an interest in technology. A self-taught firewall expert, Spitzner began working on security problems. He worked for two Chicago consulting firms before he joined Sun Microsystems as a senior security architect. By the time he joined Sun, he had become a specialist in network security, especially in the area of firewalls.

After putting in 10-hour days at Sun, he spent his nights creating networks and firewalls at home, which he then tried to hack. He quickly learned how difficult it was to build an impenetrable firewall. If he could break into his own networks, hackers could too. The big questions Spitzner tried to answer were how and why intruders were doing it.

The best defense...
Spitzner sees his quest to master the intricacies of network security as an extension of his military training.

“There are a lot of similarities between fighting bad guys in tanks and fighting them in cyberspace,” he explained. “Defending a hill and defending a network are pretty much the same thing. Only the weapons are different. The goal is to track and get intelligence on the offenders.”

One way to do it, according to Spitzner, is by putting up firewall systems and by monitoring intruders’ attempts to hack them.

“I analyzed the [hacking] process so I could figure out what kind of sniffers to use,” he added.

Therein lies the genesis of his Honeynet Project Web site, which he and a few colleagues officially launched in 2000. Honeynets—different from traditional honeypots, which are designed with intentional vulnerabilities—are installed inside firewalls and are designed to mimic the systems that intruders would like to crack. If honeynets are successful, intruders will have no idea they are being tricked and monitored. By using honeynets to gather information, the project aims to, as the Web site explains, “learn the tools, tactics, and motives of the blackhat community and share those lessons learned.”

Learn about honeypots and honeynets
For more details on what a traditional honeypot does, check out these TechRepublic articles:

- “Enhance intrusion detection with a honeypot”
- “Catching hackers in the act with honeypots”

To get a better idea of the design and goal of a honeynet, read these articles from LinuxSecurity.com and CNET:

- “Know your enemy: Honeynets”
- “Honeynet project sweetens hacker bait”

“If an intruder can attack a honeynet, he or she can also take out the White House computer network,” Spitzner said. “It’s all about data capture and data control. By capturing data, we learn a great deal about the intruders.”

Learning about the intruders is critical because cyberattacks are so simple to launch and are therefore likely.

“Terrorists can do a lot of damage with just a few resources,” Spitzner explained. “Training someone to fly a plane into a building requires a lot more training than teaching someone how the Internet works. All you need is one dial-up account.”

Spitzner said that America’s dependence upon the Internet makes it easier for terrorists to exploit this weakness. He suggested that with automated systems, intruders can work fast, and could, for example, launch a worm that would do significant damage before it could be detected and stopped.

“Worms could capture top-secret documents, send them somewhere for collection, and then delete them,” he said. “Technologists have been talking about stealth worms for years. For all we know, they’re already out there.”

Spitzner paints a gloomy picture. Yet a cyberattack can be prevented, he said, by developing a better means of gathering intelligence on potential threats to provide better detection and prevention.

Finding more obsessive researchers like Spitzner wouldn’t be a bad idea either.
