By Terry Sweeney

With Barry Hess, co-manager of the cybersecurity program for Sandia National Laboratories, Sandia, N.M. Hess works with the Active Network Countermeasures, a honeynet of sorts that tracks and categorizes attackers—persons or software—and offers them misinformation to confuse them or send them elsewhere.

This interview originally appeared in the IT Business Edge weekly report Fortifying Network Security. To see a complete listing of IT Business Edge weekly reports or sign up for this free technology intelligence agent, visit

Question: There’s been a fair amount of publicity about honeypots and honeynets. Are online thugs getting smarter about honeynets—either avoiding them, limiting their activities once inside, or trying to foil them somehow?

Hess: After hitting our countermeasures, we’ve seen instances where people have changed their processes or style or type of attack to get more info about our network architecture and other information. No one’s been successful at getting around it—if they get close, we see what they’re seeing and we adapt accordingly. The more sophisticated their attacks get, the more they tell us about themselves. Most attackers may be just ankle-biters, but then we can see this guy’s a big dog and we need to watch him.

Question: What’s the most important or enlightening thing you’ve learned from your use of honeynets?

Hess: We have every worm ever unleashed all the way back to Code Red 1, and we also tend to see precursors for the next [worm or virus] attack because our data acquisition space is so broad. When we see onesies and twosies that don’t match any pattern, we grab them, analyze them, and pass them on to correct authorities.

Question: Are honeynets useful for all sizes of organizations, public or private? What should would-be deployers of honeynets know beforehand in terms of requirements, costs, and administrative overhead?

Hess: Currently you have to know your own network pretty well to take advantage [of honeynet technology]. The next generation we’re researching right now is a box that automatically learns your network, sees worm operation, and takes countermeasures based on what it knows about your network. That’s 12 to 18 months away, but something we’re developing. Right now this technology works very well when the site architecture is very accurately known, but to use it at what we consider a novice level, it needs more research.