Lance Spitzner of Honeynet and Securing The Human fame has agreed
to a Thought Leadership interview and we certainly thank him for
his time.
UPDATE December 2012. This interview was originally done in 2009,
but a lot has changed since then. So, we are prefacing the original
interview with a note on Lance's current work.
One of the interesting aspects of my honeypot research is I noticed
the cyber threat really changed over time. Around 2005, attackers
began shifting their focus from hacking the computer to hacking the
human. As default installs of computers became more and more secure,
the human became the weakest link. As such, in 2007, I transitioned
from the technical side of security to the human side. I started my
own company specializing in international security awareness
programs. In 2010, my company was acquired by SANS and became what
is known today as SANS Securing The Human.
I now have what I truly consider the best job in the world. I help
organizations go beyond just compliance and build high-impact
security awareness programs. Most fields in security are relatively
mature (encryption, penetration testing, system hardening,
forensics, etc). However, this is a very exciting time as the human
element is so new, we can break new ground and have a real impact on
an organization's security.
The traditional approach to awareness is broken in so many ways, so
it is a great opportunity to make a difference. For example,
organizations have usually failed to identify which human risks they
need to focus on, how to create engaging content, or even whom they
should be targeting. Creating a high-impact awareness program is
much harder than most people understand, but the return on
investment can be huge. At SANS Securing The Human we are focused
on changing all that.
Original Interview:
Lance, how did you get into security in the first place? You were
an Army guy doing tanks, if I recall correctly from the first
"Know Your Enemy:" postings.
Yes, Stephen, my career in information security began in the least
likely of all places, inside an M1A1 Abrams Main Battle Tank. I had
just graduated college and was serving a four year term as an
officer in the United States Army. During college the military paid
for my education through the ROTC (Reserve Officer Training Corps)
program. As a part of this program, I was expected to train with the
military during my four years at college, then upon graduation
serve another four years with the military. As an officer I was
allowed to choose my top three choices for service with the Army.
Tanks were my first choice and fortunately that is what I got.
Let me get this straight, you chose tanks on purpose, wouldn't
that be sort of confining?
I had always been fascinated with tanks. Most kids who are
interested in the military dream about flying the latest fighter
jets or being on advanced navy boats. I loved the idea of speeding 60
mph in a 70 ton monster and firing one of the largest guns in the
world. And that is just what I did. I ended up stationed in Fort
Stewart, Georgia with the 24th Infantry Division (now the 3rd
Infantry Division). At that time this was the first and only rapid
deployment force for heavy armor, so we were always training.
I have to tell you, they are impressive. Over twenty years ago, I
got a permit to cut firewood on an Army base. A friend and I were
felling a Locust tree and cutting it up and two tanks flew by on the
dirt road. I never realized just how big they were until I was
twenty feet away. The ground literally shook. Anyway, from tanks to
infosec, what is the next step?
One of the key training programs the US Army has is something called
NTC, or National Training Center. This is hundreds of square miles
of training space in the Mojave Desert. Here you will find an entire
Brigade of mechanized equipment, including tanks, helicopters,
armored personnel carriers and other vehicles. Units spend an entire
month training in this desert, driving hundreds of miles to engage
each other in mock battles. It was an amazing experience, one that I
will never forget. One of the key lessons taught at NTC, and the
military in general, was the need to understand your enemy.
Right! That is a game changer for you, I do know that much, you
are really focused on Know Your Enemy and the first Honeynet book
really did exactly that, put us inside the mindspace of an
attacker.
Thanks Stephen, if you are going to defend against a threat, you
have to first know who your threat is and how they operate. The Army
even has organizations dedicated to this called military
intelligence, or “The S2”. The military spent a tremendous amount of
resources training me on the threat they expected me to fight. As a
tank officer, I was expected to engage other tanks. As such, I was
taught extensively in Soviet armored tactics. Three tanks to a
platoon, three platoons to a company. I learned how their command
structure was different from our own (it was very top down driven
with NCOs having little control). We crawled around in T-72 tanks,
studied their capabilities (for instance, they had an auto-loading
cannon) and in general learned who our enemy was and how they
operated. It would be these lessons that got me started in
information security and, eventually, honeypots. The key lesson
being, if you are going to defend against a threat, you have to
first know and understand your threat.
OK, but somehow we need to get from tanks to security!
You have always exhibited the patience of Job, Stephen, relax! After
serving four years in the military I left the Army and went to
graduate school in Chicago to get my M.B.A. It was here that I got
my interest in information technology, and more specifically
security. While pursuing my degree I started an internship at a
local Sun Microsystems consulting company. It was here I was first
exposed to things like Unix (specifically Solaris), networking,
email, and a variety of other information technologies. This was a
very exciting time for me as I was learning so much. One of the
newest technologies at this time was something called a firewall,
which very few people had heard of.
I hear that. One of the things I keep trying to emphasize to my
class is that there was no such thing as a firewall until Marcus
Ranum invented the fool thing. My students seem to think they have
always existed. So, you took an interest in the beast?
Yup, none of the consultants at the company wanted to get involved
in this. As I was the new guy at the company (and the lowest person
on the totem pole), they sent me off to firewall training to become
their new resource in firewalls, and eventually security. I was
quickly installing firewalls all over the country for a variety of
different organizations.
And that gave you your field experience, I take it?
This was a huge learning curve for me. Back then, firewalls were
relatively simple to configure and deploy. However, firewalls would
often break a variety of services on the network. I quickly had to
become an expert in tracking and troubleshooting network activity.
This gave me a lot of expertise in network sniffing, decoding
protocols and analyzing traffic patterns. Also, I learned a great
deal about configuring and hardening operating systems. After about
my fifteenth firewall installation I quickly got tired of going
through the same steps hardening the Solaris operating system. I
developed a simple script to automate the hardening process and I
published a paper explaining and releasing the tool. It was one of
the very first papers and tools on hardening and quickly became far
more successful than I expected. During this time I was working with
Solaris so much that I started communicating with a lot of people at
Sun Microsystems. One thing led to another and I was soon working
with them as a Senior Security Architect. Overall, Sun was a great
place to work. They had at that time (and I firmly believe they
still do) the best environment for geeks and technical work. Working
with all the different engineers was an amazing experience.
Well, I would hazard a guess that Google is the new Sun, but
be that as it may. In the late 90s, you were a significant source
of security publications from the Know Your Enemy site, can you
talk about that a bit?
During that time I started going back to my military roots. The key
lesson being, if I am going to defend against a threat, I have to
first know and understand that threat. Specifically with computers,
who was attacking, how were they attacking, and why? Back in
the late 1990’s there was very little information in this area.
There were only a few publications by security notables, such as Dan
Farmer or Bill Cheswick. As such, I decided to do some of my own
research, but how? I learned about an idea called honeypots,
computers built for the bad guys to attack. But, there were very few
such solutions out there and almost no documentation. As such, I
decided to build and deploy my own.
Build it yourself was the way of things in the 90s, that is
for sure; can you expand on that a bit?
Since I do not have a coding background, developing my own solution
would be almost impossible. But I did know and understand firewalls
and how to analyze network traffic. As such, I decided I would
simply put real computers behind firewalls, let anything inbound but
control what goes outbound. I had no idea if this would be a success
or not; I did not know of anyone else who had tried it before. My first
deployment was a simple installation of Red Hat Linux 5.0 on my
wife’s dining room table. I configured the firewall to let anything
inbound but nothing outbound. This way attackers could break into it
but would not be able to go back out to the Internet and harm
anyone. I had several concerns. First, how would anyone find the
computer? It had no value and was just connected to the Internet.
Once found, what would they do with it, who were they and why were
they attacking? With no idea of what would happen next, I put
the system online. Within fifteen minutes someone found and hacked
the computer. I was amazed, but I also knew I was on to something.
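The firewall policy Lance describes above (anything inbound, nothing outbound), modelled as a small stateful packet filter. This is an added example, not code from the original interview, from Lance, or from the Honeynet Project; the addresses, ports and packets are constructed, and the flow tuple used for matching is an assumption chosen for illustration. It shows the caveat a practitioner hits immediately: a literal "drop all outbound" rule also drops the honeypot's own replies, so an attacker's TCP handshake never completes and the box is never compromised. The filter has to remember inbound flows and let only their return traffic out, while a brand-new outbound connection (the compromised honeypot trying to attack someone else) is dropped and logged as an alert.

```python
# Added example: stateful "anything inbound, nothing outbound" honeypot filter.
# Not code from the interview or the Honeynet Project; all addresses and
# packets below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Set, Tuple

HONEYPOT_IP = "192.0.2.10"    # assumed honeypot address (constructed)
ATTACKER_IP = "198.51.100.7"  # assumed attacker address (constructed)
VICTIM_IP = "203.0.113.42"    # assumed third party the compromised box tries to reach (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def naive_decide(pkt: Packet) -> str:
    """Literal reading of 'anything in, nothing out': direction only, no state.

    This drops the honeypot's SYN/ACK, so no attacker can ever finish a handshake.
    """
    return "ACCEPT" if pkt.dst == HONEYPOT_IP else "DROP"


class StatefulHoneypotFilter:
    """Allow all inbound; allow outbound only as a reply to a recorded inbound flow."""

    def __init__(self, honeypot_ip: str) -> None:
        self.honeypot_ip = honeypot_ip
        # Assumed flow key: (peer_ip, peer_port, honeypot_ip, honeypot_port, proto)
        self.flows: Set[Tuple[str, int, str, int, str]] = set()
        # Outbound packets we dropped: the honeypot trying to open its own connections.
        self.alerts: List[Packet] = []

    def decide(self, pkt: Packet) -> str:
        if pkt.dst == self.honeypot_ip:
            # Inbound: always accepted, and remembered so the reply may leave.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT"
        if pkt.src == self.honeypot_ip:
            # Outbound: accepted only if the outside world opened this flow.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
                return "ACCEPT"
            self.alerts.append(pkt)  # new outbound connection: block it and raise the flag
            return "DROP"
        return "DROP"  # traffic that does not involve the honeypot at all


def run_scenario() -> dict:
    """Attacker opens SSH to the honeypot; later the compromised box reaches for a victim."""
    traffic = [
        Packet(ATTACKER_IP, HONEYPOT_IP, 40001, 22),   # SYN from the attacker
        Packet(HONEYPOT_IP, ATTACKER_IP, 22, 40001),   # SYN/ACK reply from the honeypot
        Packet(HONEYPOT_IP, VICTIM_IP, 51000, 80),     # honeypot tries to attack a third party
    ]
    f = StatefulHoneypotFilter(HONEYPOT_IP)
    return {
        "naive": [naive_decide(p) for p in traffic],
        "stateful": [f.decide(p) for p in traffic],
        "alerts": [(p.dst, p.dport) for p in f.alerts],
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

The naive filter returns ACCEPT, DROP, DROP: the attacker's SYN gets in, but the SYN/ACK is dropped and the handshake fails. The stateful filter returns ACCEPT, ACCEPT, DROP and records the attempted connection to the victim as an alert, which is exactly the event a honeypot operator wants to see. On a real Linux gateway the same policy is expressed with connection tracking: accept inbound to the honeypot, accept outbound only in the ESTABLISHED/RELATED state, and drop and log the rest.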
That is awesome, we are not going to ask what your wife
thought about using the dining room table for the project, what
happens next?
Over time, I started deploying more honeypots (eventually called
honeynets) and working with a variety of new tools to better control
and capture everything cyber attackers were doing. I quickly learned
that most attacks were not targeted attacks but random attacks,
simply targets of opportunity. Attackers were looking for specific
systems with specific vulnerabilities and automating the
exploitation of the systems. It was very simple back then as most
operating systems were wide open, had no firewalls, and ran many
vulnerable services by default. While most of the lessons learned
back then seem common knowledge today, they were mostly new and
exciting back then. I also began publishing my first papers and
presenting at my first conference. One of my first papers was simply
titled “Know Your Enemy”, it described my findings with honeypots,
specifically how attackers compromised systems and the tools they
used. Today people would find the paper tremendously simplistic and
most likely very boring; ten years ago this was very exciting stuff
as it was all new. I also published one of the first papers
detailing how to set up a honeypot, “Honeypots: To Catch A
Hacker”. Also during this time I started speaking at various
organizations, including SANS and Blackhat. I discovered I enjoyed
the human aspect the most about information security, working with
and helping others.
Over time I started working with other experts in the security
community. We were interested in deploying more honeypots and
learning about who was involved in the attacks and why. Back then
this was much simpler, as most attackers used IRC for communication
and coordination of all their activities. Not only could we monitor
their attacks, but also their communications with each other. From
these activities the Honeynet Project was born. Originally an
informal group started in 1999, over the years the group
formalized its structure and activities into the international
research organization it has become. The Honeynet Project is easily
the most exciting and rewarding experience I have ever had working
with other people. It is now made up of over one hundred volunteers
from all over the world working together to learn more, research new
techniques, develop new tools and coordinate all in the name of
securing the community. To date it has published almost thirty Know
Your Enemy papers, twenty different tools and helped create
technologies people take for granted today. I quickly learned that
the security community is made up of many people far smarter than I
will ever be, which is exciting because you are always learning.
You know, I still have one of those denim shirts, you really did
compile an incredible team. So what are you doing today?
Besides helping run the Honeynet Project, I have also been doing
more independent consulting. I absolutely love working with and
helping others,
especially in such a dynamic field as information security. My focus
has been on securing the human, taking my years of experience and
helping organizations secure what is often the weakest link, the
employee. Technology is usually the primary focus of any information
security program as computers, webservers and databases in general
store, process and transfer information. However, employees do the
very same, they store, process and transfer information. Yet the
vast majority of any security budget focuses on the technology, not
the people. This is something I’m hoping to help address.
And, if an organization wants to find you to engage your
services, where should they look?
Sure, http://www.honeytech.com
OK that is really interesting, we like to do something
called a bully pulpit, if you had an opportunity to tell the
community what was on your mind, what would you share?
I’m a big believer in the philosophy of Marcus Ranum, whom I consider
a good friend of mine. We will never have perfect security simply
because we do not need perfect security. We will only have good
enough security. I sometimes get frustrated with security
researchers who are simply amazed companies are not installing the
latest kernel security tweak or installing the latest buzz word
security software. They forget that organizations do not exist to be
secure, they exist to get things done. Security is simply a part of
enabling things to get done. For example, we have had crime for
thousands of years, we have not solved it yet and we are not going
to solve it any time soon. In the end we just reduce risk, not
eliminate it. Get over it.
Lance, we really thank you for your time. As we close, can
you share just a bit about Lance the person, what do you do when
you are not behind a computer?
Hah! As for most geeks, there is never enough free time. First,
there are my wife and my two boys. I love spending as much time as
possible with them, from riding bikes and swimming together, to
working in the garden or learning new things. We try to do as much
as possible outdoors. When I do get some personal free time I love
to hit the streets and train on my inline speed skates. I compete in
inline skate marathons. These races are amazing, very similar to a
bike race as you compete in packs with constant breakaways and
sprints. You are wiped at the end, however it is the only thing that
keeps this geek in shape. Thanks Stephen, I really appreciate the
time and opportunity!