Thought Leaders

Lance Spitzner, Securing The Human, founder

Stephen Northcutt - November 29th, 2012

Lance Spitzner of Honeynet and Securing The Human fame has agreed to a Thought Leadership interview and we certainly thank him for his time.

UPDATE December 2012. This interview was originally done in 2009, but a lot has changed since then. So, we are prefixing Lance's current work to the original interview.

One of the interesting aspects of my honeypot research is I noticed the cyber threat really changed over time. Around 2005, attackers began shifting their focus from hacking the computer to hacking the human. As default installs of computers became more and more secure, the human became the weakest link. As such, in 2007, I transitioned from the technical side of security to the human side. I started my own company specializing in international security awareness programs. In 2010, my company was acquired by SANS and became what is known today as SANS Securing The Human.

I now have what I truly consider the best job in the world. I help organizations go beyond just compliance and build high-impact security awareness programs. Most fields in security are relatively mature (encryption, penetration testing, system hardening, forensics, etc). However, this is a very exciting time as the human element is so new, we can break new ground and have a real impact on an organization's security.

The traditional approach to awareness is broken in so many ways, so it is a great opportunity to make a difference. For example, organizations have usually failed to identify which human risks they need to focus on, how to create engaging content, or even whom they should be targeting. Creating a high-impact awareness program is much harder than most people understand, but the return on investment can be huge. At SANS Securing The Human we are focused on changing all that.

Original Interview:
Lance, how did you get into security in the first place? You were an Army guy doing tanks, if I recall correctly from the first "Know Your Enemy:" postings.

Yes, Stephen, my career in information security began in the least likely of all places, inside an M1A1 Abrams Main Battle Tank. I had just graduated college and was serving a four year term as an officer in the United States Army. During college the military paid for my education through the ROTC (Reserve Officer Training Corps) program. As a part of this program, I was expected to train with the military during my four years at college, then upon graduation serve another four years with the military. As an officer I was allowed to choose my top three choices for service with the Army. Tanks were my first choice and fortunately that is what I got.

Let me get this straight, you chose tanks on purpose, wouldn't that be sort of confining?

I had always been fascinated with tanks. Most kids who are interested in the military dream about flying the latest fighter jets or being on advanced navy boats. I loved the idea of speeding 60 mph in a 70 ton monster and firing one of the largest guns in the world. And that is just what I did. I ended up stationed in Fort Stewart, Georgia with the 24th Infantry Division (now the 3rd Infantry Division). At that time this was the first and only rapid deployment force for heavy armor, so we were always training.

I have to tell you, they are impressive. Over twenty years ago, I got a permit to cut firewood on an Army base. A friend and I were felling a Locust tree and cutting it up and two tanks flew by on the dirt road. I never realized just how big they were until I was twenty feet away. The ground literally shook. Anyway, from tanks to infosec, what is the next step?

One of the key training programs the US Army has is something called NTC, or National Training Center. This is hundreds of square miles of training space in the Mojave Desert. Here you will find an entire Brigade of mechanized equipment, including tanks, helicopters, armored personnel carriers and other vehicles. Units spend an entire month training in this desert, driving hundreds of miles to engage each other in mock battles. It was an amazing experience, one that I will never forget. One of the key lessons taught at NTC, and the military in general, was the need to understand your enemy.

Right! That is a game changer for you, I do know that much, you are really focused on Know Your Enemy and the first Honeynet book really did exactly that, put us inside the mindspace of an attacker.

Thanks Stephen, if you are going to defend against a threat, you have to first know who your threat is and how they operate. The Army even has organizations dedicated to this called military intelligence, or “The S2”. The military spent a tremendous amount of resources training me on the threat they expected me to fight. As a tank officer, I was expected to engage other tanks. As such, I was taught extensively in Soviet armored tactics. Three tanks to a platoon, three platoons to a company. I learned how their command structure was different from our own (it was very top down driven with NCOs having little control). We crawled around in T-72 tanks, studied their capabilities (for instance, they had an auto-loading cannon) and in general learned who our enemy was and how they operated. It would be these lessons that got me started in information security and, eventually, honeypots. The key lesson being, if you are going to defend against a threat, you have to first know and understand your threat.

OK, but somehow we need to get from tanks to security!

You have always exhibited the patience of Job, Stephen, relax! After serving four years in the military I left the Army and went to graduate school in Chicago to get my M.B.A. It was here that I got my interest in information technology, and more specifically security. While pursuing my degree I started an internship at a local Sun Microsystems consulting company. It was here I was first exposed to things like Unix (specifically Solaris), networking, email, and a variety of other information technologies. This was a very exciting time for me as I was learning so much. One of the newest technologies at this time was something called a firewall, which very few people had heard of.

I hear that. One of the things I keep trying to emphasize to my class is that there was no such thing as a firewall until Marcus Ranum invented the fool thing. My students seem to think they have always existed. So, you took an interest in the beast?

Yup, none of the consultants at the company wanted to get involved in this. As I was the new guy at the company (and the lowest person on the totem pole), they sent me off to firewall training to become their new resource in firewalls, and eventually security. I was quickly installing firewalls all over the country for a variety of different organizations.

And that gave you your field experience, I take it?

This was a huge learning curve for me. Back then, firewalls were relatively simple to configure and deploy. However, firewalls would often break a variety of services on the network. I quickly had to become an expert in tracking and troubleshooting network activity. This gave me a lot of expertise in network sniffing, decoding protocols and analyzing traffic patterns. Also, I learned a great deal about configuring and hardening operating systems. After about my fifteenth firewall installation I quickly got tired of going through the same steps hardening the Solaris operating system. I developed a simple script to automate the hardening process and I published a paper explaining and releasing the tool. It was one of the very first papers and tools on hardening and quickly became far more successful than I expected. During this time I was working with Solaris so much that I started communicating with a lot of people at Sun Microsystems. One thing led to another and I was soon working with them as a Senior Security Architect. Overall, Sun was a great place to work. They had at that time (and I firmly believe they still do) the best environment for geeks and technical work. Working with all the different engineers was an amazing experience.

Well, I would hazard a guess that Google is the new Sun, but be that as it may. In the late 90s, you were a significant source of security publications from the Know Your Enemy site, can you talk about that a bit?

During that time I started going back to my military roots. The key lesson being, if I am going to defend against a threat, I have to first know and understand that threat. Specifically with computers, who was attacking, how were they attacking, and why? Back in the late 1990’s there was very little information in this area. There were only a few publications by security notables, such as Dan Farmer or Bill Cheswick. As such, I decided to do some of my own research, but how? I learned about an idea called honeypots, computers built for the bad guys to attack. But, there were very few such solutions out there and almost no documentation. As such, I decided to build and deploy my own.

Build it yourself was the way of things in the 90s, that is for sure; can you expand on that a bit?

Since I do not have a coding background, developing my own solution would be almost impossible. But I did know and understand firewalls and how to analyze network traffic. As such, I decided I would simply put real computers behind firewalls, let anything inbound but control what goes outbound. I had no idea if this would be a success or not, I did not know of anyone else trying it before. My first deployment was a simple installation of Red Hat Linux 5.0 on my wife’s dining room table. I configured the firewall to let anything inbound but nothing outbound. This way attackers could break into it but would not be able to go back out to the Internet and harm anyone. I had several concerns. First, how would anyone find the computer, it had no value and was just connected to the Internet. Once found, what would they do with it, who were they and why were they attacking? With no idea of what would happen next, I put the system online. Within fifteen minutes someone found and hacked the computer. I was amazed, but I also knew I was on to something.

That is awesome, we are not going to ask what your wife thought about using the dining room table for the project, what happens next?

Over time, I started deploying more honeypots (eventually called honeynets) and working with a variety of new tools to better control and capture everything cyber attackers were doing. I quickly learned that most attacks were not targeted attacks but random attacks, simply targets of opportunity. Attackers were looking for specific systems with specific vulnerabilities and automating the exploitation of the systems. It was very simple back then as most operating systems were wide open, had no firewalls, and ran many vulnerable services by default. While most of the lessons learned back then seem common knowledge today, they were mostly new and exciting back then. I also began publishing my first papers and presenting at my first conference. One of my first papers was simply titled “Know Your Enemy”; it described my findings with honeypots, specifically how attackers compromised systems and the tools they used. Today people would find the paper tremendously simplistic and most likely very boring; ten years ago this was very exciting stuff as it was all new. I also published one of the first papers detailing how to set up a honeypot, “Honeypots: To Catch A Hacker”. Also during this time I started speaking at various organizations, including SANS and Blackhat. I discovered I enjoyed the human aspect the most about information security, working with and helping others.

Over time I started working with other experts in the security community. We were interested in deploying more honeypots and learning about who was involved in the attacks and why. Back then this was much simpler, as most attackers used IRC for communication and coordination of all their activities. Not only could we monitor their attacks, but their communications between each other. From these activities the Honeynet Project was born. Originally an informal group started in 1999, over the years the group formalized its structure and activities into the international research organization it has become. The Honeynet Project is easily the most exciting and rewarding experience I have ever had working with other people. It is now made up of over one hundred volunteers from all over the world working together to learn more, research new techniques, develop new tools and coordinate all in the name of securing the community. To date it has published almost thirty Know Your Enemy papers, twenty different tools and helped create technologies people take for granted today. I quickly learned that the security community is made up of many people far smarter than I will ever be, which is exciting because you are always learning.

You know, I still have one of those denim shirts, you really did compile an incredible team. So what are you doing today?

Besides helping run the Honeynet Project, I have also been doing more independent consulting. I absolutely love working with and helping others, especially in such a dynamic field as information security. My focus has been on securing the human, taking my years of experience and helping organizations secure what is often the weakest link, the employee. Technology is usually the primary focus of any information security program as computers, webservers and databases in general store, process and transfer information. However, employees do the very same: they store, process and transfer information. Yet the vast majority of any security budget focuses on the technology, not the people. This is something I’m hoping to help address.

And, if an organization wants to find you to engage your services, where should they look?


OK that is really interesting, we like to do something called a bully pulpit, if you had an opportunity to tell the community what was on your mind, what would you share?

I’m a big believer in the Marcus Ranum philosophy, whom I consider a good friend of mine. We will never have perfect security simply because we do not need perfect security. We will only have good enough security. I sometimes get frustrated with security researchers who are simply amazed companies are not installing the latest kernel security tweak or installing the latest buzz word security software. They forget that organizations do not exist to be secure, they exist to get things done. Security is simply a part of enabling things to get done. For example, we have had crime for thousands of years, we have not solved it yet and we are not going to solve it any time soon. In the end we just reduce risk, not eliminate it. Get over it.

Lance, we really thank you for your time. As we close, can you share just a bit about Lance the person, what do you do when you are not behind a computer?

Hah! As for most geeks, there is never enough free time. First, there are my wife and my two boys. I love spending as much time as possible with them, from riding bikes and swimming together, to working in the garden or learning new things. We try to do as much as possible outdoors. When I do get some personal free time I love to hit the streets and train on my inline speed skates. I compete in inline skate marathons. These races are amazing, very similar to a bike race as you compete in packs with constant breakaways and sprints. You are wiped at the end, however it is the only thing that keeps this geek in shape. Thanks Stephen, I really appreciate the time and opportunity!