Interview with Lukas Rist, creator of Conpot ICS honeypot and speaker at the Honeynet Workshop 2015

24 Apr 2015 Leon van der Eijk conpot workshop

Lukas Rist is a software engineer with Blue Coat Norway where he develops behavioral malware analysis systems. In his spare time, he works on web application and ICS/SCADA honeypots and botnet monitoring tools under the umbrella of the Honeynet Project where he is also a Director. He recently developed an interest in deployment automation, ephemeral file systems and exotic industrial communication protocols.

1) What was your motivation to enter Information Security field, and who inspired and helped you along the way?

My gateway drug to information security was my involvement with The Honeynet Project. Getting pulled in by my fascination, experiencing the fulfillment of creating something useful and being able to work in this field, I eventually decided to leave my previous paths and to enjoy full time what used to be a hobby. I got a lot of inspiration from the concept of open source and how people collaborate in The Honeynet Project. When you work in information security, you are constantly surrounded by people who are better at something than you, if you can keep this state you will never run out of inspiration.

2) How do keep yourself motivated in this line of work and how do you handle the competition & failures?

The competition and my own and others failures keep me motivated. There is nothing else capable to make me stare at a screen for hours than an unsolved problem that seemed very simple at first.

3) Why is Global Honeynet Project important and why should people support this cause?

For me The Honeynet Project is a unique collaborative group of experts which all have the goal to share, create and discuss. If the fact, that we have spent the last decade developing open source tools and sharing our findings is not convincing enough, have a look at the all the people that got a chance in this industry after being involved with The Honeynet Project.

4) What is your talk about and why people should join the event?

I am going to talk about Conpot, an ICS honeypot designed to get an insight into the threats an internet connected industrial system might face. If the promise of seeing me talking enthusiastically about deceiving the bad guys isn’t enough, then I recommend to come anyway and get inspired as I do. I always leave the workshop with new ideas, feedback on my work, new collaborations and fresh energy to spend the next 356 nights hunkering over my keyboard. I also heard there will be some home made beer this year…

5) What Security issues are being exploited and how to counter them?

Last year when I was doing this interview, I quoted Will Durant: “So the story of man runs in a dreary circle, because he is not yet master of the earth that holds him.” Information security is in the same situation and I still wouldn’t call it a dreary story, but we definitely see repeating issues that we haven’t solved yet or maybe never will. The adversaries, their targets and the means used may change, but I assume the fundamental causes will stay the same for some time, be it the human, lack of resources or pure ignorance. Just look at industrial security, people are currently starting to deploy network monitoring and they are scared shitless that something might break. If we want to change something, we need to get into a mindset in which security comes as natural as QA or availability and where we are prepared to be breached instead of hoping for invulnerability.

6) How does your talk impact today’s security scenario?

With this specific honeypot we are trying to introduce an old technology into the industrial sector. The concept is not new but the adoption merely goes beyond security research. Honeypots are able to give us insight into rogue activities and their passive presence can reduce the reservation towards security tools in a productive network. With the data collected using a honeypot, we can get an insight into the methods and technology used by the adversaries. We can react faster on new emerging threats and increase a systems protection before it becomes a target. A honeypot also acts as a decoy and gives you a time advantage while the adversary spends time figuring out that he just stepped into a trap.

7) What are the gaps in today’s security methods?

From my perspective the reluctance of people to change, the lack of professionalism, the fact that security is a cost factor and an unbelievable lethargic vulnerability life-cycle. While those issues are not directly security methods, they render most solutions useless even if they would cover everything.

8) What are your suggestions for upcoming professionals?

Get involved, contribute to open source projects, make your own tools open source, show that you care and ask many questions. Learn fast from your mistakes and remember advise. I used to write down every time I made a mistake just to remember them better and to not make them again. Trust is an important factor in this community, get in contact with people, try to attend conferences and workshops to meet people face to face. Use information sources like mailing lists, hackernews, reddit and twitter to stay up to date and to participate in discussions. Save the talking for your forties, write code now, provide solutions and don’t be afraid to be wrong.