Meet Lukas Rist, our new Chief Research Officer

Back in November, the Honeynet Project announced the appointment of a new Chief Research Officer: Lukas Rist took over the role from David Watson after his long and successful tenure. The research office will also be supported by Maximilian Hils and Cornelius Aschermann.


Lukas is a German living in Norway: after working on Symantec's malware sandbox solution, he switched to the team running the back-end systems. Among other things, he is responsible for a system that analyzes between 500k and one million potentially malicious samples per day, producing the behavioral data used by Symantec analysts for threat hunting.


His initial contribution to the Honeynet Project dates back to 2009, when he started as a Google Summer of Code student and later joined THP in the same year. Since then he has been helping as a GSoC mentor and organization admin. For the last two years he has served on the Board of Directors and helped with the realization of the organization's vision and goals. He never stopped developing honeypots though: you might have heard about Glastopf, Conpot and, more recently, SNARE/TANNER.


We asked Lukas what projects are keeping him busy. “My focus at the moment is on Conpot (an industrial control system honeypot), SNARE/TANNER (a web application honeypot solution) and most recently on Glutton, a low interaction sensor which we use to get an easy overview on what threats are currently prevalent. We also have a myriad of cool projects coming out of our participation in Google Summer of Code:


A number of strategic research projects are also active within THP right now, and Lukas has a pretty clear vision of where to lead the Honeynet Project's research in the near and mid-term: “Most of our research efforts are driven by tool development or the data we collect with those tools. We are currently revamping our sensor network and the way we collect and store the data we see in our honeypots. This partially drives our research and development direction but also helps us to maintain a corpus of data that we are sharing with other researchers. For example, we are seeing a high demand for information describing the threat landscape, especially in the fields of Internet of Things and Industrial Security. We hope to participate again in Google Summer of Code in 2017: GSoC has been a great platform for us to drive development and research in our community and it aligns perfectly with our goal to make the security community more accessible for young professionals. We will also continue our efforts to support other researchers with the data we collect, which means driving research in a direction that provides us with a constant stream of new and interesting data.”


To focus the effort, THP research has set clear objectives for 2017: “We have three major goals for next year: the sensor network as a tool to drive internal research and development but also collaboration with other organizations. Participation in Google Summer of Code to continue our role as an incubator organization and proving ground for upcoming security professionals. Lastly, our annual workshop is a major driver for collaboration in our organization: being able to present your research in front of a live audience, discussing your ideas face to face or just writing some code together has been invaluable to us.”


The security community has recently seen a renewed interest in deception and honeypots, so we asked Lukas his opinion on what could be the next development in the field and how the Honeynet Project can contribute to it: “Deception technologies are on the rise again. I'm pretty sure you have heard of at least one of the recent start-ups trying to establish themselves in this market. This field, which we have been working in for more than a decade, is today even more interesting and relevant. When the security industry tells you that a breach is inevitable and the time for you to detect an intruder runs into months, every indicator is worth gold. Deception tools expand your field of view; they can give you that tiny hint that someone unauthorized is collecting intelligence or is traversing your network. Deception allows you to take back some control. You are not following the adversary's actions, patching those vulnerabilities he used, cleaning systems from infections and writing reports. You are the one who makes him scan that web labyrinth for hours, provides him with false information, dilutes his intelligence and in general increases the cost of his campaign. You might end up being a rather unattractive target… The Honeynet Project is run on enthusiasm; we have fallen in love with the work we do. As you see in our goals, we are going to keep spreading the fascination, helping others to understand why we volunteer and why they should join us.”


Thanks, Lukas and research team, keep up the good work!