Those of us in the IT industry are very familiar with the terms honeypots, digital forensics, and hackers. Even the general public has heard the terms, given the global coverage of identity theft, election hacking, and rampant ransomware attacks in recent years. Back in the mid-1980s these terms didn’t exist, or at least not with their current definitions. However, one man, Clifford “Cliff” Stoll, a fun-loving astronomer working at the Lawrence Berkeley National Lab at the University of California, would become entangled in the unknown web of computer espionage. Partially due to his experiences and lessons, these words evolved into their current meanings.

After starting his new position as a system administrator, Dr. Stoll was given the mundane task of finding an issue with the lab’s existing computer usage tracking software, which was used to charge scientists who were abusing their computer resources. What started off as a simple task evolved into the identification and tracking of a KGB-sponsored computer hacker, one who was using Berkeley’s computer system as a jump point to various military computer systems on the MILNET.

Thanks to Dr. Stoll’s critical thinking and his training in the scientific method and troubleshooting, we have what is regarded as the first documented case of cyber espionage. He documented his story in the book, “The Cuckoo’s Egg”. What I found amazing about this book is not only the way he is able to tell a technical story in a very understandable manner, but also the number of applicable lessons that can be derived from his experiences. The following are ten real world lessons from “The Cuckoo’s Egg”.

Don’t Count Your Cuckoo’s Eggs Before They Hatch!

Lesson 1: Persistence when first presented with a challenge

If Dr. Stoll had not had the persistence to dig deeper into the software error, he would never have found the hacker in his system. He would never have documented all of the locations the hacker was breaking into. The FBI, NSA, AFOSI, CIA and DoD would have continued to be behind the curve with regard to the legitimacy of cyber threats and the need for computer security policies, directives, and centralized information sharing. Persistence leads to knowledge. Knowledge leads to improved decision making. Improved decision making leads to better outcomes.

Lesson 2: Documentation should always be step number one

Thankfully, Dr. Stoll approached his entire ordeal as though it was an experiment. Using the principles he learned from following the scientific method, he knew that any observations without documentation meant that in essence, “it never happened”. Furthermore, it was his documentation which allowed him to get the attention of the various federal agencies mentioned above. Documentation is critical when troubleshooting any type of issue. There are always things that you will miss or forget. It also allows you to do analysis of data over a much longer period of time. Do yourself a favor and start documenting from the jump!

Lesson 3: Critical thinking from the start

Like the previous lesson, another bit of knowledge that should be implemented from the beginning is thinking critically. Dr. Stoll utilized his critical thinking skills when identifying his next course of action once the presence of a hacker was identified. He needed to find:

  • How the hacker was getting in the system
  • How they were elevating privileges
  • What files they were reading, copying, or modifying
  • The compromised accounts
  • Where the hacker was going when using Berkeley as a jump point
  • When the hacker was accessing the system
  • Where the hacker was coming from

He needed to do all this without giving any indication that he was aware of the intruder’s presence or that any monitoring of the system was going on. Thinking critically about the problem enabled him to successfully monitor the hacker while remaining undetected.

Lesson 4: Use your own skills and background to complement your IT/Cyber skills

Your skills and experiences are important components of your cybersecurity tool box, especially when you are faced with challenges that seem outside of your normal lane of expertise. There might not always be a direct correlation, as in the case of Dr. Stoll: astronomer ≠ Linux admin. However, the skills that made him a scientist (attention to detail, being inquisitive, being methodical, always observing) translated nicely to his endeavor to track down the miscreant in his system.

No matter what your background is, there are lessons and experiences that can be applicable in other areas. Even more, they might allow you to view things from a different perspective than those who have only worked in one field!

Lesson 5: Senior leadership buy-in is critical

Again and again, Dr. Stoll would run into challenges from not only his management, but the management of all of the various government agencies (in the US and abroad) he was interacting with. As the story unfolded, each of the groups put up significant resistance that stymied the ability to finally identify, capture, and prosecute the “Hannover Hacker”. He had to get approval from his university management with regard to:

  • Agreeing that the system had been breached
  • Spending his valuable time monitoring, documenting, coordinating, and warning other agencies about the hacker’s activities
  • Providing continued assistance to the FBI, AFOSI, CIA, NSA, and German authorities at the expense of the university

From the governmental agencies’ perspectives, he had to get buy-in that:

  • He should continue to allow access to his system to be able to monitor the hacker
  • There was enough of a national security threat based off of the targets and compromised systems
  • Some agency needed to take the lead on jurisdiction in order for the case to continue to be investigated
  • There had been enough of a crime committed for FBI to coordinate and issue warrants to the German authorities

Each of these items took a lot of effort and convincing to ensure that progress continued. If any of these items had not received and maintained the support of those in management positions, the investigation could easily have ended prematurely. In that event, the government’s systems would have continued to be penetrated by KGB-sponsored hackers. Likewise, there would not have been a call to action to take computer security seriously from a national defense perspective. It is a clear demonstration of the need for senior leadership buy-in.

Lesson 6: Don’t underestimate the data put in front of you

This lesson can be demonstrated in a few ways. Firstly, if Dr. Stoll had not dug into a 75-cent accounting error in a thorough way, neither he nor the government would have known about the hacker. Secondly, over the course of a year, the hacker left tidbits of information that only someone who was analytically looking at the whole picture could use to deduce certain facts about the hacker: the types of data he was after, the usernames he was creating, the hours he was active, and the configuration mistakes he was making. These data points helped create a profile that would be used in the end to track and capture the hacker. Never underestimate what one piece of information might be. Combined with other pieces, it will help you find a solution for whatever challenge you are trying to solve.

Lesson 7: Industry lingo can seem like Greek to outsiders, but can contain a lot of useful information

There were multiple times that Dr. Stoll was presented with new information, codes or acronyms which were completely foreign to him. Often he would hilariously feign ignorance of some of the federal agencies’ numerous acronyms. There were times, however, when learning these new codes or lingo helped provide a clearer picture from a technical perspective.

A perfect example of this was when dealing with the Tymnet engineers and listening to all of the coded language they used to describe the various circuits used on their global packet switching network. At first, it sounded like nonsense to Dr. Stoll. However, after understanding the meanings behind the codes and what the various abbreviations and numbers stood for, he was able to easily follow along as they were tracing the data connections through the US and over to Europe.

At first pass, industry lingo might not make sense, but it was developed for a reason. Chances are it was created to make things easier to identify and track. If you are unfamiliar with some new lingo, take the time to find out the origin and meaning. It will probably give you a whole new understanding of things in that specific industry.

Lesson 8: The absence of data can tell you just as much as the presence of data

This is similar to the lesson of not underestimating the data put in front of you. The process of deduction via lack of data or evidence can be just as important as putting facts together. This process led to creating a profile of the hacker which turned out to be true. Given some of the characteristics the hacker didn’t display, Dr. Stoll was able to deduce the following:

  • The hacker was not, in fact, a student at his university
  • The hacker was not simply looking for the challenge of hacking random universities and organizations due to the specific targets and types of data downloaded
  • He was not the same as some of the other hackers who were familiar with other operating systems (OS’s) that had been hacking other universities
  • He was most likely being paid due to the lack of periods of inaction (i.e. vacation breaks)

Lesson 9: Often you need an outside perspective

This might be the second greatest lesson on this list. There are two prime examples in “The Cuckoo’s Egg”. Firstly, Dr. Stoll provided the outside perspective that the DoD and other government agencies needed to legitimize the threat of cyber attacks. Almost every single organization he contacted (Mitre, USAF, Army, CIA, NSA, etc.) believed they had solid security principles implemented or that the threat of hacking was not serious enough. He provided the outside perspective both from a technical perspective (as he was logging the attack traffic through his network) as well as an academic perspective outside of the government.

The second example is what led to the capture of the hacker. Dr. Stoll’s wife, Martha, came up with the idea of creating what might have been the internet’s first honeypot. There was a need to maintain the hacker’s connection for a long enough period of time in order to trace the call all the way back to his location in Germany. In order to do so, Martha recommended creating fake documents that would keep the hacker interested for a long enough period of time every time he connected. Not only did this “secret government project” meet the first goal, but KGB contacts that resided in Pittsburgh, PA actually sent in a fake contact from to request information about the fake project! Martha’s outside perspective and ingenious trap ended up being exactly what was needed.

Lesson 10: Being the first means having the most opportunities

Lastly, this lesson might be the most important. Dr. Stoll started on what was a routine investigation into some potentially malfunctioning accounting software and ended up being the first to track and document cyber espionage. In being the first, he laid the groundwork in some ways for:

  • Passive monitoring
  • Blue team techniques
  • Forensic analysis
  • Honeypots
  • Demonstrating the need for industry-wide information sharing on vulnerabilities and cyber hacking campaigns
  • Cross-agency collaboration with regard to computer crimes

He got to use trial and error to figure out which methods worked best, because none of this had really been done or documented before. In doing so, he also brought all of the above lessons together in this grand endeavor into the cyber unknown. He was not afraid of failing, because what he was doing had not been done yet. Any misstep would only be used to fortify his path toward his goal. He realized there was no predetermined right or wrong way. There is freedom in being the first, and fear of the unknown should not stop someone from going down that path for the first time. Being the first means having the most opportunities.

The Wrap Up

I had originally heard of “The Cuckoo’s Egg” when reading a book called “Tribe of Hackers.” It’s a book that interviews 40 of the top cybersecurity professionals in the industry today. An overwhelming majority mentioned Dr. Stoll and his book as either a motivating factor or recommended reading for those interested in cybersecurity.

After reading “The Cuckoo’s Egg”, I couldn’t agree more. It’s an amazing book that really captures the genesis of cybersecurity. Dr. Stoll does a phenomenal job, not only documenting his experiences, but in telling his compelling story in a way only he can. It truly is a must read for those in the IT/Cybersecurity field and for anyone, independently of their career fields, for the applicable lessons offered across the board.


Find out more about J.B.C.’s Cyber&Sight™ blog here.