Cyberstorm chasers: The folks who look out for the latest Internet threats

By Bill Brenner, News Writer
24 Jan 2005 | SearchSecurity.com


The Bethesda, Md.-based SANS Internet Storm Center (ISC) has kept a 24-hour-a-day, seven-day-a-week watch over the Internet since its inception in 2001. IT professionals of all stripes volunteer as "handlers" for the center, sifting through reports on the latest worms, viruses, software security holes and other threats.

When trouble comes, they work to provide a detailed analysis of an attack on the ISC Web site, including its geographical reach, potential for destruction and advice for network administrators on how to survive the storm.

In this Q&A, Internet Storm Center founder and CTO Johannes Ullrich talks about the volunteers at the heart of the operation, the bots that keep them awake nights and the center's efforts to strengthen lines of communication to Asia in 2005.

How did the Internet Storm Center get started?

Ullrich: It merged out of two other sites. One was Incidents.org, which was started by SANS in 1999 to coordinate Y2K issues. Later, in 2000, I started the DShield program for the early detection and analysis of Internet attacks. SANS became aware of it and decided that combining the two would make for a good fit. They hired me to undertake it and create the ISC.

You rely on IT professionals who volunteer as "handlers." Describe how the system works.

Ullrich: We have about 35 handlers. They're essentially hand-picked. We decide as a group whether to add someone to the list. One important criterion is diversity. We look at whether that person covers a reach we don't have geographically. Do they speak a language we don't have someone speaking? We have a couple of handlers who work for banks, a couple from smaller businesses and a couple who work for universities. We have a couple of volunteers who are in South America, one is in Belgium, one in Singapore, and one is in Brazil.

How is the average handler shift set up?

Ullrich: Each handler signs up on a sign-up sheet. They pick slots that work best for them. People try to avoid the second Tuesday of each month [Ullrich half-jokingly said this in reference to Patch Tuesday, when Microsoft issues its monthly security patches]. During a shift, the handler of the day is the first one to respond to things that come in on our message list. We get 200 messages a day on our list. People e-mail in issues and the handler on duty tries to respond, to get a sense of how serious a problem is and if others have encountered it. Each handler volunteers for a 24-hour shift. Typically, a handler will not take the day off from their regular job. They might pick a slow day at their job to sign up for a shift. At work, they're constantly checking the message list.

When you think back on all the threats the center has dealt with, which attacks stand out?

Ullrich: Slammer was one of the first ones we dealt with as ISC. Actually, at the very beginning there was Code Red. Sasser and Blaster made for a lot of excitement. These were all cases where reports were coming in from all over the world, from organizations saying they were getting hit badly. That's when we know it's bad. When something larger happens, handlers coordinate to collect information around the world and get the most updated information onto the site.

Of the threats you see every day, which ones worry you the most?

Ullrich: An overall trend we find disturbing is that malware writers are now profit-driven, that it's no longer kids having fun. We see examples every day with things like bots. Bots are not spectacular like some of the worms that make the headlines. They have no names and just make a lot of constant background noise. Tons of variants appear every day and they do a lot of quiet damage in the background. They take over computers without the user knowing it in most cases. They carry dangerous payloads and steal account information. Bots used to come from kids trying to knock each other offline. They had a game called Bot Jousting, where the winner was the one who could last longest without getting knocked down. Now you see corporations that hire people to launch bots to knock down the Web sites of competitors.

Which threats do you think are overly hyped?

Ullrich: A lot of people probably pay too much attention to data on malware that has been stopped at the firewall. You want to know which attacks didn't show up in your log. You want to know about what the firewall didn't catch. If something gets through it doesn't mean your firewall is useless. No device is perfect. But in the end, you don't want to waste too much time studying things that didn't get into your network. Worry about what does get through.
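Ullrich's point above, that analysts should spend their time on traffic the firewall let through rather than on what it blocked, can be turned into a simple triage step over firewall logs. The following script is an added example and is not part of the original interview or of any ISC or DShield tooling; the log format (an iptables-style line tagged FW-ACCEPT or FW-DROP), the sample lines and the function names are all constructed for illustration.

```python
"""Triage constructed firewall log lines: count what was blocked, rank what was allowed."""
import re
from collections import Counter

# Constructed sample lines in an iptables-like format; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 24 03:12:01 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=1434
Jan 24 03:12:02 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.8 DST=203.0.113.10 PROTO=TCP DPT=135
Jan 24 03:12:05 gw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=80
Jan 24 03:12:07 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=1434
Jan 24 03:12:09 gw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.12 DST=203.0.113.10 PROTO=TCP DPT=22
Jan 24 03:12:11 gw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=80
"""

# Hypothetical prefix "FW-<ACTION>"; adjust the pattern to the log prefix your firewall actually writes.
LINE_RE = re.compile(r"FW-(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dport>\d+)")


def parse_lines(text):
    """Extract action, source address and destination port from each recognised line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"action": m["action"], "src": m["src"], "dport": int(m["dport"])})
    return events


def summarize(events):
    """Return drop/accept totals and the accepted (src, dport) pairs ranked by hit count.

    Dropped traffic is reduced to a single number; accepted traffic is what gets listed,
    because that is the part that reached the network and deserves the analyst's time.
    """
    actions = Counter(e["action"] for e in events)
    accepted = Counter((e["src"], e["dport"]) for e in events if e["action"] == "ACCEPT")
    return {
        "dropped": actions["DROP"],
        "accepted": actions["ACCEPT"],
        "review_first": accepted.most_common(),
    }


if __name__ == "__main__":
    report = summarize(parse_lines(SAMPLE_LOG))
    print(f"blocked at firewall: {report['dropped']} (not worth deep study)")
    print(f"allowed through:     {report['accepted']}")
    for (src, dport), hits in report["review_first"]:
        print(f"  review {src} -> port {dport} ({hits} connections)")
```

On the constructed sample the script reports three dropped and three accepted connections and puts the two accepted web connections from 198.51.100.9 at the top of the review list; the repeated probes of port 1434 that were dropped appear only in the total.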

Are there any new features planned for the ISC site?

Ullrich: We are working on a Chinese version of the site. The fundamental idea of ISC is information sharing. We don't want to just be a place where people report information but never get anything back. We're trying to work Asia better into the network than we have in the past. That's a big goal for the next year.
