Cyberstorm chasers: The folks who look out for the latest Internet threats

They keep a 'round-the-clock watch on conditions in cyberspace. CTO Johannes Ullrich discusses the volunteer effort behind the SANS Internet Storm Center.

The Bethesda, Md.-based SANS Internet Storm Center (ISC) has kept a 24-hour-a-day, seven-day-a-week watch over the Internet since its inception in 2001. IT professionals of all stripes volunteer as "handlers" for the center, sifting through reports on the latest worms, viruses, software security holes and other threats.

When trouble comes, they work to provide a detailed analysis of an attack on the ISC Web site, including its geographical reach, potential for destruction and advice for network administrators on how to survive the storm.

In this Q&A, Internet Storm Center founder and CTO Johannes Ullrich talks about the volunteers at the heart of the operation, the bots that keep them awake nights and the center's efforts to strengthen lines of communication to Asia in 2005.

How did the Internet Storm Center get started?

Ullrich: It merged out of two other sites. One was Incidents.org, which was started by SANS in 1999 to coordinate Y2K issues. Later, in 2000, I started the DShield program for the early detection and analysis of Internet attacks. SANS became aware of it and decided that combining the two would make for a good fit. They hired me to undertake it and create the ISC.

You rely on IT professionals who volunteer as "handlers." Describe how the system works.

Ullrich: We have about 35 handlers. They're essentially hand-picked. We decide as a group whether to add someone to the list. One important criterion is diversity. We look at whether that person covers a reach we don't have geographically. Do they speak a language we don't have someone speaking? We have a couple of handlers who work for banks, a couple from smaller businesses and a couple who work for universities. We have a couple of volunteers who are in South America, one is in Belgium, one in Singapore, and one is in Brazil.

How is the average handler shift set up?

Ullrich: Each handler signs up on a sign-up sheet. They pick slots that work best for them. People try to avoid the second Tuesday of each month [Ullrich half-jokingly said this in reference to Patch Tuesday, when Microsoft issues its monthly security patches]. During a shift, the handler of the day is the first one to respond to things that come in on our message list. We get 200 messages a day on our list. People e-mail in issues and the handler on duty tries to respond, to get a sense of how serious a problem is and if others have encountered it. Each handler volunteers for a 24-hour shift. Typically, a handler will not take the day off from their regular job. They might pick a slow day at their job to sign up for a shift. At work, they're constantly checking the message list.

When you think back on all the threats the center has dealt with, which attacks stand out?

Ullrich: Slammer was one of the first ones we dealt with as ISC. Actually, at the very beginning there was Code Red. Sasser and Blaster made for a lot of excitement. These were all cases where reports were coming in from all over the world, from organizations saying they were getting hit badly. That's when we know it's bad. When something larger happens, handlers coordinate to collect information around the world and get the most updated information onto the site.

Of the threats you see every day, which ones worry you the most?

Ullrich: An overall trend we find disturbing is that malware writers are now profit-driven, that it's no longer kids having fun. We see examples every day with things like bots. Bots are not spectacular like some of the worms that make the headlines. They have no names and just make a lot of constant background noise. Tons of variants appear every day and they do a lot of quiet damage in the background. They take over computers without the user knowing it in most cases. They carry dangerous payloads and steal account information. Bots used to come from kids trying to knock each other offline. They had a game called Bot Jousting, where the winner was the one who could last longest without getting knocked down. Now you see corporations that hire people to launch bots to knock down the Web sites of competitors.

Which threats do you think are overly hyped?

Ullrich: A lot of people probably pay too much attention to data on malware that has been stopped at the firewall. You want to know which attacks didn't show up in your log. You want to know about what the firewall didn't catch. If something gets through it doesn't mean your firewall is useless. No device is perfect. But in the end, you don't want to waste too much time studying things that didn't get into your network. Worry about what does get through.

Are there any new features planned for the ISC site?

Ullrich: We are working on a Chinese version of the site. The fundamental idea of ISC is information sharing. We don't want to just be a place where people report information but never get anything back. We're trying to work Asia better into the network than we have in the past. That's a big goal for the next year.
