A brief briefing…
The Internet Storm Center
Rick Wanner - ISC Handler
rwanner@isc.sans.org
Rick Wanner B.Sc., I.S.P., ITCP
• Client Technology Manager, Corporate Security at SaskTel
• Masters Student at SANS Technology Institute (www.sans.edu)
• Independent contractor/Volunteer with SANS/GIAC
• ISC Handler since 2008
rwanner@isc.sans.org
The Internet Storm Center
• The ISC is composed of approximately 40 volunteer handlers who coordinate a group of volunteer intrusion analysts and malware specialists.
• Daily “Handler on Duty”
• Daily diary/blog published at http://isc.sans.edu/
• The Internet Storm Center acts as a distributed early warning system for the Internet.
• The ISC acts as an intermediary with ISPs worldwide.
• Sponsored by the SANS Technology Institute (http://www.sans.edu).
ISC = DSHIELD + Contributors + Handlers
(Diagram: User Logs feed DShield Data; DShield Data and Reader Reports both feed the ISC Handlers.)
Example reader report:
    From: isc reader
    To: handlers@sans.org
    Subject: Recent attack.
    ....
DShield: We want your logs!
• The ISC's principal inputs come from Dshield.org and Internet users.
• Dshield.org is fueled by log contributions by Internet users and corporations.
• All logs are scrubbed before they are submitted.
    Src IP, src port, destination port
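The slide names source IP, source port and destination port as the submitted fields, so the example below (added here, not the DShield client's own code or format) scrubs constructed netfilter-style firewall log lines down to those fields plus timestamp and protocol, dropping the contributor's own destination address. The record layout and the assumption that the destination IP is the field to drop are mine, not DShield's.

```python
"""Illustrative DShield-style log scrubbing (added example, not the DShield client).

Assumption: input lines are iptables/netfilter kernel-log lines. Only the
fields the slide names (source IP, source port, destination port) plus the
timestamp and protocol are kept; the submitter's own DST address is dropped.
The output record layout is an illustration, not DShield's submission format.
"""
import re
from typing import Optional

# Constructed sample firewall log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
May 13 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
May 13 10:01:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=40000 DPT=53
May 13 10:01:04 fw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
not a firewall line at all
"""

# SPT/DPT are optional because ICMP lines carry TYPE/CODE instead of ports.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def scrub_line(line: str) -> Optional[dict]:
    """Return the scrubbed record for one log line, or None if it does not parse.
    DST is matched only to validate the line shape; it is never copied out."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src_ip": m.group("src"),
        "src_port": int(m.group("spt")) if m.group("spt") else None,
        "dst_port": int(m.group("dpt")) if m.group("dpt") else None,
        "proto": m.group("proto"),
    }


def scrub_log(text: str) -> list:
    """Scrub every parseable line; lines that do not parse are skipped, not guessed."""
    return [rec for rec in (scrub_line(l) for l in text.splitlines()) if rec is not None]


if __name__ == "__main__":
    for rec in scrub_log(SAMPLE_LOG):
        print(rec)
```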
DShield Collection clients
• Clients installed on firewalls, IDS, and gateway routers/firewalls
• Developed by SANS and third parties
• Log transfer via HTTP or SMTP
Role of the Handler
• Analysis:
    Assign meaning to submissions and data
    Correlate between the inputs and known data
    Solicit further information from sources
• Prioritize each incident:
    Overall impact
    Ability of the ISC to contribute
    Number of submissions
    Size of the affected user population
Role of the Handler, cont…
• Incident handling:
    Identify
    Contain
    Eradicate
    Recover
    Lessons Learned!
Diaries are Dynamic
(Diagram: Initial Observation → Diary Worthy? → Initial Diary → Additional Observations → Revised Diaries)
• Initial Diary: immediate publication of the new event to solicit feedback from readers and provide the earliest possible alert.
• Additional observations from readers feed revised diaries.
Other output
• FightBack functionality
    Send automated abuse reports on behalf of users
    Very specific attacks only
• AS-specific reports
• Anti-virus distribution list
Microsoft Patch Tuesday
• Second Tuesday is the top day for visits to the ISC
• What we add:
    Overview
    Independent rating
    History
October is Cyber Security Awareness Month
• In 2009, ISC chose securing common ports and protocols as the theme.
• In 2008, the theme was “Incident Handling”: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
• In 2007, ISC published security awareness tips.
Support the ISC!
• Send us your logs: http://www.dshield.org/howto.html
• Read the ISC: http://isc.sans.edu/
• Send us your observations: http://isc.sans.edu/contact.html or handlers@sans.org
• Send us your malware: http://isc.sans.edu/contact.html
Thanks!
Questions??
For future questions please contact rwanner@isc.sans.org

Internet Storm Center briefing 20100513