Computer 10: Lesson 10 - Online Crimes and Hazards
Internet Storm Center briefing 20100513
1. A brief briefing…
The Internet Storm Center
Rick Wanner - ISC Handler
rwanner@isc.sans.org
2. Rick Wanner, B.Sc., I.S.P., ITCP
Client Technology Manager, Corporate Security at
SaskTel
Masters Student at SANS Technology Institute
(www.sans.edu)
Independent contractor/Volunteer with
SANS/GIAC
ISC Handler since 2008
rwanner@isc.sans.org
3. The Internet Storm Center
• The ISC is composed of approximately 40 volunteer
handlers who coordinate a group of volunteer
intrusion analysts and malware specialists.
• Daily “Handler on Duty”
Daily diary/blog published at http://isc.sans.edu/
The Internet Storm Center acts as a distributed early
warning system for the Internet
The ISC acts as an intermediary with ISPs worldwide.
Sponsored by the SANS Technology Institute
(http://www.sans.edu).
4. ISC = DSHIELD +
Contributors + Handlers
User Logs
DShield Data
ISC Handlers
Reader Reports
From: isc reader
To: handlers@sans.org
Subject: Recent attack.
....
5. DShield - We want your logs!
The ISC's principal inputs come from
DShield.org and Internet users
DShield.org is fueled by log contributions
by Internet users and corporations.
All logs are scrubbed before they are
submitted.
Src IP, src port, destination port
6. DShield Collection clients
Clients installed on firewalls, IDS, and
gateway routers/firewalls
Developed by SANS and third parties
Log transfer via HTTP or SMTP
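The two slides above describe what a collection client does: read firewall logs, scrub them down to source IP, source port and destination port, and ship the result over HTTP or SMTP. The following Python is an added example written for this page, not DShield's own client code (which is linked from dshield.org/howto.html). It assumes an iptables/syslog-style input line format and a tab-separated submission body; both are assumptions, and the log lines are constructed using RFC 5737 documentation addresses, not real traffic. It also goes one step beyond the slide by counting hits per source and destination port, which is the view a distributed early-warning system builds from contributed logs.

```python
import re
from collections import Counter

# Constructed sample of iptables/syslog-style firewall lines (not real traffic).
# The last line is deliberately malformed to show that junk never reaches the submission.
SAMPLE_LOG = """\
May 13 10:01:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP SPT=43512 DPT=22
May 13 10:01:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.20 PROTO=TCP SPT=43513 DPT=22
May 13 10:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.20 PROTO=UDP SPT=5060 DPT=5060
May 13 10:01:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.21 PROTO=TCP SPT=43514 DPT=445
May 13 10:01:10 fw kernel: IN=eth0 OUT= SRC=not-an-ip DST=198.51.100.21 PROTO=TCP SPT=1 DPT=80
"""

# Assumed input format: netfilter-style KEY=VALUE tokens inside a syslog line.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S*)")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_line(line):
    """Return the KEY=VALUE fields of one firewall line, or None if the line is not a firewall record."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    return fields


def scrub(fields):
    """Keep only source IP, source port and destination port (the fields the slide lists).

    Everything else, in particular the contributor's own destination address (DST),
    is dropped. Records that fail validation return None so they are never submitted.
    """
    src = fields.get("SRC", "")
    if not IPV4_RE.match(src):
        return None
    try:
        sport = int(fields.get("SPT", ""))
        dport = int(fields["DPT"])
    except ValueError:
        return None
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        return None
    return (src, sport, dport)


def scrub_log(text):
    """Scrub a whole log; returns a list of (src_ip, src_port, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        rec = scrub(fields)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records):
    """Count hits per (src_ip, dst_port): the view a sensor network uses to spot a scanner."""
    return Counter((src, dport) for src, _, dport in records)


def submission_body(records):
    """Tab-separated body ready for transfer over HTTP POST or an SMTP message.

    The layout is an assumption made for this example, not DShield's wire format.
    """
    return "".join(f"{src}\t{sport}\t{dport}\n" for src, sport, dport in records)


if __name__ == "__main__":
    recs = scrub_log(SAMPLE_LOG)
    print(submission_body(recs), end="")
    for (src, dport), n in summarize(recs).most_common():
        print(f"{src} -> port {dport}: {n} hit(s)")
```

Run as a script, it prints the scrubbed body (four lines, no DST address anywhere) followed by the per-source, per-port counts; the malformed fifth line is silently discarded.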
7. Role of the Handler
Analysis:
Assign meaning to submissions and data
Correlate between the inputs and known data
Solicit further information from sources
Prioritize each incident
Overall impact
Ability of the ISC to contribute
Number of submissions
Size of the affected user population
8. Role of the Handler, cont…
Incident handling:
Identify
Contain
Eradicate
Recover
Lessons Learned!
9. Diaries are Dynamic
Observation worthy? → Initial Diary:
immediate publication of the new event to solicit
feedback from readers and provide the earliest
possible alert.
Additional observations → Revised Diaries
10. Other output
FightBack functionality
Send automated abuse on behalf of
users
Very specific attacks only
AS-specific reports
Anti-virus distribution list
11. Microsoft Patch Tuesday
Second Tuesday is the top day for visits to
the ISC
What we add:
Overview
Independent rating
History
12. October is Cyber Security
Awareness Month
In 2009, ISC chose securing common ports
and protocols as the theme.
2008, theme was “Incident Handling”
Preparation, Identification, Containment,
Eradication, Recovery, Lessons Learned
2007, ISC published security awareness tips
13. Support the ISC!
Send us your logs:
http://www.dshield.org/howto.html
Read the ISC:
http://isc.sans.edu/
Send us your observations:
http://isc.sans.edu/contact.html
handlers@sans.org
Send us your malware:
http://isc.sans.edu/contact.html
14. Thanks!
Questions??
For future questions please
contact
rwanner@isc.sans.org