Internet Storm Center
The Internet Storm Center (ISC) is a program of the SANS Technology Institute, a branch of the SANS Institute, which monitors the level of malicious activity on the Internet, particularly with regard to large-scale infrastructure events.
The ISC evolved from "Incidents.org", a site initially founded by the SANS Institute to assist in the public-private sector cooperation during the Y2K cutover. In 2000, Incidents.org started to cooperate with DShield to create a Consensus Incidents Database (CID). It collected security information from cooperating sites and agencies for mass analysis.
On March 22, 2001, the SANS CID was responsible for the early detection of the "Lion" worm attacks on various facilities. The quick warning and counter-efforts organized by the CID were instrumental in controlling the damage done by this worm, which otherwise might have been considerably worse.
Later, DShield was more closely integrated into incidents.org as the SANS Institute started to sponsor DShield. The CID was renamed the "Internet Storm Center" in acknowledgement of the way it uses its distributed sensor network, similar to the way a weather reporting center will detect and track an atmospheric storm and provide warnings. Since that time the ISC has expanded its monitoring operations; its website cites a figure of over twenty million "intrusion detection log entries" per day. It continues to provide analyses and alerts of security threats to the Internet community.
During the last hours of 2005 and the first weeks of 2006, the Internet Storm Center kept its Infocon at "yellow" for the WMF vulnerability, its longest such period at the time.
The most prominent feature of the ISC is a daily "Handler Diary", which is prepared by one of the 40 volunteer incident handlers and summarizes the events of the day. It is frequently the first public source for new attack trends and actively facilitates cooperation by soliciting more information to understand particular attacks better.
The Internet Storm Center is currently staffed with approximately 40 volunteers, representing 8 countries and many industries.
Notable members
- Director of the ISC: Marcus Sachs
- Chief Technical Officer: Johannes Ullrich
- Handler Tom Liston