internet storm center briefing 20100513
Post on 09-Jun-2015
Rick Wanner - ISC Handler
rwanner@isc.sans.org
A brief briefing…
The Internet Storm Center
Rick Wanner B.Sc., I.S.P., ITCP
Client Technology Manager, Corporate Security at SaskTel
Masters Student at SANS Technology Institute (www.sans.edu)
Independent contractor/Volunteer with
SANS/GIAC
ISC Handler since 2008
rwanner@isc.sans.org
The Internet Storm Center
• The ISC is composed of approximately 40 volunteer handlers who coordinate a group of volunteer intrusion analysts and malware specialists.
• Daily “Handler on Duty”
Daily diary/blog published at http://isc.sans.edu/
The Internet Storm Center acts as a distributed early
warning system for the Internet
The ISC acts as an intermediary with ISPs worldwide.
Sponsored by the SANS Technology Institute
(http://www.sans.edu).
ISC = DSHIELD +
Contributors + Handlers
From: isc reader
To: handlers@sans.org
Subject: Recent attack.
....
[Diagram: inputs to the ISC: DShield data, reader reports, ISC handlers, user logs]
DShield: we want your logs!
The ISC's principal inputs come from DShield.org and Internet users.
DShield.org is fueled by log contributions from Internet users and corporations.
All logs are scrubbed before they are submitted; the fields retained are source IP, source port and destination port.
DShield collection clients
Clients installed on firewalls, IDS, and gateway routers/firewalls
Developed by SANS and third parties
Log transfer via HTTP or SMTP
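The two slides above describe what a DShield client does before it ships anything: read the firewall's own log, keep only the attacker's address and ports, and drop the contributor's own destination address. The following is an added example of that scrubbing step, written for this page and not taken from any DShield client. It assumes iptables-style LOG lines (the constructed sample below uses documentation-range addresses), assumes that only dropped TCP/UDP packets are worth contributing, and uses a tab-separated output layout of its own choosing, since the page does not show the real client's wire format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four iptables-style lines as a Linux gateway firewall
# might log them. Addresses are from documentation ranges; 198.51.100.7 plays
# the contributor's own (destination) address, which must not be submitted.
SAMPLE_FIREWALL_LOG = """\
May 13 10:01:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=22 SYN
May 13 10:01:05 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51235 DPT=445 SYN
May 13 10:02:17 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=UDP SPT=40000 DPT=1434
May 13 10:02:18 gw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.20 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=80 SYN
"""

# Fields of an iptables LOG line that the scrub needs. SPT/DPT are optional
# because ICMP entries carry neither.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+kernel:\s+(?P<action>\w+)\s.*?"
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)"
    r"(?:\s+SPT=(?P<spt>\d+))?(?:\s+DPT=(?P<dpt>\d+))?"
)


@dataclass(frozen=True)
class ScrubbedRecord:
    """The fields that survive scrubbing: what the attacker sent and where it
    was aimed, without the contributor's own destination address."""
    timestamp: str
    src_ip: str
    src_port: int
    dst_port: int
    proto: str


def scrub_line(line: str) -> Optional[ScrubbedRecord]:
    """Return a scrubbed record for a dropped TCP/UDP packet, else None.

    Accepted traffic and port-less protocols (ICMP) are skipped; reporting
    only blocked packets is this example's assumption about what a sensor
    should contribute."""
    m = LINE_RE.match(line)
    if not m or m.group("action") != "DROP" or m.group("spt") is None or m.group("dpt") is None:
        return None
    return ScrubbedRecord(
        timestamp=m.group("ts"),
        src_ip=m.group("src"),
        src_port=int(m.group("spt")),
        dst_port=int(m.group("dpt")),
        proto=m.group("proto"),
    )


def scrub_log(text: str) -> List[ScrubbedRecord]:
    return [r for r in (scrub_line(line) for line in text.splitlines()) if r is not None]


def to_submission(records: List[ScrubbedRecord]) -> str:
    """Serialize as one tab-separated line per record. The column order is this
    example's own choice; the real DShield client format is not shown on the page."""
    return "\n".join(
        f"{r.timestamp}\t{r.src_ip}\t{r.src_port}\t{r.dst_port}\t{r.proto}" for r in records
    )


def leaks_address(submission: str, own_addresses: List[str]) -> bool:
    """Pre-submission check: does the scrubbed output still mention any of the
    contributor's own addresses? Whole-field match, so 10.0.0.1 does not match 10.0.0.10."""
    own = set(own_addresses)
    return any(field in own for line in submission.splitlines() for field in line.split("\t"))


if __name__ == "__main__":
    records = scrub_log(SAMPLE_FIREWALL_LOG)
    out = to_submission(records)
    assert not leaks_address(out, ["198.51.100.7"])
    print(out)
```

The `leaks_address` check is the part worth keeping in any real client: run it against every address the sensor owns before the upload, since a scrub that silently keeps `DST=` hands your internal addressing to whoever can read the submission channel.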
Role of the Handler
Analysis:
  Assign meaning to submissions and data
  Correlate between the inputs and known data
  Solicit further information from sources
  Prioritize each incident by:
    Overall impact
    Ability of the ISC to contribute
    Number of submissions
    Size of the affected user population
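The analysis slide above lists the handler's job in the abstract: correlate submissions against known data, rank incidents by submission count and by the size of the affected population, and go back to sources for more detail. The following is an added example of one way to do that over scrubbed DShield-style records; it is not the ISC's own tooling. The scoring (departure from a per-port baseline, then number of distinct contributors, then raw count) and the rule that a port seen by a single contributor is set aside as local noise are this example's assumptions, and the records and baseline are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Report:
    contributor: str   # which sensor submitted it: a proxy for the affected user population
    src_ip: str
    src_port: int
    dst_port: int


# Constructed sample: one day's scrubbed submissions from four contributors.
TODAY = [
    Report("c1", "203.0.113.45", 51234, 445),
    Report("c1", "203.0.113.45", 51235, 445),
    Report("c2", "203.0.113.45", 51300, 445),
    Report("c3", "198.51.100.77", 40000, 445),
    Report("c4", "192.0.2.9", 42000, 445),
    Report("c1", "192.0.2.9", 42001, 22),
    Report("c2", "192.0.2.10", 42002, 22),
    Report("c2", "203.0.113.8", 1025, 1434),
    Report("c3", "203.0.113.8", 1026, 1434),
    Report("c1", "203.0.113.99", 50000, 5060),
]

# Constructed baseline: mean reports per day for each port over the prior week.
BASELINE: Dict[int, float] = {445: 1.0, 22: 2.0, 1434: 1.0, 5060: 0.5}


@dataclass
class PortSummary:
    dst_port: int
    reports: int        # number of submissions
    sources: int        # distinct attacking addresses
    contributors: int   # distinct sensors seeing it
    ratio: float        # reports today / baseline; inf when the port has no history


def summarize(reports: List[Report], baseline: Dict[int, float]) -> Dict[int, PortSummary]:
    """Correlate today's submissions with the known baseline, per destination port."""
    by_port = defaultdict(list)
    for r in reports:
        by_port[r.dst_port].append(r)
    out = {}
    for port, rs in by_port.items():
        base = baseline.get(port, 0.0)
        out[port] = PortSummary(
            dst_port=port,
            reports=len(rs),
            sources=len({r.src_ip for r in rs}),
            contributors=len({r.contributor for r in rs}),
            ratio=len(rs) / base if base > 0 else float("inf"),
        )
    return out


def prioritize(reports: List[Report], baseline: Dict[int, float],
               min_contributors: int = 2) -> List[PortSummary]:
    """Rank ports by departure from baseline, then by how many contributors
    see them, then by raw count. Ports seen by a single contributor are set
    aside as probable local noise (the threshold is this example's assumption)."""
    summaries = summarize(reports, baseline).values()
    kept = [s for s in summaries if s.contributors >= min_contributors]
    return sorted(kept, key=lambda s: (s.ratio, s.contributors, s.reports), reverse=True)


def contributors_to_ask(reports: List[Report], dst_port: int) -> List[str]:
    """Who to go back to for full packet logs on a port that made the cut
    (the 'solicit further information' step)."""
    return sorted({r.contributor for r in reports if r.dst_port == dst_port})


if __name__ == "__main__":
    for s in prioritize(TODAY, BASELINE):
        print(f"port {s.dst_port}: {s.reports} reports, {s.sources} sources, "
              f"{s.contributors} contributors, {s.ratio:.1f}x baseline; "
              f"ask {contributors_to_ask(TODAY, s.dst_port)}")
```

A port with no history at all sorts to the top (ratio is infinite), which is deliberate: something nobody has ever been hit on before is exactly what a handler wants to see first, provided more than one contributor reports it.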
Role of the Handler, cont…
Incident handling:
Identify
Contain
Eradicate
Recover
Lessons Learned!
Diaries are Dynamic
[Diagram: Initial Observation -> Diary Worthy? -> Initial Diary -> Additional Observations -> Revised Diaries]
Immediate publication of a new event to solicit feedback from readers and provide the earliest possible alert.
Other output
FightBack functionality:
  Sends automated abuse reports on behalf of users
  Very specific attacks only
AS-specific reports
Anti-virus distribution list
Microsoft Patch Tuesday
Second Tuesday is the top day for visits to
the ISC
What we add:
Overview
Independent rating
History
October is Cyber Security Awareness Month
In 2009, ISC chose securing common ports and protocols as the theme.
In 2008, the theme was "Incident Handling":
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
In 2007, ISC published security awareness tips.
Support the ISC!
Send us your logs:
http://www.dshield.org/howto.html
Read the ISC:
http://isc.sans.edu/
Send us your observations:
http://isc.sans.edu/contact.html
handlers@sans.org
Send us your malware:
http://isc.sans.edu/contact.html
Thanks!
Questions??
For future questions please
contact
rwanner@isc.sans.org