Johannes Ullrich | The good guys have to cooperate

The Internet Storm Center, created by the SANS Institute, works with Internet service providers to defend against the most malicious attacks.Johannes Ullrich has been with the ISC since the beginning and is now its chief technology officer. He tracks threats to the Internet infrastructure by correlating firewall and intrusion-detection system logs from contributors worldwide. He developed the collection engine for the system, Dshield.org, which serves as an early warning system for high-profile threats.Ullrich holds a bachelor's degree in physics from Universitat Wurzburg, Germany, and both a master's and doctorate in physics from the State University at Albany, N.Y. Before joining SANS, he worked as a lead support engineer for a Web development company and as a research physicist.Ullrich was named one of the 50 most powerful people in the networking industry by Network World in 2004.Although SANS Institute is based in Bethesda, Md., he and his wife just moved to Jacksonville, Fla., from the Boston area; one of the joys of working on Internet-based problems is that one's home can be anywhere. He spoke recently with GCN senior writer Patience Wait.Ullrich: We call it a cooperative network security system. It's basically run by about 40 handlers, who are hand-picked security experts. One of the main criteria is diversity'different geography, industries and such. Forty is about the size we like.We receive reports of security events. We have the DShield database, volunteers submitting their data logs. We also receive e-mails, a contact form that allows people to submit observations in general. We basically review these reports and try to contact whoever submitted them if we need to find out more.Ullrich: There are about 2,000 right now. They range anywhere from the home user with cable IT to universities and companies. We don't have any government agencies that are submitting logs; we had some non-U.S. agencies that were submitting logs. A couple of our handlers work for the government or have worked for the government in the past.[The users] are all part of a big mailing list. Each handler picks a day a month to be the designated handler for the day. They coordinate any response that's necessary.Ullrich: I'm working for the SANS Institute. Running the ISC is part of my role, and I'm also coordinating other research activities, such as the GIAC [Global Information Assurance Certification], as part of my responsibilities. I also work as a handler. Though handlers are on call for 24 hours, you're not expected to stay up all 24 hours. Given that most of our audience is U.S.-based, typically the incoming reports are somewhat synchronized.Ullrich: Distributed''distributed shield' to protect systems. Originally it was set up kind of for home users, then expanded.Ullrich: They don't want to identify their own networks, because the logs we receive may provide information about their security posture, what kinds of attacks they reject, [or] there may be internal privacy regulations. They kind of benefit even if they don't submit any logs.Ullrich: It's on a case-by-case basis; it's more or less informal. We don't have any written agreements with anybody. ... Like with government agencies, we do have a couple of handlers working for ISPs, that helps with our contacts ... to have ISPs exchanging information.Ullrich: Green? That nothing unusual is happening. Attacks are going on all the time, so we try to stay away from that model'it would always be yellow or orange. We usually require some immediate action if the [information condition] changes. We do have an RSS feed where people can get alerts. People wrote a couple of little applications to get notifications.Ullrich: Over the last couple of years these attacks have become more and more commercialized. The intent of the attacks is becoming money rather than notoriety, [and] they're becoming more sophisticated. Denial-of-service attacks changed focus. They used to be more retaliatory'you don't like somebody, you knock them off the 'Net'but these days, it's either a competitor or extortion.Online gambling sites are targets. They have less means to fight against the attacks because U.S. network providers aren't allowed to help them. There have been a couple of cases where U.S. security consultants have been charged with helping online gaming. That's one of the fundamental issues, where the concept of nation-state conflicts with the nature of the Internet.All along, the attacks have sort of come from the same countries. We see the attacks being coordinated [from] the United States, Korea, Europe. Overall, when we trace them back and look at the financial attacks, a lot trace back to Eastern Europe. And there seems to be quite a good number from Asia, China, though we can't tell if they're relays or actually originating there.Ullrich: One thing I'm hoping to do soon is internationalize it more, offer it in different languages. We already have handlers worldwide, but our users are in the U.S. and Europe. I want to find ways to better include Asia.Ullrich: The big message is: What you really have to do to achieve better security is cooperate. One of the big problems in security is that a lot of [organizations] believe in security through obscurity'if you don't share, you can stay [below the radar]. The bad guys benefit from [their own] cooperation; a lot of the hacker community shares tools. So to fight this, we have to learn to share more efficiently than the bad guys, share our methods. That's really the big motivation behind the shield.Ullrich: That's something that Alan Paller of SANS came up with. Originally it was Storm Watch, but the name was already used by a security company. It's like having sensors all over the Internet.Ullrich: I am paid by SANS, and there's a consultant who does some of our software. One thing people are asking is to visit the Storm Center. But there is no real physical location, just a list of distributed handlers all over the world. There is a server closet that all our servers are in, but there's no big screen. I'm wondering whether that's really a spectator sport'it's not really impressive to watch someone sitting in front of a monitor.Ullrich: There are a number of ways we disseminate our results. We have an e-mail discussion list, and there's . We also have monthly webcasts, the day after the Tuesday that Microsoft releases its patches. That's usually handled by myself or [another handler] and a vendor that's sponsoring the webcast. That second part changes from month to month.