ISC History and Overview

Twitter/X: @sans_isc
Mastodon: infosec.exchange/@sans_isc
Bluesky: sansisc.bsky.socal

Part of the SANS Technology Institute, the Internet Storm Center (ISC) stands as a beacon of vigilance and resilience in the ever-evolving landscape of cybersecurity. Born out of necessity in 2001, following the ominous emergence of the Li0n worm, this pivotal institution has transformed into a global force, safeguarding millions against the relentless onslaught of cyber threats.

The genesis of ISC traces back to March 22, 2001, when intrusion detection sensors worldwide identified a surge in probes targeting port 53, the bastion of the Domain Name Service. What started as a trickle soon escalated into a deluge, heralding the advent of a global security incident. In rapid response, a cadre of SANS GIAC-certified intrusion detection experts mobilized, rallying a global community of security practitioners to stem the tide of the impending crisis.

Within 3 hours, the first copy of the nefarious worm code surfaced, a testament to the collective vigilance of the cybersecurity community. Armed with unparalleled expertise, these analysts dissected the worm’s modus operandi, crafting a bespoke program to identify and mitigate its destructive impact. This swift response, bolstered by real-time collaboration and data sharing, epitomized the power of collective action in combating cyber threats.

The watershed moment catalyzed the birth of the SANS Internet Storm Center, an embodiment of the ethos of community-driven cybersecurity. Integrated into the SANS Technology Institute, ISC emerged as a bastion of real-time threat intelligence, galvanizing a global network of cybersecurity practitioners in a relentless pursuit of cyber resilience.

Today, ISC stands as a vanguard against the ever-looming specter of cyber attacks. Armed with millions of intrusion detection log entries from sensors spanning over thousands IP addresses worldwide, ISC serves as the harbinger of new attack trends and emerging threats. Its mission transcends borders, providing authoritative data on cyber attacks across diverse industries and regions worldwide.

Crucially, ISC remains a testament to the power of collaboration and altruism in the realm of cybersecurity. A free service, supported by the SANS Institute and fueled by the dedication of volunteer incident handlers, ISC epitomizes the spirit of community-driven defense. Through its daily diaries, podcasts, and myriad initiatives, ISC serves as an invaluable resource, empowering individuals and organizations to navigate the turbulent seas of cyberspace.

For bachelor’s degree students at the SANS Technology Institute, the ISC is a vital source of experiential learning and hands-on engagement. Interning virtually as apprentice handlers, students in the bachelor’s degree program in applied cybersecurity glean invaluable insights, analyzing threats observed by honeypots they deploy, thereby honing their skills, fortifying their defenses against cyber adversaries, and gaining real-world experience few programs can match.

In the realm of cybersecurity, where threats loom large and vulnerabilities abound, the Internet Storm Center stands as a steadfast sentinel, a testament to the power of collaboration, vigilance, and community-driven defense in safeguarding our digital future.

Behind the Internet Storm Center

The ISC relies on an all-volunteer effort to detect problems, analyze the threat, and disseminate both technical as well as procedural information to the general public. Thousands of sensors that work with most firewalls, intrusion detection systems, home broadband devices, and nearly all operating systems are constantly collecting information about unwanted traffic arriving from the Internet. These devices feed the DShield database where human volunteers as well as machines pour through the data looking for abnormal trends and behavior. The resulting analysis is posted to the ISC's main web page where it can be automatically retrieved by simple scripts or can be viewed in near real time by any Internet user.

In many ways, the ISC parallels the data collection, analysis, and warning system used by weather forecasters. For example, the National Weather Service uses small sensors in as many places as possible to report pressure, wind speed, precipitation and other data electronically to regional weather stations. These local stations provide technical support to maintain the sensors, and they summarize and map the sensor data and display it for local meteorologists. They also forward the summarized data to national weather center or transnational weather analysis centers. If analysts are available to monitor the data, they can provide early warnings of storms in their areas. The national and transnational weather analysis centers summarize and map all the regional data to provide an overall picture of the weather. They monitor the data constantly looking for early evidence of major storms and can provide early warnings whenever possible.

Likewise, the Internet Storm Center uses small software tools to send intrusion detection and firewall logs (after removing identifying information) to the DShield distributed intrusion detection system. The ISC's volunteer incident handlers monitor the constantly changing database to provide early warnings to the community of major new security threats. The ISC also provides feedback to participating analysis centers comparing their attack profiles to those of other centers, and provides notices to ISPs of IP addresses that are being used in widespread attacks. The ISC maintains a very popular daily diary of incident handler’s notes, and can generate custom global summary reports for any Internet user.

The value of the Internet Storm Center is maximized when the sensors are collecting data on attacks touching all corners of the Internet. Because of the vastness of cyberspace it is impossible to instrument the entire Internet. Instead, samples are taken in as many diverse places as possible to create an accurate representation of current Internet activity. Many ISC users send their log data directly to the ISC databases without going through an organizational or local analysis and coordination center. Several large organizations have expressed interest in mirroring the ISC's distributed intrusion detection system, placing sensors at the edges and within their networks to provide early detection of anomalous behavior.

Early Warning

In addition to hundreds of users who monitor the ISC's website and provide some of the best early warnings, the ISC is supported by a core team of expert volunteer incident handlers, making it a virtual organization composed of the top tier of intrusion detection analysts from around the globe.

The all-volunteer team monitors the data flowing into the database using automated analysis and graphical visualization tools and searches for activity that corresponds with broad based attacks. They report their findings to the Internet community through the ISC main web site, directly to ISPs, and via general postings and emails to newsgroups or public information sharing forums.

The team determines whether a possible attack is real and whether it is worth follow-up action. If so, the team can request an immediate email to the 100,000 subscribers to the SANS Security Alert Consensus - an alerting service used primarily by very advanced security- conscious system and network administrators and analysts. The email would ask for data and code from anyone who has hard evidence of the attack.

Once the attack is fully understood, the team determines the level of priority to place on the threat, whether to make a general announcement or simply post it, and whether to get core Internet backbone providers involved so they may consider cutting off traffic to and from sites that may be involved in the attacks.

The ISC maintains a private web site and private reports for each reporting site. Reports include lists of the most recent attacks along with the indications of how many other sites the attackers have targeted, the severity of each attack, and background data about why attackers target specific ports. The web page helps the reporting site manage its intrusion data and keeps track of attacks.

Users can show the results of submissions in a variety of formats including columnar data or pie charts. Data can also be exported in formats usable in other data visualization programs.

Participating with the Internet Storm Center

The ISC uses the DShield distributed intrusion detection system for data collection and analysis. DShield collects data about malicious activity from across the Internet. This data is cataloged and summarized and can be used to discover trends in activity, confirm widespread attacks, or assist in preparing better firewall rules.

Currently the system is tailored to process outputs of simple packet filters. As firewall systems that produce easy to parse packet filter logs are now available for most operating systems, this data can be submitted and used without much effort.

DShield is a free service sponsored by the SANS Institute for the benefit of all Internet users. Participants may sign up for DShield at https://www.dshield.org/register/

You do not have to register up in order to submit firewall logs to DShield. You can submit logs anonymously. But there are benefits to registering. Registered users can

• view the firewall logs they submitted to the DShield database (for the last 30 days.)
• get a confirmation of their own submissions emailed to them after every submission.
• optionally enable Fightback. DShield will forward selected authenticated submissions to the ISP implicated when we detect that you have been attacked. Registered users can see a summary of Fightback abuse messages that have been sent on their behalf.

The Internet Storm Center project succeeds through active participation of people who use firewalls and intrusion detection systems and who understand how sharing the data from those systems is a powerful way to help themselves and the entire Internet community.

If you use a firewall, please submit your logs to the DShield database. You may either download one of our ready to go client programs, write your own, or use our Web Interface to manually submit your firewall logs. Registration is encouraged, but is not required.

All Internet users are welcome to use the information in the DShield reports and database summaries to protect their network from intrusion attempts.