Last Updated: 2010-01-03 01:27:24 UTC
by Marcus Sachs (Version: 1)
As many of our long-time readers are aware, the SANS Internet Storm Center evolved from an initiative launched by the SANS Institute in December 1999 in support of the US government's concern that hackers might take advantage of the Y2K rollover confusion by launching attacks against critical systems while system administrators were tied up solving Y2K date problems. Since we are now over ten years old I thought I would dig up some of the old web pages and archived files, then post this diary to tell a bit of the story. I hope you enjoy the trip down memory lane!
Here is the text of a letter sent to the SANS community by Stephen Northcutt that got everything started:
From: The SANS Institute <firstname.lastname@example.org>
Sent: Mon, 20 Dec 1999 7:52 PM
Subject: SANS Flash: Y2K Real-time Info Center
SANS Flash Advisory:
SANS and the National Y2K Information Coordination Center (ICC) Request Your Assistance on Intrusion Detection Over The Next Two Weeks
Hello, I am Stephen Northcutt, Intrusion Detection Program Manager for SANS. I am writing to request your help.
Several of us recently learned that we will not be spending New Year's Eve at parties (as, I expect, many of you won't). Instead, several SANS Institute faculty members and additional analysts will be cooperating to analyze network traces in support of the cyber assurance cell of the US Government's National Y2K Information Coordination Center in Washington, D.C. The success of this program depends heavily on the active participation of the entire community.
SANS's role is to isolate network traffic traces that represent attacks, find the malicious code, and get the word out to people who can block it -- all in real time. It was our community's work in stopping the RingZero traffic that led the government to request this assistance from the SANS community.
I'm writing you this week since December 24th usually marks the peak of hacker activity over the holidays.
We can't do this without your help. We are asking that you let us know about any intruder-type traffic that you see any time from now through January 5, 2000. Please help by sending suspicious network and log files to <email@example.com>.
We will be establishing a web page (http://www.sans.org/y2k.htm) and have established real-time e-mail notification list for those who will be on duty during the rollover. If you prefer frequent e-mail updates about newly observed security problems to checking the web page(s), send an empty mail message to <firstname.lastname@example.org> and you will be added to the mailing list (whose names will be destroyed on January 5, 2000). A reply to your request will be issued instantly if the list-add is successful.
The Global Incident Analysis Center (GIAC) was launched the next day on December 21, 1999. The original GIAC pages and the Y2K effort are no longer available on SANS' website, but thanks to the good people at the Internet Archive, we can still see what was going on back then. Unfortunately there are no archived pages of the GIAC from December 1999. Here is what GIAC looked like early in 2000:
Here are the archives of the Y2K project:
Here is an archive of Stephen Northcutt's appeal to readers in the letter above, but with more information about what SANS planned to do:
And for those of use who were manning other watches at the time (I was on duty at the JTF-CND then, and stood watch on the shift that went from 6 PM on December 31st to 6 AM on January 1st) who could forget the "Stutzmann Report" that was issued daily by Jeff Stutzmann?
In 2001 the initials "GIAC" were adopted by the SANS Global Information Assurance Certification program and "incidents.org" was spun off as the site where analysis of threats and events could be found. Here is the note on the GIAC website notifying everybody that we were moving to incidents.org:
Here is the original incidents.org web site:
Within a few weeks, incidents.org got its legs and the new website began to take on a more complete look:
As a result of the work done on the Li0n worm, the term "Internet Storm Watch" was chosen as the name of the all-volunteer service that SANS was running. It was later changed to "Internet Storm Center" which is what has been in use since then. If you poke around some of those archived pages you'll see an occasional reference to the Internet Storm Watch. Eventually we started using "isc.sans.org" as our URL rather than "incidents.org". Here's what we looked like then:
Since its inception as GIAC and then later as incidents.org we've been using the "diary" format to report on what we've been seeing and analyzing (we don't write blogs, we write diaries!) Near the end of 2003 we started the Handler of the Day (HOD) concept where each of the volunteer handlers would take 24-hour shifts, changing at 0000UTC each day. Our handlers live all around the world, which means that 24 hours a day one of them is awake and watching for emerging Internet security events. While only one handler at a time is the HOD, each of us can create a diary entry anytime we see something unusual happening. We maintain our own private chat room where we can coordinate things behind the scenes, and we have an internal set of web pages where we sign up for HOD shifts, keep contact information, have our own set of FAQs, etc.
Two other projects happening back in the early days were the Consensus Incident Database (CID) and the Intrusion Detection FAQs. The CID was an effort to bring together logs from lots of sensors around the world so that analysts could correlate events happening beyond their own firewalls. Here is an FAQ page that explained the project:
Johannes Ullrich's DShield project merged with this effort in 2001, here is an early archive of dshield.org:
The IDFAQ project attempted to provide a one-stop location of everything you ever wanted to know about detecting intrusions. While a bit dated, the old FAQ site still has lots of useful information:
I hope this bit of history will help explain where we came from and what was going on in the early years. Since 2003 we've been maintaining an archive of all of our diaries so it's a bit easier now to go back and recreate what was happening in previous years.
I must say that the 35 or so volunteer handlers we have are some of the best on the planet, and we are supported by hundreds of loyal readers and people who continue to submit their own analysis of things they are seeing around the Internet. While the threats and vulnerabilities have changed a lot over the past ten years, the cooperative spirit behind the SANS Internet Storm Center has remained steady and strong. Thanks to all who support this effort, and we are all looking forward to continuing the collaboration in the new decade.
Marcus H. Sachs
Director, SANS Internet Storm Center
Last Updated: 2010-01-02 15:20:31 UTC
by Marcus Sachs (Version: 2)
Karl sent us a note about date parsing issues in Spamassassin. I thought we fixed all of these problems ten years ago when we went through the Y2K transition. Apparently not. More details are at these URLs:
Thanks for the info Karl!
In addition to the comments below, one of our readers sent in this note:
Run "saupdate" or create the following line in your local.cf file:
score FH_DATE_PAST_20XX 0
You can learn about sa-update here:
The sa-update path is preferred.
Thanks for the comments Joanne!
Marcus H. Sachs
Director, SANS Internet Storm Center