Dr. Johannes Ullrich and the SANS Internet Storm Center

September 24, 2018 • Amanda McKeon

The SANS Institute is a well-known and respected cooperative research and education organization. Since its founding in 1989, it’s worked with over 165,000 security professionals around the world, providing training and certification. It also provides free access to a huge library of research documents about information security, and it runs the Internet Storm Center, which it describes as the internet’s early warning system.

Our guest today is Dr. Johannes Ullrich, and he’s responsible for that early warning system. He’s a popular public speaker and host of the ISC StormCast daily podcast, a daily briefing of cybersecurity news that professionals around the world rely on to stay up to date.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello, everyone, and thanks for joining us for episode 75 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

The SANS Institute is a well-known and respected cooperative research and education organization. Since its founding in 1989, it’s worked with over 165,000 security professionals around the world, providing training and certification. It also provides free access to a huge library of research documents about information security, and it runs the Internet Storm Center, which it describes as the internet’s early warning system.

Our guest today is Dr. Johannes Ullrich, and he’s responsible for that early warning system. He’s a popular public speaker and host of the ISC StormCast daily podcast, a daily briefing of cybersecurity news that professionals around the world rely on to stay up to date. Stay with us.

Dr. Johannes Ullrich:

I grew up originally in Germany and came to the U.S. as a graduate student, originally studying physics. And really what got me into cybersecurity was just the fact that doing physics — I was actually doing a lot of x-ray work — I created a lot of software and remote control experiments, and at one point, well, I wanted to control these experiments from home.

This was in the mid-’90s. I got one of the first cable modems back then and built my own router with a little Linux box. The problem back then was, if you set up Linux, it wasn’t just open source. It was also an open mail by default. So of course, a couple of weeks later, I got the phone call from my ISP that I was sending a lot of spam. I guess like anybody in security, you get into security after your first incident.

Dave Bittner:

Right.

Dr. Johannes Ullrich:

And that got me interested in, “What is spam? How does it all work?” I learned about firewall rules and all of that. So the second mistake I guess I made, which is a mistake that most people don’t make, is I actually started to look at my logs. And I realized that there are all these people out there all across the world that try to get into my system for no apparent reason. I did some pretty cool research, I thought, but as a typical researcher, I was happy if people read my papers and such, so it wasn’t anything secret or such. That then got me more into security. I started the system called DShield.org around 2000, where basically, I decided with a couple of friends, “Hey, let’s share our logs and try to figure out what this is all about, who’s looking for our data, and why are they doing it.” So that got me more into security and the industry.

Dave Bittner:

Yeah. You have your PhD in physics. How does your training in physics … Does that at all inform how you approach things in cybersecurity?

Dr. Johannes Ullrich:

I think it does in the sense that I like data-driven approaches, where I try to look for proof that a certain protection method works or doesn’t work. So that was also the idea behind DShield, to collect data. What are the attacks that actually matter? How do I figure out if an attack is targeted or not targeted? A lot of this is based around data analysis and a more scientific approach, I guess, to security.

Dave Bittner:

Yeah. Now, share with us the work that you do with SANS.

Dr. Johannes Ullrich:

Yeah, so SANS has evolved out of this DShield project. At the same time, SANS had a system called Incidents. Incidents.org essentially collected emails and reports from the industry about what people were seeing in their networks. So when I was hired for SANS, I just combined what DShield was and what Incidents.org was to this new thing, the Internet Storm Center. The Internet Storm Center … Well, I describe it as just a collaborative information-sharing community for security where people can tell us what they’re seeing. We try to make sense of it, or we just ask with our posts at the public, “Hey, what do you think about this? What’s your own experience with this particular threat?” So in addition to that, I’m responsible for the research part of SANS. SANS also has a graduate school, the SANS Tech Institute, and I’m running the research program of that, which is mostly our students writing research papers.

Dave Bittner:

Now, you also are the host of the Internet Storm Center podcast. Can you share with us what’s behind that? What prompted you to start that? You’ve been quite successful with that.

Dr. Johannes Ullrich:

Yeah. The idea came out of a conversation with a colleague — “How do you spend the time in your commute?” But this was a few years back, where podcasts had just started coming up. And what I found is that a lot of the podcasts are either too long or too noisy in the sense that there is a lot of chatter about nothing, more or less. So I figured, “Well, can we do something more relevant and shorter?” So I came up with the idea. Why not do a quick, five-minute daily news summary? And this was also built around, well, five minutes. That’s something I can actually do every day. So basically, in the evening usually, I sit down and just talk for five minutes about what happened that day, what I thought was relevant for people’s morning commute. That’s how it is essentially timed. The idea is to make you sound smarter when you show up at work, because you already know about some of the things that may come up during the day.

Dave Bittner:

We want to talk about threat intelligence, so I’m wondering, what is your take on threat intelligence, the current state of things, and how it fits into how people better defend themselves?

Dr. Johannes Ullrich:

Threat intelligence is this huge space, and everybody conceives something a little bit different when thinking about threat intelligence. There’s this joke that when SANS first offered a threat intelligence class, I was saying, “Hey, are you talking just about reading RSS feeds for five days?” That’s not what threat intelligence is. Threat intelligence is about understanding the attacker better. That’s what it’s supposed to do. Now, there are different ways to understand your attacker better. Part of it is learning from attacks others observe. That’s what people think of the most when I talk about threat intelligence — so, getting the reports about attacks that affect others, then looking for similar attacks in your environment that you may have missed before.

I think another important part of threat intelligence that’s often missed, I find, is learning from incidents in your own environment. If you find that compromised system in your environment, figure out how to find more systems like that. That’s, of course, a question people always hate to ask, but if you find one system in your network that’s compromised, there are probably others that had the same vulnerability, or the same attacker was interested in them. So don’t forget to ask that question, and then try to close the loop with your SOC, with your security analysts, the incident handlers that talk to these security analysts, and tell them, “Hey, these are the artifacts that you probably want to look for in order to find more compromised systems.”

Dave Bittner:

Now, what sort of advice do you have for folks who are looking to start using threat intelligence? What’s the best way for them to shop around and figure out what’s best for them?

Dr. Johannes Ullrich:

Well, I think you have to first consider, where are your gaps? What do you not know about attacks that you’re currently experiencing? Then try to find a vendor, an organization, that can help you with that. Another issue with this … It should be somewhat relevant to your business, to the type of network you are running. What usually works pretty well are industry-specific sharing organizations, because if you are, let’s say, a bank, then you’re probably going to see attacks that other banks are seeing, but you’re probably not that terribly interested in attacks that retailers are seeing. So having that kind of filtering and that kind of specialty is certainly important as you look for relevant threat intelligence. It’s very easy to get too much threat intelligence. It should help you focus on attacks and incidents that matter. That’s the goal of it. So if you get more threat intelligence than you get IDS alerts, well, then you’re probably doing it wrong.

Dave Bittner:

Yeah. It’s interesting, because we hear people having to deal with this fire hose of information, alerts, and their logs, and it seems that the real goal here is to make the intelligence that you get actually actionable.

Dr. Johannes Ullrich:

Yeah. I always call it … It should help you color your logs. So you get all of these feeds from your internal sensors, and we all know a lot of them are false positives. But now, you would like to add this threat intelligence information to tell you which of these alerts are relevant. And there are ways to highlight those alerts and assign them a different priority. I think that’s one way that threat intelligence can be used.

Dave Bittner:

Now, switching gears to talk about the broader cybersecurity world, as you look toward the horizon, what are some of the things that have you really concerned?

Dr. Johannes Ullrich:

Well, I think the attackers are getting really good at harvesting public information to create more widely targeted social engineering attacks. Examples are using things like LinkedIn and such. It has gone on for quite a while, but I think attackers are getting better at that. So for example, attackers are using things like usernames and passwords leaked from other sites in order to attack you. Those attacks tend to be pretty difficult to defend against because they come, typically, from large botnets, so large networks of IP addresses. They use somewhat real and relevant information to hit your site.

This is really hard. These credential-stuffing attacks, they’re sometimes called — they’re a huge problem. I also see them being used, for example, in a case from earlier this year, where insurance had problems with that. If you have life insurance, for example, and you never set up an online account to link with your life insurance, criminals are now using that publicly leaked information in order to set up access for you, essentially. And there’s so much information leaked. I don’t think there’s a right way to authenticate the user with just online means anymore. So in that case, actually, they went back to sending out paper mail, which isn’t necessarily where we want to go.

Dave Bittner:

Yeah, yeah. Not terribly efficient.

Dr. Johannes Ullrich:

Yeah.

Dave Bittner:

Where do you see it heading? Has the horse left the barn when it comes to privacy, when it comes to being able to effectively authenticate people? Is it something we need to pull back in?

Dr. Johannes Ullrich:

I think in part, the horse has left the barn when you’re talking about just online verification. I haven’t really seen anybody do that right at this point. In general, I think, what we have to learn and get a better handle on is evaluating risk correctly. How much risk are we exposing ourselves to, based on what authentication method or what features we allow online, and some things, maybe, that should not be done online. We had a big discussion in the U.S. here with electronic voting and such. Maybe paper ballots aren’t all that bad. You have to, in the end, decide, is it worth it not to have paper ballots? What do you actually gain by not doing that? Is it worth the cost saving? And I think businesses have to ask the same question. Are they actually incurring more risks than it’s worth?

Dave Bittner:

I think in our industry, we deal with a lot of hype, and particularly in the past couple of years, we’ve seen a lot of hype around artificial intelligence and machine learning, almost to the point where I think when those terms come up, there’s a tendency for some folks to roll their eyes. And I wonder if we’re actually doing ourselves a disservice, because those are useful tools when applied correctly, but the hype machine has kind of devalued them.

Dr. Johannes Ullrich:

Yeah. I don’t think you can really do much about it. The hype cycle, it’s sometimes called. Whenever there’s a new technology like this, it takes a while for reality to just set in, and for people to know what it does. A lot of this, of course, is also the funding game, where companies are more into selling stock than actually selling products. And sadly, some investors are falling for these keywords. But I think this is something that will sort itself out over the years.

Dave Bittner:

Now, what about the workforce issues? Something that, obviously, you’re involved with there at SANS is training people and getting people up to speed. First of all, do you think that the workforce issue, the shortage of qualified people, is as bad as it’s described?

Dr. Johannes Ullrich:

I think it’s bad. I’m not sure it’s as bad as some of these studies say. There’s, of course, some hype there as well. But I think there’s certainly a shortage, and really, businesses also have to figure out how much they are willing to pay for these positions. I think there’s also some mismatch in expectations there. In the end, I think we certainly have to train more people. We have to train them earlier. By the time they get to SANS, they usually already have a job in security, so at that point, it’s almost too late to do it. SANS, of course, itself, we try to do a lot more with high school kids and try to get people earlier in their career in order to build a pipeline there of cybersecurity professionals.

Dave Bittner:

Yeah. Can you describe to us, what is the focus of SANS? What are some of the programs that you’re offering, and what are your goals?

Dr. Johannes Ullrich:

One thing we, for example, do quite successfully now is, at the high school or undergraduate age, to try to identify candidates using, for example, communication of security, where we set up these security games, these challenges, and try to figure out who’s actually good, who has the right aptitude to do it. And what we actually find is that a lot of kids don’t even realize they’re actually good at it. And part of that is cultural, based on family background and such.

They’re never exposed to it, but in part, these challenges, they’re not just testing technical knowledge, but do you have the right aptitude? Are you the person that really likes to dig into a problem like this and do a puzzle, as we often have to with cybersecurity? And are you able to come up with a new and interesting solution to problems like this? So I think that has a lot of promise. We’re able to identify these kids and get them into these careers, where they can make a difference.

Dave Bittner:

Yeah. It’s interesting to me. I’ve heard cases where organizations are going out and trying to find people like musicians, because they’re people who are trained to handle things that come at them in real time, collaborating with other people, and it’s a way of thinking that can shift and apply to cybersecurity quite well.

Dr. Johannes Ullrich:

Yeah. I remember one case where I was teaching a class for a company in the Bay Area. They had huge problems hiring people because of the cost of living and everything. And one student in class, he was a photographer, and literally, he lost his equipment at the beach, needed a job, and signed up, and was hired. And he was actually one of the better students in class. He got going at it, and this was a very technical class. You have to look a little bit outside the usual candidate pool to identify these people. And of course, we want to identify them early on. You want to know, can they do it? So it’s not just random hiring and then throwing a lot of training at them and see who makes it. But the trick is to identify these people and see, can they actually do it, can they learn what needs to be learned in order to do that job?

Dave Bittner:

Do you think some of the organizations on the HR side are doing themselves a disservice by … We see some of these almost comical job requirements. Looking for interns, must have 10 years of professional experience — that sort of thing.

Dr. Johannes Ullrich:

Yep, yep. I think the problem is, a lot of HR departments in companies are looking for perfect candidates that already know everything they know for the job, and that doesn’t exist in security. You may be able to find a forklift driver that has experience driving forklifts, but if you’re looking for, for example, a security analyst that has experience in the very specific software packages that you’re using in your company, that’s the wrong way to go about it. You have to find people with the right aptitude, and then you have to train them internally. That’s what you have to do. And in a particular sense, stuff will change. In this industry, the software package you’re using today, it’s probably not the software package you’ll use in two or three years. So the ability of people to learn and the ability or the willingness of companies to actually support this with training and such, I think, is critical to overcome this shortage and find good candidates.

Dave Bittner:

Now, as a teacher, what is your advice for those who are coming up, who are looking to study these topics? What’s the best way for them to approach it? How can they get the most out of the classes that they’re signing up to take?

Dr. Johannes Ullrich:

Well, I think, stick to the basics. Don’t over-specialize too early. Anybody in security should have a good networking background, should know how to do some coding. So start with that, and don’t get right into hacking. Everybody wants to hack. That’s my complaint with the industry. Our classes that always seem to be the best-selling are where what you actually need to do is to defend. So learn the basics. Don’t get stuck with the hype of the latest tools and such. And really, don’t learn tools. Learn technologies. That’s what everybody comes down to.

Dave Bittner:

Our thanks to Dr. Johannes Ullrich for joining us. Be sure you check out his podcast, the SANS ISC StormCast podcast. It is definitely worth a listen.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
