
SANS ISC Handler Roadmap



How to become an Internet Storm Center Handler

The Internet Storm Center depends on reader input to maintain an active cooperative community of security professionals. The input you provide takes on many forms. Sometimes it is an e-mail with an interesting observation; some of you provide continuous input by running a DShield sensor or participating in our web application honeypot or 404 project. Of course, all that input doesn't mean a thing if it is not turned around quickly. This is the part where our handlers come in. The main task is to take all the input we receive, including what handlers experience in their day jobs, and turn it around into "diaries".

We call them "diaries" vs. "blogs" for a number of reasons. First of all, at the time the Internet Storm Center was started, the term "blog" didn't exist yet. Secondly, a diary is usually a daily account of what is happening in one's life. And this is kind of what we are looking for here at the Internet Storm Center.

Now how can you become an Internet Storm Center Handler, and what does it mean to be one? This is a question we get quite a bit and I am trying to formalize the process a bit.

The basic requirements to be considered:

  • 1 GIAC Certification or significant contribution to the field
  • Open participation in the security community
  • Shown an ability and willingness to write (GIAC Gold, blogs or other published papers and articles)
  • Able to publish on your own quickly without review by others (for example, your employer), but you may recuse yourself if you find that a topic presents a conflict with your day job
  • Vetted by existing handlers

Being a handler is a volunteer position. While we do on occasion provide stickers, shirts or other tokens of appreciation, there is no set schedule and no guarantee that we will continue this practice. You should be able to write about breaking events quickly if you are the handler on duty, which requires a broad knowledge of security issues and how they impact "the real world". We cannot accept applicants that need to have diaries reviewed by their company. You may choose not to publish if you feel that the topic represents a conflict of interest with your day job.

Diaries are not anonymous and you will have to sign them with your real name, not an alias. You do not have to mention who you work for, but you may. As part of your signature you may add a link to a personal or corporate website.

Vetting process: One senior handler will initially endorse the application. At least one existing handler has to have met the applicant in person. Any problems that may indicate that the person is unsuitable should be brought to the attention of the group. The CTO and Director will try to achieve a consensus in the group about the suitability of a particular candidate. The final decision will be with the CTO/Director.

Apprentice

All new handlers will start out as an "Apprentice". During your apprenticeship, you should:

  • Write 3 diaries during the 2-3 months after being accepted.
  • Not more than 1 diary a week (however, you may write more... they just don't count towards the 3)
  • The Handler on Duty (HoD) has to approve the diaries before making them live

Handler

After the third diary is published, a review of the diaries will take place and a decision will be made to accept or not accept the person as a "Handler". In some cases, the apprenticeship may be continued for another 1-2 months before a decision is made.

Initially, a handler will be provided with access to various handler resources like mailing lists and the ability to publish diaries independently. A handler is expected to sign up for at least 8 "Handler on Duty" shifts per year (ideally: one a month).

A handler will qualify for a "handler shirt" after 6 months and 6 HoD shifts (only shifts with a diary count). All handlers are encouraged to present about the ISC at SANS or other conferences.

Senior Handler

After 2 years of service as a handler, publishing at least 20 diaries total (the apprentice diaries count) and fulfilling all the requirements outlined above, a handler is considered for promotion to "Senior Handler". Senior handlers are considered for additional benefits. A senior handler is expected to continue to serve as a HoD regularly, as well as speak at security events at SANS or other conferences. A senior handler should give Internet Storm Center related presentations at conferences or in the local community (Infragard, ISSA and such).

Retired Handler

If a handler no longer has time to fulfill the requirements, the handler is moved into "retired" status. As a retired handler, the handler no longer has access to various handler resources. However, if the handler should choose to join up again, the handler status will be re-instated at the level it was 1 year prior to retirement.

How to apply

Use our contact form (https://isc.sans.edu/contact.html) or e-mail an informal application to handlers@sans.edu. Please only submit plain text, no Word documents, PDFs or other attachments. Issues to cover in your request:

  • Contact information (name, email, address)
  • Who do you work for
  • GIAC certifications
  • Have you met any handlers in person (who?)
  • Links to prior blog posts or similar work of interest (e.g. links to public mailing lists you participate in)
  • Brief overview of your experience