Johannes Ullrich

Prior to his two decades at SANS, Johannes worked as a lead support engineer for a web development company and as a research physicist. Johannes has always been attracted to the fast pace of information security and curious to understand and measure the intricate dependencies of attacks and countermeasures. While the fast pace of the field can be overwhelming at times, it does offer constant opportunities for learning, and any change and impact is quickly measurable.

Johannes’s first network was a lab network used to remote control physics experiments. When he first got his hands on an "early" cable modem, which allowed him to control experiments from home, he overlooked the fact that the router (which he built himself from a Linux distribution) was also an open mail relay. Of course, it didn't take long for a spammer to find and abuse it, which led to an angry call from his ISP. Like most of us who start to worry about security after an incident, that was when he started learning about firewalls and security. In the process, he discovered his interest in collecting data about the attackers scanning for systems like his own. This led to the development of DShield.org, a website that still today collects logs from users worldwide to better understand these attacks.

Johannes’s daily work revolves around the Internet Storm Center. Leading this group brings him in direct contact with packets, web applications, and malware on a day-to-day basis. This work keeps his skills sharp and relevant while informing the material he presents in class. Johannes enjoys working for SANS due to the ability to disseminate what he’s learned researching current attacks, as well as bringing him in contact with students who are working in the trenches of information security. This back-and-forth sharing and learning with others drives his passion for information security.

It can be exhausting to have to deal with "yet another attack" day in and day out, but being part of the great team at the Internet Storm Center allows Johannes to affect how networks are defended. It is rewarding for him to hear from former students, readers of the Internet Storm Center, or listeners to the podcast how they applied what they learned and how it helped them. Teaching technology "from the ground up" can be challenging at times, yet crafting even a dry topic like packet analysis into something exciting and seeing students light up as they capture new concepts makes even hex conversion and counting offsets more exciting than a good movie for Johannes.

Johannes has found that students starting out in the field will often question why they need to know some of the background and details about protocols that are taught. His ability to link these topics to practical examples where this detail made the difference wins them over. His approach to teaching is to convey an understanding for the underlying principles to get students ready for what's next since information security is developing too fast to focus on specific techniques and tools.

Johannes is a partner of the Cyberwire Podcast, a member of the Board of Advisors for Threatstop, Inc, earned a PhD in physics from SUNY Albany, and holds multiple security-related certifications, including the GIAC GMON, GNFA, GWEB, GCIA and GSIP. Over the years, Johannes has been honored with a variety of awards, as well:

• ISSA President's Award for Public Service 2018 – 2018 from ISSA
• Best Security Podcast - Mar 2014 from Security Bloggers Network
• Historic Preservation Award Mobile Web Application for Historic Springfield – from City of Jacksonville, FL
• Best Technical Security Blog - 2009 & 2010 from honorSecurity Bloggers Network
• Best Paper Award - 2008 from Usenix
• Top 5 Influential Security Thinkers - Dec 2005 from SC Magazine
• Top 50 Most Powerful People in Networking - 2004 from Network World

ADDITIONAL CONTRIBUTIONS BY DR JOHANNES ULLRICH:

VIDEO SERIES

Packet Tuesday

WEBCASTS

• Attack & Defend: The Dangers of Modern Distributed Applications, June 2021
• Attack & Defend: Protecting Modern Distributed Applications and Components, RSA 2021, May 2021
  
• What Do I Need to Know About CVE-2020-5902; the F5 Networks BigIP RCE Vulnerability, July 2020
• World Password Day, May 2020
• DNS is Changing. So What?, April 2020
• SANS CyberCast - SANS@Mic - How I Learned to Stop Worrying and Love TLS, March 2020
• The Five Most Dangerous New Attacks, RSA Conference 2020
• Microsoft Patch Tuesday crypt32.dll Vulnerability Overview, January 2020
• Critical Citrix Vulnerability, December 2019
• The Future of Authentication: How Two Factor Authentication is Dying and What’s Next, June 2019
• All Your Data Belongs to Us: How to Defend Against Credential Stuffing, April 2019
• NoSQL Doesn't Mean No Vulnerable: Defending and Attacking NoSQL Database, AppSecUSA 2017

PODCASTS

• ISC StormCast – host
• Cyberwire – partner
• "Tech Talk", August 2019
• Recorded Future - episode 075, Sept 2018

TOOLS

• pcap2curl
• dshieldpfsense
• dvrxploits
• dshieldhoneypot
• ISC-Bugs
• netgearscripts

PUBLICATIONS

• Recent Internet Storm Center Posts
• "A comparative study of cyberattacks" with S. H. Kim and Q.-H. Wang, Communications of the ACM Vol 55 Issue , 66-73, (2012)
• “Gausian Process Learning for Cyber-Attack Early Warning”, with J. Zhang and P. Porras, Statistical Analysis and Data Mining: The ASA Data Science Journal 3 (1), 56-68, (2010)
• “Top Cyber Security Risks” with R. Dhamankar; M. Dausin; M. Eisenbarth; J. King; W. Kandek; E. Skoudis; and R. Lee, SANS Institute, (2009)
• "Highly Predictive Blacklisting" with J. Zhang and P. A. Porras, USENIX Security Symposium, (2008)
• “Development of the Higher Education Network Analysis (HENA) Intrusion Detection and Prevention Tool“, with S. Burd, E. Gavas, B. Kochergin, L. Lehman, and N. Memon, 1st Annual Symposium on Information Assurance, (2006)
• “Networks Under Fire: The SANS Internet Storm Center”, Invited talk, Simposio Internacional de Redes y Comunicaciones de Datos, Lima, Peru, (May 2006)
• “The SANS Internet Storm Center (ISC): A Collaborative Information Security Community”. Invited talk, FIRST technical colloquia, Buenos Aires Argentina, (2005)
• “Disappearing Patch Window and Zotob”, invited talk, University of Florida at Gainsville IT Security Awareness Day, (Oct 2005)
• “The Disappearing Patch Window. Observations from the Internet Storm Center”, invited talk, MIT Security Camp (August 2004)
• “Internet intrusions: global characteristics and prevalence.” with V. Yegneswaran and P. Barford, SIGMETRICS Perform. Eval. Rev. 31, 1, 138-147, (June 2003)
• “Administering a Distributed Intrusion Detection System” with W. Larmon, Sys Admin Magazine, Vol 11 Issue 8, (August 2002)