Infocon Alert Status

SANS is considering changing the alert status threshold for InfoCon alerts, according to today’s SANS Diary. Information about Infocon is available at http://isc.sans.org/infocon.php
They report that many users have commented that the alert status has stayed green for a very long time. This gibes with something I’ve been thinking about. There haven’t been a lot of big-name worm attacks. Internet connectivity hasn’t been disrupted by a virus threat. This is because the virus writers’ goals are different. In the past the goal was to write something clever and get noticed. That caused many news articles, and either the publicity or the actual damage would cause management to focus on fixing the security problem.
Nowadays, the malicious code writers want to stay hidden. They want to collect information with keystroke monitors and screen grabbers, or they want to have a bot army for use in attacking others. They don’t want to draw attention to themselves. This lack of news coverage means management often doesn’t get involved. Each machine that is found with a trojan is treated as a separate incident.
Should the SANS alert status go up merely on the basis of increased DNS hijacking or a known vulnerability? Clearly that is turning away from the original stated goal of monitoring threats to the internet infrastructure itself. However, the SANS ISC Handlers deal with so much more than just the internet infrastructure, so this change is warranted.