Now that Symbiot, Inc. has released information on its plans to enable companies to
counterattack digital threats, some security analysts have stepped up their concerns that
it could cause more problems than it solves.
Symbiot’s founders are looking to fight back against hackers, virus writers and
denial-of-service attacks by launching counterattacks. It’s no longer enough to protect a
company’s perimeter, they say; it’s time for the attacked to become the attackers.
But members of the security community are raising concerns that striking back at attackers
not only leaves the company open to legal problems, but could double the strain on
associated networks, ISPs and Internet hubs. They also say it aims the guns directly at
innocent victims of computer viruses.
“Vigilantism didn’t work in the wild west and electronic vigilantism is likely to be just
as distasteful,” says George Bakos, a senior security expert with the Institute for
Security Technology Studies at Dartmouth College. “The desire to take action does not
justify contributing to the problem… At what point does the escalation stop?”
Nearly a month ago, Symbiot, which is based in Austin, Texas, announced it would be
releasing its first product, the Intelligent Security Infrastructure Management Systems
platform (iSIMS). The platform, geared to work with existing security tools, such as
firewalls and VPNs, is designed to model threats coming into the network and raise alerts
about serious attacks.
However, what had people talking was the company’s claim that it was going to enable
counterstrikes. But details of what those strikes would entail weren’t released until late
last week.
The Counterstrikes
In a written statement, Symbiot executives say there are many levels of response that can
be used against an attacker. Before there would be any response, however, they say the
software would check several things, such as risk metrics, reconnaissance, surveillance and
confirming identification.
Once that is done, if the intensity, duration and effect of the attack are great enough, the
corporate IT or security manager can use countermeasures. Those countermeasures range from
benignly blocking or diverting traffic to more aggressive maneuvers like sending
the packet content used in the attack back at the attacker.
But the tool goes one step further.
It also enables the IT or security manager to obtain access privileges on the attacker’s
system and then go in and disable, destroy or seize control of his assets.
The IT manager also could launch a counterstrike that would send exploits specific to
vulnerabilities on the attacker’s machine.
And, finally, the software allows for preemptive strikes on a source known to be
orchestrating attacks. “This retaliation could be far in excess of the attack that the
aggressor has underway,” according to a written statement on the Symbiot Web site.
Symbiot executives could not be reached for this story, but there is a warning posted on
the site about legal issues involved with launching an attack. “Symbiot is continually
evaluating the legal aspects of these more aggressive countermeasures… We stress that our
customers should obtain appropriate advice and information to make decisions that will not
violate applicable laws. In some instances, availability of these countermeasures may be
restricted.”
Going too far?
The idea of a company launching an attack, along with the severity of the countermeasures,
is raising concerns in the security community.
Launching a retaliatory denial-of-service attack against an aggressor opens up the door to
a whole host of questions. How would that counterattack affect ISPs? What would it do to
network traffic and corporate bandwidth? Would the attack target unsuspecting users whose
computers have been compromised by a virus and now are being used to send spam or
denial-of-service attacks?
“It’s not a good idea to have a tool that is offensive by nature,” says Ken Dunham,
director of malicious code at iDefense, a security intelligence company. “It’s riddled
with problems… It creates a vigilante atmosphere that could lead to chaos. It’s not
appropriate for computer security at large.”
A good portion of the controversy swirls around counterattacks that might be launched
against zombie, or compromised, machines.
A significant number of worms in the past several months have been geared to infect a
machine and then open a backdoor that the virus author can use to remotely control that
computer. Once thousands or hundreds of thousands of machines have been compromised this
way, the hacker can then use this army of ‘zombie’ machines to send malignant waves of spam
or hit a company with an aggressive denial-of-service attack. If the company under attack
traced the source of the attack, the trail would lead back to these compromised machines.
Analysts question the benefit of attacking unsuspecting users. And it would be bad enough
if the zombie computer belonged to a grandmother in Michigan, but what if some of those
zombie machines were part of a high school network, or were based in law enforcement or an
electrical utility?
What would happen if those networks came under counterstrike?
Steve Sundermeier, a vice president with Medina, Ohio-based Central Command, Inc., an
anti-virus company, says any time innocent computers are in line to be attacked, there’s
plenty of room for trouble.
“It all revolves around those compromised machines,” says Sundermeier. “How can you take
a preemptive strike or retaliate against a machine or a person that doesn’t even know that
they’ve been compromised? It could be a school system that has every possible security
procedure in place but one student disabled something, and now you’re launching a
counterattack against them. You’d be wreaking havoc on the whole school.”
In a previous interview, Mike W. Erwin, president of Symbiot, says those compromised
machines are a big part of the problem. And that opens them up to response.
“When a zombied host or infected computer has been clearly identified as the source of an
attack, it is our responsibility to empower customers to defend themselves,” says Erwin.
“An infected machine, one no longer under the control of its owner, is no longer an
innocent bystander.”
But Bakos says that’s simply too dangerous.
“Shutting down a system that is flawed but is still business-critical could prove
disastrous,” he says. “The aggressive defenders can’t possibly know the value of the
system to its owners… What if it is part of an Emergency Response System, or health care
or a utility?
“We can pretend that all infrastructure critical systems are behind impenetrable defenses
but we’d be deluding ourselves,” adds Bakos. “More financial damage and potential human
damage can be done by the responses than by the initial attacks themselves.”