Plan to Counterattack Hackers Draws More Fire

Now that Symbiot, Inc. has released information on its plans to enable companies to

counterattack digital threats, some security analysts have stepped up their concerns that

it could cause more problems than it solves.

Symbiot’s founders are looking to fight back against hackers, virus writers and

denial-of-service attacks by launching counterattacks. It’s no longer enough to protect a

company’s perimeter, they say; it’s time for the attacked to become the attackers.

But members of the security community are raising concerns that striking back at attackers

not only leaves the company open to legal problems, but could double the strain on

associated networks, ISPs and Internet hubs. They also say it aims the guns directly at

innocent victims of computer viruses.

“Vigilantism didn’t work in the wild west and electronic vigilantism is likely to be just as distasteful,” says George Bakos, a senior security expert with the Institute for Security Technology Studies at Dartmouth College. “The desire to take action does not justify contributing to the problem… At what point does the escalation stop?”

Nearly a month ago, Symbiot, which is based in Austin, Texas, announced it would be

releasing its first product, the Intelligent Security Infrastructure Management Systems

platform (iSIMS). The platform, geared to work with existing security tools, such as

firewalls and VPNs, is designed to model threats coming into the network and raise alerts

about serious attacks.

However, what had people talking was the company’s claim that it was going to enable

counterstrikes. But details of what those strikes would entail weren’t released until late

last week.

The Counterstrikes

In a written statement, Symbiot executives say there are many levels of response that can be used against an attacker. Before any response is taken, however, they say the software would first work through several checks: computing risk metrics, performing reconnaissance and surveillance of the source, and confirming its identification.

Once that is done, if the intensity, duration and effect of the attack are great enough, the corporate IT or security manager can use countermeasures. Those countermeasures range from benignly blocking or diverting traffic to more aggressive maneuvers, such as sending the packet content used in the attack back at the attacker.

But the tool goes one step further.

It also enables the IT or security manager to obtain access privileges on the attacker’s

system and then go in and disable, destroy or seize control of his assets.

The IT manager also could launch a counterstrike that would send exploits specific to

vulnerabilities on the attacker’s machine.

And, finally, the software allows for preemptive strikes on a source known to be

orchestrating attacks. ”This retaliation could be far in excess of the attack that the

aggressor has underway,” according to a written statement on the Symbiot Web site.

Symbiot executives could not be reached for this story, but there is a warning posted on the site about legal issues involved with launching an attack. “Symbiot is continually evaluating the legal aspects of these more aggressive countermeasures… We stress that our customers should obtain appropriate advice and information to make decisions that will not violate applicable laws. In some instances, availability of these countermeasures may be restricted.”


Going too far?

The idea of a company launching an attack, along with the severity of the countermeasures,

is raising concerns in the security community.

Launching a retaliatory denial-of-service attack against an aggressor opens up the door to

a whole host of questions. How would that counterattack affect ISPs? What would it do to

network traffic and corporate bandwidth? Would the attack target unsuspecting users whose

computers have been compromised by a virus and now are being used to send spam or

denial-of-service attacks?

“It’s not a good idea to have a tool that is offensive by nature,” says Ken Dunham, director of malicious code at iDefense, a security intelligence company. “It’s riddled with problems… It creates a vigilante atmosphere that could lead to chaos. It’s not appropriate for computer security at large.”

A good portion of the controversy swirls around counterattacks that might be launched

against zombie, or compromised, machines.

A significant number of worms in the past several months have been geared to infect a machine and then open a backdoor that the virus author can use to remotely control that computer. Once thousands or hundreds of thousands of machines have been compromised this way, the hacker can use this army of ‘zombie’ machines to send waves of spam or hit a company with an aggressive denial-of-service attack. If the company under attack traced the source of the attack, the trail would lead back to these compromised machines, not to the person directing them. The source addresses in a flood can also be forged outright, in which case the trace points at hosts that sent nothing at all.
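The check-then-respond sequence Symbiot describes (measure intensity and duration, identify the sources, then pick a countermeasure) and the tracing of a flood back to zombie machines, as an added example that is not Symbiot’s code and does not appear in the original article: a small Python triage routine aggregates sampled flow records per source address, applies the intensity and duration checks, and selects the strongest tier the evidence justifies. The flow records are constructed, the thresholds are assumed, and the tier names follow the ladder in the article; the point the code makes is that nothing in traffic evidence can establish who controls a source address, so only the network-local tiers are ever reachable.

```python
"""Graduated-response triage over sampled flow records.

Added example (not Symbiot's code): it models the check-then-respond sequence
the article attributes to iSIMS (measure intensity and duration, identify the
sources, then pick a countermeasure) and shows why, on traffic evidence alone,
the ladder stops at the network-local tiers. Flow records and thresholds are
constructed/assumed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

# The article's response ladder, benign tiers first. Only BENIGN tiers are ever
# returned below: a flow record cannot prove that the host behind a source
# address is the aggressor rather than a compromised zombie, or that the
# address was not spoofed, so the aggressive tiers have no evidentiary basis.
BENIGN = ("monitor", "block", "divert")
AGGRESSIVE = ("reflect", "exploit", "seize", "preempt")


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since capture start
    src: str        # source address as seen by the victim
    dst_port: int
    packets: int


@dataclass
class SourceStats:
    packets: int
    first: float
    last: float

    @property
    def duration(self) -> float:
        return max(self.last - self.first, 1.0)

    @property
    def pps(self) -> float:
        return self.packets / self.duration


def aggregate(flows: List[Flow]) -> Dict[str, SourceStats]:
    """Per-source packet count and active window: the intensity/duration check."""
    stats: Dict[str, SourceStats] = {}
    for f in flows:
        s = stats.get(f.src)
        if s is None:
            stats[f.src] = SourceStats(f.packets, f.ts, f.ts)
        else:
            s.packets += f.packets
            s.first = min(s.first, f.ts)
            s.last = max(s.last, f.ts)
    return stats


def choose_response(stats: Dict[str, SourceStats],
                    pps_threshold: float = 500.0,      # assumed threshold
                    min_duration: float = 30.0,        # assumed threshold
                    distributed_sources: int = 20) -> dict:  # assumed threshold
    """Strongest benign tier the evidence justifies, with the sources it applies to."""
    sustained = {src: s for src, s in stats.items() if s.duration >= min_duration}
    total_pps = sum(s.pps for s in sustained.values())
    if total_pps < pps_threshold:
        return {"tier": "monitor", "targets": [], "reason": "below intensity threshold"}
    targets = sorted(sustained)
    if len(targets) >= distributed_sources:
        # Many low-rate senders is the signature of a botnet: each address is
        # almost certainly a compromised third party, and per-address blocking
        # churns. Divert to scrubbing/sinkhole rather than act on the senders.
        return {"tier": "divert", "targets": targets,
                "reason": f"{len(targets)} sustained sources, probable zombies"}
    return {"tier": "block", "targets": targets,
            "reason": "few concentrated sources; attribution still unproven"}


def constructed_flows(n_sources: int, pps: int, seconds: int,
                      prefix: str = "198.51.100.") -> List[Flow]:
    """Constructed sample traffic: n hosts each sending pps packets/s for `seconds`.
    Addresses are from TEST-NET-2 (RFC 5737) and are not routable."""
    return [Flow(float(t), f"{prefix}{i + 1}", 80, pps)
            for i in range(n_sources) for t in range(seconds + 1)]


if __name__ == "__main__":
    for label, flows in (("background", constructed_flows(3, 2, 120)),
                         ("single flooder", constructed_flows(1, 2000, 60)),
                         ("botnet flood", constructed_flows(25, 40, 120))):
        print(label, choose_response(aggregate(flows)))
```

The three constructed cases land on “monitor”, “block” and “divert” respectively; the distributed case is the one the article’s critics are worried about, and the code treats its twenty-five addresses as third parties to be routed around rather than as targets.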

Analysts question the benefit of attacking unsuspecting users. And it would be bad enough

if the zombie computer belonged to a grandmother in Michigan, but what if some of those

zombie machines were part of a high school network, or were based in law enforcement or an

electrical utility?

What would happen if those networks came under counterstrike?

Steve Sundermeier, a vice president with Medina, Ohio-based Central Command, Inc., an

anti-virus company, says any time innocent computers are in line to be attacked, there’s

plenty of room for trouble.

“It all revolves around those compromised machines,” says Sundermeier. “How can you take a preemptive strike or retaliate against a machine or a person that doesn’t even know that they’ve been compromised? It could be a school system that has every possible security procedure in place but one student disabled something, and now you’re launching a counterattack against them. You’d be wreaking havoc on the whole school.”

In a previous interview, Mike W. Erwin, president of Symbiot, says those compromised

machines are a big part of the problem. And that opens them up to response.

“When a zombied host or infected computer has been clearly identified as the source of an attack, it is our responsibility to empower customers to defend themselves,” says Erwin. “An infected machine, one no longer under the control of its owner, is no longer an innocent bystander.”

But Bakos says that’s simply too dangerous.

“Shutting down a system that is flawed but is still business-critical could prove disastrous,” he says. “The aggressive defenders can’t possibly know the value of the system to its owners… What if it is part of an Emergency Response System, or health care or a utility?

“We can pretend that all infrastructure critical systems are behind impenetrable defenses but we’d be deluding ourselves,” adds Bakos. “More financial damage and potential human damage can be done by the responses than by the initial attacks themselves.”
