Plan to Counterattack Hackers Draws More Fire

Now that Symbiot, Inc. has released information on its plans to enable companies to counterattack digital threats, some security analysts have stepped up their concerns that it could cause more problems than it solves.

Symbiot's founders are looking to fight back against hackers, virus writers and denial-of-service attacks by launching counterattacks. It's no longer enough to protect a company's perimeter, they say; it's time for the attacked to become the attackers.

But members of the security community are raising concerns that striking back at attackers not only leaves the company open to legal problems, but could double the strain on associated networks, ISPs and Internet hubs. They also say it aims the guns directly at innocent victims of computer viruses.

''Vigilantism didn't work in the wild west and electronic vigilantism is likely to be just as distasteful,'' says George Bakos, a senior security expert with the Institute for Security Technology Studies at Dartmouth College. ''The desire to take action does not justify contributing to the problem... At what point does the escalation stop?''

Nearly a month ago, Symbiot, which is based in Austin, Texas, announced it would be releasing its first product, the Intelligent Security Infrastructure Management Systems platform (iSIMS). The platform, geared to work with existing security tools, such as firewalls and VPNs, is designed to model threats coming into the network and raise alerts about serious attacks.

However, what had people talking was the company's claim that it was going to enable counterstrikes. But details of what those strikes would entail weren't released until late last week.

The Counterstrikes

In a written statement, Symbiot executives say there are many levels of response that can be used against an attacker. Before there would be any response, however, they say the software would check several things, such as risk metrics, reconnaissance, surveillance and confirming identification.

Once that is done, if the intensity, duration and effect of the attack are great enough, the corporate IT or security manager can use countermeasures. Those countermeasures range from benignly blocking or diverting traffic to more aggressive maneuvers, such as sending the packet content used in the attack back at the attacker.

But the tool goes one step further.

It also enables the IT or security manager to obtain access privileges on the attacker's system and then go in and disable, destroy or seize control of his assets. The IT manager also could launch a counterstrike that would send exploits specific to vulnerabilities on the attacker's machine.

And, finally, the software allows for preemptive strikes on a source known to be orchestrating attacks. ''This retaliation could be far in excess of the attack that the aggressor has underway,'' according to a written statement on the Symbiot Web site.

Symbiot executives could not be reached for this story, but there is a warning posted on the site about legal issues involved with launching an attack. ''Symbiot is continually evaluating the legal aspects of these more aggressive countermeasures... We stress that our customers should obtain appropriate advice and information to make decisions that will not violate applicable laws. In some instances, availability of these countermeasures may be restricted.''


Going too far?

The idea of a company launching an attack, along with the severity of the countermeasures, is raising concerns in the security community.

Launching a retaliatory denial-of-service attack against an aggressor opens up the door to a whole host of questions. How would that counterattack affect ISPs? What would it do to network traffic and corporate bandwidth? Would the attack target unsuspecting users whose computers have been compromised by a virus and now are being used to send spam or denial-of-service attacks?

''It's not a good idea to have a tool that is offensive by nature,'' says Ken Dunham, director of malicious code at iDefense, a security intelligence company. ''It's riddled with problems... It creates a vigilante atmosphere that could lead to chaos. It's not appropriate for computer security at large.''

A good portion of the controversy swirls around counterattacks that might be launched against zombie, or compromised, machines.

A significant number of worms in the past several months have been geared to infect a machine and then open a backdoor that the virus author can use to remotely control that computer. Once thousands or hundreds of thousands of machines have been compromised this way, the hacker can then use this army of 'zombie' machines to send malignant waves of spam or hit a company with an aggressive denial-of-service attack. If the company under attack traced the source of the attack, it would take them back to these compromised machines.

Analysts question the benefit of attacking unsuspecting users. And it would be bad enough if the zombie computer belonged to a grandmother in Michigan, but what if some of those zombie machines were part of a high school network, or were based in law enforcement or an electrical utility?

What would happen if those networks came under counterstrike?

Steve Sundermeier, a vice president with Medina, Ohio-based Central Command, Inc., an anti-virus company, says any time innocent computers are in line to be attacked, there's plenty of room for trouble.

''It all revolves around those compromised machines,'' says Sundermeier. ''How can you take a preemptive strike or retaliate against a machine or a person that doesn't even know that they've been compromised? It could be a school system that has every possible security procedure in place but one student disabled something, and now you're launching a counterattack against them. You'd be wreaking havoc on the whole school.''

In a previous interview, Mike W. Erwin, president of Symbiot, said those compromised machines are a big part of the problem, and that this opens them up to response.

''When a zombied host or infected computer has been clearly identified as the source of an attack, it is our responsibility to empower customers to defend themselves,'' says Erwin. ''An infected machine, one no longer under the control of its owner, is no longer an innocent bystander.''

But Bakos says that's simply too dangerous.

''Shutting down a system that is flawed but is still business-critical could prove disastrous,'' he says. ''The aggressive defenders can't possibly know the value of the system to its owners... What if it is part of an Emergency Response System, or health care or a utility?

''We can pretend that all infrastructure critical systems are behind impenetrable defenses but we'd be deluding ourselves,'' adds Bakos. ''More financial damage and potential human damage can be done by the responses than by the initial attacks themselves.''
