protect a corporate network anymore. They say it’s time to fight back.
But some members of the security industry worry that giving IT managers the tools to attack
their attackers could cause far more serious problems than it would solve.
Symbiot, Inc., a fledgling infrastructure security company based in Austin, Texas, is
getting ready to release its first product at the end of this month. The company’s
Intelligent Security Infrastructure Management Solution uses artificial intelligence
software to analyze network patterns, manage attacks on the network and respond to them.
What is causing a stir in the security community is the response part of the plan.
Symbiot’s founders are looking to fight back against hackers, virus writers and
denial-of-service attacks by launching counterattacks. It’s time, they say, for the
attacked to become the attackers.
”Threats to the enterprise network are evolving at an unprecedented pace,” says Mike W.
Erwin, president of Symbiot. ”Businesses can no longer afford the substantial financial
resources and manpower associated with the endless loop of building walls and repairing and
rebuilding them after each attack — only to repeat the process day in and day out.
”Responses would include many different levels, graduated from blocking and quarantining
to more invasive techniques,” he adds.
So far, however, Symbiot executives are not saying exactly what these ‘invasive techniques’
will be. Erwin would only go so far as classifying the countermeasures as ‘non-destructive,
destructive-recoverable, and destructive non-recoverable’. He does say that blocking,
shunning and diverting attacks will take care of most threats.
But it’s the term ‘counterattacks’ and what that might mean that has security analysts
concerned.
Launching a retaliatory denial-of-service attack against an aggressor opens up the door to a
whole host of questions. How would that counterattack affect ISPs? What would it do to
network traffic and corporate bandwidth? Would the attack target unsuspecting users whose
computers have been compromised by a virus and now are being used to send spam or
denial-of-service attacks?
”This is not the best of ideas,” says Steve Sundermeier, a vice president with Medina,
Ohio-based Central Command, Inc., an anti-virus company. ”Think about how Code Red or
Blaster affected bandwidth as a whole. A counterattack would only add additional weight to
the to the bandwidth pressure. That could put the Internet into a crawl.
”You’re putting companies at risk,” he adds. ”You’re putting people’s livelihoods at
risk… It just isn’t a good idea to repay evil with evil.”
See Continuation: How Will ISPs and Users be Affected?
would be pummeled by the weight of counterattacks.
Erwin, however, says ISPs are already suffering.
”Intermediaries, such as ISPs, are already caught in the middle when one of their
customers is engaged in, or is the target of, a network-based attack,” he says. ”Our
system empowers customers to mount a supportable response at the moment they are being
attacked and their network assets are placed at risk by an attacker.”
Both Sundermeier and Ken Dunham, director of malicious code at iDefense, a security and
anti-virus company, say innocent users, whether individuals or corporate users, would feel
the brunt of many counterattacks.
A significant number of worms in the past several months have been geared to infect a
machine and then open a backdoor that the virus author can use to remotely control that
computer. Once thousands or hundreds of thousands of machines have been compromised this
way, the hacker can then use this army of ‘zombie’ machines to send malignant waves of spam
or hit a company with an aggressive denial-of-service attack. If the company under attack
traced the source of the attack, it would take them back to these compromised machines.
That means a counterattack might be more likely to hit an elderly woman living in Duluth or
a remote worker who didn’t download the security update in time, as it would the virus
author who actually infected those machines and launched the attack.
Symbiot’s Erwin says those compromised computers are a part of the problem, leaving them
open to response.
”When a zombied host or infected computer has been clearly identified as the source of an
attack, it is our responsibility to empower customers to defend themselves,” says Erwin.
”An infected machine, one no longer under the control of its owner, is no longer an
innocent bystander.”
Dunham of iDefense disagrees.
”This is riddled with problems,” says Dunham. ”You don’t want to make it any more awful
for a victim than it already is. If someone’s computer has been compromised, you don’t want
to slam them again with a counterattack… What kind of online community would this lead
to?”
Dunham adds that he’d be interested to find out what would happen if a computer on a
military network was compromised and used in a denial-of-service attack. The company that
launched a counterattack against that machine might find itself in a situation it hadn’t
expected.
Symbiot executives say they’ll release more information about their product the closer they
get to the release day, which is scheduled for March 31.
Want to talk about this topic? Go to our IT Management Forum: http://forums.datamation.com/forumdisplay.php?s=&forumid=1