Recourse Technologies Inc., a provider of e-security threat management solutions, has announced ManHunt 1.2 and ManTrap 2.1 security solutions, designed to track and trap network intruders.

The company's roots trace to Exodus Communications, where cofounder Frank Huerta, president and CEO, and Michael Lyle, chief technical officer, worked together. In response to certain attacks, the two played key roles in designing and implementing a line of security services built around a combination of proprietary and off-the-shelf technology. ManTrap, first released in October 2000, offers a "honeypot" style of security protection in which the attacker is discovered and watched while playing in harmless "cages." ManHunt, first released in December 2000, is designed to track the attack to its source.

The Redwood City, Calif.-based company, founded in February 1999, received $20 million in a third round of funding last November and now has over 100 employees.

"Our mission is to revolutionize the next wave of security software," says Andrew Maguire, senior product manager with the company. "Awareness has been increased and people have been putting in countermeasures."

Along with the enormous estimated financial impact caused by hacker attacks and viruses, and the growing sophistication of attackers, organizations face the continued lack of skilled security talent to deal with the issues. Traditional approaches for companies trying to protect themselves include the "fortress model," in which a firewall controls perimeter access, and intrusion detection, which relies on recognition of scripts identifying known viruses. However, these are in conflict with trends in e-business toward opening paths to computer systems from the outside.

The Recourse alternative, based on threat management, aims at gathering information about the attack and buying time, Maguire explains. Attackers have the advantage when they hit the target with a new threat because the targets have no information. Forensic tools and logging applications are good at piecing together what happened after the attack. Intrusion detection systems (IDSs) are good at issuing alerts when attacks happen, but limited in their ability to filter out false alarms.

ManHunt uses a Protocol Anomaly Detection (PAD) approach to detect an attack. The approach examines the profile of protocol packets coming over the line; if they don't match, a warning is triggered. This is analyzed to see if it constitutes a threat. In response to a threat, alerts are issued and the firm's TrackBack feature is started. This tool logs into the router that originated the attack, then traces it back to its previous point of origination.

If the attack is traced to an Internet Service Provider (ISP), a Handoff module notifies the ISP about the incident. "The biggest problem is getting the ISPs to track the attacker back to the source," Maguire says. "We need an easier and quicker method." ManHunt 1.2 integrates with the Cisco IDS, collecting events from multiple Cisco IDS sensors and performing aggregation and correlation on them in real time.

Data collected from ManTrap 2.1 version is available to ManHunt 1.2, so that an attacker's methods and motives can be inferred from the attacker's actions while contained in the decoy environment.

ManHunt 1.2, which can monitor a near-capacity gigabit Ethernet link or up to 10 full-capacity 100MB fast Internet links, is priced at $25,000 for one CPU or $95,000 for four CPUs. ManTrap 2.1 is priced at $7,500 per cage.