Plan to Counterattack Hackers Draws More Fire

Now that Symbiot, Inc. has released information on its plans to enable companies to counterattack digital threats, some security analysts have stepped up their concerns that it could cause more problems than it solves.

Symbiot's founders are looking to fight back against hackers, virus writers and denial-of-service attacks by launching counterattacks. It's no longer enough to protect a company's perimeter, they say; it's time for the attacked to become the attackers.

But members of the security community are raising concerns that striking back at attackers not only leaves the company open to legal problems, but could double the strain on associated networks, ISPs and Internet hubs. They also say it aims the guns directly at innocent victims of computer viruses.

"Vigilantism didn't work in the wild west and electronic vigilantism is likely to be just as distasteful," says George Bakos, a senior security expert with the Institute for Security Technology Studies at Dartmouth College. "The desire to take action does not justify contributing to the problem... At what point does the escalation stop?"

Nearly a month ago, Symbiot, which is based in Austin, Texas, announced it would be releasing its first product, the Intelligent Security Infrastructure Management Systems platform (iSIMS). The platform, geared to work with existing security tools, such as firewalls and VPNs, is designed to model threats coming into the network and raise alerts about serious attacks.

However, what had people talking was the company's claim that it was going to enable counterstrikes. But details of what those strikes would entail weren't released until late last week.

The Counterstrikes

In a written statement, Symbiot executives say there are many levels of response that can be used against an attacker. Before there would be any response, however, they say the software would check several things, such as risk metrics, reconnaissance, surveillance and confirming identification.

Once that is done, if the intensity, duration and effect of the attack are great enough, the corporate IT or security manager can use countermeasures. Those countermeasures go from benignly blocking or diverting traffic to more aggressive maneuvers like sending the packet content used in the attack back at the attacker.

But the tool goes one step further.

It also enables the IT or security manager to obtain access privileges on the attacker's system and then go in and disable, destroy or seize control of his assets. The IT manager also could launch a counterstrike that would send exploits specific to vulnerabilities on the attacker's machine.

And, finally, the software allows for preemptive strikes on a source known to be orchestrating attacks. "This retaliation could be far in excess of the attack that the aggressor has underway," according to a written statement on the Symbiot Web site.

Symbiot executives could not be reached for this story, but there is a warning posted on the site about legal issues involved with launching an attack. "Symbiot is continually evaluating the legal aspects of these more aggressive countermeasures... We stress that our customers should obtain appropriate advice and information to make decisions that will not violate applicable laws. In some instances, availability of these countermeasures may be restricted."

Going too far?

The idea of a company launching an attack, along with the severity of the countermeasures, is raising concerns in the security community.

Launching a retaliatory denial-of-service attack against an aggressor opens up the door to a whole host of questions. How would that counterattack affect ISPs? What would it do to network traffic and corporate bandwidth? Would the attack target unsuspecting users whose computers have been compromised by a virus and now are being used to send spam or denial-of-service attacks?

"It's not a good idea to have a tool that is offensive by nature," says Ken Dunham, director of malicious code at iDefense, a security intelligence company. "It's riddled with problems... It creates a vigilante atmosphere that could lead to chaos. It's not appropriate for computer security at large."

A good portion of the controversy swirls around counterattacks that might be launched against zombie, or compromised, machines.

A significant number of worms in the past several months have been geared to infect a machine and then open a backdoor that the virus author can use to remotely control that computer. Once thousands or hundreds of thousands of machines have been compromised this way, the hacker can then use this army of 'zombie' machines to send malignant waves of spam or hit a company with an aggressive denial-of-service attack. If the company under attack traced the source of the attack, it would take them back to these compromised machines.

Analysts question the benefit of attacking unsuspecting users. And it would be bad enough if the zombie computer belonged to a grandmother in Michigan, but what if some of those zombie machines were part of a high school network, or were based in law enforcement or an electrical utility?

What would happen if those networks came under counterstrike?

Steve Sundermeier, a vice president with Medina, Ohio-based Central Command, Inc., an anti-virus company, says any time innocent computers are in line to be attacked, there's plenty of room for trouble.

"It all revolves around those compromised machines," says Sundermeier. "How can you take a preemptive strike or retaliate against a machine or a person that doesn't even know that they've been compromised? It could be a school system that has every possible security procedure in place but one student disabled something, and now you're launching a counterattack against them. You'd be wreaking havoc on the whole school."

In a previous interview, Mike W. Erwin, president of Symbiot, says those compromised machines are a big part of the problem. And that opens them up to response.

"When a zombied host or infected computer has been clearly identified as the source of an attack, it is our responsibility to empower customers to defend themselves," says Erwin. "An infected machine, one no longer under the control of its owner, is no longer an innocent bystander."

But Bakos says that's simply too dangerous.

"Shutting down a system that is flawed but is still business-critical could prove disastrous," he says. "The aggressive defenders can't possibly know the value of the system to its owners... What if it is part of an Emergency Response System, or health care or a utility?

"We can pretend that all infrastructure critical systems are behind impenetrable defenses but we'd be deluding ourselves," adds Bakos. "More financial damage and potential human damage can be done by the responses than by the initial attacks themselves."