Plan to Fight Back Against Hackers Causes Stir

Wednesday Mar 17th 2004 by Sharon Gaudin
Share:

A new security company is running with the idea that it's simply not enough to protect a corporate network anymore. They say it's time to fight back. But analysts worry that attacking back will cause even more trouble.

A new security company is up and running with the idea that it's simply not enough to protect a corporate network anymore. They say it's time to fight back.

But some members of the security industry worry that giving IT managers the tools to attack their attackers could cause far more serious problems than it would solve.

Symbiot, Inc., a fledgling infrastructure security company based in Austin, Texas, is getting ready to release its first product at the end of this month. The company's Intelligent Security Infrastructure Management Solution uses artificial intelligence software to analyze network patterns, manage attacks on the network and respond to them.

What is causing a stir in the security community is the response part of the plan.

Symbiot's founders are looking to fight back against hackers, virus writers and denial-of-service attacks by launching counterattacks. It's time, they say, for the attacked to become the attackers.

''Threats to the enterprise network are evolving at an unprecedented pace,'' says Mike W. Erwin, president of Symbiot. ''Businesses can no longer afford the substantial financial resources and manpower associated with the endless loop of building walls and repairing and rebuilding them after each attack -- only to repeat the process day in and day out.

''Responses would include many different levels, graduated from blocking and quarantining to more invasive techniques,'' he adds.

So far, however, Symbiot executives are not saying exactly what these 'invasive techniques' will be. Erwin would only go so far as classifying the countermeasures as 'non-destructive, destructive-recoverable, and destructive non-recoverable'. He does say that blocking, shunning and diverting attacks will take care of most threats.

But it's the term 'counterattacks' and what that might mean that has security analysts concerned.

Launching a retaliatory denial-of-service attack against an aggressor opens up the door to a whole host of questions. How would that counterattack affect ISPs? What would it do to network traffic and corporate bandwidth? Would the attack target unsuspecting users whose computers have been compromised by a virus and now are being used to send spam or denial-of-service attacks?

''This is not the best of ideas,'' says Steve Sundermeier, a vice president with Medina, Ohio-based Central Command, Inc., an anti-virus company. ''Think about how Code Red or Blaster affected bandwidth as a whole. A counterattack would only add additional weight to the to the bandwidth pressure. That could put the Internet into a crawl.

''You're putting companies at risk,'' he adds. ''You're putting people's livelihoods at risk... It just isn't a good idea to repay evil with evil.'' See Continuation: How Will ISPs and Users be Affected?

Sundermeier also worries that ISPs, which deal with such large amounts of network traffic, would be pummeled by the weight of counterattacks.

Erwin, however, says ISPs are already suffering.

''Intermediaries, such as ISPs, are already caught in the middle when one of their customers is engaged in, or is the target of, a network-based attack,'' he says. ''Our system empowers customers to mount a supportable response at the moment they are being attacked and their network assets are placed at risk by an attacker.''

Both Sundermeier and Ken Dunham, director of malicious code at iDefense, a security and anti-virus company, say innocent users, whether individuals or corporate users, would feel the brunt of many counterattacks.

A significant number of worms in the past several months have been geared to infect a machine and then open a backdoor that the virus author can use to remotely control that computer. Once thousands or hundreds of thousands of machines have been compromised this way, the hacker can then use this army of 'zombie' machines to send malignant waves of spam or hit a company with an aggressive denial-of-service attack. If the company under attack traced the source of the attack, it would take them back to these compromised machines.

That means a counterattack might be more likely to hit an elderly woman living in Duluth or a remote worker who didn't download the security update in time, as it would the virus author who actually infected those machines and launched the attack.

Symbiot's Erwin says those compromised computers are a part of the problem, leaving them open to response.

''When a zombied host or infected computer has been clearly identified as the source of an attack, it is our responsibility to empower customers to defend themselves,'' says Erwin. ''An infected machine, one no longer under the control of its owner, is no longer an innocent bystander.''

Dunham of iDefense disagrees.

''This is riddled with problems,'' says Dunham. ''You don't want to make it any more awful for a victim than it already is. If someone's computer has been compromised, you don't want to slam them again with a counterattack... What kind of online community would this lead to?''

Dunham adds that he'd be interested to find out what would happen if a computer on a military network was compromised and used in a denial-of-service attack. The company that launched a counterattack against that machine might find itself in a situation it hadn't expected.

Symbiot executives say they'll release more information about their product the closer they get to the release day, which is scheduled for March 31.

Want to talk about this topic? Go to our IT Management Forum: http://forums.datamation.com/forumdisplay.php?s=&forumid=1

Share:
Home
Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved