June 18, 2004
SAN JOSE, Calif. - In war, politics and sports, it's often said that the best defense is a strong offense. But the foot soldiers of computer security work differently: They scramble to build virtual walls that can blunt the impact of attacks. Now, a Texas company wants to bring vigilante justice to cyberspace.
Symbiot Security Inc. says its new Intelligent Security Infrastructure Management Systems not only defends networks but lets them fight back, too. Symbiot says the product is already in use in some corporate, government and military networks.
Though the notion of striking back against "bad guys" may satisfy primal urges, most security experts question whether retaliation will actually halt cyberattacks. Instead the skeptics worry that fighting back could trigger lawsuits, Internet traffic jams and more digital onslaughts.
Ideas about going on the offensive against Internet attackers "have been bounced around for a while," said senior analyst Jesse Dougherty of the security firm Sophos Inc. "But I don't think anyone has been foolhardy enough to actually form a company around the concept."
Until now, that is.
The offering, known as iSIMS, comes amid growing frustration over computer intruders. The U.S. government-funded CERT Coordination Center handled 137,529 computer security incidents in 2003, up from 82,094 last year and 52,658 in 2001.
Hackers, worms and data attacks are costing companies dearly and opening the door to identity theft and the loss of intellectual property.
"Make no mistake," reads a document on Symbiot's Web site, "we are in the midst of an information warfare conflict which we have not been fighting."
Symbiot's iSIMS consists of hardware, software and support services. Much of it is focused on traditional defensive measures, like blocking unwanted traffic or deflecting it to where it can do no harm. But it can also escalate the response and return fire.
In documents on the Austin, Texas, company's Web site, Symbiot advocates a gradual escalation of action based on the best information available and the customer's preference.
However, privately held Symbiot won't reveal what shape the most aggressive attacks might take. It also won't say whether any iSIMS clients, whom it will not name, have taken aggressive offensive measures. It did say, however, that iSIMS has been deployed on "several enterprise, government and military networks."
"When we're talking about this, the technical details become extremely important," said Tim Mullen, chief software architect of the secure accounting program maker AnchorIS.
Mullen, who has no relationship with Symbiot, says he supports striking back in certain situations.
A position paper attributed to Symbiot's executives and posted on its Web site broadly outlines the counter-strike philosophy. "On the Rules of Engagement for Information Warfare" says computer intrusions deserve a response in kind - including "asymmetric" countermeasures that can include flooding the attacking computers with data, rendering them Internet-blind, and other measures to neutralize the problem.
Such actions could be disastrous, experts say.
The Internet is made up of countless interconnected devices, and any innocent routers between the attacker and retaliator would suffer at least twice in a counterstrike. In most cases, the identity of the attacker isn't clear. Other times, the "attacker" could be thousands of computers whose users have no idea their machine is infected with a virus.
Symbiot said much of the criticism of iSIMS has been lodged by people who aren't familiar with the product. Still, its executives declined to reveal details, and turned down a request for a telephone interview. William Hurley II, Symbiot's vice president of corporate development, cited "demands to our schedule," though he did accept questions via e-mail and sent back answers, which he insisted be attributed to the company or to its management.
The responses mirrored the content of Symbiot's Web site, which describes the 18-employee company as "emerging as a leader" in security infrastructure management. The company described the initial response to iSIMS, which officially launched in April, as "overwhelming."
Symbiot said the system collects data from all its customers, tracks attacks and attackers, analyzes each incident for its potential monetary impact and offers a "risk score." The company says any decision to take action ultimately rests with its clients. It offers no legal indemnification.
Symbiot acknowledged that strong offensive responses are not appropriate for attacks that are difficult to track. But even cases where it's possible to track down an attacker can lead to trouble.
For instance, if a hacker takes advantage of vulnerabilities on multiple PCs to relay the assault through them, then the victim can trace it by exploiting the same vulnerabilities as the initial act.
"So you are in effect breaking into each of those systems as you follow this person back," said Adrian Vanzyl, chief executive of the security firm Seclarity Inc. "Are you legally liable for that? It's a very, very good question."
In the past, some attempts to fight fire with fire have misfired.
A week after the MSBlaster worm took advantage of unpatched Windows-based computers last August, a variant dubbed Welchia was released. It exploited the same flaw as MSBlaster but also attempted to install the patch that fixed the vulnerability.
As it did so, Welchia clogged networks even as it sought machines to fix.
"We've seen worms that have had major impact like causing delays in airline schedules, shutting down ATM machines, 911 systems and so on," said Dorothy Denning, a professor of defense analysis at the Naval Postgraduate School. "Putting any kind of worm out there would be dangerous."