Monday, June 13, 2005

Self Defending Networks, Aggressive Network Self-Defense, and Vigilantes on the net

Today is the one-year anniversary of my interview with NewScientist magazine on what, at the time, was the highly controversial subject of "countermeasures" technologies. The interview was one of many I did with Symbiot in response to the March 2004 release of the company's iSIMS (intelligent Security Infrastructure Management Software) technology.

I wanted to take a moment today to look back on the last year and review what has happened with the idea of "countermeasures" in general. In short, in the span of one year the world seems to have shifted from despising the concept to embracing it. Perhaps this is due in part to Symbiot's efforts with the OpenSIMS project to create an open source security infrastructure management system that serves as the framework for such technologies. By creating the project in the open source community with the Apache Software Foundation, perhaps some amount of credibility was given to the original concepts Symbiot created related to "countermeasures".

Want examples? Well in the last year Lycos launched it's now infamous "Make Love Not Spam" campaign, O'Reilly publishing started distributing the Syngress title, "Aggressive Network Self-Defense", and Cisco started product placement of "Self Defending Networks" on Fox. However, a great deal of this started with a discussion of "Vigilantes on the net" .

To really understand what has happened in the last year, we should look at the history of "striking back". Let's start with an understanding that the idea is not new. In December of 1999 Conxion, Inc. launched "counter strikes" against a denial of service attack on the World Trade Organization (WTO). This is probably the first documented incident of "counter measures" being used by a corporation in response to a network based attack. The event was the first in a "counter measures time-line" that shows the increasing interest, support, and controversy surrounding such technologies.

A glance at this timeline makes it clear that the idea of "striking back" has been around for some time. However, it is important to understand that I am not advocating striking back in all cases. I am a strong proponent of countermeasures being defined as a set of graduated responses that include (but are not limited to) "Strike Back" capabilities. This is evident in Symbiot's now famous (or infamous depending on your point of view) white paper "On the Rules of Engagement for Information Warfare.".

Personally, I would argue the concepts behind "countermeasures" started with the first attack on a network-based asset. It's also clear from the timeline that industry visionaries like Bruce Schneier (opposed to the idea) and Tim Mullen (a strong supporter) had given great thought to the idea of "striking back" far before Symbiot came along.

However, it can be argued that Symbiot brought this issue to the forefront and sustained visibility in the media long enough to help drive change in the industry and, more importantly, getting people to debate the subject. I see this as a result of our interviews, conferences, and white papers. Of course, it didn't hurt that so many are so polarized and passionate about the subject.

So one year to the day since my New Scientist interview explaining countermeasures, they have been publicly deployed by major corporations, shown helping counter terrorist attacks on our popular TV shows, become a popular topic in the technology press, and remain the subject of a heated (and healthy) debate. I like to think that Symbiot played a positive role in bringing this issue to the forefront and helping people understand what countermeasures really mean.

In my opinion, countermeasures aren't unjust and unfeasible; on the contrary, they're inevitable. However, to create effective countermeasures that everyone can agree to, a "Community Centric" approach to security has to exist. This means putting aside some of the differences that plague this debate and focusing on what is possible if people on both sides worked together towards a common goal. I mean hey, the hacking community does this far better job of collaboration than their counterparts in computer and network security. Until we work together, we're doomed to rebuild after each attack only to be attacked again and repeat the entire process over and over and over. Collaboration on the part of the world's security experts and authorities will put us on the right path to making the Internet a safer place for everyone.

Who knows—in the not so distant future, "countermeasures" (not "Strike Back" capabilities) may end up being a feature we all look for before deploying any security software. Perhaps tools with these features will come from collaborative efforts between the open source and security communities; which would give everyone equal input on their design, functionality, and ultimately their deployment. In the end a more secure, reliable, networking infrastructure is in the best interest of society as a whole. That's why I've made it one of my goals to do everything I can to move people towards a "Community Centric" approach to securing the assets we all depend on.


At 3:47 PM, Anonymous Anonymous said...

We certainly hope that active response will become a hot-button issue. IPS solutions (Hogwash is a great example) already offer a limited "self-defense" ability, but as network and information management applications gain more acceptance we gain the ability to gain a larger view of threats and attacks and the ability to make more informed responses. Please contact us if you're interested in our active response implementation.

-TriGeo Senior Product Architect

At 4:03 PM, Anonymous Derek Larnes said...

I can't wait until guys like you get your asses sued so that people will stop talking about this "hot button" issue.

No fortune 1000 company would ever do something like this _ever_...that simple.

At 4:14 PM, Anonymous Anonymous said...

p.s. "self-defense" (like an IP shun, shutting down your OWN workstations or servers) is not the same as "back-hacking"

I wish more people would read the entire article.

-- deleted in 5... 4... 3... 2...

At 5:36 PM, Anonymous Anonymous said...

"No fortune 1000 company would ever do something like this"

...except that they do.

At 6:47 PM, Blogger William Hurley said...

To the anonymous person who commented…

lol.. ^^ si teh sukx!

Please accept my apology as your original post was deleted on accident.


At 6:48 PM, Anonymous Anonymous said...

lol.. ^^ si teh sukx!

At 2:42 AM, Anonymous Anonymous said...

Aren't you concerned about the potential ramifications of companies adopting "Strike Back" processes as an option?

You can only knock out an opponent with DoS-style attacks if your bandwidth exceeds theirs. Therefore, the company with the most bandwidth potential is the superpower-- can you say "Arms Race?"

At 7:26 AM, Anonymous Anonymous said...

If you honestly think that the effectiveness of a DoS attack is limited to bandwidth, you need to read more. Many (most?) DoS attacks make use of vulnerabilities in the IP stack of a host. Ping floods haven't been effective since admins have learned to filter ICMP.

At 9:53 AM, Anonymous Anonymous said...

Great article. I like the concept, and any legal self-defending network is fair play. Hope to see more of this.

At 9:53 AM, Anonymous Anonymous said...

Great article. I like the concept, and any legal self-defending network is fair play. Hope to see more of this.

At 12:10 PM, Anonymous Anonymous said...

"No fortune 1000 company would ever do something like this"

...except that they do.


That's not surprising really, given that Fortune 1000 doesn't mean much. As an employee of a Fortune 50 company on the other hand, I would say that most of them are very unlikely to ever use something like this to attack outside hosts. Perhaps deploy something on internal networks to shutdown internal hosts, but the vast majority of Fortune 50 companies would not consider using something like this to shutdown outside hosts.

At 1:53 PM, Blogger Gary W. Longsine said...

Strike-back techniques are problematic from a legal and ethical perspective. Third parties might make damages claims if they get "caught in the crossfire" for example. This is the reason that most large companies and government agencies have policy in place for instant dismissal of employees and contractors who engage in cracking, scanning, or other such activities from the company network. It's dramatic and makes for exciting stories in the press, but it's unlikely to emerge as a mainstream technique for network defense.

Intrinsic Security is working to provide companies with better network defense based on less controversial but equally modern techniques. Our first product FireBreak AntiWorm is an Intrusion Suppression System using technology derived from honeypots, for example. We are happy to talk to security consultants who seek to bring effective security technology to your clients.

At 12:41 PM, Anonymous Anonymous said...

I think the world community is fortunate that an American bank has not been shut down because of a major attack, which in turn could cripple an economy.

Do you ever ask your bank, what is your contingency plan if you get hacked, attacked or infiltrated? Probably becuase they have something very minimal and ineffective.

Sept 11th came at a bad time for the US, a bubble was bursting. I think we have only seen a glimpse of the internet revolution, which I am sure we will have many more bubbles. Combine that with virtual terrorism and we will have something fun to deal with.

A country like Venezuala had many of their banks go bankrupt in the 90's it killed their economy. Why could it not happen to us? Just becuase we have federal insurance doesn't really protect us from anything.

Symbiot is exploring these issues, which I commend them for. It may not be the perfect solution, but it is driving the world community to discuss these issues openly.

Ahh the challenges of Globaliztion

A great start!


Post a Comment

<< Home