well worth reading djf Computer network security: "Symbiot on the Rules of Engagement"

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Thu, 11 Mar 2004 09:45:22 -0500 (EST)
From: Andy Oram <andyo () oreilly com>
Subject: Computer network security: "Symbiot on the Rules of Engagement"
To: Dave Farber <dave () farber net>

http://www.onlamp.com/pub/a/security/2004/03/10/symbiot.html

   by [93]Andy Oram
   03/10/2004

   A few days ago, [94]Symbiot Security released news of a controversial
   new defensive computer security service and placed a stake in the
   ground of enterprise security with a white paper titled "On The Rules
   of Engagement." Essentially, the new rules would allow victims of
   network-based attacks to plan and execute countermeasures--effectively
   fighting back. Andy Oram from the O'Reilly Network engaged the chief
   officers of the company in an interview about this innovative new
   service.


   Oram: What is the thrust of your new security technology? How does it
   differ from conventional, defensive security?

   Symbiot: Symbiot's main iSIMS offering is delivered as a subscription
   service complete with on-site hardware, ongoing service, technical
   support, system maintenance, and vulnerability updates. Importantly, a
   subscription provides regular updates to our Symbiot.NET knowledgebase
   of attacker profiles, which not only keeps tabs on the activities of
   attackers worldwide, but also maintains shared-risk metrics scores.

   For several years, Symbiot has been researching and developing a
   system that allows corporations to measure the effectiveness of their
   organization's security posture. Our system relies on a uniform,
   portable, standardized measure of threat, which we call a 'risk
   score'. This metric is expressed as a three-digit number and bears
   considerable similarity to a credit score provided by Experian or TRW.
   These risk scores are used throughout our system and provide the
   accountability, consistency, and standardization that we've found
   lacking with the deployment of nearly all security solutions today.

   Merely erecting defensive walls around the perimeter of an enterprise
   network is not an adequate deterrent in today's hostile climate.
   Symbiot's technology allows companies to plan and execute the
   appropriate countermeasures, and respond to hostile network attacks.
   Our strategy has been developed by applying the wisdom gained from
   centuries of military operations, diplomatic relations, and legal
   recourse to provide practical business solutions for the enterprise.

   Our technology is different from existing security solutions because,
   to date, no company has delivered a system to the commercial
   marketplace that has the ability to strike back against network-based
   attacks. Our technology's counterstrike capacity is not constrained,
   but instead follows a military model for applying a "graduated
   response" against malicious attackers.

   Oram: You describe the response to your "Rules of Engagement" white
   paper as favorable, with many people saying, "It's about time!" To
   what do you attribute that visceral, gut reaction? (I will return to
   the social implications of the reaction at the end.)

   Symbiot: Network-based attacks are not victimless crimes. When the
   CIO/CSO of a major corporation fails to defend their network from an
   attack, and that attack is successful, they are held accountable to
   management, the board of directors, and the company's shareholders.
   Government regulations like HIPAA and Sarbanes-Oxley have raised the
   stakes for CIO's and CSO's everywhere, with accountability issues
   being the subject of media and regulatory scrutiny.

   When an enterprise network gets attacked, that represents an assault
   on the livelihood of the people responsible for the network. They can,
   and do lose their jobs over security breaches and compromised customer
   data.

   The "visceral, gut reaction" probably comes from the fact that until
   now, companies have had to sit back and see billions of dollars of
   damage done to the infrastructures of enterprise without having the
   opportunity to respond. Symbiot has effectively leveled the playing
   field and is picking up the support of businesses no longer willing to
   be victims in an information warfare campaign.

   We think [98]Tim Mullen echoed the sentiment of much of the IT
   security community when he said, "The moment that I begin to incur
   costs, or the integrity of services that I pay for is reduced by any
   degree, is the moment that I have the right to do something about it."

   Oram: What is some major attention and press coverage you have
   received from your press release and white paper?

   Symbiot: Already, we've had countless visitors come to our web site
   and download the white paper since we published it. Particular
   interest is being shown by large enterprises, and, not surprisingly,
   from the government and military sector. We've also received numerous
   emails, requests for product demonstrations, and media requests, even
   a few television appearances. We are ecstatic over the response and
   look forward to taking advantage of these opportunities as well as
   others as they arise.

   Oram: Is it fair to compare your technologies to the threats by large
   copyright holders that they could enter and damage computer systems
   hosting unlawful copies of copyrighted material? How about the
   self-help provisions of UCITA, which would allow software vendors to
   disable their software while it runs on their customers' systems? Or
   even the possibility (which the U.S. Department of Defense is
   reportedly acting on) of carrying on cyber-war by trying to disrupt
   and disable support systems within an enemy country? Are these
   precedents for your system?

   Symbiot: No, the copyright issues are not network-borne attacks. We
   have not built a system that allows companies to point at a random
   target and "pull the trigger". Our technology is a means for
   justifiable self-defense of an enterprise network under attack. Our
   solutions are not designed or developed to tackle the huge issues
   surrounding DRM, software piracy, or general copyright abuse.

   Our solutions provide enterprise customers with new means for
   defending their network assets. Our process draws on Daniel Webster's
   lawful military doctrine of necessity and proportionality. Which, in
   essence, says if someone is attacking you, you don't have time to
   debate the issue. You have a need to respond in kind. Most
   importantly, we weigh the response in proportion to the attack.

   Oram: How do you make sure you are targeting the originator (and a
   purposeful, malicious originator at that) of an attack? How do you
   avoid troubling innocent users whose addresses were spoofed or who
   might be part of an unknown DDOS attack? In fact, how do you defend
   against abuse and the kind of escalation of information warfare
   whereby attackers try to attack an innocent site by triggering a
   response against it by one of your customers?

   Symbiot: Although this hasn't been addressed in the enterprise, in
   government this is referred to as "Attacker Attribution." We maintain
   a central repository of attacker profiles, Symbiot.NET, which is based
   on the cooperative surveillance and reconnaissance gathered by our
   customers. This provides a historical record of attackers, their
   methods, and their intent, which serves to aid in properly identifying
   the source of malicious attacks. By applying "triangulation" to the
   attack and looking at it from several different customer endpoints, we
   can determine the appropriate countermeasures to deploy.

   In regards to spoofed attacks, when there is no positive
   identification of the attacker (that is, we cannot positively
   attribute an attack back to its source), deploying defensive
   countermeasures and reporting intelligence would be most appropriate.
   However, this decision (and the power to initiate an offensive
   countermeasure) ultimately resides in the hands of our customer.

   Oram: Let's describe the system a little bit more, then. You
   accumulate reports from your customers of suspicious behavior and
   eventually identify networks that you are certain are originators of
   attacks?

   Symbiot: That is how the attacker profiling works within our system.
   The risk scores we spoke to earlier are constantly adjusted by reports
   stemming from all over the world. Our profiling techniques use a
   combination of factors to achieve strong correlation; especially after
   long-term surveillance has been conducted. In addition, customers not
   only receive the risk score being transmitted by a company in real
   time, but they can compare that score to Symbiot.NET's records for
   validation prior to the authorization of any network transaction.

   Oram: How can your customers marshal enough resources to deliver a
   credible response to an attacker? Doesn't this mean you have to be
   bigger than the attacker (by a lot!)?

   Symbiot: No, you do not necessarily have to be bigger than the
   attacker. Symbiot's customers are empowered with the ability to mount
   multilateral responses. For example, let's look at known attackers who
   target the financial services sector. They often mount organized
   attacks against businesses within that sector. Those businesses are
   now able to coordinate a multilateral effort against the
   attackers--effectively combining their resources and working together
   to address a common threat.

   Companies should not be considered aggressors by merely using
   Symbiot's counter-strike capabilities to respond to network-based
   threats. Our graduated response determines how aggressive a
   countermeasure should be. Furthermore, corporate policies will bind
   the individuals using our technology to be accountable for their
   actions.

   Oram: So, you are combining the power of your customers and focusing
   it upon an attacker, rather like how the inhabitants of a frontier
   town organized a posse to go after a band of robbers?

   Symbiot: Not at all, posses never had to respond to threats in real
   time. They were largely reactionary forces used to track down
   criminals fleeing from justice. Our system doesn't allow or support
   this type of action; it simply empowers customers to mount a
   supportable response at the moment they are being attacked and their
   network assets are placed at risk.

   Oram: Could your attack hurt innocent victims, such as ISPs or hubs
   that have to carry the increased traffic along its way, or (as
   mentioned earlier) unwitting perpetrators of a DDOS attack? Perhaps
   the perpetrator has opened a temporary account that he can abandon at
   small inconvenience to himself, and melt away while letting his host
   bear the brunt of the response. Is there no such thing as an innocent
   bystander any more?

   Symbiot: There is always the possibility of collateral damage.
   Intermediaries such as ISPs are already caught in the middle when one
   of their customers is engaged in, or is the target of a network-based
   attack. Our philosophy is most certainly not one of "shoot first and
   ask questions later." However, when a zombied host or an infected
   computer has been clearly identified as the source of an attack, it is
   our responsibility to empower customers to defend themselves. An
   infected machine, one no longer under the control of its owner, is no
   longer an innocent bystander.

   Oram: Something's going to go wrong sometime. Who bears legal
   liability? Could your company, as service provider or vendor, be
   dragged into a lawsuit or a criminal proceeding over an unjust attack
   carried out by a customer because of misconfiguration or poor
   judgment? By coordinating customer responses, you maintain some
   control over the delivery of the attack. That would seem to make you
   squarely responsible for any legal questions raised by it.

   Symbiot: The legal environment surrounding the use, misuse, and
   operation of a system for active network self-defense has many
   unexplored issues. However, the legal liability is borne by the
   attacker. The determination of how to respond and what strength to
   apply is controlled by the system's operator. The legal implications,
   jurisdiction, and liabilities arising from the system's use are
   presently very important for us all to consider. There are several
   levels of decision involved in executing countermeasures, each with
   its own chain of accountability.

   Oram: It seems that no single customer can flag a site as an attacking
   site. The identification of attackers grows from information gathered
   from multiple sources. Is that protection against the possibility of
   launching a counter-attack against a site that doesn't deserve it?

   Symbiot: Very much so! For any well-measured and justifiable action to
   be taken against another network presence, we feel that a robust
   collection of evidence, with a strong chain of custody must be
   collected and relied on. It is very important that the proper
   procedures are being followed when planning and executing
   countermeasures.

   Oram: Here's the social implications question. The gusto with which
   many readers greeted your paper seems to reveal a reservoir of
   vindictiveness within society. It is reminiscent of the U.S. war on
   Afghanistan after the September 11, 2001 attacks--a war that had clear
   practical goals, but was also meant to prove that "America could still
   stand tall." Do the free-floating fears over terror and crime in the
   twenty-first century get wrapped up in your proposal and its positive
   reception by many people?

   There are clearly social implications here. We believe greater
   corporate accountability implies a greater responsibility to society.
   With the number of malicious attacks increasing exponentially, people
   are no longer willing to be victimized. In that sense, the
   psychological dimension to our approach and its reception by the
   public has to do with accountability. Which is why we are developing
   and publishing new Rules of Engagement.

   As a company, Symbiot is looking primarily at corporate conflicts in
   transnational contexts, that is, across many jurisdictions. We have
   counterstrike technology that, at the end of the day, will force both
   sides to come to the table and negotiate a resolution. Most of the
   time, however, situations do not escalate to force; instead the threat
   of force empowers civil resolutions. Law does not exist without threat
   of force.

   "What causes opponents to come of their own accord is the prospect of
   gain. What discourages opponents from coming is the prospect of harm."
   --Sun Tzu, Art of War, first century, A.D.

   [99]Andy Oram is an editor at O'Reilly & Associates, specializing in
   books on Linux and programming. Most recently, he edited
   [100]Peer-to-Peer: Harnessing the Power of Disruptive Technologies.
     _________________________________________________________________

       Copyright © 2000-2004 OReilly Media, Inc. All Rights Reserved.
     All trademarks and registered trademarks appearing on the O'Reilly
            Network are the property of their respective owners.
              For problems or assistance with this site, email

References

  93. http://www.onlamp.com/pub/au/36
  94. http://symbiot.com/
  98. http://securityfocus.com/columnists/203
  99. http://www.onlamp.com/pub/au/36
 100. http://www.oreilly.com/catalog/peertopeer/

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/