Symbiot on the Rules of Engagement

by Andy Oram

A few days ago, Symbiot Security released news of a controversial new defensive computer security service and placed a stake in the ground of enterprise security with a white paper titled "On The Rules of Engagement." Essentially, the new rules would allow victims of network-based attacks to plan and execute countermeasures--effectively fighting back. Andy Oram from the O'Reilly Network engaged the chief officers of the company in an interview about this innovative new service.

Oram: What is the thrust of your new security technology? How does it differ from conventional, defensive security?

Symbiot: Symbiot's main iSIMS offering is delivered as a subscription service complete with on-site hardware, ongoing service, technical support, system maintenance, and vulnerability updates. Importantly, a subscription provides regular updates to our Symbiot.NET knowledgebase of attacker profiles, which not only keeps tabs on the activities of attackers worldwide, but also maintains shared-risk metrics scores.

For several years, Symbiot has been researching and developing a system that allows corporations to measure the effectiveness of their organization's security posture. Our system relies on a uniform, portable, standardized measure of threat, which we call a 'risk score'. This metric is expressed as a three-digit number and bears considerable similarity to a credit score provided by Experian or TRW. These risk scores are used throughout our system and provide the accountability, consistency, and standardization that we've found lacking with the deployment of nearly all security solutions today.

Merely erecting defensive walls around the perimeter of an enterprise network is not an adequate deterrent in today's hostile climate. Symbiot's technology allows companies to plan and execute the appropriate countermeasures, and respond to hostile network attacks. Our strategy has been developed by applying the wisdom gained from centuries of military operations, diplomatic relations, and legal recourse to provide practical business solutions for the enterprise.

Our technology is different from existing security solutions because, to date, no company has delivered a system to the commercial marketplace that has the ability to strike back against network-based attacks. Our technology's counterstrike capacity is not constrained, but instead follows a military model for applying a "graduated response" against malicious attackers.

Oram: You describe the response to your "Rules of Engagement" white paper as favorable, with many people saying, "It's about time!" To what do you attribute that visceral, gut reaction? (I will return to the social implications of the reaction at the end.)

Symbiot: Network-based attacks are not victimless crimes. When the CIO/CSO of a major corporation fails to defend their network from an attack, and that attack is successful, they are held accountable to management, the board of directors, and the company's shareholders. Government regulations like HIPAA and Sarbanes-Oxley have raised the stakes for CIOs and CSOs everywhere, with accountability issues being the subject of media and regulatory scrutiny.

When an enterprise network gets attacked, that represents an assault on the livelihood of the people responsible for the network. They can, and do, lose their jobs over security breaches and compromised customer data.

The "visceral, gut reaction" probably comes from the fact that until now, companies have had to sit back and see billions of dollars of damage done to the infrastructures of enterprise without having the opportunity to respond. Symbiot has effectively leveled the playing field and is picking up the support of businesses no longer willing to be victims in an information warfare campaign.

We think Tim Mullen echoed the sentiment of much of the IT security community when he said, "The moment that I begin to incur costs, or the integrity of services that I pay for is reduced by any degree, is the moment that I have the right to do something about it."

Oram: What major attention and press coverage have you received from your press release and white paper?

Symbiot: Already, we've had countless visitors come to our web site and download the white paper since we published it. Particular interest is being shown by large enterprises, and, not surprisingly, from the government and military sector. We've also received numerous emails, requests for product demonstrations, and media requests, even a few television appearances. We are ecstatic over the response and look forward to taking advantage of these opportunities as well as others as they arise.

Oram: Is it fair to compare your technologies to the threats by large copyright holders that they could enter and damage computer systems hosting unlawful copies of copyrighted material? How about the self-help provisions of UCITA, which would allow software vendors to disable their software while it runs on their customers' systems? Or even the possibility (which the U.S. Department of Defense is reportedly acting on) of carrying on cyber-war by trying to disrupt and disable support systems within an enemy country? Are these precedents for your system?

Symbiot: No, the copyright issues are not network-borne attacks. We have not built a system that allows companies to point at a random target and "pull the trigger". Our technology is a means for justifiable self-defense of an enterprise network under attack. Our solutions are not designed or developed to tackle the huge issues surrounding DRM, software piracy, or general copyright abuse.

Our solutions provide enterprise customers with new means for defending their network assets. Our process draws on Daniel Webster's lawful military doctrine of necessity and proportionality, which, in essence, says that if someone is attacking you, you don't have time to debate the issue. You have a need to respond in kind. Most importantly, we weigh the response in proportion to the attack.

Oram: How do you make sure you are targeting the originator (and a purposeful, malicious originator at that) of an attack? How do you avoid troubling innocent users whose addresses were spoofed or who might be part of an unknown DDOS attack? In fact, how do you defend against abuse and the kind of escalation of information warfare whereby attackers try to attack an innocent site by triggering a response against it by one of your customers?

Symbiot: Although this hasn't been addressed in the enterprise, in government this is referred to as "Attacker Attribution." We maintain a central repository of attacker profiles, Symbiot.NET, which is based on the cooperative surveillance and reconnaissance gathered by our customers. This provides a historical record of attackers, their methods, and their intent, which serves to aid in properly identifying the source of malicious attacks. By applying "triangulation" to the attack and looking at it from several different customer endpoints, we can determine the appropriate countermeasures to deploy.

In regard to spoofed attacks, when there is no positive identification of the attacker (that is, we cannot positively attribute an attack back to its source), deploying defensive countermeasures and reporting intelligence would be most appropriate. However, this decision (and the power to initiate an offensive countermeasure) ultimately resides in the hands of our customer.

Oram: Let's describe the system a little bit more, then. You accumulate reports from your customers of suspicious behavior and eventually identify networks that you are certain are originators of attacks?

Symbiot: That is how the attacker profiling works within our system. The risk scores we spoke to earlier are constantly adjusted by reports stemming from all over the world. Our profiling techniques use a combination of factors to achieve strong correlation; especially after long-term surveillance has been conducted. In addition, customers not only receive the risk score being transmitted by a company in real time, but they can compare that score to Symbiot.NET's records for validation prior to the authorization of any network transaction.

Oram: How can your customers marshal enough resources to deliver a credible response to an attacker? Doesn't this mean you have to be bigger than the attacker (by a lot!)?

Symbiot: No, you do not necessarily have to be bigger than the attacker. Symbiot's customers are empowered with the ability to mount multilateral responses. For example, let's look at known attackers who target the financial services sector. They often mount organized attacks against businesses within that sector. Those businesses are now able to coordinate a multilateral effort against the attackers--effectively combining their resources and working together to address a common threat.

Companies should not be considered aggressors by merely using Symbiot's counter-strike capabilities to respond to network-based threats. Our graduated response determines how aggressive a countermeasure should be. Furthermore, corporate policies will bind the individuals using our technology to be accountable for their actions.

Oram: So, you are combining the power of your customers and focusing it upon an attacker, rather like how the inhabitants of a frontier town organized a posse to go after a band of robbers?

Symbiot: Not at all; posses never had to respond to threats in real time. They were largely reactionary forces used to track down criminals fleeing from justice. Our system doesn't allow or support this type of action; it simply empowers customers to mount a supportable response at the moment they are being attacked and their network assets are placed at risk.

Oram: Could your attack hurt innocent victims, such as ISPs or hubs that have to carry the increased traffic along its way, or (as mentioned earlier) unwitting perpetrators of a DDOS attack? Perhaps the perpetrator has opened a temporary account that he can abandon at small inconvenience to himself, and melt away while letting his host bear the brunt of the response. Is there no such thing as an innocent bystander any more?

Symbiot: There is always the possibility of collateral damage. Intermediaries such as ISPs are already caught in the middle when one of their customers is engaged in, or is the target of a network-based attack. Our philosophy is most certainly not one of "shoot first and ask questions later." However, when a zombied host or an infected computer has been clearly identified as the source of an attack, it is our responsibility to empower customers to defend themselves. An infected machine, one no longer under the control of its owner, is no longer an innocent bystander.

Oram: Something's going to go wrong sometime. Who bears legal liability? Could your company, as service provider or vendor, be dragged into a lawsuit or a criminal proceeding over an unjust attack carried out by a customer because of misconfiguration or poor judgment? By coordinating customer responses, you maintain some control over the delivery of the attack. That would seem to make you squarely responsible for any legal questions raised by it.

Symbiot: The legal environment surrounding the use, misuse, and operation of a system for active network self-defense has many unexplored issues. However, the legal liability is borne by the attacker. The determination of how to respond and what strength to apply is controlled by the system's operator. The legal implications, jurisdiction, and liabilities arising from the system's use are presently very important for us all to consider. There are several levels of decision involved in executing countermeasures, each with its own chain of accountability.

Oram: It seems that no single customer can flag a site as an attacking site. The identification of attackers grows from information gathered from multiple sources. Is that protection against the possibility of launching a counter-attack against a site that doesn't deserve it?

Symbiot: Very much so! For any well-measured and justifiable action to be taken against another network presence, we feel that a robust collection of evidence, with a strong chain of custody must be collected and relied on. It is very important that the proper procedures are being followed when planning and executing countermeasures.

Oram: Here's the social implications question. The gusto with which many readers greeted your paper seems to reveal a reservoir of vindictiveness within society. It is reminiscent of the U.S. war on Afghanistan after the September 11, 2001 attacks--a war that had clear practical goals, but was also meant to prove that "America could still stand tall." Do the free-floating fears over terror and crime in the twenty-first century get wrapped up in your proposal and its positive reception by many people?

Symbiot: There are clearly social implications here. We believe greater corporate accountability implies a greater responsibility to society. With the number of malicious attacks increasing exponentially, people are no longer willing to be victimized. In that sense, the psychological dimension to our approach and its reception by the public has to do with accountability. Which is why we are developing and publishing new Rules of Engagement.

As a company, Symbiot is looking primarily at corporate conflicts in transnational contexts, that is, across many jurisdictions. We have counterstrike technology that, at the end of the day, will force both sides to come to the table and negotiate a resolution. Most of the time, however, situations do not escalate to force; instead the threat of force empowers civil resolutions. Law does not exist without threat of force.

"What causes opponents to come of their own accord is the prospect of gain. What discourages opponents from coming is the prospect of harm."
--Sun Tzu, Art of War, first century, A.D.

Andy Oram is an editor for O'Reilly Media, specializing in Linux and free software books, and a member of Computer Professionals for Social Responsibility. His web site is

