An increasing number of large companies are arming themselves with systems designed to launch debilitating counteroffensives when attacks are detected, according to a security study to be released next month.

In an 18-month study of 320 Fortune 500 companies, 30 percent said they have installed software capable of launching counterattacks after suffering security breaches, according to WarRoom Research president Mark Gembicki, an author of the study.

The report, titled "Corporate America's Competitive Edge," focuses on security and business intelligence practices. Gembicki will share preliminary findings at several conferences next week in the Washington, D.C., area.

The method known as "strikeback" gained wider attention during the past few months as the Pentagon reportedly thwarted a series of attacks with software that disabled browsers used by the attackers.

Strikeback runs the gamut from passive collection of information about hackers to deter further intrusion to a "Ping of Death" and flooding a hacker's system beyond its capacity, both of which shut down the hacker's system. Strikeback can even be escalated to the network level, where a victimized company alerts its firewalls and routers to cut off all external access or to flood the hacker's system.

Users and security experts said there is a need for strikeback capabilities but also warn that taken too far it could pose serious legal and technical problems.

"The idea of striking back is good, but there are legal issues that need to be resolved," said Dean Rich, who heads network protection as vice president of security at an Internet technology developer.

For example, you must ensure that a counterstrike is aimed at the correct system.

Jeff Moss, the director of penetration services at Secure Computing Corp., said he agreed.

"I'm a big fan of using equal force. If someone hits you with a stick, hit him back with a stick," Moss said. "The Defense Department was right in defending itself. It didn't break into any machines nor did it delete files."

However, "the DOD was lucky it knew who was attacking and could get the right people," Moss said. "In many cases, you can't be completely sure of who's attacking."

Once a hacker detects a retaliation, he can forge the headers on packets and make it seem as though the attack is coming from another address or location, experts said. And if a company launches a countermeasure using hostile applets or code that denies services or wreaks havoc on an innocent user, the results could be disastrous.

Gembicki would not comment on whether any of the surveyed companies had actually inserted hostile applets to disable any attacker systems.

But he did say many companies would rather rely on their own strikeback capabilities than call in the FBI or state law enforcement agencies. They view strikeback as a right, just as the law protects physical self-defense by way of force, he said.

Security vendors are treading carefully, incorporating strikeback-like features in their products at a deliberate pace.

"Personally, I don't know of any [commercial] software in place that truly does strike back," Rich said. But he cited a case in which a company was being spammed through e-mail, and it returned fire by sending a denial of service that flooded the culprits' systems with traffic and virtually shut them down.

But any strikeback "certainly has to be done with caution," said Patrick Taylor, director of strategic business marketing at Internet Security Systems Inc.

The company's RealSecure intrusion detection system can send a command that kills a TCP/IP connection when an intrusion is detected. It also can e-mail an administrator or have an Internet service provider revoke an account that is launching an attack.

"It doesn't have the immediate gratification of [a person] saying 'Hey I blew that guy out of the water,' " Taylor said. But it can set the stage for a company to launch a more controlled counteroffensive, he added.

But it's an ominous sign if companies adopt an attitude of shoot first and ask questions later, said Drew Williams, manager of intrusion detection at computer security developer Axent Technologies Inc. A passive approach is better, he said, in which IT managers can gather complete information about the intruders and then strike.

Some reports have indicated that 80 percent of intrusions occur inside an organization, and 65 percent to 70 percent of those are mistakes, Williams said. It would be regrettable to launch a counterstrike against someone who has mistakenly keyed something, he added.

Gembicki agreed there should be controls on the use of strikeback technology. A code of ethics controls how government agencies such as the Pentagon use strikeback measures. However, many of the Fortune 500 companies are motivated by profits and protecting corporate assets.

"These companies are truly borderless" and are moving into uncharted territory, Gembicki said.

As a result, Rich expects to see "a lot of information security cases going to court in the next few years, and these [cases] will set the foundation."

-- Rutrell Yasin - 12/07/98