Offensive and defensive cyber security capabilities are in much demand these days. While defensive cyber security capabilities can keep the cracker at bay to a great extent, offensive cyber security strikes can go further and reduce the possibility of continuous cyber attacks by such crackers.
Adopting defensive cyber security capabilities alone would not serve the purpose at all. For instance, malware is comfortably evading anti-virus software as browser-based malware grows. In fact, we cannot rule out the use of anti-virus updates themselves as a potential tool to install malware, steal information and launch cyber warfare attacks.
A basic analysis of cyber security vulnerability has revealed that the internet is full of unprotected and unsafe devices, SCADA systems and computers. Anybody can take advantage of these unsecured systems, and it is very difficult to pinpoint a particular individual, company or nation behind such a cyber attack.
We cannot label China as the cyber attacks and cyber crimes villain of the world for every sophisticated cyber attack that takes place in cyberspace. The issues of cross-border cyber attacks, authorship attribution and cyber crime convictions must be resolved first before blaming a person, organisation or nation.
There is no international harmonisation or regulatory framework for areas like cyber law, cyber security, cyber terrorism, cyber warfare, cyber espionage, etc., and even the Tallinn Manual on international law is not applicable to international cyber warfare attacks and defence.
In these circumstances, offensive cyber security, or counterstrike through aggressive defence, becomes a good option. One such idea was recently implemented by a Russian researcher who built an aggressive honeypot to test the ability to hack back and reverse-penetrate cyber attackers. The researcher found that it is not only easy to build a honeypot that attacks back, but that it was also relatively simple to gather the attackers' network adapter settings, trace routes and login names.
The trap was specifically set for SQL injection attacks. The researcher used two basic lures for potential attackers on the site: a PHP-based honeypot server that included a social engineering element, and an automated attack that grabbed the attacker's email address if he or she used one of two Russian email services, mail.ru and yandex.ru, by exploiting now-patched vulnerabilities in those services.
Grabbing the attackers' internal IP addresses and resources, scanning for their files and BSSIDs, and making audio and video recordings from their laptops, among other things, are also possible with the attacking honeypot.
At Perry4Law Organisation and Perry4Law's Techno Legal Base (PTLB) we believe that the concepts of counterstrike through aggressive defence and private defence in cyberspace presuppose the adoption and use of information technology to produce legitimate and legalised disabling and reasonably destructive effects. Some adopted measures completely destroy the functioning of the offending computer, while others simply disable the computer for the time being by either shutting it down or making it temporarily non-functional.
Thus, to gain public support and legitimacy, the adopted measure must be "proportionate" to the harm that could have been caused had that measure not been adopted. For instance, shutting down the computer of the person using the malware is permissible, whereas the destruction or procurement of data and information stored in that computer which has no connection or association with the malware may not be commensurate with the protection requirements.
Such destruction or procurement of data may be unlawful and perhaps exceed the limits of self-defence. Thus, the technology adopted must not only be safe and effective, but it must also be "legal and law-abiding".
A countermeasure that is not accurate and law-abiding would be a remedy worse than the malady, and hence it should be avoided. For instance, if a virus has been launched using a public server, then disabling that server would unnecessarily harass its genuine and legitimate users and deny them the services to which they are otherwise entitled. Thus, the countermeasure adopted must be targeted to the task and not disproportionate to the injury sought to be remedied.
Source: CECSRDI.