Lance Spitzer is doing what most CIOs and CSOs can't afford to do. As the founder of the Honeynet Project, a three-year-old nonprofit research group, he is sitting back and watching the hackers, just to see what they'll dream up next.

The latest? Automated credit card fraud. The bad guys (that's Spitzer's technical term) can go to an automated network of e-commerce sites controlled by hackers and punch in a stolen credit card number. If the number has been used on any of the hacked sites, the network automatically retrieves the name, address and purchase history of the unlucky credit card holder, making it easier to commit further fraud.

Spitzer, whose day job is with Sun Microsystems, knows this is happening because one of the Windows 2000 computers that make up the Honeynet Project was used for this very purpose by a hacker who had access to more than 15,000 computers. But aside from alerting the CERT Coordination Center, the industry group that tracks such things, researchers at the Honeynet Project just observed the hacker's exploits. That's the idea behind the project: to set up a network of what are known as honeypots, bogus computers that don't need to be defended, so that security experts can study how the hacking community operates if left unchecked.

"With honeypots, there's no production activity or authorized action, so if anybody interacts, you know they're being naughty," Spitzer says, using another technical term. "It's one of the very few cases where you can take an offensive approach."

The idea of going on the offensive against hackers is not entirely new, but these days it seems to be gaining some momentum. In fact, the latest buzzword in information security is "intrusion prevention," which vendors are positioning as a replacement for intrusion detection systems. The idea behind an intrusion prevention system (IPS) is to stop an attack, not just detect it. (Sounds a bit like what firewalls were supposed to do, huh?)
"If two guys showed up in masks and with guns, you wouldn't just record them on a videotape," points out Ken Tyminksi, vice president and CISO of Prudential Financial, Inc., who is currently deploying a system from Information Security Systems.

Not that long ago, the idea of an offensive defense seemed, well, offensive. Tim Mullen, CIO of the security software vendor AnchorIS, was lambasted last winter for presenting a paper about how companies might disable computers that launch malicious code. This is a highly controversial tactic, because of the very real possibility of attacking a computer system whose owners themselves are the victims of a hacker. But even as the hate mail subsided, Mullen was quietly working on a product, now in demo, that allows companies to strike back against computers on their own networks that have been infected with malicious code.

"Now with the Enforcer product that you deploy within your own network, you can do whatever you want, knowing that you own that asset," Mullen explains.

Spitzer, for one, has a simpler idea. He suggests that CIOs and CSOs think about deploying what he calls "honey tokens." These might be phony patient records at a hospital, or even simply a word processing file named "HR-salaries" that's stored in a restricted part of the network. If anyone tries to access the files, the security team knows the person is up to no good, ideally long before the trespasser does any real damage.

In other words, the best defense really might be better offense. Who knew?
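The honey-token idea above can be monitored with very little logic, because any access to a decoy counts as a hit. The sketch below is an added example, not code from the article or the Honeynet Project; the log format, paths, account names and the separate handling of automation accounts are assumptions constructed for illustration.

```python
import posixpath
from collections import OrderedDict

# Decoy paths: constructed for this example; the article names only "HR-salaries".
HONEY_TOKENS = {"/srv/share/restricted/hr-salaries.doc"}
# Assumption: service accounts that touch every file (backup, indexing) are
# flagged separately so they do not drown out real hits.
AUTOMATION_ACCOUNTS = {"svc-backup"}

# Constructed file-access records: "timestamp user action path".
SAMPLE_LOG = """\
2024-05-01T02:00:11Z svc-backup READ /srv/share/restricted/HR-salaries.doc
2024-05-01T09:14:02Z alice READ /srv/share/public/handbook.pdf
2024-05-01T09:20:45Z bob OPEN /srv/share/restricted/../restricted/HR-salaries.doc
2024-05-01T09:21:03Z bob READ /srv/share/restricted/hr-salaries.doc
garbled line
2024-05-01T11:02:30Z carol READ /srv/share/restricted/budget.xls
"""

def normalize(path):
    """Collapse '..' and case (assumes a case-insensitive share) before matching."""
    return posixpath.normpath(path).lower()

def find_honey_token_hits(log_text):
    """Return {user: {"first_seen", "count", "automation"}} for decoy touches."""
    hits = OrderedDict()
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip malformed records instead of crashing the monitor
        timestamp, user, _action, path = parts
        # No allowlist of "legitimate" actions: nobody has a reason to touch a decoy.
        if normalize(path) not in HONEY_TOKENS:
            continue
        entry = hits.setdefault(user, {"first_seen": timestamp, "count": 0,
                                       "automation": user in AUTOMATION_ACCOUNTS})
        entry["count"] += 1
    return hits

def alerts(log_text):
    """Users whose decoy access should go to the security team."""
    found = find_honey_token_hits(log_text)
    return [user for user, hit in found.items() if not hit["automation"]]

if __name__ == "__main__":
    for user, hit in find_honey_token_hits(SAMPLE_LOG).items():
        print(user, hit)
```

Other files in the restricted folder produce no hit here; only the decoy does, which is what keeps the signal low-noise.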