Focus on IDS
An insider attack scenario Jun 10 2009 03:24PM
pamaclark yahoo com (8 replies)
Re: An insider attack scenario Jun 16 2009 09:56AM
Daniel, Akos (a daniel drillisch-telecom de)
Re: An insider attack scenario Jun 11 2009 10:05AM
Nick Besant (lists hwf cc)
Re: An insider attack scenario Jun 10 2009 07:59PM
Todd Haverkos (infosec haverkos com)
Re: An insider attack scenario Jun 10 2009 07:04PM
Tommy May (tommymay comcast net)
Re: An insider attack scenario Jun 10 2009 07:03PM
Joel Esler (eslerj gmail com)
Re: An insider attack scenario Jun 10 2009 05:55PM
Jeremy Bennett (jeremyfb mac com)
Re: An insider attack scenario Jun 10 2009 05:46PM
Ron Gula (rgula tenablesecurity com)
Re: An insider attack scenario Jun 10 2009 05:12PM
Thrynn (thrynn404 gmail com)
Since we are being hypothetical:

- The company would likely place the sensors where they would have
visibility on the highest valued targets, the things someone would
want to attack. The "unmonitored" segments would be things like user
desktops. They would then use their firewalls and switches to manage
traffic between the unmonitored segments and the high value areas.

The real insider threat (at least as I view it) is when someone
leverages their legitimate access to do something nefarious. Think
about pilfering through a database to copy the info, or find something
cool (celebrities/vip/etc records)...or the email admin reading
people's mail. Their purpose isn't to attack and root the box; they
already have access. They are just abusing their power.

In your scenario, I suppose you could attack and take over a coworker's
desktop and then gain access to the database or whatever you are after
(through the use of their credentials).

In these situations, signatures and anomaly detectors are probably
going to be blind, as the traffic looks legit (other than the desktop
to desktop attack).

This seems like a case where IDS/IPS is the wrong tool for the job.

On Wed, Jun 10, 2009 at 11:24 AM, <pamaclark (at) yahoo (dot) com [email concealed]> wrote:
> Hi,
> I'm new to IDS/IPS...
> Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staff restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right?
> So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. This means I will know which sub-networks are monitored and which are not, right? So I can launch attacks on those unmonitored network segments without being detected.
> Does this sound plausible? And what current IDS/IPS technologies can be used against this?
> Thanks

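As an added example that is not part of the original thread or of any participant's post: the reply above makes two points, that a workstation-to-workstation attack is the only part of the scenario that does not look like legitimate traffic, and that an insider using valid credentials is invisible to network signatures. The script below shows what a practitioner would look at instead of a sensor in the path: flow records exported by the switches and firewalls (which see every segment whether or not an IDS does), and the database's own audit log, scoring each account's reads against that account's history. The address ranges, the flow tuples, the audit-log format and the threshold values are all constructed for this example, not taken from the thread.

```python
"""
Two sensor-independent checks for the insider scenario discussed above.

1. lateral_flows: from switch/firewall flow records, flag any connection
   where both endpoints are user desktops. Peer-to-peer desktop traffic is
   rarely legitimate in a managed office network, so this catches the
   "attack a coworker's desktop" step even on an unmonitored segment.
2. excessive_reads: from the database audit log, flag a query that returns
   far more rows than the same account's own earlier queries. The traffic
   is legitimate (valid credentials, normal protocol), so only the
   application-level volume gives it away.

All data below is constructed for illustration.
"""
from collections import defaultdict
import ipaddress
import statistics

# Hypothetical addressing: user desktops live in 10.20.0.0/16; servers
# (the sensor-covered segment) live in 10.1.0.0/24.
WORKSTATION_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow records: (src, dst, dport, proto)
FLOWS = [
    ("10.20.4.15", "10.1.0.10", 1433, "tcp"),   # desktop -> DB server, normal
    ("10.20.4.15", "10.20.7.22", 445, "tcp"),   # desktop -> desktop, suspicious
    ("10.20.7.22", "10.1.0.10", 1433, "tcp"),   # victim desktop -> DB, looks normal
    ("10.20.7.22", "10.1.0.53", 53, "udp"),     # desktop -> DNS server, normal
]

# Constructed DB audit lines in time order: timestamp, account, table, rows returned.
AUDIT_LOG = """\
2009-06-08T09:12:01 user=alice table=customers rows=40
2009-06-08T09:40:13 user=alice table=customers rows=35
2009-06-08T10:02:44 user=bob table=customers rows=12
2009-06-09T09:05:19 user=alice table=customers rows=52
2009-06-09T11:30:00 user=bob table=customers rows=9
2009-06-09T14:12:07 user=alice table=customers rows=44
2009-06-10T09:00:31 user=bob table=customers rows=15
2009-06-10T16:45:09 user=bob table=customers rows=250000
"""


def is_workstation(ip):
    """True if the address falls inside one of the desktop ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)


def lateral_flows(flows):
    """Return every flow whose source and destination are both desktops."""
    return [f for f in flows if is_workstation(f[0]) and is_workstation(f[1])]


def parse_audit(text):
    """Parse 'ts key=value key=value ...' lines into dicts; rows becomes an int."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({"ts": ts, "user": kv["user"],
                       "table": kv["table"], "rows": int(kv["rows"])})
    return events


def excessive_reads(events, factor=10, min_history=3):
    """Per account, compare each query's row count with the median of that
    account's earlier queries. Returns (user, ts, rows, median) for queries
    returning more than `factor` times the account's own median. Accounts with
    fewer than `min_history` earlier queries are not scored, so a brand-new
    account does not trip the check on its first query. Events must be in
    time order."""
    history = defaultdict(list)
    hits = []
    for ev in events:
        prior = history[ev["user"]]
        if len(prior) >= min_history:
            med = statistics.median(prior)
            if ev["rows"] > factor * med:
                hits.append((ev["user"], ev["ts"], ev["rows"], med))
        prior.append(ev["rows"])
    return hits


if __name__ == "__main__":
    for f in lateral_flows(FLOWS):
        print("desktop-to-desktop flow:", f)
    for user, ts, rows, med in excessive_reads(parse_audit(AUDIT_LOG)):
        print(f"{ts} {user} returned {rows} rows (account median {med})")
```

With the constructed data, the only flagged flow is the 10.20.4.15 to 10.20.7.22 connection on port 445, and the only flagged read is bob's 250000-row query against a personal median of 12. alice's 44-row query on 2009-06-09 is within her own range and is not reported. The per-account baseline is the important design choice: a fixed global threshold would either miss a low-volume account being drained or constantly fire on a reporting account that legitimately pulls large result sets.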


Copyright 2010, SecurityFocus