Focus on IDS
An insider attack scenario Jun 10 2009 03:24PM
pamaclark yahoo com (8 replies)
Re: An insider attack scenario Jun 10 2009 05:46PM
Ron Gula (rgula tenablesecurity com)
On 6/10/2009 11:24 AM, pamaclark (at) yahoo (dot) com wrote:
> Hi,
>
> I'm new to IDS/IPS...
>
> Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staff restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right?
>
> So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. That means I will know which sub-networks are monitored and which are not, right? So I can launch attacks against those unmonitored network segments without being detected.
>
> Does this sound plausible? And what current IDS/IPS technologies can be used against this?
>
> Thanks
>

What you describe is very plausible. However, a lot of modern enterprise
networks have some sort of other technologies to complement their NIDS
(or lack of a NIDS) deployment. These technologies could include:

- netflow/anomaly detection
- web application firewalls
- log analysis tools
- host based IDSes on servers
- firewalls

So the real question might not be if they have or don't have a NIDS, it
might be if anyone in that part of the network is actually looking and
monitoring events for insider attacks, worm outbreaks, etc.

Ron Gula
Tenable Network Security

Copyright 2010, SecurityFocus