Focus on IDS
An insider attack scenario Jun 10 2009 03:24PM
pamaclark yahoo com (8 replies)
AW: An insider attack scenario Jun 16 2009 09:56AM
Daniel, Akos (a daniel drillisch-telecom de)
Re: An insider attack scenario Jun 11 2009 10:05AM
Nick Besant (lists hwf cc)
Re: An insider attack scenario Jun 10 2009 07:59PM
Todd Haverkos (infosec haverkos com)
Re: An insider attack scenario Jun 10 2009 07:04PM
Tommy May (tommymay comcast net)
In many deployments, the management interfaces are in a different logical zone than those interfaces which are actually monitoring vs. inspecting... So I would say that while there is some plausibility to your scenario, it's really in the configuration and deployment strategy of the IDS/IPS that allows it to go undetected. In a nutshell, an insider never really knows where the true "monitor windows" are without sufficient need to know (operational support role, etc.), especially if the IDS is configured to not do reverse DNS lookups, as it should be.

Tommy

----- Original Message -----
From: pamaclark (at) yahoo (dot) com [email concealed]
To: focus-ids (at) securityfocus (dot) com [email concealed]
Sent: Wednesday, June 10, 2009 11:24:44 AM GMT -05:00 US/Canada Eastern
Subject: An insider attack scenario

Hi,

I'm new to IDS/IPS...

Suppose a company has a large network, which is divided into several sub-network segments. Due to financial or staffing restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right?

So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. That means I will know which sub-networks are monitored and which are not, right? So that I can launch attacks on those unmonitored network segments without being detected.

Does this sound plausible? And what current IDS/IPS technologies can be used against this?

Thanks

Re: An insider attack scenario Jun 10 2009 07:03PM
Joel Esler (eslerj gmail com)
Re: An insider attack scenario Jun 10 2009 05:55PM
Jeremy Bennett (jeremyfb mac com)
Re: An insider attack scenario Jun 10 2009 05:46PM
Ron Gula (rgula tenablesecurity com)
Re: An insider attack scenario Jun 10 2009 05:12PM
Thrynn (thrynn404 gmail com)