Focus on IDS
An insider attack scenario Jun 10 2009 03:24PM
pamaclark yahoo com (8 replies)
AW: An insider attack scenario Jun 16 2009 09:56AM
Daniel, Akos (a daniel drillisch-telecom de)
Hi,

Have you heard about NAC and HIPS?

http://en.wikipedia.org/wiki/Network_Access_Control
http://en.wikipedia.org/wiki/Host_based_intrusion_detection_system

Those tools will see what you do. And if the Firewalls and IPS and HIPS and NAC cooperate with a SIM/SIEM* than you 'have to run'! :-)

My example from the future:
1. The switch realise a new port activated -> sign it to SIM
2. The NAC realise your scan (or any unusual things) from the newly opened port -> sign it to SIM
3. The HIPS on host realises the scan (or any unusual things) as well -> sign it to SIM and to the Firewall
4. Firewall reacts and denies any traffic that goes through with your IP -> you may sign it
5. In the NOC** the SIM GUI is opened on a monitor and on the left corner of this monitor a camera display - from the room where the port is patched - appears
6. The camera sees you, the security guard get a phone call from NOC
7. I wake up from my sweet dreams :-)

*SIM:
http://en.wikipedia.org/wiki/Computer_security_incident_management
**NOC:
http://en.wikipedia.org/wiki/Network_operations_center

Cheers,
Akos

-----Ursprüngliche Nachricht-----
Von: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] Im Auftrag von pamaclark (at) yahoo (dot) com [email concealed]
Gesendet: Mittwoch, 10. Juni 2009 17:25
An: focus-ids (at) securityfocus (dot) com [email concealed]
Betreff: An insider attack scenario

Hi,

I'm new to IDS/IPS...

Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staffs restrictions, the company could only use a limited number of sensors, hence leave some internal sub-networks unmonitored. I guess this is quite common in real world right?

So, if I were an inside attacker, I may find out sensor locations (either physical of logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. Means I will know which sub-networks are monitored and others are not, right? So that I can launch attacks to those unmonitored network segments without being detected.

Does this sound plausible? And what current IDS/IPS technologies can be used to against this?

Thanks

[ reply ]
Re: An insider attack scenario Jun 11 2009 10:05AM
Nick Besant (lists hwf cc)
Re: An insider attack scenario Jun 10 2009 07:59PM
Todd Haverkos (infosec haverkos com)
Re: An insider attack scenario Jun 10 2009 07:04PM
Tommy May (tommymay comcast net)
Re: An insider attack scenario Jun 10 2009 07:03PM
Joel Esler (eslerj gmail com)
Re: An insider attack scenario Jun 10 2009 05:55PM
Jeremy Bennett (jeremyfb mac com)
Re: An insider attack scenario Jun 10 2009 05:46PM
Ron Gula (rgula tenablesecurity com)
Re: An insider attack scenario Jun 10 2009 05:12PM
Thrynn (thrynn404 gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus