Focus on IDS
An insider attack scenario Jun 10 2009 03:24PM
pamaclark yahoo com (8 replies)
AW: An insider attack scenario Jun 16 2009 09:56AM
Daniel, Akos (a daniel drillisch-telecom de)
Re: An insider attack scenario Jun 11 2009 10:05AM
Nick Besant (lists hwf cc)
pamaclark (at) yahoo (dot) com [email concealed] wrote:
> Hi,
> I'm new to IDS/IPS...
> Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staffs restrictions, the company could only use a limited number of sensors, hence leave some internal sub-networks unmonitored. I guess this is quite common in real world right?
Not many organisations have spent money (or committed time) on
monitoring their internal networks other than for basic availability
(e.g. disk space, CPU load). Of those that have, experience suggests
that the majority haven't dedicated enough time understanding the nature
of the network activity inside their network to make monitoring
efficient against anything but loud, obvious attacks or things that can
be correlated against out-of-the-box.

> So, if I were an inside attacker, I may find out sensor locations (either physical of logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. Means I will know which sub-networks are monitored and others are not, right? So that I can launch attacks to those unmonitored network segments without being detected.
> Does this sound plausible? And what current IDS/IPS technologies can be used to against this?
> Thanks

As suggested in an earlier reply, if you know where the sensors are, you
can flood them with traffic or run at a rate below their threshold.
However, you're probably going to find that they're just looking for
known virus or other malware-based activity. If you are an insider with
knowledge of the system, the likelihood is that you will be targeting
your attack and will remain below the radar.

Some of this can be mitigated by designing the security solutions by
assessing risk prior to deciding on a monitoring solution. If you
assume that an attacker can be inside or outside your perimeter, you can
start to address the risks accordingly; pick your favourite mix of
solutions that include IDS/IPS, SIEM, etc. *as well as* a good set of
audited policy statements.


Nick Besant

[ reply ]
Re: An insider attack scenario Jun 10 2009 07:59PM
Todd Haverkos (infosec haverkos com)
Re: An insider attack scenario Jun 10 2009 07:04PM
Tommy May (tommymay comcast net)
Re: An insider attack scenario Jun 10 2009 07:03PM
Joel Esler (eslerj gmail com)
Re: An insider attack scenario Jun 10 2009 05:55PM
Jeremy Bennett (jeremyfb mac com)
Re: An insider attack scenario Jun 10 2009 05:46PM
Ron Gula (rgula tenablesecurity com)
Re: An insider attack scenario Jun 10 2009 05:12PM
Thrynn (thrynn404 gmail com)


Privacy Statement
Copyright 2010, SecurityFocus