IDS mailing list archives

Re: An insider attack scenario


From: Thrynn <thrynn404 () gmail com>
Date: Wed, 10 Jun 2009 13:12:29 -0400

Since we are being hypothetical:

- The company would likely place the sensors where they would have
visibility on the highest valued targets, the things someone would
want to attack. The "unmonitored" segments would be things like user
desktops. They would then use their firewalls and switches to manage
traffic between the unmonitored segments and the high value areas.

The real insider threat (at least as I view it) is when someone
leverages their legitimate access to do something nefarious. Think
about pilfering through a database to copy the info, or find something
cool (celebrities/vip/etc records)...or the email admin reading
people's mail. Their purpose isn't to attack and root the box, they
already have access. They are just abusing their power.

In your scenario, I suppose you could attack and take over a coworker's
desktop and then gain access to the database or whatever you are after
(through the use of their credentials).

In these situations, signatures and anomaly detectors are probably
going to be blind, as the traffic looks legit (other than the desktop
to desktop attack).

This seems like a case where IDS/IPS is the wrong tool for the job.

On Wed, Jun 10, 2009 at 11:24 AM, <pamaclark () yahoo com> wrote:
Hi,

I'm new to IDS/IPS...

Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staff 
restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks 
unmonitored. I guess this is quite common in the real world, right?

So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by 
fingerprinting the sensors as discussed in some previous threads or whatever tricks. That means I will know which 
sub-networks are monitored and which are not, right? So I can launch attacks on those unmonitored network 
segments without being detected.

Does this sound plausible? And what current IDS/IPS technologies can be used against this?

Thanks
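Thrynn's point that signature and anomaly sensors are blind to abuse of legitimate access is worth seeing concretely. The following is an added example, not code from either poster: a network IDS sees only valid queries from a valid client, but the database's own audit log still records who pulled how many records, and that volume can be compared against role peers. The audit records, user names and thresholds below are constructed for illustration.

```python
# Added example (not from the thread): an audit-log check for abuse of
# legitimate access. The traffic itself looks legitimate, so instead of
# packet signatures we baseline each user's record volume against peers
# in the same role.
from collections import defaultdict
from statistics import median

# Constructed sample audit records: (user, role, table, rows_returned).
# Analysts in this role normally pull a few hundred rows per day;
# "dwayne" dumps the whole customer table in one session.
AUDIT_LOG = [
    ("alice", "analyst", "customers", 120),
    ("alice", "analyst", "customers", 80),
    ("bob", "analyst", "customers", 210),
    ("carol", "analyst", "orders", 150),
    ("carol", "analyst", "customers", 95),
    ("dwayne", "analyst", "customers", 48000),
    ("erin", "dba", "customers", 50000),  # backup job; a peer group of one
]

def rows_by_user(log):
    """Sum rows returned per user and remember each user's role."""
    totals = defaultdict(int)
    roles = {}
    for user, role, _table, rows in log:
        totals[user] += rows
        roles[user] = role
    return totals, roles

def flag_outliers(log, factor=10.0, min_rows=1000):
    """Return (flagged, unbaselined). A user is flagged when their total
    is at least `min_rows` and more than `factor` times the median of
    their role peers. Roles with a single member cannot be baselined
    against peers and are returned separately for manual review."""
    totals, roles = rows_by_user(log)
    by_role = defaultdict(list)
    for user, total in totals.items():
        by_role[roles[user]].append((user, total))
    flagged, unbaselined = [], []
    for role, members in by_role.items():
        if len(members) < 2:
            unbaselined.extend(u for u, _ in members)
            continue
        baseline = median(t for _, t in members)
        for user, total in members:
            if total >= min_rows and total > factor * baseline:
                flagged.append((user, role, total, baseline))
    return flagged, unbaselined
```

Nothing here depends on where the sensors sit: the data source is the database's access log, which the insider's legitimate session cannot avoid generating.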
