IDS mailing list archives
Re: An insider attack scenario
From: Thrynn <thrynn404 () gmail com>
Date: Wed, 10 Jun 2009 13:12:29 -0400
Since we are being hypothetical:

- The company would likely place the sensors where they would have visibility on the highest valued targets, the things someone would want to attack. The "unmonitored" segments would be things like user desktops. They would then use their firewalls and switches to manage traffic between the unmonitored segments and the high value areas.

The real insider threat (at least as I view it) is when someone leverages their legitimate access to do something nefarious. Think about pilfering through a database to copy the info, or find something cool (celebrities/VIP/etc. records)... or the email admin reading people's mail. Their purpose isn't to attack and root the box, they already have access. They are just abusing their power.

In your scenario, I suppose you could attack and take over a coworker's desktop and then gain access to the database or whatever you are after (through the use of their credentials). In these situations, signatures and anomaly detectors are probably going to be blind, as the traffic looks legit (other than the desktop-to-desktop attack). This seems like a case where IDS/IPS is the wrong tool for the job.

On Wed, Jun 10, 2009 at 11:24 AM, <pamaclark () yahoo com> wrote:
Hi, I'm new to IDS/IPS... Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staff restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right? So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads, or whatever tricks. This means I will know which sub-networks are monitored and which are not, right? So I can launch attacks on those unmonitored network segments without being detected. Does this sound plausible? And what current IDS/IPS technologies can be used against this? Thanks
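The split the reply above describes, as an added example that is not part of the thread or anyone's posted code: a sensor that only watches the database segment, a toy signature set standing in for an IDS ruleset, and a database audit log checked for per-user volume instead. The topology, addresses, signatures, usernames, baseline and log lines are all constructed assumptions for this example.

```python
"""Added example: a network sensor on the high-value segment versus a
database audit log, for an insider using legitimate (borrowed) credentials.
Every address, segment, signature and log line below is constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed topology: the only sensor watches the database segment.
MONITORED_SEGMENTS = [ipaddress.ip_network("10.0.50.0/24")]  # database servers

# Toy signature set standing in for an IDS ruleset (assumed, not real rules).
SIGNATURES = {
    "sqli-tautology": "' OR 1=1",
    "smb-exec-shell": "cmd.exe /c",
}

# Constructed flows as the whole network carries them: (src, dst, dport, payload).
FLOWS = [
    # desktop-to-desktop attack on the unmonitored user segment
    ("10.0.10.23", "10.0.10.41", 445, "\\\\10.0.10.41\\ADMIN$ cmd.exe /c whoami"),
    # the attacker, now holding a coworker's credentials, queries the database
    ("10.0.10.23", "10.0.50.5", 1433, "SELECT * FROM patients WHERE lastname LIKE 'A%'"),
    ("10.0.10.23", "10.0.50.5", 1433, "SELECT * FROM patients WHERE lastname LIKE 'B%'"),
]

# Constructed database audit log: timestamp, user, rows returned, statement.
AUDIT_LOG = """\
2009-06-10T09:02:11 jdoe 8 SELECT * FROM patients WHERE id=4412
2009-06-10T09:15:40 jdoe 1 SELECT * FROM patients WHERE id=9921
2009-06-10T09:30:02 msmith 3 SELECT name FROM patients WHERE id IN (1,2,3)
2009-06-10T13:05:09 jdoe 14200 SELECT * FROM patients WHERE lastname LIKE 'A%'
2009-06-10T13:06:31 jdoe 13950 SELECT * FROM patients WHERE lastname LIKE 'B%'
2009-06-10T13:09:58 jdoe 15100 SELECT * FROM patients WHERE lastname LIKE 'C%'
"""


def is_visible(flow, segments=MONITORED_SEGMENTS):
    """True if either endpoint sits on a segment the sensor can see."""
    src, dst = ipaddress.ip_address(flow[0]), ipaddress.ip_address(flow[1])
    return any(src in seg or dst in seg for seg in segments)


def signature_hits(flows, signatures=SIGNATURES):
    """(rule name, flow) for every flow whose payload matches a signature."""
    return [(name, f) for f in flows
            for name, pat in signatures.items() if pat in f[3]]


def sensor_alerts(flows):
    """What the sensor actually raises: signatures run only over visible flows."""
    return signature_hits([f for f in flows if is_visible(f)])


def parse_audit(text):
    """Yield (timestamp, user, rows, statement) from the audit log text."""
    for line in text.splitlines():
        ts, user, rows, stmt = line.split(maxsplit=3)
        yield datetime.fromisoformat(ts), user, int(rows), stmt


def rows_per_user_hour(text):
    """Sum rows returned per (user, hour bucket)."""
    totals = defaultdict(int)
    for ts, user, rows, _ in parse_audit(text):
        totals[(user, ts.replace(minute=0, second=0))] += rows
    return totals


def volume_alerts(text, baseline_rows_per_hour=500):
    """Users whose rows returned in any hour exceed the assumed baseline."""
    return sorted({user for (user, _), n in rows_per_user_hour(text).items()
                   if n > baseline_rows_per_hour})


if __name__ == "__main__":
    print("signatures that would match somewhere:",
          [n for n, _ in signature_hits(FLOWS)])
    print("alerts the sensor actually raises:", sensor_alerts(FLOWS))
    print("audit-log volume alerts:", volume_alerts(AUDIT_LOG))
```

The desktop-to-desktop flow is the only one a signature would match, and it never reaches the sensor; the database queries the sensor does see are ordinary SELECTs under a valid login. The audit log still exposes the pilfering, because the borrowed account returns tens of thousands of rows in an hour against a single-digit norm. The 500-row baseline is an arbitrary assumed threshold; in practice it would come from that user's own history.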
Current thread:
- An insider attack scenario pamaclark (Jun 10)
- Re: An insider attack scenario Jeremy Bennett (Jun 10)
- Re: An insider attack scenario Ron Gula (Jun 10)
- Re: An insider attack scenario Thrynn (Jun 10)
- Re: An insider attack scenario Joel Esler (Jun 10)
- Re: An insider attack scenario Tommy May (Jun 10)
- Re: An insider attack scenario Todd Haverkos (Jun 10)
- Re: An insider attack scenario Nick Besant (Jun 11)
- AW: An insider attack scenario Daniel, Akos (Jun 16)