IDS mailing list archives
Re: An insider attack scenario
From: Tommy May <tommymay () comcast net>
Date: Wed, 10 Jun 2009 19:04:22 +0000 (UTC)
In many deployments, the management interfaces are in a different logical zone than those interfaces which are actually monitoring vs. inspecting... So I would say that while there is some plausibility to your scenario, its really in the configuration and deployment strategy of the IDS/IPS that allows it to go undetected. In a nutshell, an insider never really knows where the true "monitor windows" are without sufficient need to know (operational support role...etc.) especially if the IDS is configured to not do reverse DNS lookups, as it should be. Tommy ----- Original Message ----- From: pamaclark () yahoo com To: focus-ids () securityfocus com Sent: Wednesday, June 10, 2009 11:24:44 AM GMT -05:00 US/Canada Eastern Subject: An insider attack scenario Hi, I'm new to IDS/IPS... Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staffs restrictions, the company could only use a limited number of sensors, hence leave some internal sub-networks unmonitored. I guess this is quite common in real world right? So, if I were an inside attacker, I may find out sensor locations (either physical of logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. Means I will know which sub-networks are monitored and others are not, right? So that I can launch attacks to those unmonitored network segments without being detected. Does this sound plausible? And what current IDS/IPS technologies can be used to against this? Thanks
Current thread:
- An insider attack scenario pamaclark (Jun 10)
- Re: An insider attack scenario Jeremy Bennett (Jun 10)
- Re: An insider attack scenario Ron Gula (Jun 10)
- Re: An insider attack scenario Thrynn (Jun 10)
- Re: An insider attack scenario Joel Esler (Jun 10)
- Re: An insider attack scenario Tommy May (Jun 10)
- Re: An insider attack scenario Todd Haverkos (Jun 10)
- Re: An insider attack scenario Nick Besant (Jun 11)
- AW: An insider attack scenario Daniel, Akos (Jun 16)