Re: An insider attack scenario

[Tommy May <tommymay () comcast net>]

In many deployments, the management interfaces are in a different logical zone than those interfaces which are actually 
monitoring vs. inspecting...  So I would say that while there is some plausibility to your scenario, its really in the 
configuration and deployment strategy of the IDS/IPS that allows it to go undetected.  In a nutshell, an insider never 
really knows where the true "monitor windows" are without sufficient need to know (operational support role...etc.) 
especially if the IDS is configured to not do reverse DNS lookups, as it should be.

Tommy
 

----- Original Message -----
From: pamaclark () yahoo com
To: focus-ids () securityfocus com
Sent: Wednesday, June 10, 2009 11:24:44 AM GMT -05:00 US/Canada Eastern
Subject: An insider attack scenario

Hi,

I'm new to IDS/IPS...

Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staffs 
restrictions, the company could only use a limited number of sensors, hence leave some internal sub-networks 
unmonitored. I guess this is quite common in real world right?

So, if I were an inside attacker, I may find out sensor locations (either physical of logical locations) by 
fingerprinting the sensors as discussed in some previous threads or whatever tricks. Means I will know which 
sub-networks are monitored and others are not, right? So that I can launch attacks to those unmonitored network 
segments without being detected.

Does this sound plausible? And what current IDS/IPS technologies can be used to against this?

Thanks