IDS mailing list archives
Re: An insider attack scenario
From: Nick Besant <lists () hwf cc>
Date: Thu, 11 Jun 2009 11:05:16 +0100
pamaclark () yahoo com wrote:
> Hi, I'm new to IDS/IPS... Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staff restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right?
Not many organisations have spent money (or committed time) on monitoring their internal networks other than for basic availability (e.g. disk space, CPU load). Of those that have, experience suggests that the majority haven't dedicated enough time understanding the nature of the network activity inside their network to make monitoring efficient against anything but loud, obvious attacks or things that can be correlated against out-of-the-box.
> So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads, or by whatever tricks. That means I will know which sub-networks are monitored and which are not, right? So I can launch attacks against those unmonitored network segments without being detected. Does this sound plausible? And what current IDS/IPS technologies can be used to guard against this? Thanks
As suggested in an earlier reply, if you know where the sensors are, you can flood them with traffic or run at a rate below their threshold. However, you're probably going to find that they're just looking for known virus or other malware-based activity. If you are an insider with knowledge of the system, the likelihood is that you will be targeting your attack and will remain below the radar. Some of this can be mitigated by designing the security solutions by assessing risk prior to deciding on a monitoring solution. If you assume that an attacker can be inside or outside your perimeter, you can start to address the risks accordingly; pick your favourite mix of solutions that include IDS/IPS, SIEM, etc. *as well as* a good set of audited policy statements.

Regards,
Nick Besant
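The "run at a rate below their threshold" point above, as an added worked example that is not part of the original thread or any poster's code. It builds a minimal threshold-based scan detector of the kind a sensor might run, feeds it two constructed connection logs (a fast scan and a slow one from an insider who knows the sensor's per-window threshold), and shows that only the fast scan trips a short window while a longer aggregation window, chosen after assessing the insider risk, catches both. The log format, hosts, thresholds and window sizes are all hypothetical.

```python
"""Threshold-based scan detection over constructed connection logs.

Added example for the thread, not the original author's code. Demonstrates
why an insider who knows the sensor's per-window threshold can stay below it,
and how a longer aggregation window closes that gap. Every log line, address,
threshold and window size here is constructed / hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: int      # seconds since epoch (constructed)
    src: str     # source address
    dst: str     # destination address
    dport: int   # destination port


def parse_lines(lines):
    """Parse constructed log lines of the form 'ts src dst dport'."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        out.append(Conn(int(ts), src, dst, int(dport)))
    return out


def distinct_targets_per_window(conns, window_s):
    """Map (src, window bucket) -> set of distinct (dst, dport) pairs seen."""
    buckets = defaultdict(set)
    for c in conns:
        buckets[(c.src, c.ts // window_s)].add((c.dst, c.dport))
    return buckets


def alerts(conns, window_s, threshold):
    """Sources that touch more than `threshold` distinct targets in any window."""
    hits = set()
    for (src, _bucket), targets in distinct_targets_per_window(conns, window_s).items():
        if len(targets) > threshold:
            hits.add(src)
    return hits


def make_scan(src, dst, n_ports, interval_s, start=0):
    """Constructed scan: one probe every `interval_s` seconds, ports 1..n_ports."""
    return [f"{start + i * interval_s} {src} {dst} {i + 1}" for i in range(n_ports)]


# Hypothetical insiders on the same segment; the second one knows the sensor
# alerts on >20 distinct ports per 60 s and spaces probes 30 s apart.
FAST_SCAN = make_scan("10.1.1.5", "10.1.2.9", n_ports=100, interval_s=1)    # 100 ports in 100 s
SLOW_SCAN = make_scan("10.1.1.7", "10.1.2.9", n_ports=100, interval_s=30)   # 100 ports in 50 min


def demo():
    """Return (alerts with a 60 s window, alerts with a 1 h window)."""
    conns = parse_lines(FAST_SCAN + SLOW_SCAN)
    short_win = alerts(conns, window_s=60, threshold=20)     # hypothetical sensor default
    long_win = alerts(conns, window_s=3600, threshold=20)    # same threshold, longer window
    return short_win, long_win


if __name__ == "__main__":
    short_win, long_win = demo()
    print("60 s window flags:", sorted(short_win))     # only the fast scanner
    print("1 h window flags: ", sorted(long_win))      # both scanners
```

The slow scanner places only two probes in any 60-second bucket, so a sensor that counts per minute never sees more than 2 of the 100 ports; the same count over an hour sees all 100. The trade-off is memory and false positives at the longer window, which is exactly the kind of decision the reply says should follow a risk assessment rather than come out of the box.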
Current thread:
- An insider attack scenario pamaclark (Jun 10)
- Re: An insider attack scenario Jeremy Bennett (Jun 10)
- Re: An insider attack scenario Ron Gula (Jun 10)
- Re: An insider attack scenario Thrynn (Jun 10)
- Re: An insider attack scenario Joel Esler (Jun 10)
- Re: An insider attack scenario Tommy May (Jun 10)
- Re: An insider attack scenario Todd Haverkos (Jun 10)
- Re: An insider attack scenario Nick Besant (Jun 11)
- AW: An insider attack scenario Daniel, Akos (Jun 16)