IDS mailing list archives
Re: An insider attack scenario
From: Ron Gula <rgula () tenablesecurity com>
Date: Wed, 10 Jun 2009 13:46:06 -0400
On 6/10/2009 11:24 AM, pamaclark () yahoo com wrote:
Hi, I'm new to IDS/IPS... Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staff restrictions, the company can only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right? So, if I were an inside attacker, I might find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads or by whatever tricks. This means I would know which sub-networks are monitored and which are not, right? So I could launch attacks on those unmonitored network segments without being detected. Does this sound plausible? And what current IDS/IPS technologies can be used against this? Thanks
What you describe is very plausible. However, a lot of modern enterprise networks have some sort of other technologies to complement their NIDS (or lack of a NIDS) deployment. These technologies could include:

- netflow/anomaly detection
- web application firewalls
- log analysis tools
- host based IDSes on servers
- firewalls

So the real question might not be if they have or don't have a NIDS, it might be if anyone in that part of the network is actually looking and monitoring events for insider attacks, worm outbreaks, etc.

Ron Gula
Tenable Network Security
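The first compensating control in the list above, netflow/anomaly detection, is the one that still sees traffic into segments that have no NIDS sensor, because the flow collector sits on the routers rather than on a span port in each segment. The following is an added example, not code from the thread or from any Tenable product: a small flow-based detector that (a) reports which internal /24s carry traffic but lie outside the sensor-covered address space, and (b) flags a source that fans out to many distinct hosts in those uncovered segments within a short window, the pattern an insider sweeping an unmonitored subnet would produce. The sensor-coverage map, the internal range and the flow records are all constructed for illustration, and the flow text format (`epoch src dst dport bytes`) is an assumed export layout, not a real exporter's format.

```python
"""Flow-based coverage-gap report and fan-out detector (added example).

Assumptions (not from the original thread):
  - NetFlow-style records have been exported as text lines of the form
    "epoch src_ip dst_ip dst_port bytes".
  - MONITORED_SEGMENTS lists the internal prefixes that have a NIDS sensor.
  - INTERNAL is the organisation's internal address space.
All sample values below are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumed coverage map: only 10.1.0.0/16 has a NIDS sensor in front of it.
MONITORED_SEGMENTS = [ipaddress.ip_network("10.1.0.0/16")]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow records. 10.2.5.20 sweeps six hosts on 10.3.0.0/24
# (an uncovered segment) within a few seconds; 10.1.4.7 is ordinary traffic
# inside the covered segment; 10.2.9.3 talks to an external resolver.
SAMPLE_FLOWS = """\
1244650000 10.1.4.7 10.1.0.5 443 5400
1244650001 10.2.5.20 10.3.0.11 445 1200
1244650002 10.2.5.20 10.3.0.12 445 1180
1244650002 10.2.5.20 10.3.0.13 445 1210
1244650003 10.2.5.20 10.3.0.14 445 1190
1244650003 10.1.4.7 10.1.0.6 443 6100
1244650004 10.2.5.20 10.3.0.15 445 1230
1244650005 10.2.5.20 10.3.0.16 445 1170
1244650130 10.2.5.20 10.3.0.40 445 1150
1244650140 10.2.9.3 8.8.8.8 53 90
"""


def parse_flows(text):
    """Parse the assumed text export into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({
            "ts": int(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(ip):
    return ip in INTERNAL


def is_monitored(ip):
    """True when a NIDS sensor covers the segment this address lives in."""
    return any(ip in seg for seg in MONITORED_SEGMENTS)


def coverage_gaps(flows, prefixlen=24):
    """Internal /24s that appear in flow data but have no sensor coverage."""
    gaps = set()
    for f in flows:
        for ip in (f["src"], f["dst"]):
            if is_internal(ip) and not is_monitored(ip):
                gaps.add(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
    return gaps


def fanout_alerts(flows, window=60, threshold=5):
    """Flag a source that reaches >= threshold distinct internal hosts in
    unmonitored segments within one window-second bucket.

    Returns a sorted list of (src, bucket_start_epoch, distinct_dst_count).
    """
    seen = defaultdict(set)
    for f in flows:
        dst = f["dst"]
        if is_internal(dst) and not is_monitored(dst):
            bucket = (f["ts"] // window) * window
            seen[(str(f["src"]), bucket)].add(dst)
    return [(src, bucket, len(dsts))
            for (src, bucket), dsts in sorted(seen.items())
            if len(dsts) >= threshold]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Uncovered segments seen in flow data:")
    for seg in sorted(coverage_gaps(flows)):
        print("  ", seg)
    print("Fan-out alerts (src, window start, distinct hosts):")
    for alert in fanout_alerts(flows):
        print("  ", alert)
```

The point of splitting the two functions is that `coverage_gaps` answers the question in the original post (which segments would an insider find unwatched) from data the defender already has, while `fanout_alerts` shows that the absence of a sensor in a segment does not make traffic into it invisible, provided someone is actually reviewing the flow collector's output. The window and threshold are deliberately coarse; in a real deployment they would be tuned per segment against a baseline.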
Current thread:
- An insider attack scenario pamaclark (Jun 10)
- Re: An insider attack scenario Jeremy Bennett (Jun 10)
- Re: An insider attack scenario Ron Gula (Jun 10)
- Re: An insider attack scenario Thrynn (Jun 10)
- Re: An insider attack scenario Joel Esler (Jun 10)
- Re: An insider attack scenario Tommy May (Jun 10)
- Re: An insider attack scenario Todd Haverkos (Jun 10)
- Re: An insider attack scenario Nick Besant (Jun 11)
- AW: An insider attack scenario Daniel, Akos (Jun 16)