IDS mailing list archives

Re: An insider attack scenario


From: Ron Gula <rgula () tenablesecurity com>
Date: Wed, 10 Jun 2009 13:46:06 -0400

On 6/10/2009 11:24 AM, pamaclark () yahoo com wrote:
Hi,

I'm new to IDS/IPS...

Suppose a company has a large network, which is divided into several sub-network segments. Due to financial or staffing restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right?

So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads, or by whatever other tricks. This means I will know which sub-networks are monitored and which are not, right? So I can launch attacks on those unmonitored network segments without being detected.

Does this sound plausible? And what current IDS/IPS technologies can be used against this?

Thanks



What you describe is very plausible. However, a lot of modern enterprise networks have some sort of other technologies to complement their NIDS (or lack of a NIDS) deployment. These technologies could include:

- netflow/anomaly detection
- web application firewalls
- log analysis tools
- host based IDSes on servers
- firewalls

So the real question might not be if they have or don't have a NIDS, it might be if anyone in that part of the network is actually looking at and monitoring events for insider attacks, worm outbreaks, etc.

Ron Gula
Tenable Network Security
