IDS mailing list archives
Re: An insider attack scenario
From: Joel Esler <eslerj () gmail com>
Date: Wed, 10 Jun 2009 15:03:40 -0400
pamaclark () yahoo com wrote:
> Hi, I'm new to IDS/IPS...
>
> Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staff restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right?
>
> So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. That means I will know which sub-networks are monitored and which are not, right? So I can launch attacks against those unmonitored network segments without being detected.
>
> Does this sound plausible? And what current IDS/IPS technologies can be used against this?
>
> Thanks

You may be able to fingerprint what subnet is not being monitored; however, is the subnet that YOU are on being monitored? In that case you are caught either way.
As for detection of this kind of thing, there are several solutions for that:
<my own company> RNA -- Real Time Network Awareness </my own company>
Anomaly detection software and passive awareness software. There are a couple out there.
-- joel esler | Sourcefire