Re: An insider attack scenario

[Joel Esler <eslerj () gmail com>]

pamaclark () yahoo com wrote:
> Hi,
>
> I'm new to IDS/IPS...
>
> Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staffs 
> restrictions, the company could only use a limited number of sensors, hence leave some internal sub-networks 
> unmonitored. I guess this is quite common in real world right?
>
> So, if I were an inside attacker, I may find out sensor locations (either physical of logical locations) by 
> fingerprinting the sensors as discussed in some previous threads or whatever tricks. Means I will know which 
> sub-networks are monitored and others are not, right? So that I can launch attacks to those unmonitored network 
> segments without being detected.
>
> Does this sound plausible? And what current IDS/IPS technologies can be used to against this?
>
> Thanks
>
>
> From - Wed
You may be able to fingerprint what subnet is not being monitored, 
however, is the subnet that YOU are on being monitored?  In that case 
you are caught either way.

As for detection of this kind of thing, there are several solutions for 
that:
<my own company>
RNA -- Real Time Network Awareness
</my own company>

Anomaly detection software and passive awareness software.  There are a 
couple out there.


--
joel esler | Sourcefire