IDS mailing list archives
Re: An insider attack scenario
From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 10 Jun 2009 14:59:55 -0500
pamaclark () yahoo com writes:
> Hi, I'm new to IDS/IPS... Suppose a company has a large network, which is divided into several sub-network segments. Due to financial or staffing restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right?
Yeah, it's not uncommon. That there's any internal IDS in fact is somewhat uncommon still. And a lot of clients aren't monitoring the IDS they do have.
> So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. That means I will know which sub-networks are monitored and which are not, right? So that I can launch attacks on those unmonitored network segments without being detected.
Sure. Or the attacker could blind the IPS or overwhelm any analyst with so many alerts that no one has a chance to go through them all. Snot and Sneeze are tools for doing so with spoofed IPs. They can light up an IDS like a Christmas tree. Or, if the attacker wants the stealth approach and has the luxury of time, the attacker can simply slow activity below the default thresholds of the IDS in play, since not many orgs modify the defaults (or can afford to make them more sensitive than default). Some IDS technologies are pretty primitive and can be avoided with subtle permutations because they're overly reliant on exact signature matching vs. detecting the actual vulnerability.
> Does this sound plausible? And what current IDS/IPS technologies can be used against this?
Rather than focusing on IDS technology overmuch, the mantras of defense in depth and a risk management approach to the issues are worth a thought. IDS is hampered by some necessary issues (i.e. the ability to be blinded, and that while you can crank it up to detect everything, you don't have the analyst staff to deal with everything). But you are doing a good thing paying attention to the inside network, because there's still a folly out there of over-focus on the firewall and perimeter while companies blithely let egress traffic out without restriction, and every employee has relatively unfettered web access whereby on-network assets can become rather easily compromised. Credit to Chris Nickerson, who is fond of saying the perimeter is dead and is now located where the data is (not on the Internet edge).

--
Todd Haverkos
http://www.linkedin.com/in/toddhaverkos
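Added illustration, not part of Todd's reply or of anyone's post in this thread: a toy sliding-window threshold detector in Python that shows the "slow activity below the default thresholds" failure mode from the defender's side. The detector logic, the window and threshold values (60 seconds, 10 distinct ports) and the sample events are all constructed assumptions for this example and do not reproduce any vendor's portscan preprocessor. Two sources are fed in: one touches 20 ports in 10 seconds, the other touches one port per minute for 20 minutes. With the short default-style window only the noisy source alerts; widening the per-source aggregation window (a tuning step an analyst team can afford when it is not also lowering the threshold and multiplying alerts) catches the patient one too.

```python
"""Toy sliding-window threshold detector (constructed example, not the
thread's own code). Shows why low-and-slow activity is missed at a short
default window and recovered by a longer per-source aggregation window."""

from collections import defaultdict, deque

# Constructed sample events: (timestamp_seconds, source_ip, dest_port).
# Source A: 20 distinct ports inside 10 seconds (noisy).
# Source B: one new port every 60 seconds for 20 minutes (patient).
SAMPLE_EVENTS = (
    [(t, "10.0.5.20", 1000 + t) for t in range(20)]
    + [(60 * i, "10.0.7.33", 2000 + i) for i in range(20)]
)


def count_alerts(events, window_seconds, port_threshold):
    """Return {source_ip: alert_count}.

    Alerts when one source contacts more than `port_threshold` distinct
    destination ports within any `window_seconds` window. After an alert the
    source's history is cleared so a single burst produces a single alert
    (assumed behaviour chosen for this illustration)."""
    history = defaultdict(deque)  # source_ip -> deque of (ts, port)
    alerts = defaultdict(int)
    for ts, src, port in sorted(events):
        q = history[src]
        q.append((ts, port))
        # Expire events that fell out of the sliding window.
        while q and ts - q[0][0] > window_seconds:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) > port_threshold:
            alerts[src] += 1
            q.clear()
    return dict(alerts)


def compare_windows(events, short_window=60, long_window=1800, threshold=10):
    """Run the same events through a short (default-style) and a long window
    and return both alert maps, so the gap between them is visible."""
    return {
        "short_window": count_alerts(events, short_window, threshold),
        "long_window": count_alerts(events, long_window, threshold),
    }


if __name__ == "__main__":
    result = compare_windows(SAMPLE_EVENTS)
    for name, hits in result.items():
        print(f"{name}: {hits}")
```

The point for tuning is that the patient source only becomes visible when the detector aggregates per source over a period longer than the gap between its probes; raising sensitivity by lowering the threshold instead would also raise the alert volume the analyst staff cannot absorb, which is the other blind spot the reply describes.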
Current thread:
- An insider attack scenario pamaclark (Jun 10)
- Re: An insider attack scenario Jeremy Bennett (Jun 10)
- Re: An insider attack scenario Ron Gula (Jun 10)
- Re: An insider attack scenario Thrynn (Jun 10)
- Re: An insider attack scenario Joel Esler (Jun 10)
- Re: An insider attack scenario Tommy May (Jun 10)
- Re: An insider attack scenario Todd Haverkos (Jun 10)
- Re: An insider attack scenario Nick Besant (Jun 11)
- AW: An insider attack scenario Daniel, Akos (Jun 16)