IDS mailing list archives

Re: An insider attack scenario


From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 10 Jun 2009 14:59:55 -0500

pamaclark () yahoo com writes:
> Hi,
>
> I'm new to IDS/IPS...
>
> Suppose a company has a large network, which is divided into several
> sub-network segments. Due to finance or staff restrictions, the
> company could only use a limited number of sensors, hence leave some
> internal sub-networks unmonitored. I guess this is quite common in
> the real world, right?

Yeah, it's not uncommon.  That there's any internal IDS in fact is
somewhat uncommon still.  And a lot of clients aren't monitoring the
IDS they do have.

> So, if I were an inside attacker, I may find out sensor locations
> (either physical or logical locations) by fingerprinting the sensors
> as discussed in some previous threads or whatever tricks. Meaning I
> will know which sub-networks are monitored and others are not,
> right? So that I can launch attacks to those unmonitored network
> segments without being detected.

Sure.  Or the attacker could blind the IPS or overwhelm any analyst
with so many alerts no one has a chance to go through them all.  Snot
and sneeze are tools for doing so with spoofed IPs.   They can light
up an IDS like a Christmas tree.

Or, if the attacker wants the stealth approach, and has the luxury
of time, the attacker can simply slow activity below the default
thresholds of the IDS in play since not many orgs modify the defaults
(or can afford to make them more sensitive than default).  Some IDS
technologies are pretty primitive and can be avoided with subtle
permutations because they're overly reliant on exact signature
matching vs detecting the actual vulnerability.

> Does this sound plausible? And what current IDS/IPS technologies can
> be used against this?

Rather than focusing on IDS technology overmuch, the mantras of
defense in depth and a risk management approach to the issues are
worth a thought.  IDS is hampered with some necessary issues
(i.e. ability to be blinded, and that while you can crank it up to
detect everything, you don't have analyst staff to deal with
everything).

But you are doing a good thing paying attention to the inside network,
because there's still a folly out there of over-focus on the firewall
and perimeter while companies blithely let egress traffic out without
restriction, and every employee has relatively unfettered web access
whereby on-network assets can become rather easily compromised.

Credit to Chris Nickerson who is fond of saying the perimeter is dead
and is now located where the data is (not on the Internet edge).

--
Todd Haverkos  
http://www.linkedin.com/in/toddhaverkos
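Added example (not code from Todd's reply or from the list): one way a defender can catch the below-threshold activity discussed above is to keep the usual per-minute rule but add a second rule that counts distinct targets per source over a much longer window. The log format, addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "ISO-timestamp src dst:port".
# 10.1.1.5 probes 12 hosts, one every 5 minutes (never more than 1 per minute).
# 10.1.1.7 is a busy but legitimate host hitting a single server repeatedly.
SAMPLE_LOG = "\n".join(
    [f"2009-06-10T14:{5 * i:02d}:00 10.1.1.5 10.2.0.{10 + i}:22" for i in range(12)]
    + [f"2009-06-10T14:00:{10 * i:02d} 10.1.1.7 10.2.0.50:443" for i in range(6)]
)

SHORT_WINDOW = timedelta(minutes=1)   # the kind of default a sensor ships with
LONG_WINDOW = timedelta(hours=1)      # added rule for low-and-slow activity


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def peak_distinct_targets(events, window):
    """For each source, the largest number of distinct dst seen in any window."""
    by_src = defaultdict(list)
    for ts, src, dst in sorted(events):
        by_src[src].append((ts, dst))
    peak = {}
    for src, evs in by_src.items():
        best = 0
        for i, (start, _) in enumerate(evs):
            # distinct targets in the window that opens at this event
            seen = {d for t, d in evs[i:] if t - start < window}
            best = max(best, len(seen))
        peak[src] = best
    return peak


def flag_sources(events, window, threshold):
    """Sources whose distinct-target count reaches the threshold in some window."""
    peaks = peak_distinct_targets(events, window)
    return sorted(src for src, n in peaks.items() if n >= threshold)


def demo():
    """Per-minute rule (5 targets) misses the slow probe; hourly rule (10) catches it."""
    events = parse_log(SAMPLE_LOG)
    return flag_sources(events, SHORT_WINDOW, 5), flag_sources(events, LONG_WINDOW, 10)
```

The long-window rule trades alert latency for coverage, so its threshold has to be tuned against what ordinary hosts on that segment actually do in an hour.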
