Re: An insider attack scenario



pamaclark@xxxxxxxxx writes:
Hi,

I'm new to IDS/IPS...

Suppose a company has a large network, which is divided into several
sub-network segments. Due to finance or staffs restrictions, the
company could only use a limited number of sensors, hence leave some
internal sub-networks unmonitored. I guess this is quite common in
real world right?

Yeah, it's not uncommon. That theres any internal IDS in fact is
somewhat uncommon still. And a lot of clients aren't monitoring the
IDS they do have.

So, if I were an inside attacker, I may find out sensor locations
(either physical of logical locations) by fingerprinting the sensors
as discussed in some previous threads or whatever tricks. Means I
will know which sub-networks are monitored and others are not,
right? So that I can launch attacks to those unmonitored network
segments without being detected.

Sure. Or the attacker could blind the IPS or overwhelm any analyst
with so many alerts no one has achance to go through them all. snot
and sneeze are tools for doing so with spoofed ip's. They can light
up an IDS like a Christmas tree.

Or, if the attackers wants the stealth approach, and have the luxury
of time, the attacker can simply slow activity below the default
thresholds of the IDS in play since not many orgs modify the defaults
(or can afford to make them more sensitive than default). Some IDS
technologies are pretty primitive and can be avoided with subtle
permutations because they're overly reliant on exact signature
matching vs detecting the actual vulnerability.

Does this sound plausible? And what current IDS/IPS technologies can
be used to against this?

Rather than focusing on IDS technology overmuch, the mantras of
defense in depth and a risk management approach to the issues are
worth a thought. IDS is hampered with some necessary issues
(i.e. ability to be blinded, and that while you can crank it up to
detect everything, you don't have analyst staff to deal with
everything).

But you are doing a good thing paying attention to the inside network,
because there's still a folly out there of over-focus on the firewall
and perimeter while companies blithely let egress traffic out without
restriction, and every employee has relatively unfettered web access
whereby on-network assets can become rather easily compromised.

Credit to Chris Nickerson who is fond of saying the perimeter is dead
and is now located where the data is (not on the Internet edge).

--
Todd Haverkos
http://www.linkedin.com/in/toddhaverkos



Relevant Pages

  • RE: ssh and ids
    ... Are there any solutions that exist that allow a network which already ... This might allow the IDS to know and read all ... Lets suppose the attacker is mildly sophisticated, ... authorized port usage of a system or group of systems? ...
    (Focus-IDS)
  • RE: Active response... some thoughts.
    ... Subject: Active response... ... Netscreen IDS features TCP reset as a major feature of their ... between your attacker and your IDS, ... The attacker could modify his IP-stack such that resets are being ignored ...
    (Focus-IDS)
  • Re: Active response... some thoughts.
    ... It is good to remember that many IDS implementations send ... TCP RST to the two endpoints in the communication. ... the attacker can just simply hack his stack to igno ... stack such that resets are being ...
    (Focus-IDS)
  • Re: Active response... some thoughts.
    ... Subject: Active response... ... > drops the packet on the wire before it gets past the in-line IDS. ... Active-response is great if you have a signature for it ... the attacker can just simply hack his stack to ignore the ...
    (Focus-IDS)
  • Re: IDS and NMS
    ... Start by designing and installing a network. ... Next, a more detailed view of the network is required, so a NMS is ... the network administrator wants to see what ... This is where integrating the IDS console into the NMS makes sense. ...
    (Focus-IDS)