An insider attack scenario

Hi,

I'm new to IDS/IPS...

Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staff restrictions, the company could only use a limited number of sensors, hence leaving some internal sub-networks unmonitored. I guess this is quite common in the real world, right?

So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. That means I will know which sub-networks are monitored and which are not, right? So I can launch attacks on those unmonitored network segments without being detected.

Does this sound plausible? And what current IDS/IPS technologies can be used against this?

Thanks

Re: An insider attack scenario

Since we are being hypothetical:

- The company would likely place the sensors where they would have visibility on the highest valued targets, the things someone would want to attack. The "unmonitored" segments would be things like user desktops. They would then use their firewalls and switches to manage traffic between the unmonitored segments and the high value areas.

The real insider threat (at least as I view it) is when someone leverages their legitimate access to do something nefarious. Think about pilfering through a database to copy the info, or find something cool (celebrities/VIP/etc. records)... or the email admin reading people's mail. Their purpose isn't to attack and root the box; they already have access. They are just abusing their power.

In your scenario, I suppose you could attack and take over a coworker's desktop and then gain access to the database or whatever you are after (through the use of their credentials). In these situations, signatures and anomaly detectors are probably going to be blind, as the traffic looks legit (other than the desktop to desktop attack). This seems like a case where IDS/IPS is the wrong tool for the job.

On Wed, Jun 10, 2009 at 11:24 AM, <pamaclark@...> wrote:
> [...]

Re: An insider attack scenario

On 6/10/2009 11:24 AM, pamaclark@... wrote:
> [...]

networks have some sort of other technologies to complement their NIDS (or lack of a NIDS) deployment. These technologies could include:

- netflow/anomaly detection
- web application firewalls
- log analysis tools
- host based IDSes on servers
- firewalls

So the real question might not be if they have or don't have a NIDS, it might be if anyone in that part of the network is actually looking and monitoring events for insider attacks, worm outbreaks, etc.

Ron Gula
Tenable Network Security
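The first item in that list, netflow/anomaly detection, is the one that covers a segment with no sensor in it, because the routers and switches carrying the segment's traffic export flow records whether or not a NIDS is watching. The following added example (written for this edited page, not code from the thread or from any product named in it) shows the simplest useful form of that: learn which (source segment, destination, port) combinations are normal during a quiet period, then flag flows in a later window that have no precedent, with desktop-to-desktop traffic called out separately since that is the pattern the earlier reply said signature engines are blind to. The subnets, hosts and flow records are constructed for illustration.

```python
"""Added example: flagging never-before-seen internal talker pairs from flow records.

All subnets, hosts and flow records below are constructed for illustration;
nothing here is real data from the thread.
"""
import ipaddress

# Constructed segment map (assumption: two internal segments, neither with a NIDS sensor).
SEGMENTS = {
    "desktops": ipaddress.ip_network("10.1.0.0/16"),
    "servers": ipaddress.ip_network("10.2.0.0/16"),
}


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if it is outside the map."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


# Constructed baseline flows from a quiet learning period: (src, dst, dst_port).
BASELINE_FLOWS = [
    ("10.1.1.10", "10.2.0.5", 445),    # desktops -> file server
    ("10.1.1.11", "10.2.0.5", 445),
    ("10.1.1.12", "10.2.0.5", 445),
    ("10.1.1.10", "10.2.0.9", 443),    # desktops -> intranet web
    ("10.2.0.20", "10.2.0.7", 3306),   # app server -> database
]

# Constructed flows from the window under review.
REVIEW_FLOWS = [
    ("10.1.1.10", "10.2.0.5", 445),    # routine
    ("10.1.1.13", "10.2.0.5", 445),    # new desktop host doing an ordinary thing: expected
    ("10.1.1.11", "10.1.1.12", 445),   # desktop -> desktop SMB: lateral movement candidate
    ("10.1.1.11", "10.2.0.7", 3306),   # desktop -> database port never used from desktops
]


def learn_baseline(flows):
    """Return the set of (src_segment, dst_ip, dst_port) tuples seen during learning.

    Keying on the source *segment* rather than the source host keeps a freshly
    imaged desktop doing ordinary things from raising an alert.
    """
    return {(segment_of(src), dst, port) for src, dst, port in flows}


def detect_new_talkers(flows, baseline):
    """Return one alert dict per flow whose (segment, dst, port) has no precedent."""
    alerts = []
    for src, dst, port in flows:
        src_seg = segment_of(src)
        if (src_seg, dst, port) in baseline:
            continue
        if src_seg == "desktops" and segment_of(dst) == "desktops":
            reason = "peer-to-peer traffic inside the desktop segment"
        else:
            reason = "service never used from this segment during baseline"
        alerts.append({"src": src, "dst": dst, "port": port, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_new_talkers(REVIEW_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(f"{alert['src']} -> {alert['dst']}:{alert['port']}  {alert['reason']}")
```

Two of the four review flows are flagged: the desktop-to-desktop SMB session and the desktop reaching the database port that only the app server had used before. The baseline period has to be genuinely clean for this to mean anything, which is the same caveat Nick Besant raises further down the thread about understanding normal internal activity before monitoring it.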

Re: An insider attack scenario

An IPS is very valuable both in protecting a DMZ and in protecting internal assets. However, it is not a panacea. A secure network topology should include department firewalls separating off subnets that have different access restrictions, and individual hosts should be secured as well. So, even if the IPS administrator was your internal attacker, he or she should not be able to gain unauthorized access because other measures are in place.

To be honest, an internal IPS would be one of the last security devices I would invest in when securing an internal network.

-J

On Jun 10, 2009, at 8:24 AM, pamaclark@... wrote:
> [...]

Re: An insider attack scenario

pamaclark@... wrote:
> [...]

However, is the subnet that YOU are on being monitored? In that case you are caught either way.

As for detection of this kind of thing, there are several solutions for that:

<my own company> RNA -- Real Time Network Awareness </my own company>

Anomaly detection software and passive awareness software. There are a couple out there.

--
joel esler | Sourcefire

Re: An insider attack scenario

In many deployments, the management interfaces are in a different logical zone than those interfaces which are actually monitoring vs. inspecting... So I would say that while there is some plausibility to your scenario, it's really in the configuration and deployment strategy of the IDS/IPS that allows it to go undetected. In a nutshell, an insider never really knows where the true "monitor windows" are without sufficient need to know (operational support role, etc.), especially if the IDS is configured to not do reverse DNS lookups, as it should be.

Tommy

----- Original Message -----
From: pamaclark@...
To: focus-ids@...
Sent: Wednesday, June 10, 2009 11:24:44 AM GMT -05:00 US/Canada Eastern
Subject: An insider attack scenario

[...]

Re: An insider attack scenario

pamaclark@... writes:
> Suppose a company has a large network, which is divided into several
> sub-network segments. Due to finance or staff restrictions, the
> company could only use a limited number of sensors, hence leave some
> internal sub-networks unmonitored. I guess this is quite common in
> real world right?

Yeah, it's not uncommon. That there's any internal IDS in fact is somewhat uncommon still. And a lot of clients aren't monitoring the IDS they do have.

> So, if I were an inside attacker, I may find out sensor locations
> (either physical or logical locations) by fingerprinting the sensors
> as discussed in some previous threads or whatever tricks. Means I
> will know which sub-networks are monitored and others are not,
> right? So that I can launch attacks to those unmonitored network
> segments without being detected.

Sure. Or the attacker could blind the IPS or overwhelm any analyst with so many alerts no one has a chance to go through them all. snot and sneeze are tools for doing so with spoofed IPs. They can light up an IDS like a Christmas tree.

Or, if the attacker wants the stealth approach and has the luxury of time, the attacker can simply slow activity below the default thresholds of the IDS in play, since not many orgs modify the defaults (or can afford to make them more sensitive than default). Some IDS technologies are pretty primitive and can be avoided with subtle permutations because they're overly reliant on exact signature matching vs. detecting the actual vulnerability.

> Does this sound plausible? And what current IDS/IPS technologies can
> be used against this?

Rather than focusing on IDS technology overmuch, the mantras of defense in depth and a risk management approach to the issues are worth a thought. IDS is hampered with some necessary issues (i.e. ability to be blinded, and that while you can crank it up to detect everything, you don't have analyst staff to deal with everything).

But you are doing a good thing paying attention to the inside network, because there's still a folly out there of over-focus on the firewall and perimeter while companies blithely let egress traffic out without restriction, and every employee has relatively unfettered web access whereby on-network assets can become rather easily compromised. Credit to Chris Nickerson who is fond of saying the perimeter is dead and is now located where the data is (not on the Internet edge).

--
Todd Haverkos
http://www.linkedin.com/in/toddhaverkos

Re: An insider attack scenario

pamaclark@... wrote:
> Suppose a company has a large network, which is divided into several sub-network segments. Due to finance or staff restrictions, the company could only use a limited number of sensors, hence leave some internal sub-networks unmonitored. I guess this is quite common in real world right?

Not many organisations have spent money (or committed time) on monitoring their internal networks other than for basic availability (e.g. disk space, CPU load). Of those that have, experience suggests that the majority haven't dedicated enough time to understanding the nature of the network activity inside their network to make monitoring efficient against anything but loud, obvious attacks or things that can be correlated out-of-the-box.

> So, if I were an inside attacker, I may find out sensor locations (either physical or logical locations) by fingerprinting the sensors as discussed in some previous threads or whatever tricks. Means I will know which sub-networks are monitored and others are not, right? So that I can launch attacks to those unmonitored network segments without being detected.
>
> Does this sound plausible? And what current IDS/IPS technologies can be used against this?

As suggested in an earlier reply, if you know where the sensors are, you can flood them with traffic or run at a rate below their threshold. However, you're probably going to find that they're just looking for known virus or other malware-based activity. If you are an insider with knowledge of the system, the likelihood is that you will be targeting your attack and will remain below the radar.

Some of this can be mitigated by designing the security solutions by assessing risk prior to deciding on a monitoring solution. If you assume that an attacker can be inside or outside your perimeter, you can start to address the risks accordingly; pick your favourite mix of solutions that include IDS/IPS, SIEM, etc. *as well as* a good set of audited policy statements.

Regards,

Nick Besant

Re: An insider attack scenario

Hi,

Have you heard about NAC and HIPS?
http://en.wikipedia.org/wiki/Network_Access_Control
http://en.wikipedia.org/wiki/Host_based_intrusion_detection_system

Those tools will see what you do. And if the firewalls and IPS and HIPS and NAC cooperate with a SIM/SIEM*, then you 'have to run'! :-)

My example from the future:

1. The switch realises a new port is activated -> signs it to the SIM
2. The NAC realises your scan (or any unusual things) from the newly opened port -> signs it to the SIM
3. The HIPS on the host realises the scan (or any unusual things) as well -> signs it to the SIM and to the firewall
4. The firewall reacts and denies any traffic that goes through with your IP -> you may sign it
5. In the NOC** the SIM GUI is opened on a monitor, and in the left corner of this monitor a camera display - from the room where the port is patched - appears
6. The camera sees you, and the security guard gets a phone call from the NOC
7. I wake up from my sweet dreams :-)

*SIM: http://en.wikipedia.org/wiki/Computer_security_incident_management
**NOC: http://en.wikipedia.org/wiki/Network_operations_center

Cheers,
Akos

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On behalf of pamaclark@...
Sent: Wednesday, 10 June 2009 17:25
To: focus-ids@...
Subject: An insider attack scenario

[...]
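Steps 1 to 4 of that "example from the future" are a multi-source correlation rule: a switch link-up, a NAC scan report on the same port, and a HIPS report naming the same source address, all inside a short window, are individually low-value events that together justify an automated firewall response. The following added example (written for this edited page; it is not code from the thread or from any SIM/SIEM product) implements that rule over a handful of constructed events in a generic dict format. The event fields, the five-minute window and the action names are assumptions; a real deployment would take the same decision from its own normalised event schema.

```python
"""Added example: SIM-style correlation of switch, NAC and HIPS events by port and source IP.

Events, field names and the response actions below are constructed for
illustration and do not come from any product or from the thread.
"""
from datetime import datetime, timedelta

# Constructed events, in the order the SIM would receive them (ISO-8601 timestamps).
EVENTS = [
    {"ts": "2009-06-10T11:20:05", "source": "switch", "port": "Gi1/0/7", "msg": "link up"},
    {"ts": "2009-06-10T11:20:40", "source": "nac", "port": "Gi1/0/7", "src": "10.1.5.33", "msg": "port scan"},
    {"ts": "2009-06-10T11:20:52", "source": "hips", "host": "10.2.0.5", "src": "10.1.5.33", "msg": "port scan"},
    # Unrelated HIPS noise from another source: must not attach to the incident above.
    {"ts": "2009-06-10T11:21:30", "source": "hips", "host": "10.2.0.9", "src": "10.1.5.40", "msg": "failed logins"},
    # A NAC report hours earlier with no switch or HIPS corroboration: stays a lone event.
    {"ts": "2009-06-10T09:00:00", "source": "nac", "port": "Gi1/0/2", "src": "10.1.5.20", "msg": "port scan"},
]


def _when(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=timedelta(minutes=5)):
    """Build incidents around each NAC report.

    The NAC event is the pivot because it is the only one that carries both the
    switch port and the source IP, so it can join a link-up (keyed by port) to a
    HIPS report (keyed by src). Two agreeing sources open a ticket; all three
    trigger the automated firewall deny from step 4 of the post.
    """
    incidents = []
    for nac in (e for e in events if e["source"] == "nac"):
        t0 = _when(nac)
        evidence = [nac]
        for other in events:
            if other is nac or abs(_when(other) - t0) > window:
                continue
            if other["source"] == "switch" and other.get("port") == nac["port"]:
                evidence.append(other)
            elif other["source"] == "hips" and other.get("src") == nac["src"]:
                evidence.append(other)
        sources = sorted({e["source"] for e in evidence})
        if len(sources) < 2:
            continue
        incidents.append({
            "src": nac["src"],
            "port": nac["port"],
            "sources": sources,
            "evidence": evidence,
            "action": "push deny rule for src to firewall" if len(sources) == 3 else "open analyst ticket",
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"{inc['src']} on {inc['port']}: {', '.join(inc['sources'])} -> {inc['action']}")
```

With the constructed events only the 11:20 sequence becomes an incident, and because all three sources agree it gets the automated deny; the lone 09:00 NAC report and the unrelated HIPS event are left for ordinary triage. Tightening the window to a few seconds drops the incident entirely, which is the tuning trade-off Todd Haverkos's reply alludes to: a correlation rule that is too strict misses a slow actor, one that is too loose produces tickets nobody reads.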