Triggers
- An internal host has contacted a number of internal IPs that have not been active in the recent past
- Darknet detections cover longer periods than port-scan detections and ignore contacts with systems that do not respond to this host but are otherwise active on the network
Root Causes
- An infected internal system that is part of a targeted attack is performing slow reconnaissance of your network by reaching out to different IP addresses in your network
- A vulnerability scanner or asset discovery system is mapping systems in your network
- A host has been moved to a new network and is unsuccessfully attempting to connect to many previously available services
Business Impact
- Slow reconnaissance of your systems may represent the beginning of a targeted attack in your network
- Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior
Steps to Verify
- Check to see if the detected host should be authorized for network scans
- Look at the pattern of IP addresses being scanned to determine the intent of the scan
- If the pattern appears random and distributed over time, determine which software on the host could be causing the connection requests
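The following is an added example, not code from the original page or from any detection product it describes. It implements the trigger logic from the Triggers section (count, over a long window, the internal destinations a host contacted that neither replied to it nor were otherwise active) together with the first two verification steps (suppress hosts on an authorized-scanner list, and classify the contacted addresses as a sequential sweep or a scattered set). The flow records, thresholds, window lengths, subnet and scanner address are all constructed assumptions for the example.

```python
"""Darknet-contact detection over a constructed internal flow log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed parameters for the example (not taken from any product).
INTERNAL = [ip_network("10.0.0.0/8")]
AUTHORIZED_SCANNERS = {"10.0.9.5"}   # hypothetical allowlisted vulnerability scanner
LOOKBACK = timedelta(days=14)        # a destination seen replying in this window is "active"
DETECT_WINDOW = timedelta(days=7)    # much longer than a port-scan detector would use
MIN_DARK_CONTACTS = 5                # distinct dark destinations needed to raise an alert


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    replied: bool   # True if dst sent traffic back to src in this flow


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample flows (not from a real network).
SAMPLE_FLOWS = [
    # Ordinary clients reaching an active server.
    Flow(_ts("2024-03-01T09:00:00"), "10.0.1.20", "10.0.2.10", True),
    Flow(_ts("2024-03-03T09:00:00"), "10.0.1.21", "10.0.2.10", True),
    # 10.0.2.11 is active (answers 10.0.1.20) but does not answer 10.0.5.50.
    Flow(_ts("2024-03-02T10:00:00"), "10.0.1.20", "10.0.2.11", True),
    Flow(_ts("2024-03-01T02:13:00"), "10.0.5.50", "10.0.2.11", False),
    # Slow reconnaissance from 10.0.5.50: roughly one unused address per night.
    Flow(_ts("2024-03-02T03:41:00"), "10.0.5.50", "10.0.7.3", False),
    Flow(_ts("2024-03-03T01:05:00"), "10.0.5.50", "10.0.3.77", False),
    Flow(_ts("2024-03-04T04:22:00"), "10.0.5.50", "10.0.8.19", False),
    Flow(_ts("2024-03-05T02:58:00"), "10.0.5.50", "10.0.6.130", False),
    Flow(_ts("2024-03-06T03:10:00"), "10.0.5.50", "10.0.4.8", False),
    # Authorized scanner sweeping a subnet sequentially within seconds.
    *[Flow(_ts("2024-03-04T12:00:00") + timedelta(seconds=i), "10.0.9.5",
           f"10.0.20.{i}", False) for i in range(1, 11)],
]
NOW = _ts("2024-03-07T00:00:00")


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def active_hosts(flows, now):
    """Internal addresses that replied to anyone within LOOKBACK of `now`."""
    return {f.dst for f in flows if f.replied and now - f.ts <= LOOKBACK}


def dark_contacts(flows, now):
    """Map src -> set of internal destinations that neither replied to src
    nor were otherwise active. Contacts to active-but-silent hosts are ignored,
    which is what separates this from a plain port-scan count."""
    active = active_hosts(flows, now)
    contacts = defaultdict(set)
    for f in flows:
        if now - f.ts > DETECT_WINDOW or not is_internal(f.dst):
            continue
        if f.replied or f.dst in active:
            continue
        contacts[f.src].add(f.dst)
    return contacts


def describe_pattern(dsts) -> str:
    """Adjacent addresses point to a scanner sweep; scattered addresses fit
    slow reconnaissance and deserve a look at which software on the host
    is making the requests."""
    ints = sorted(int(ip_address(d)) for d in dsts)
    adjacent = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    if len(ints) > 1 and adjacent >= (len(ints) - 1) // 2:
        return "sequential"
    return "scattered"


def detect(flows, now, allowlist=AUTHORIZED_SCANNERS):
    """Return {src: {"count", "pattern"}} for hosts exceeding the threshold
    that are not on the authorized-scanner allowlist."""
    alerts = {}
    for src, dsts in dark_contacts(flows, now).items():
        if src in allowlist or len(dsts) < MIN_DARK_CONTACTS:
            continue
        alerts[src] = {"count": len(dsts), "pattern": describe_pattern(dsts)}
    return alerts


if __name__ == "__main__":
    for src, info in detect(SAMPLE_FLOWS, NOW).items():
        print(f"{src}: {info['count']} dark contacts, pattern={info['pattern']}")
```

Run as written, the only alert is for 10.0.5.50 (five scattered dark destinations over five days); its contact with 10.0.2.11 is dropped because that host is active elsewhere, and the allowlisted scanner's sequential sweep is suppressed. Passing an empty allowlist shows the scanner would otherwise trip the same rule with a "sequential" pattern, which is the case the authorization check in the verification steps is meant to clear quickly.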