Triggers

  • An internal host has attempted contact with a large number of internal IP addresses on a small number of ports

Possible Root Causes

  • An infected internal system, as part of a targeted attack, is contacting a large number of internal IP addresses on a small number of ports to find systems running particular software that may be vulnerable to attack
  • An IT-run vulnerability scanner or asset discovery system is mapping out system services in your network
  • A host with an unusual discovery mechanism is looking for a service on its local subnet
  • Alarm equipment or IP cameras are performing large-scale scans due to misconfiguration or firmware bugs

Business Impact

  • Reconnaissance of your systems may represent the beginning of a targeted attack in your network
  • Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior using triage filters

Steps to Verify

  1. Check to see if the detected host is authorized to perform port sweeps
  2. Look at the pattern of ports being scanned to determine the intent of the scan
  3. If the pattern appears random and distributed over time, it is likely some form of reconnaissance and should be dealt with before the attack progresses further
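
The detection and triage described above, as an added example that is not part of the original page: group internal-to-internal flows by source, flag hosts that touch many destinations on few ports, and suppress authorized scanners via an allowlist. The thresholds, the allowlisted scanner address and the sample flows are constructed assumptions.

```python
"""Flag internal port sweeps in flow records (added example, not from the original page)."""
from collections import defaultdict
import ipaddress

# Assumed tuning knobs: many destination hosts, few distinct ports.
MIN_DISTINCT_HOSTS = 20
MAX_DISTINCT_PORTS = 3
# Triage filter: hosts authorized to sweep (assumed IT vulnerability scanner address).
AUTHORIZED_SCANNERS = {"10.0.0.5"}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_port_sweeps(flows):
    """Return {src_ip: {"hosts": n, "ports": [...]}} for sources matching the sweep
    pattern (flows are (timestamp, src_ip, dst_ip, dst_port)); allowlisted scanners are skipped."""
    dsts = defaultdict(set)
    ports = defaultdict(set)
    for _ts, src, dst, port in flows:
        if not (is_internal(src) and is_internal(dst)):
            continue  # only internal-to-internal traffic counts as an internal sweep
        dsts[src].add(dst)
        ports[src].add(port)
    hits = {}
    for src in dsts:
        if src in AUTHORIZED_SCANNERS:
            continue  # step 1: authorized to perform port sweeps
        if len(dsts[src]) >= MIN_DISTINCT_HOSTS and len(ports[src]) <= MAX_DISTINCT_PORTS:
            hits[src] = {"hosts": len(dsts[src]), "ports": sorted(ports[src])}
    return hits

# Constructed sample: 10.1.2.3 probes 25 hosts on 445 and 3389 (sweep); 10.0.0.5 probes
# 30 hosts on 22 (authorized scanner); 10.1.2.9 talks to one host on many ports (not a sweep).
SAMPLE_FLOWS = (
    [(i, "10.1.2.3", f"10.1.2.{100 + i}", 445) for i in range(25)]
    + [(i, "10.1.2.3", f"10.1.2.{100 + i}", 3389) for i in range(25)]
    + [(i, "10.0.0.5", f"10.1.3.{i}", 22) for i in range(30)]
    + [(i, "10.1.2.9", "10.1.2.50", 8000 + i) for i in range(10)]
)

if __name__ == "__main__":
    for src, info in find_port_sweeps(SAMPLE_FLOWS).items():
        print(f"{src}: {info['hosts']} internal hosts on ports {info['ports']}")  # step 2: review the port pattern
```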

FAQs