Triggers
- An internal host has attempted contact with many ports on a small number of internal IP addresses
Possible Root Causes
- An infected internal system that is part of a targeted attack is trying to locate any services which may be active on a small number of hosts by attempting connections on different ports on one or more IP addresses
- An IT-run vulnerability scanner or asset discovery system is mapping out system services on a host
- The detected host is communicating with another host using a peer-to-peer protocol and the traffic configuration on the switch is only supplying one direction of the traffic to the Vectra sensor
Business Impact
- Reconnaissance of individual systems may represent the beginning of a targeted attack in your network
- If the system being scanned is an important or critical asset, any unauthorized scan should be treated with utmost suspicion
- Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior using triage filters
Steps to Verify
- Check to see if the detected host is authorized to perform port scans on the target hosts
- Look at the pattern of ports being scanned to try to determine what the detected host may be searching for
- If the pattern appears random and distributed over time, it is likely some form of reconnaissance and should be dealt with before the attack progresses further