Reconnaissance
Internal Darknet Scan
Detection overview
The Internal Darknet Scan detection identifies attempts by an internal host to scan IP addresses within the organization's network that are not actively used or publicly advertised (often referred to as "darknet" space). This type of activity is typically associated with reconnaissance efforts to discover hidden or unused network segments that could be leveraged for malicious purposes.
Triggers
- An internal host has contacted a number of internal IPs that have not been active in the recent past
- Darknet detections cover longer periods than port scans and ignore contact to systems which do not respond to this host, but which are otherwise active
Root Causes
- An infected internal system that is part of targeted attack is performing slow reconnaissance of your network by reaching out to different IP addresses in your network
- A vulnerability scanner or asset discovery system is mapping systems in your network
- A host has been moved to a new network and is unsuccessfully attempting to connect to many previously available services
Business Impact
- Slow reconnaissance of your systems may represent the beginning of a targeted attack in your network
- Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior
Steps to Verify
- Check to see if the detected host should be authorized for network scans
- Look at the pattern of IP addresses being scanned to determine the intent of the scan
- If the pattern appears random and distributed over time, determine which software on the host could be causing the connection requests
Internal Darknet Scan
Possible root causes
Malicious Detection
- An attacker inside the network attempting to discover hidden or unused IP addresses that could be used for lateral movement or data exfiltration.
- Compromised internal host running malware that performs network scanning to identify potential targets within the organization's internal network.
- Insider threat where an internal user conducts unauthorized network reconnaissance to find unsecured devices or services.
Benign Detection
- Network administrators performing legitimate network mapping or maintenance activities.
- Security assessments or vulnerability scans that include probing darknet spaces as part of their methodology.
- Misconfigured network monitoring tools generating traffic that resembles darknet scans.
Internal Darknet Scan
Example scenarios
Scenario 1: An internal host generates a high volume of scan probes targeting a range of IP addresses within the darknet space. Investigation reveals that the host is compromised, and the attacker is mapping the network to identify potential targets for lateral movement.
Scenario 2: A sudden spike in network traffic is detected, originating from a security team's vulnerability scanner. Verification with the IT department confirms that the activity is part of a scheduled security assessment, and the detected behavior is legitimate.
Internal Darknet Scan
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Exposure of Hidden Assets
Discovery and exploitation of hidden or unused network segments can lead to unauthorized access to sensitive data or systems.
Increased Risk of Lateral Movement
Attackers can use information gathered from darknet scans to move laterally within the network, escalating privileges and accessing critical resources.
Potential Operational Disruption
High volumes of scan traffic can cause network congestion and impact the performance of legitimate network operations.
Internal Darknet Scan
Steps to investigate
Review Network Traffic Logs
Analyze logs to identify the source of the scan probes and the targeted IP addresses. Look for patterns and repeated attempts.
Identify the Source
Determine the internal host generating the darknet scan traffic. Verify if the host and user are authorized to perform such actions.
Check for Associated Activity
Look for other signs of compromise or suspicious behavior linked to the scanning host, such as malware alerts, unusual login attempts, or data exfiltration activities.
Consult with IT and Security Teams
Confirm if any legitimate network mapping, security assessments, or maintenance activities could explain the detected darknet scan behavior.
Internal Darknet Scan
MITRE ATT&CK techniques covered
FAQs
What is an Internal Darknet Scan?
An Internal Darknet Scan involves probing internal IP addresses within a network that are not actively used or publicly advertised, typically as part of reconnaissance efforts to discover hidden or unused network segments.
What are the common signs of an Internal Darknet Scan?
Common signs include multiple scan probes to unassigned IP addresses, high volumes of connection attempts to dark network segments, and unusual network traffic patterns.
Can legitimate software trigger this detection?
Yes, network mapping, security assessments, and misconfigured network monitoring tools can generate traffic that resembles darknet scans.
How does Vectra AI identify Internal Darknet Scans?
Vectra AI uses advanced AI algorithms and machine learning to analyze network traffic patterns and identify anomalies indicative of darknet scanning activities.
What is the business impact of an Internal Darknet Scan?
It can lead to exposure of hidden assets, increased risk of lateral movement, and potential operational disruption due to high volumes of scan traffic.
How can I detect an Internal Darknet Scan in my network?
Detect Internal Darknet Scans by monitoring for scan probes to IP addresses within the darknet space, high volumes of connection attempts from single sources, and unusual traffic patterns involving non-active network segments.
Why are Internal Darknet Scans a significant threat?
They can reveal hidden or unused network assets that may be exploited by attackers, leading to unauthorized access, lateral movement, and potential data breaches.
What steps should I take if I detect an Internal Darknet Scan?
Investigate the source and scope of the scan activity, check for associated suspicious behaviors, review logs, and consult with IT and security teams to verify if the activity is legitimate.
What tools can help verify the presence of an Internal Darknet Scan?
Tools such as network traffic analysis, firewall logs, and intrusion detection systems can help verify and investigate suspicious internal darknet scan activities.
How can I prevent Internal Darknet Scans?
Implement robust network monitoring and alerting, enforce strict access controls, regularly conduct security assessments, and ensure timely patching and updating of systems to minimize vulnerabilities.