• An internal host has contacted a number of internal IPs that have not been active in the recent past
  • Darknet detections cover longer periods than port scans and ignore contact to systems which do not respond to this host, but which are otherwise active

Root Causes

  • An infected internal system that is part of targeted attack is performing slow reconnaissance of your network by reaching out to different IP addresses in your network
  • A vulnerability scanner or asset discovery system is mapping systems in your network
  • A host has been moved to a new network and is unsuccessfully attempting to connect to many previously available services

Business Impact

  • Slow reconnaissance of your systems may represent the beginning of a targeted attack in your network
  • Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior

Steps to Verify

  • Check to see if the detected host should be authorized for network scans
  • Look at the pattern of IP addresses being scanned to determine the intent of the scan
  • If the pattern appears random and distributed over time, determine which software on the host could be causing the connection requests