Suspicious Port Scan

Triggers

• An internal host has attempted contact with many ports on a small number of internal IP addresses

Possible Root Causes

• An infected internal system that is part of a targeted attack is trying to locate any services which may be active on a small number of hosts by attempting connections on different ports on one or more IP addresses
• An IT-run vulnerability scanner or asset discovery system is mapping out system services on a host
• The detected host is communicating with another host using a peer-to-peer protocol and the traffic configuration on the switch is only supplying one direction of the traffic to the Vectra sensor

Business Impact

• Reconnaissance of individual systems may represent the beginning of a targeted attack in your network
• If the system being scanned is an important or critical asset, any unauthorized scan should be treated with utmost suspicion
• Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior using triage filters

Steps to Verify

• Check to see if the detected host is authorized to perform port scans on the target hosts
• Look at the pattern of ports being scanned to try to determine what the detected host may be searching for
• If the pattern appears random and distributed over time, it is likely some form of reconnaissance and should be dealt with before the attack progresses further