• An internal host has attempted contact with many ports on a small number of internal IP addresses

Possible Root Causes

  • An infected internal system that is part of a targeted attack is trying to locate any services which may be active on a small number of hosts by attempting connections on different ports on one or more IP addresses
  • An IT-run vulnerability scanner or asset discovery system is mapping out system services on a host
  • The detected host is communicating with another host using a peer-to-peer protocol and the traffic configuration on the switch is only supplying one direction of the traffic to the Vectra sensor

Business Impact

  • Reconnaissance of individual systems may represent the beginning of a targeted attack in your network
  • If the system being scanned is an important or critical asset, any unauthorized scan should be treated with utmost suspicion
  • Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior using triage filters

Steps to Verify

  • Check to see if the detected host is authorized to perform port scans on the target hosts
  • Look at the pattern of ports being scanned to try to determine what the detected host may be searching for
  • If the pattern appears random and distributed over time, it is likely some form of reconnaissance and should be dealt with before the attack progresses further