Reconnaissance
Suspicious Port Sweep
Detection overview
A Suspicious Port Sweep detection indicates potential reconnaissance activity where an attacker scans multiple ports on one or more hosts to identify open and potentially vulnerable services. This is often a precursor to more targeted attacks as it helps attackers map the network and identify potential entry points.
Triggers
- An internal host has attempted contact with a large number of internal IP addresses on a small number of ports
Possible Root Causes
- An infected internal system that is part of a targeted attack is contacting a large number of internal IP addresses on a small number of ports to find systems which are running particular software that may be vulnerable to an attack
- An IT-run vulnerability scanner or asset discovery system is mapping out system services in your network
- A host with an unusual discovery mechanism is looking for a service on its local subnet
- Alarm equipment or IP cameras are performing large-scale scans due to misconfiguration or firmware bugs
Business Impact
- Reconnaissance of your systems may represent the beginning of a targeted attack in your network
- Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior using triage filters
Steps to Verify
- Check to see if the detected host is authorized to perform port sweeps
- Look at the pattern of ports being scanned to determine the intent of the scan
- If the pattern appears random and distributed over time, it is likely some form of reconnaissance and should be dealt with before the attack progresses further
Suspicious Port Sweep
Possible root causes
Malicious Detection
- An attacker performing a port scan to identify open and exploitable services on the network.
- Malware or automated scripts designed to perform network reconnaissance.
- Compromised internal host being used to scan the network for further exploitation.
Benign Detection
- Network or security administrators conducting legitimate vulnerability assessments.
- Network monitoring tools performing health checks on services and devices.
- Automated scripts or applications with legitimate reasons to query multiple services.
Suspicious Port Sweep
Example scenarios
Scenario 1: An internal host generates a high volume of SYN packets to a range of ports on various servers within the network. Investigation reveals that the host is compromised, and the attacker is mapping the network to identify exploitable services.
Scenario 2: A security team runs a scheduled vulnerability assessment, triggering the detection of a suspicious port sweep. The activity is verified as benign after confirming with the IT department.
Suspicious Port Sweep
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Potential Network Intrusion
Successful identification of open ports and services can lead to exploitation of vulnerabilities, resulting in unauthorized access.
Resource Exhaustion
High volume of port scanning can cause network congestion and impact the performance of network devices and services.
Increased Attack Surface Awareness
Information gathered from port sweeps can be used by attackers to refine their strategies, increasing the risk of targeted attacks.
Suspicious Port Sweep
Steps to investigate
Review Logs
Examine firewall, IDS/IPS, and server logs to identify the source and scope of the port sweep. Look for patterns and repeated attempts.
Identify the Source
Determine whether the scanning activity originates from an internal or external host. Check if the source IP address is known and trusted.
Check for Associated Activity
Look for other suspicious activities linked to the source IP, such as failed login attempts, unusual network traffic, or malware alerts.
Consult with IT and Security Teams
Verify if any authorized security assessments or network monitoring activities were being conducted during the time of detection.
Suspicious Port Sweep
MITRE ATT&CK techniques covered
Suspicious Port Sweep
Related detections
FAQs
What is a Suspicious Port Sweep?
A Suspicious Port Sweep involves scanning multiple ports on one or more hosts within a network to identify open and potentially vulnerable services, often indicative of reconnaissance activities by attackers.
How can I detect a Suspicious Port Sweep in my network?
Detect Suspicious Port Sweeps by monitoring for patterns of multiple connection attempts to various ports, high volumes of SYN packets without corresponding ACK packets, and scanning activities from single sources.
What are the common signs of a Suspicious Port Sweep?
Common signs include sequential or random scanning patterns, multiple connection attempts within a short timeframe, and incomplete connection attempts (SYN packets without ACK responses).
Why are Suspicious Port Sweeps a significant threat?
They can reveal open and vulnerable services to attackers, potentially leading to unauthorized access, exploitation of vulnerabilities, and subsequent targeted attacks.
Can legitimate software trigger this detection?
Yes, legitimate vulnerability assessments, network monitoring tools, and administrative scripts can generate port sweeps that may trigger this detection.
What steps should I take if I detect a Suspicious Port Sweep?
Investigate the source and scope of the scanning activity, check for associated suspicious activities, review logs, and consult with IT and security teams to verify if the activity is legitimate.
How does Vectra AI identify Suspicious Port Sweeps?
Vectra AI uses advanced AI algorithms and machine learning to analyze network traffic patterns and identify anomalies indicative of port sweeping activities.
What tools can help verify the presence of a Suspicious Port Sweep?
Tools such as firewall and IDS/IPS logs, network traffic analysis tools, and SIEM solutions can help verify and investigate suspicious port sweep activities.
What is the business impact of a Suspicious Port Sweep?
It can lead to potential network intrusion, resource exhaustion, and increased risk of targeted attacks due to the exposure of open and vulnerable services.
How can I prevent Suspicious Port Sweeps?
Implement robust network monitoring and alerting, enforce strict access controls, regularly conduct security assessments, and ensure timely patching and updating of services to minimize vulnerabilities.