Darknet Scan

Signs of an Internal Darknet Scan

  • An internal host has contacted a number of internal IPs that have not been active in the recent past
  • Darknet detections cover longer periods than port scan detections, and they ignore contact with systems that do not respond to this host but are otherwise active
  • The threat score places large weight on the spread of IPs, medium weight on the spread of ports and low weight on the total number of dark IPs contacted
  • The certainty score places equal weight on the spread of IPs, spread of ports and number of dark IPs contacted
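
The logic above, sketched as an added example (not Vectra's implementation): dark IPs are derived from flow records and scored per source host. The flow tuple format, the numeric weights, the saturation points and the use of distinct /24 subnets as "IP spread" are all assumptions chosen for illustration; the page states only the relative emphasis.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records for one lookback window: (src, dst, dst_port, responded)
FLOWS = [
    ("10.0.1.5", "10.0.2.10", 445, True),    # normal traffic: 10.0.2.10 is active
    ("10.0.1.7", "10.0.2.10", 8443, False),  # no reply to this host, but otherwise active
    ("10.0.1.7", "10.0.3.44", 22, False),
    ("10.0.1.7", "10.0.4.91", 3389, False),
    ("10.0.1.7", "10.0.5.17", 445, False),
    ("10.0.1.7", "10.0.5.18", 445, False),
]

# Assumed integer weights: threat is large/medium/low, certainty is equal.
THREAT_W = {"ip_spread": 6, "port_spread": 3, "dark_count": 1}
CERTAINTY_W = {"ip_spread": 1, "port_spread": 1, "dark_count": 1}
SATURATION = {"ip_spread": 4, "port_spread": 4, "dark_count": 8}  # assumed caps

def dark_contacts(flows):
    """Map each source to the (dark_ip, port) pairs it tried to reach."""
    active = {dst for _, dst, _, ok in flows if ok}   # answered someone in the window
    active |= {src for src, _, _, _ in flows}         # assumption: originators are active
    out = defaultdict(set)
    for src, dst, port, ok in flows:
        if not ok and dst not in active:              # skip silent-but-active systems
            out[src].add((dst, port))
    return out

def features(contacts):
    """Normalise each signal to 0..100, capped at its saturation point."""
    ips = {ip for ip, _ in contacts}
    raw = {"ip_spread": len({int(ip_address(ip)) >> 8 for ip in ips}),  # distinct /24s
           "port_spread": len({port for _, port in contacts}),
           "dark_count": len(ips)}
    return {k: min(100, 100 * v // SATURATION[k]) for k, v in raw.items()}

def score(feats, weights):
    return sum(weights[k] * feats[k] for k in weights) // sum(weights.values())

def detect(flows):
    result = {}
    for src, contacts in dark_contacts(flows).items():
        feats = features(contacts)
        result[src] = {"dark_ips": sorted({ip for ip, _ in contacts}),
                       "threat": score(feats, THREAT_W),
                       "certainty": score(feats, CERTAINTY_W)}
    return result
```

With the constructed flows, 10.0.1.7 is flagged for four dark IPs across three subnets and three ports, while its unanswered connection to the otherwise active 10.0.2.10 is ignored.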

Why Attackers Scan the Darknet

  • An infected internal system that is part of a targeted attack is performing slow reconnaissance of your network by reaching out to different IP addresses in your network
  • A vulnerability scanner or asset discovery system is mapping systems in your network
  • A host has been moved to a new network and is unsuccessfully attempting to connect to many previously available services

Business Impact of an Internal Darknet Scan

  • Slow reconnaissance of your systems may represent the beginning of a targeted attack in your network
  • Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior

How to Investigate Internal Darknet Scans

  • Check to see if the detected host should be authorized for network scans
  • Look at the pattern of IP addresses being scanned to determine the intent of the scan
  • If the pattern appears random and distributed over time, determine which software on the host could be causing the connection requests
