Signs of an Internal Darknet Scan
- An internal host has contacted a number of internal IPs that have not been active in the recent past
- Darknet detections cover longer periods than port scans and ignore contacts with systems that do not respond to this host but are otherwise active
- The threat score places large weight on the spread of IPs, medium weight on the spread of ports, and low weight on the total number of dark IPs contacted
- The certainty score places equal weight on the spread of IPs, spread of ports and number of dark IPs contacted
Why Attackers Scan the Darknet
- An infected internal system that is part of a targeted attack is performing slow reconnaissance of your network by reaching out to different IP addresses in your network
- A vulnerability scanner or asset discovery system is mapping systems in your network
- A host has been moved to a new network and is unsuccessfully attempting to connect to many previously available services
Business Impact of an Internal Darknet Scan
- Slow reconnaissance of your systems may represent the beginning of a targeted attack in your network
- Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts which can be whitelisted for this behavior
How to Investigate Internal Darknet Scans
- Check to see if the detected host should be authorized for network scans
- Look at the pattern of IP addresses being scanned to determine the intent of the scan
- If the pattern appears random and distributed over time, determine which software on the host could be causing the connection requests
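The detection and triage logic described in the lists above, as an added worked example that is not part of the original page: it builds the set of "active" internal hosts from a lookback window, keeps only failed contacts to addresses outside that set (so an active host that simply ignores the source is not counted as dark), weights IP spread, port spread and volume as the text describes, checks an allow-list of authorized scanners, and classifies whether the scanned addresses form a sequential sweep or a scattered pattern. The flow records, the allow-list, the normalisation caps and the exact weight values are constructed assumptions for illustration.

```python
"""Toy internal darknet-scan detector (added example, not the original page's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed flow records, not real data: (time, src, dst, dst_port, responded).
FLOWS = [
    # Baseline traffic establishes which internal hosts are "active".
    ("2024-03-01T09:00:00", "10.0.1.20", "10.0.1.5", 445, True),
    ("2024-03-02T10:00:00", "10.0.1.21", "10.0.1.6", 80, True),
    ("2024-03-03T11:00:00", "10.0.1.22", "10.0.1.7", 22, True),
    # An active host ignores 10.0.1.50 on 3389: filtered, not dark, so not counted.
    ("2024-03-10T01:00:00", "10.0.1.50", "10.0.1.5", 3389, False),
    # Slow sweep by 10.0.1.50 of addresses nobody has seen respond, spread over days.
    ("2024-03-10T01:05:00", "10.0.1.50", "10.0.2.10", 445, False),
    ("2024-03-11T02:10:00", "10.0.1.50", "10.0.2.11", 445, False),
    ("2024-03-12T03:15:00", "10.0.1.50", "10.0.2.12", 22, False),
    ("2024-03-13T04:20:00", "10.0.1.50", "10.0.2.13", 22, False),
    ("2024-03-14T05:25:00", "10.0.1.50", "10.0.2.14", 3389, False),
    # A normal host with a single failed connection to a stale address.
    ("2024-03-14T09:00:00", "10.0.1.20", "10.0.3.99", 80, False),
]

AUTHORIZED_SCANNERS = {"10.0.1.200"}  # assumed allow-list of vulnerability/asset scanners


def parse_flows(rows):
    return [(datetime.fromisoformat(t), s, d, p, r) for t, s, d, p, r in rows]


def active_hosts(flows, now, lookback_days=30):
    """An IP is 'active' if it sent traffic or answered anyone inside the lookback window."""
    since = now - timedelta(days=lookback_days)
    active = set()
    for t, src, dst, _, responded in flows:
        if t < since:
            continue
        active.add(src)
        if responded:
            active.add(dst)
    return active


def dark_contacts(flows, active):
    """Per source host: failed contacts to addresses that are not active anywhere."""
    per_src = defaultdict(list)
    for _, src, dst, port, responded in flows:
        if not responded and dst not in active:
            per_src[src].append((dst, port))
    return per_src


def score(contacts, ip_cap=10, port_cap=5, count_cap=50):
    """Threat: large/medium/low weights on IP spread, port spread, volume.
    Certainty: equal weights. Weights (0.6/0.3/0.1) and caps are assumed values."""
    ips = {d for d, _ in contacts}
    ports = {p for _, p in contacts}
    ip_spread = min(1.0, len(ips) / ip_cap)
    port_spread = min(1.0, len(ports) / port_cap)
    volume = min(1.0, len(contacts) / count_cap)
    threat = 0.6 * ip_spread + 0.3 * port_spread + 0.1 * volume
    certainty = (ip_spread + port_spread + volume) / 3
    return round(threat, 3), round(certainty, 3)


def ip_pattern(contacts):
    """Assumed heuristic: mostly adjacent addresses -> sequential sweep, else scattered."""
    addrs = sorted({int(ipaddress.ip_address(d)) for d, _ in contacts})
    if len(addrs) < 2:
        return "single"
    adjacent = sum(1 for a, b in zip(addrs, addrs[1:]) if b - a == 1)
    return "sequential" if adjacent / (len(addrs) - 1) >= 0.8 else "scattered"


def triage(rows, now_iso, min_dark_ips=3, allowlist=AUTHORIZED_SCANNERS):
    """Return findings per source host that touched at least min_dark_ips dark addresses."""
    now = datetime.fromisoformat(now_iso)
    flows = parse_flows(rows)
    active = active_hosts(flows, now)
    findings = {}
    for src, contacts in dark_contacts(flows, active).items():
        dark_ips = sorted({d for d, _ in contacts})
        if len(dark_ips) < min_dark_ips:
            continue
        threat, certainty = score(contacts)
        findings[src] = {
            "authorized": src in allowlist,   # first triage step: is this host allowed to scan?
            "dark_ips": dark_ips,
            "ports": sorted({p for _, p in contacts}),
            "threat": threat,
            "certainty": certainty,
            "pattern": ip_pattern(contacts),   # second step: what does the address pattern suggest?
        }
    return findings


if __name__ == "__main__":
    for host, finding in triage(FLOWS, "2024-03-15T00:00:00").items():
        print(host, finding)
```

Only 10.0.1.50 is reported: the lone failed connection from 10.0.1.20 stays below the dark-IP threshold, and the scanner's rejected attempt against the active host 10.0.1.5 is excluded before scoring. A "sequential" pattern from an unauthorized host points at deliberate enumeration; a "scattered" one over a long period is the case where the triage steps say to look at which software on the host generates the requests.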