Suspicious Port Sweep

Signs of Suspicious Port Sweep

  • An internal host has attempted contact with a large number of internal IP addresses on a small number of ports
  • The threat score is lower for scattered scans and higher when a single port is scanned across many IP addresses
  • The certainty score is driven by the number and frequency of scanning attempts

Why Attackers Sweep Ports

  • An infected internal system that is part of a targeted attack is contacting a large number of internal IP addresses on a small number of ports to find systems running particular software that may be vulnerable to attack
  • An IT-run vulnerability scanner or asset discovery system is mapping out system services in your network
  • A host with an unusual discovery mechanism is looking for a service on its local subnet
  • Alarm equipment or IP cameras are performing large-scale scans due to misconfiguration or firmware bugs

Business Impact of Suspicious Port Sweep

  • Reconnaissance of your systems may represent the beginning of a targeted attack in your network
  • Authorized reconnaissance by vulnerability scanners and asset discovery systems should be limited to a small number of hosts, which can be whitelisted for this behavior using triage filters

How to Investigate Suspicious Port Sweeps

  1. Check to see if the detected host is authorized to perform port sweeps
  2. Look at the pattern of ports being scanned to determine the intent of the scan
  3. If the pattern appears random and distributed over time, it is likely some form of reconnaissance and should be dealt with before the attack progresses further
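The scoring behavior described under "Signs" above (threat rises when one port is probed across many hosts and falls for scattered scans; certainty follows the count and rate of attempts) can be reproduced on a connection log. The following is an added illustration, not Vectra's own scoring model: the thresholds, formulas, host addresses and flow records are all constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple

class Flow(NamedTuple):
    ts: float      # seconds since start of the capture
    src: str
    dst: str
    dport: int

# Constructed sample flows (not real telemetry). Hypothetical hosts:
#   10.0.0.5 probes 12 hosts on port 445 only (single-port sweep)
#   10.0.0.7 probes 12 hosts, each on a different port (scattered scan)
#   10.0.0.9 probes 4 hosts on 4 ports (too few hosts to count as a sweep)
SAMPLE_FLOWS = (
    [Flow(30.0 * i, "10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 13)]
    + [Flow(30.0 * i, "10.0.0.7", f"10.0.2.{i}", 8000 + i) for i in range(1, 13)]
    + [Flow(30.0 * i, "10.0.0.9", f"10.0.3.{i}", p)
       for i, p in enumerate((22, 80, 443, 8080), 1)]
)

def score_sweeps(flows, min_hosts=10):
    """Return {src: (threat, certainty)} for sources touching >= min_hosts.

    threat: share of distinct targets reached on the single most-used port
            (100 = every host hit on one port; low values = scattered scan).
    certainty: grows with the number of attempts and their rate per minute.
    Both formulas are illustrative assumptions.
    """
    hosts_by_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    stamps = defaultdict(list)                              # src -> [ts]
    for f in flows:
        hosts_by_port[f.src][f.dport].add(f.dst)
        stamps[f.src].append(f.ts)
    results = {}
    for src, ports in hosts_by_port.items():
        all_hosts = set().union(*ports.values())
        if len(all_hosts) < min_hosts:
            continue                                        # not a sweep
        top_port_hosts = max(len(h) for h in ports.values())
        threat = round(100 * top_port_hosts / len(all_hosts))
        attempts = len(stamps[src])
        duration = max(stamps[src]) - min(stamps[src])
        per_min = attempts / max(duration, 1.0) * 60
        certainty = min(100, int(2 * attempts + 10 * per_min))
        results[src] = (threat, certainty)
    return results

if __name__ == "__main__":
    for src, (t, c) in sorted(score_sweeps(SAMPLE_FLOWS).items()):
        print(f"{src}: threat={t} certainty={c}")
```

Step 1 of the investigation (authorized scanners) maps onto a whitelist applied before scoring; the result for the scattered host shows why it still surfaces, just with a lower threat score.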