Every day our networks are scanned by hundreds, even thousands, of bots, crawlers, scrapers, search engines, and other services. While most of these scans are innocuous, some are conducted by malicious bots or bad actors seeking systems they can exploit. Given the amount of noise scans create, and the fact that they very rarely indicate an imminent or ongoing attack, it can be difficult for security operations centers to make good use of network scan data. However, maximizing the value you get from scans enables you to identify a potential attack before it occurs.
Scan data is particularly useful for identifying the reconnaissance and attack-preparation activities of hackers. But it does take some work and processing to differentiate between the various scan types. To accomplish this at Security On-Demand, our scan surveillance analytics classify scans based on the type of activity they are performing (see image below).
All scans are initially classified as active scans, provided the scan is probing 10 or more ports on a single device, 10 or more IP addresses on the network, or a mix of both. Once the first connections are underway, an active scan alert is generated. If, after that scan concludes, a new scan is started from the same source, a discovery scan alert is generated and the analytics begin looking for anomalous behavior. If the scan's behavior changes, for example more allowed connections or fewer devices scanned, an attacker scan alert is generated, indicating that the activity appears malicious and an attack may be imminent.
The next step is evaluating the allowed connections. If, after one or more scans, the system sees a focus on one or a few systems or on specific ports, together with a high percentage of allowed connections, a targeted attack alert is generated.
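The staged model described above (active scan, then discovery scan, then attacker scan, then targeted attack) as an added Python example. This is not Security On-Demand's analytics; the 60-second idle gap that separates one scan session from the next, the focus and allowed-ratio thresholds, and the connection records themselves are constructed assumptions for illustration. Each record is a tuple of (timestamp in seconds, source IP, destination IP, destination port, whether the firewall allowed the connection).

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample connection records for this example (not from a real capture):
# (timestamp_seconds, src_ip, dst_ip, dst_port, allowed)
SRC = "203.0.113.5"  # constructed scanner address (documentation range)
SAMPLE_RECORDS = []
# Session 1: sweep of 12 hosts on port 22, every attempt blocked -> active scan
for i in range(12):
    SAMPLE_RECORDS.append((i, SRC, f"10.0.0.{i + 1}", 22, False))
# Session 2: same 12 hosts again on port 443, still blocked -> discovery scan
for i in range(12):
    SAMPLE_RECORDS.append((200 + i, SRC, f"10.0.0.{i + 1}", 443, False))
# Session 3: narrows to one host, 15 ports, two of them allowed -> attacker scan
for i in range(15):
    SAMPLE_RECORDS.append((400 + i, SRC, "10.0.0.7", 20 + i, (20 + i) in (22, 25)))
# Session 4: one host, one port, every connection allowed -> targeted attack
for i in range(6):
    SAMPLE_RECORDS.append((600 + i, SRC, "10.0.0.7", 22, True))
# A benign client touching three web servers never crosses the active threshold
for i in range(3):
    SAMPLE_RECORDS.append((50 + i, "198.51.100.9", f"10.0.0.{20 + i}", 80, True))


@dataclass
class ScanSession:
    """Connections from one source with no idle gap longer than the cutoff."""
    src: str
    start: int
    end: int
    ports_per_host: dict = field(default_factory=lambda: defaultdict(set))
    attempts: int = 0
    allowed: int = 0

    @property
    def hosts(self):
        return len(self.ports_per_host)

    @property
    def ports(self):
        return len(set().union(*self.ports_per_host.values()))

    @property
    def max_ports_on_one_host(self):
        return max((len(p) for p in self.ports_per_host.values()), default=0)

    @property
    def allowed_ratio(self):
        return self.allowed / self.attempts if self.attempts else 0.0


def split_sessions(records, idle_gap=60):
    """Group records by source and cut a new session after idle_gap seconds of silence."""
    by_src = defaultdict(list)
    for rec in sorted(records):
        by_src[rec[1]].append(rec)
    sessions = {}
    for src, recs in by_src.items():
        out = []
        for ts, _, dst, port, allowed in recs:
            if not out or ts - out[-1].end > idle_gap:
                out.append(ScanSession(src, ts, ts))
            cur = out[-1]
            cur.end = ts
            cur.ports_per_host[dst].add(port)
            cur.attempts += 1
            cur.allowed += int(allowed)
        sessions[src] = out
    return sessions


def is_active_scan(s, threshold=10):
    """Active scan: threshold+ ports on one device or threshold+ devices on the network."""
    return s.hosts >= threshold or s.max_ports_on_one_host >= threshold


def classify_source(sessions, focus_hosts=3, focus_ports=3, high_ratio=0.5):
    """Return one alert label (or None) per session, escalating through the stages."""
    labels = []
    prev = None  # most recent session from this source that raised an alert
    for s in sessions:
        if prev is None:
            label = "active scan" if is_active_scan(s) else None
        else:
            # Focus on a few systems or a few ports, plus a high allowed percentage
            focused = s.hosts <= focus_hosts or s.ports <= focus_ports
            # Behaviour change versus the previous alerted scan from this source
            changed = s.allowed_ratio > prev.allowed_ratio or s.hosts < prev.hosts
            if focused and s.allowed_ratio >= high_ratio:
                label = "targeted attack"
            elif changed:
                label = "attacker scan"
            else:
                label = "discovery scan"
        labels.append(label)
        if label is not None:
            prev = s
    return labels


def run_demo(records=SAMPLE_RECORDS):
    """Map each source address to the sequence of alerts its sessions produced."""
    return {src: classify_source(sess) for src, sess in split_sessions(records).items()}


if __name__ == "__main__":
    for src, labels in run_demo().items():
        print(src, labels)
```

The escalation is keyed on the previous alerted session from the same source, so a single sweep that never recurs stays an active scan, while a source that returns, narrows to one host and starts getting connections through climbs to a targeted attack alert. Tune the idle gap and thresholds to your own traffic before relying on the labels.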
Such a methodology allows a SOC to home in on scan activity that appears malicious and may be predictive of an incoming attack. From here, the SOC has numerous options for securing the network. These may include orchestrating a block of the suspicious IP in question, stopping the immediate activity, and attempting to correlate the scan activity with subsequent behaviors along the Cyber-Attack Lifecycle (i.e., Recon -> Attack Preparation -> Attack -> Exploit -> Control and Maintain -> Compromise), such as attempts to log into a device, install malware, or gain remote access.
This data also gives your threat hunters a more focused starting point for hunting across the network. Your threat intelligence team is then able to research and develop intelligence on the attacker, and your security engineers can create new rules to protect the network from the bad actor or from similar activity in the future.
By applying a methodology to processing scan activity, you can turn a lot of (seemingly) worthless noise into something useful and valuable. The way you process and handle your scan activity should be unique to you, and there are a variety of ways to craft your analytics. Most importantly, you should recognize that robust alerting on scan data allows you to potentially get ahead of an attack before it is launched, and that could mean all the difference in the world.