Network and system scanning by external third parties is as common as weeds growing in a garden, and about as useful. Scanning occurs for a variety of reasons: it could be a search engine attempting to index your public environment and website, an ISP evaluating its autonomous system, universities conducting research, or hackers looking for potential victims. While I’m sure no one really wants their systems scanned frequently, it is usually more of a nuisance than a security threat. However, all that noise makes it very challenging to identify when you have been scanned by a hacker. So is it even worth the effort? What value does it provide?
There are a lot of reasons security folks give for ignoring network scanning, such as “it happens all the time”, “there is just too much volume”, “just because a bad bot scanned us doesn’t mean we are being hacked”, “it’s just automated, who cares?”, and so on. While there is validity to each of these arguments and more, it is still useful to evaluate scanning data if you can do it quickly and with analytics powering it.
Scan data is very useful in pre-threat efforts to get ahead of an attack: scanning is one of the tools hackers employ in the reconnaissance phase. If you can identify malicious scanning behavior, you can potentially get ahead of the threat and take steps to identify and mitigate upcoming attacks. However, this is very difficult and often hardly worth the effort.
By automating and applying logic to the analysis of scan data, though, you can differentiate between innocuous scans, suspicious bot scans, and targeted attacks. For example, if we see a single IP address run a port scan against the network looking for open ports, and then see the same IP focus its scans on a smaller subset of the network or otherwise change its behavior, we have a better indication that it is probing the network for weaknesses ahead of a potential attack. By then blocking that IP, or actively monitoring for it in your SIEM and SOC, you can potentially prevent it from gathering more information, or even stop an attack.
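The "sweep, then narrow" pattern described above can be turned into a small piece of detection logic. The following is an added example, not code from the article or from Security On-Demand: it buckets each source IP's connection attempts into time windows, looks for a window that touches many hosts followed by a later window that focuses on a small subset of those same hosts, and labels the source accordingly. The log format, the sample log lines, the window size and the host-count thresholds are all constructed assumptions for this example; it also goes slightly beyond the text by reporting the port set seen in each phase, so a one-port sweep followed by a many-port probe of a single host is visible in the verdict.

```python
"""Added example (not from the article): classify external scanning sources by
how their behaviour changes over time, using a constructed firewall-style log.
Thresholds, log format and names below are assumptions for this example."""
from collections import defaultdict
from datetime import datetime

WINDOW_SECONDS = 300  # assumed bucket size for comparing behaviour over time
WIDE_HOSTS = 6        # assumed: this many distinct targets in one window is a sweep
NARROW_HOSTS = 2      # assumed: at most this many targets afterwards counts as "focused"

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>", one event per line.
SAMPLE_LOG = """\
# 198.51.100.7: port-22 sweep across six hosts, then a multi-port probe of one of them
2024-03-01T10:00:01 198.51.100.7 203.0.113.1 22
2024-03-01T10:00:02 198.51.100.7 203.0.113.2 22
2024-03-01T10:00:03 198.51.100.7 203.0.113.3 22
2024-03-01T10:00:04 198.51.100.7 203.0.113.4 22
2024-03-01T10:00:05 198.51.100.7 203.0.113.5 22
2024-03-01T10:00:06 198.51.100.7 203.0.113.6 22
2024-03-01T10:12:10 198.51.100.7 203.0.113.4 80
2024-03-01T10:12:11 198.51.100.7 203.0.113.4 443
2024-03-01T10:12:12 198.51.100.7 203.0.113.4 3306
2024-03-01T10:12:13 198.51.100.7 203.0.113.4 8080
# 198.51.100.99: one-port sweep with no follow-up (typical mass-scanning bot)
2024-03-01T10:01:00 198.51.100.99 203.0.113.1 445
2024-03-01T10:01:01 198.51.100.99 203.0.113.2 445
2024-03-01T10:01:02 198.51.100.99 203.0.113.3 445
2024-03-01T10:01:03 198.51.100.99 203.0.113.4 445
2024-03-01T10:01:04 198.51.100.99 203.0.113.5 445
2024-03-01T10:01:05 198.51.100.99 203.0.113.6 445
# 192.0.2.33: a few ordinary web requests spread over an hour
2024-03-01T10:05:00 192.0.2.33 203.0.113.10 80
2024-03-01T10:20:00 192.0.2.33 203.0.113.10 443
2024-03-01T11:00:00 192.0.2.33 203.0.113.11 80
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def windows_by_source(events):
    """Group each source's events into fixed-size time buckets, relative to its first event."""
    per_src = defaultdict(list)
    for ev in sorted(events):
        per_src[ev[1]].append(ev)
    out = {}
    for src, evs in per_src.items():
        t0 = evs[0][0]
        buckets = defaultdict(list)
        for ts, _, dst, port in evs:
            buckets[int((ts - t0).total_seconds() // WINDOW_SECONDS)].append((dst, port))
        out[src] = [buckets[i] for i in sorted(buckets)]  # quiet gaps are simply skipped
    return out


def classify_source(buckets):
    """Return (verdict, detail). 'targeted' means a wide sweep followed by a later window
    that focuses on a small subset of the hosts that sweep touched."""
    profiles = [({d for d, _ in b}, {p for _, p in b}) for b in buckets]
    for i, (hosts, ports) in enumerate(profiles):
        if len(hosts) < WIDE_HOSTS:
            continue  # not a sweep; keep looking for one
        for later_hosts, later_ports in profiles[i + 1:]:
            if len(later_hosts) <= NARROW_HOSTS and later_hosts <= hosts:
                return "targeted", (f"swept {len(hosts)} hosts on ports {sorted(ports)}, "
                                    f"then focused on {sorted(later_hosts)} "
                                    f"with ports {sorted(later_ports)}")
        return "broad_scan", f"swept {len(hosts)} hosts on ports {sorted(ports)}, no follow-up"
    total_hosts = set().union(*(h for h, _ in profiles)) if profiles else set()
    return "background", f"{len(total_hosts)} host(s) touched, below sweep threshold"


def classify_log(text):
    """Map each source IP in the log to its verdict. 'targeted' sources are the ones worth
    a block or an active SIEM watch; 'broad_scan' ones warrant a lower-priority alert."""
    return {src: classify_source(b) for src, b in windows_by_source(parse_log(text)).items()}


if __name__ == "__main__":
    for src, (verdict, detail) in sorted(classify_log(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict:10} {detail}")
```

Run as-is, the script labels 198.51.100.7 as targeted (sweep of six hosts on port 22, then four ports against 203.0.113.4), 198.51.100.99 as a broad scan with no follow-up, and 192.0.2.33 as background. The subset check (`later_hosts <= hosts`) is what separates "came back for the hosts it found" from a second unrelated sweep; in a real deployment the thresholds would be tuned to the size of the monitored network and the verdicts fed to the SIEM rather than printed.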
Scan data will never be the most valuable data for your network security, but it can be more valuable than most consider. A little creativity and some scripting can turn scans from a worthless annoyance into a valuable data point. For all intents and purposes, the scans affecting your network become a real-time threat intelligence feed that pertains directly to your environment.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD’s patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value and reduce the risk and mitigate the impact of a data breach. SOD is headquartered in San Diego, CA with international R&D offices and a Security Operation Center in Warsaw, Poland.