This post is the fourth of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In today’s installment we cover the discovery of slow randomized port scans.
Port scans are an important part of an attacker’s active reconnaissance efforts because they reveal a lot of information about a target network. Software packages that enable port scanning, such as Nmap, are designed to probe hosts on a network for open software communication ports that the attacker can then attempt to exploit or compromise.
The downside of port scans is that they are easy to detect if they are performed too aggressively. Next-Gen Firewalls (NGFW) and Intrusion Prevention Systems (IPS) can automatically trigger port scan alerts and block the external scanning host. So in order to avoid detection attackers try to stay under the radar — they scan slowly and randomize their scan targets in an attempt to blend in with other innocent network chatter. They try to stay under the alert thresholds configured on automated perimeter defense systems. How, then, does one find port scanning activity if they attackers are going to be stealthy about it?
Well, if looking only at real-time or short-term traffic streams is insufficient, then the natural answer is to look through more historic network traffic to identify the malicious activity. The port scanning activity is there to be found in the network traffic — a system just needs to collect the data and query it to cut through all the other innocent network noise.
In Novetta Cyber Analytics, the “Port Scanners” analytic search does just this. It finds clients that are performing port scans on the monitored network by looking for the following:
Clients that are sending 0-byte TCP packets OR one-sided UDP communications…
And are touching more than 250 (configurable) distinct server ports on the network
Normal client traffic does not hit anywhere near this number of distinct server ports, so anything matching this behavior profile is worthy of investigation.
Port scans normally come from external sources, like automated malware bots that are looking to continually scan and attack with no human interaction. The scans can also, however, be launched by hosts within a network, by a remote malicious operator or by a trusted insider looking for vulnerable internal services or attempting to increase their level of access. So it is important to analyze all network traffic, external and internal, for this active reconnaissance activity.
If an analyst is able to identify port scanning early they will benefit by (a) identifying potential attackers as early as possible and (b) seeing what responses are sent back to the scanning attempts as this will help the analyst identify weaknesses and take preventative measures.
The only benign activity uncovered, false positives, should be intentional authorized port scans by network analysts looking for security weaknesses. This activity would be returned because the analytic does not know the intention of the client, only that they match the profile for the search. For a properly-configured Port Scanners analytic search, however, false positives should be very rare since benign clients don’t typically have a reason for sending 0-byte (empty) packets to many server ports. Once authorized internal IP addresses are whitelisted, and the security clients are tagged as innocent, the results should only include attacker activity.
That does it for port scanning activity. Stay tuned for more powerful searches that can reveal malicious behavior as we move through this entire advanced analytics series.
Read the next post in this series: Protocol Abuse.
Visit the Series Intro to see a complete list of the analytics covered.