Lesson 1, Topic 18
Port Scan Activity
- Review the relevant events in SEIM and collect the following information:
a) IP address of the internal/external scanner
b) Time and date of offence
c) Geo location of the external scanner if applicable
d) Search the correlation and basic events to collect the information that are required
e) Any additional information about the internal scanner (asset name, owner, etc.)
f) Search the correlation and basic events to collect the information that are required
- Evaluate the external IP address reputation and analyze the events and network traffic if available:
a) Investigate the malicious IP address and URL using the available information sources (X-Force Exchange, IP Void, etc.) to see if it is/has been associated with malicious/unauthorized activity. (Please be careful not to go directly to any sites thought to be malicious)
a. Where is the data coming from and where is it going?
b. Is it associated with known malicious activity or indicators of compromise (e.g., malware, malicious IPs/domains, etc.)?
c. What type of site/IP/hostname is it? Is it an official affiliated vendor, group, association, etc?
d. Does it appear to be a legitimate site/IP/hostname?
e. Are there professional relationships in place? Are they in the same division or industry?
b) Verify the reliability of the information about the malicious IPs or URLs
c) Check internal references for authorized exceptions (e.g., CMDB Tool, CSIRT team)
NOTE: It is the recommended to search the following websites to get more information about the malware and level of risk:
- Search for any possible related incident in the ticketing system or the SIEM solution
a) IP address of the scanner
In case of finding relevant incidents, create a master incident ticket and link all the existing tickets with the master ticket
- Categorize the incident as Probes and Scan, and assign the incident to the appropriate team based on the document “SOC Tier 1 – Security Threat Monitoring Process/Procedure”.
NOTE: Below is the list of available options for the incident types:
Web Application Attack
Unauthorized System Activity
Unauthorized Network Activity
Suspicious System Activity
Suspicious Network Activity
Probes and Scans
Denial of Service
Communication with Malicious Network
- Collect as much information as possible about the probe and scan events:
a) Internal/external IP addresses that are used to initiate the scan activity
b) IP address of the assets that are scanned
c) Ports that targeted for the scan activity
- Check the IP address of the scanners with the rest of the security team:
a) If the IP address belongs to the company vulnerability management solution, report the incident as a false positive and send a request to the SIEM admin team to add those IP addresses to the list of legitimate scanners in the SIEM solution
b) If the IP address belongs to an approved penetration test, report the incident as a false positive
- Prioritize the incidents based on the instructions provided in the document “Security Incident Management Process”.
- Consider possible short-term containment actions for an external scan activity:
a) Protect the assets from external scan activity: Blocking the scan and probing communication to any external host can be effective to contain any type of security threat. Below are some recommended mechanisms to achieve this goal:
a. Apply filters to firewalls or router ACLs to block IP addresses that are associated with the scan activity
b. Apply filters to iptable (Linux) or the Windows firewall to block IP addresses that are associated with the scan activity
- Consider possible short-term containment actions for an internal scan activity:
a) Identify the internal asset and investigate the reason of the scan activity:
a. Identify the owner of the asset and check whether they are part of the security/network team or not.
b. If there is, any evidence that shows the scan activity is initiated by a worm or any other types of malware, change the type of the incident to Malicious Code and follow the instructions in the Malicious Code runbook.
c. If the scan activity was user initiated, fully document the case and escalate to CSIRT and HR/legal teams.
- Conduct further network and host forensics as required
- If there are any unauthorized changes on the protective technology by the internal users or admins, ensure all the user accounts that are associated with the person are disabled.
- Take the following actions if applicable:
a) Review the firewall policies to ensure they are following the best practices
b) Review the security policies on the IPS
c) Review the security policies of the proxy servers
d) Revisit the network configuration on the host
- If the incident is left open for an extended period (e.g., 7+ days) Ensure at least one follow-up notification is sent and If they are still unresponsive, escalate to management for action
- Work with the Threat Intelligence team to refine existing rules or develop new signatures/rules to detect activity, as necessary.
- Look for attacker’s artifacts to come back:
a) Unusual network communication
b) Unusual processes
c) Account used by the attackers and simultaneous logins