Detecting Recon Attempts
Description | Kill Chain Stage
Network reconnaissance scans and probes networks and precedes a network attack. An attacker who successfully conducts reconnaissance on a network has a higher likelihood of attempting to compromise that network than an attacker whose reconnaissance attempts are prevented. |

Threat type to monitor
■ Unauthorised network scanning and/or probing, both internally and externally

Monitoring setup
■ Firewall

Event indicators
■ Sudden rise in ICMP packets
■ Sudden rise in packet drops on the firewall

Rules
■ Port scan horizontal log
■ Multi-service connection attempts log
■ Port scan vertical log
■ Detect port knocking log
■ Excessive denied inbound traffic followed by permit by source IP
■ ICMP reconnaissance scan
■ Port scan messages log
■ DNS lookups from the same host
■ RDP traffic from same source to multiple destinations
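Added example, not from the original use case page: a small Python detector that applies four of the rules above (horizontal port scan, vertical port scan, excessive denies followed by a permit from the same source, and RDP traffic from one source to multiple destinations) to constructed firewall log lines. The log format, field order and alert thresholds are assumptions for illustration, not those of any particular firewall.

```python
from collections import defaultdict

# Constructed sample firewall log (not real data); format is an assumption:
# "<time> <action> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_LOG = """\
10:00:01 DENY 10.0.0.5 192.168.1.10 TCP 22
10:00:02 DENY 10.0.0.5 192.168.1.11 TCP 22
10:00:03 DENY 10.0.0.5 192.168.1.12 TCP 22
10:00:04 DENY 10.0.0.5 192.168.1.13 TCP 22
10:00:05 PERMIT 10.0.0.5 192.168.1.20 TCP 443
10:00:06 DENY 10.0.0.9 192.168.1.30 TCP 21
10:00:07 DENY 10.0.0.9 192.168.1.30 TCP 23
10:00:08 DENY 10.0.0.9 192.168.1.30 TCP 25
10:00:09 DENY 10.0.0.9 192.168.1.30 TCP 80
10:00:10 PERMIT 10.0.0.7 192.168.1.40 TCP 3389
10:00:11 PERMIT 10.0.0.7 192.168.1.41 TCP 3389
10:00:12 PERMIT 10.0.0.7 192.168.1.42 TCP 3389
10:00:13 PERMIT 10.0.0.8 192.168.1.50 TCP 443
"""

def parse(log_text):
    """Parse the constructed log lines into dicts keyed by field name."""
    keys = ("ts", "action", "src", "dst", "proto", "port")
    return [dict(zip(keys, line.split())) for line in log_text.splitlines()]

def detect(events, fanout=4, deny_before_permit=4, rdp_fanout=3):
    """Return (rule, src_ip) alerts. Thresholds are assumed values; tune per network."""
    by_src_port = defaultdict(set)  # (src, port) -> destinations  (horizontal scan)
    by_src_dst = defaultdict(set)   # (src, dst)  -> ports         (vertical scan)
    rdp_dsts = defaultdict(set)     # src -> permitted RDP destinations
    denies = defaultdict(int)       # src -> denies since the last permit
    alerts = []
    for e in events:
        src, dst, port = e["src"], e["dst"], e["port"]
        by_src_port[(src, port)].add(dst)
        by_src_dst[(src, dst)].add(port)
        if port == "3389" and e["action"] == "PERMIT":
            rdp_dsts[src].add(dst)
        if e["action"] == "DENY":
            denies[src] += 1
        else:  # a permit: alert if it follows a burst of denies, then reset the count
            if denies[src] >= deny_before_permit:
                alerts.append(("deny_then_permit", src))
            denies[src] = 0
    alerts += [("horizontal_scan", s) for (s, _), d in by_src_port.items() if len(d) >= fanout]
    alerts += [("vertical_scan", s) for (s, _), p in by_src_dst.items() if len(p) >= fanout]
    alerts += [("rdp_fanout", s) for s, d in rdp_dsts.items() if len(d) >= rdp_fanout]
    return alerts
```

Running `detect(parse(SAMPLE_LOG))` flags 10.0.0.5 for both the horizontal scan and the deny-then-permit pattern, 10.0.0.9 for the vertical scan, and 10.0.0.7 for RDP fan-out, while the single permitted connection from 10.0.0.8 produces nothing.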
Category: Use Case