Detecting Recon Attempts
Wiki > Detecting Recon Attempts
| Description | Kill Chain Stage | |
| Network reconnaissance scans and probes networks and precede a network attack. An attacker who successfully conducts reconnaissance on a network has a higher likelihood of attempting to compromise a network than an attacker whose reconnaissance attempts are prevented. |
|
|
| Threat type to monitor | ||
| ■ Unauthorised network scanning and / or probing – both internally and externally | ||
| Monitoring setup | ||
| ■ Firewall | ||
| Events Indicators | ||
| ■ Sudden rise in ICMP packets
■ Sudden rise in the packet drops on the firewall |
||
| Rules | ||
| ■ Port scan horizontal log
■ Multi service connection attempts log ■ Port scan vertical log ■ Detect port knocking log ■ Excessive denied inbound traffic followed by permit by source IP ■ ICMP reconnaissance scan ■ Port Scan messages log ■ DNS lookups from the same host ■ RDP traffic from same source to multiple destinations |
||
Category: Use Case