Detecting Recon Attempts

Description Kill Chain Stage
Network reconnaissance scans and probes networks and precedes a network attack. An attacker who successfully conducts reconnaissance on a network has a higher likelihood of attempting to compromise that network than an attacker whose reconnaissance attempts are prevented.
Threat type to monitor
■    Unauthorised network scanning and / or probing – both internally and externally
Monitoring setup
■    Firewall
Events Indicators
■    Sudden rise in ICMP packets

■    Sudden rise in the packet drops on the firewall

■    Port scan horizontal log

■    Multi service connection attempts log

■    Port scan vertical log

■    Detect port knocking log

■    Excessive denied inbound traffic followed by permit by source IP

■    ICMP reconnaissance scan

■    Port Scan messages log

■    DNS lookups from the same host

■    RDP traffic from same source to multiple destinations
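
An added example, not part of the original wiki page: one way to derive three of the indicators above (horizontal port scan, vertical port scan, and excessive denies followed by a permit from the same source IP) from firewall logs. The log format, thresholds, time window and sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque

# Thresholds, window and log format are assumptions; tune them to your baseline.
WINDOW = 60          # seconds of history kept per source IP
HOST_THRESHOLD = 5   # distinct destinations on one port  -> horizontal scan
PORT_THRESHOLD = 5   # distinct ports on one destination  -> vertical scan
DENY_THRESHOLD = 5   # denies seen before a permit        -> deny-then-permit

def build_sample_log():
    """Constructed firewall log lines: 'epoch action src_ip dst_ip dst_port'."""
    lines = [f"{1000 + i} DENY 203.0.113.5 10.0.0.{i + 1} 445" for i in range(6)]
    lines += [f"{1000 + i} DENY 203.0.113.9 10.0.0.20 {port}"
              for i, port in enumerate([21, 22, 23, 80, 443, 3389])]
    lines += [f"{1100 + i} DENY 198.51.100.7 10.0.0.30 22" for i in range(5)]
    lines.append("1106 PERMIT 198.51.100.7 10.0.0.30 22")
    lines.append("1000 PERMIT 192.0.2.10 10.0.0.40 443")  # ordinary traffic
    return lines

def detect(lines, window=WINDOW):
    """Return {source_ip: sorted indicator names} using a sliding time window."""
    events = sorted((int(ts), action, src, dst, int(port))
                    for ts, action, src, dst, port in (l.split() for l in lines))
    recent = defaultdict(deque)   # src -> (ts, action, dst, port) within window
    alerts = defaultdict(set)
    for ts, action, src, dst, port in events:
        history = recent[src]
        while history and ts - history[0][0] > window:
            history.popleft()     # expire attempts older than the window
        denies = sum(1 for e in history if e[1] == "DENY")
        if action == "PERMIT" and denies >= DENY_THRESHOLD:
            alerts[src].add("deny_then_permit")
        history.append((ts, action, dst, port))
        hosts_per_port, ports_per_host = defaultdict(set), defaultdict(set)
        for _, _, d, p in history:
            hosts_per_port[p].add(d)
            ports_per_host[d].add(p)
        if max(map(len, hosts_per_port.values())) >= HOST_THRESHOLD:
            alerts[src].add("horizontal_scan")
        if max(map(len, ports_per_host.values())) >= PORT_THRESHOLD:
            alerts[src].add("vertical_scan")
    return {src: sorted(names) for src, names in alerts.items()}

if __name__ == "__main__":
    for src, names in detect(build_sample_log()).items():
        print(src, names)
```

The sliding window means the same probes spread over a longer period stay below the thresholds, so the window length and thresholds need to be set against normal traffic for the monitored firewall.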