Response Guidance - Heavy TCP Host Scan On Fixed Port

Why this rule fired:

  1. This rule fires whenever permitted TCP traffic from a single source IP reaches 500 different destination hosts on the same (fixed) destination port within a 3-minute window.

    1. For example, 192.168.1.50 (single source IP) connected to port 80 (fixed port) on 500 different destination IPs within 3 minutes.
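As an added illustration, not part of the original guidance or of any SIEM product's own rule logic, the following Python expresses the rule's condition as a sliding-window detector over constructed firewall-style log lines. The log format, the field names and the assumption that events arrive in time order are mine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any real SIEM's syntax):
# "<ISO-8601 UTC time> src=<ip> dst=<ip> dport=<port> proto=tcp action=permit"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
                     r"proto=(?P<proto>\w+) action=(?P<action>\w+)$")

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_host_scans(lines, threshold=500, window=timedelta(minutes=3)):
    """One alert per (src, dport) the first time that source reaches `threshold`
    distinct destination hosts on that port within `window`. Only permitted TCP
    events count, as the rule states. Input is assumed sorted by time."""
    recent = defaultdict(deque)                    # key -> (ts, dst) events in window
    hosts = defaultdict(lambda: defaultdict(int))  # key -> dst -> events still in window
    alerts, alerted = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["proto"] != "tcp" or ev["action"] != "permit":
            continue
        key = (ev["src"], ev["dport"])
        q, seen = recent[key], hosts[key]
        q.append((ev["ts"], ev["dst"]))
        seen[ev["dst"]] += 1
        while q and ev["ts"] - q[0][0] > window:   # expire events that left the window
            _, old = q.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]                      # host no longer counts as distinct
        if len(seen) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": ev["src"], "dport": ev["dport"],
                           "distinct_hosts": len(seen), "at": ev["ts"]})
    return alerts

def sample_lines(n_hosts, gap_seconds, src="192.168.1.50", dport=80, action="permit"):
    """Constructed sample: one TCP event per distinct 10.0.x.y host, gap_seconds apart."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    return [f"{(t0 + timedelta(seconds=i * gap_seconds)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
            f"src={src} dst=10.0.{i // 256}.{i % 256} dport={dport} proto=tcp action={action}"
            for i in range(n_hosts)]
```

With 500 hosts 0.3 s apart the whole sweep fits inside the window and one alert fires; spread 1 s apart, older events expire before the count reaches 500 and nothing fires, and denied traffic never counts.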


Possible Causes:

  1. Network management and mapping tools can trigger this rule inadvertently during discovery processes. To reduce the number of false positives, authorized network scanners and applications should be registered as such in the SIEM so their traffic is excluded from this rule.

  2. Excessive port scanning can be an indicator of malicious activity. Scanning networks for vulnerable ports that are open can allow someone to gain unauthorized access to a device or network. 


Why This Matters:

  1. Port scanning is a common technique that hackers use to probe networks or devices for vulnerable open ports. If the source IP is external to the network, someone could be looking for a way into the network. See: https://blog.ipswitch.com/port-scanning-101-what-it-is-what-it-does

  2. If the source IP is an internal address, it could indicate that the host has been compromised and is trying to gain access to other devices within the network. This is called pivoting, a technique hackers use to compromise other systems in a network they already have access to. See: https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.7966.pdf section 4.6 for more information.



Further Investigation:

In the Incident Screen:

  1. Click list view

  2. Click Action -> Search

    1. Search for the incident by pasting the Incident ID in the Incident ID box

    2. If you do not have an incident ID, change the Search Time to match the desired time frame

      1. Under Incident Name, search “Heavy TCP Host Scan On Fixed Port”

  3. Highlight desired incident

  4. Click Events at bottom to view events that triggered the incident

  5. The Source IP column shows the IP address where the scan originated

  6. The Destination IP column shows the IP address that was scanned

  7. The Destination TCP/UDP Port column shows the port that was scanned on the destination host



Action:

  1. If the source IP address is internal, verify the integrity of the device: run a malware scan, remove any malware that may be trying to spread through the network, and investigate the host for other signs of compromise

  2. If the source IP address is external, consider adding a firewall rule to block the IP address the scan originates from

  3. Consider performing your own vulnerability/port scan to look for unwanted open ports in the network and prevent possible exploitation.