Active Scanning

Before compromising a victim, adversaries may execute active Reconnaissance scans to gather information that can be used during targeting. Active scans are those where adversaries probe victim infrastructure via network traffic.

Depending on the information they seek, adversaries may port-scan for open SSH services or probe SSL/TLS configurations.

Information from these scans may reveal opportunities for other forms of Reconnaissance and Initial Access.[1]

Mitigations

Mitigation: Pre-compromise

Description: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Detection

Monitor for suspicious network traffic that could be indicative of scanning, such as large volumes of connection attempts originating from a single source (especially if the source is known to be associated with an adversary or botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as the Referer or User-Agent HTTP/S header fields.

Much of this activity occurs at very high volume with a correspondingly high false-positive rate, and it may take place outside the visibility of the target organization, which makes detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
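The "many distinct ports from a single source in a short burst" signal described above, as an added example that is not part of this entry: the log format, field order, threshold and window are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall connection logs (not from any real network):
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2020-12-09T10:00:00 198.51.100.7 203.0.113.10 21 DENY
2020-12-09T10:00:01 198.51.100.7 203.0.113.10 22 ALLOW
2020-12-09T10:00:01 198.51.100.7 203.0.113.10 23 DENY
2020-12-09T10:00:02 198.51.100.7 203.0.113.10 25 DENY
2020-12-09T10:00:02 198.51.100.7 203.0.113.10 443 ALLOW
2020-12-09T10:00:03 198.51.100.7 203.0.113.10 3389 DENY
2020-12-09T10:00:05 192.0.2.50 203.0.113.10 443 ALLOW
2020-12-09T10:00:06 192.0.2.50 203.0.113.10 443 ALLOW
2020-12-09T10:00:07 192.0.2.50 203.0.113.10 443 ALLOW
2020-12-09T10:00:00 198.51.100.200 203.0.113.10 22 ALLOW
2020-12-09T10:03:00 198.51.100.200 203.0.113.10 80 ALLOW
2020-12-09T10:06:00 198.51.100.200 203.0.113.10 443 ALLOW
2020-12-09T10:09:00 198.51.100.200 203.0.113.10 25 DENY
2020-12-09T10:12:00 198.51.100.200 203.0.113.10 8443 ALLOW
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, (dst_ip, dst_port))."""
    ts, src, dst, port, _action = line.split()
    return datetime.fromisoformat(ts), src, (dst, int(port))

def max_distinct_targets(events, window):
    """Largest number of distinct (dst, port) pairs one source touched
    within any sliding time window; events are (timestamp, target) pairs."""
    events.sort()
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({t for _, t in events[start:end + 1]}))
    return best

def find_scanners(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src_ip: distinct_targets} for sources whose burst of distinct
    destination ports within `window` reaches `threshold`. The window keeps a
    slow, spread-out source from being flagged; the distinct-target count keeps
    a busy client that repeatedly hits one service (e.g. 443) from being flagged."""
    per_source = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, target = parse_line(line)
            per_source[src].append((ts, target))
    return {src: n for src, evs in per_source.items()
            if (n := max_distinct_targets(evs, window)) >= threshold}
```

With the defaults only the burst source is reported; widening the window to 15 minutes also catches the slow source, which illustrates why the window and threshold drive the false-positive rate noted above.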

ID: VT0006
MITRE ID:
Sub-techniques:
Tactic: Reconnaissance
Platforms: PRE
Data Sources: Network device logs, Packet capture
Version: 1.0

Created: 09 December 2020

Last Modified: 20 December 2020