Active Scanning: Scanning IP Blocks

ID Name
VT0006.001 Scanning IP Blocks
VT0006.002 Vulnerability Scanning

Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.

Adversaries may scan IP blocks in order to gather network information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses.

Scans may range from simple pings (ICMP requests and responses) and probes to find open ports, to more nuanced scans that may reveal host software/versions via server banners or other network artifacts. Information from these scans may reveal opportunities for Initial Access via SSH External Remote Services. [1]

Mitigations

Mitigation: Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

Detection

Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).

Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.
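A minimal detector for the signal described above, added here as an example and not part of the original page: it reads constructed firewall-style log lines and flags a source that reaches many distinct destination hosts inside a short window. Counting distinct targets rather than raw volume separates a block sweep from an ordinary chatty client and so trims the false positives the text warns about. The log field names, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the page): 203.0.113.7 sweeps eight
# consecutive hosts in 198.51.100.0/24 on port 22 within seconds; 192.0.2.5
# talks to two hosts repeatedly; 203.0.113.9 probes two hosts 20 minutes apart.
SAMPLE_LOG = """\
2020-12-09T10:00:00Z src=203.0.113.7 dst=198.51.100.1 dport=22 action=deny
2020-12-09T10:00:01Z src=203.0.113.7 dst=198.51.100.2 dport=22 action=deny
2020-12-09T10:00:01Z src=203.0.113.7 dst=198.51.100.3 dport=22 action=deny
2020-12-09T10:00:02Z src=203.0.113.7 dst=198.51.100.4 dport=22 action=deny
2020-12-09T10:00:02Z src=203.0.113.7 dst=198.51.100.5 dport=22 action=accept
2020-12-09T10:00:03Z src=203.0.113.7 dst=198.51.100.6 dport=22 action=deny
2020-12-09T10:00:03Z src=203.0.113.7 dst=198.51.100.7 dport=22 action=deny
2020-12-09T10:00:04Z src=203.0.113.7 dst=198.51.100.8 dport=22 action=deny
2020-12-09T10:00:06Z src=192.0.2.5 dst=198.51.100.20 dport=443 action=accept
2020-12-09T10:00:07Z src=192.0.2.5 dst=198.51.100.20 dport=443 action=accept
2020-12-09T10:00:09Z src=192.0.2.5 dst=198.51.100.21 dport=443 action=accept
2020-12-09T10:00:10Z src=203.0.113.9 dst=198.51.100.1 dport=22 action=deny
2020-12-09T10:20:10Z src=203.0.113.9 dst=198.51.100.2 dport=22 action=deny
"""

def parse_line(line):
    """Split 'ts key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_block_scanners(lines, window=timedelta(minutes=5), min_targets=6):
    """Return {src: peak distinct destination hosts} for each source that
    reached at least min_targets distinct hosts inside one sliding window."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse_line(line)
            events[e["src"]].append((e["ts"], e["dst"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # dst -> events currently inside the window
        start = 0
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:  # expire events older than window
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(in_window))
    return hits
```

Only the sweeping source is reported; the slow prober stays below the threshold because its two probes never share a window.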

References

ID: VT0006.001
Sub-techniques: (none listed)
Tactic: Reconnaissance
Platforms: PRE
Data Sources: Network device logs, Packet capture
Version: 1.0

Created: 09 December 2020

Last Modified: 20 December 2020