Cyber Threats: Network Probes
Network probes are not an immediate threat in themselves. They do, however, indicate that someone is casing your system for possible entry points. A network probe is essentially a network monitor: it analyzes protocols and network traffic in real time.
There are positive and helpful uses for network probes. Running a network probe on your own network can help you find whatever is slowing it down and trace possible vulnerabilities that need patching. However, many people use network probes for malicious purposes, which makes it crucial to know how they work, how to detect them and how to handle unwanted probing. The two most common types of network probe are port scans and SYN scans.
A port scan connects to a series of ports on a machine to find out which respond and which do not. Such scanners can be written very quickly, but they are just as easily detected by the operating system, which makes them less popular today. Randomizing the order in which ports are scanned makes a simple port scan just complex enough to run longer without being noticed. In a large network, even a one-minute delay between scan packets can allow a scan to go undetected.
Half-open SYN Scans
The half-open SYN scan is a much sneakier approach. Once the scanner gets a response from a port, it tears the connection down before a full connection is established, so the operating system does not log the scan as having happened at all. Because the operating system does not detect the scan, black-hat hackers can find vulnerabilities and plan attacks while remaining unnoticed.
For in-depth information about the many types of network scanner, see this post from the Linux Journal.
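Both patterns described above leave a signature in ordinary packet or flow logs, which is where a defender catches them: a single source touching many distinct ports in a short window (the port scan), and a source that starts many TCP handshakes but completes almost none, answering the SYN/ACK with a RST instead of an ACK (the half-open SYN scan). The following script is an added example, not code from the original article. It parses a constructed packet-summary log in an invented "epoch src sport dst dport flags" format (not a real capture format) and applies both checks; the thresholds are assumptions a practitioner would tune to their own network.

```python
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    ts: int       # epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # S = SYN, SA = SYN/ACK, A = ACK, R = RST


# Constructed sample log (not a real capture). 10.0.0.5 sweeps nine ports on
# 192.0.2.10, resetting the three that answer SYN/ACK; 10.0.0.7 is a normal client.
SAMPLE_LOG = """\
1704103200 10.0.0.5 40001 192.0.2.10 21 S
1704103200 192.0.2.10 21 10.0.0.5 40001 R
1704103201 10.0.0.5 40002 192.0.2.10 22 S
1704103201 192.0.2.10 22 10.0.0.5 40002 SA
1704103201 10.0.0.5 40002 192.0.2.10 22 R
1704103202 10.0.0.5 40003 192.0.2.10 23 S
1704103202 192.0.2.10 23 10.0.0.5 40003 R
1704103203 10.0.0.5 40004 192.0.2.10 25 S
1704103203 192.0.2.10 25 10.0.0.5 40004 R
1704103204 10.0.0.5 40005 192.0.2.10 80 S
1704103204 192.0.2.10 80 10.0.0.5 40005 SA
1704103204 10.0.0.5 40005 192.0.2.10 80 R
1704103205 10.0.0.5 40006 192.0.2.10 110 S
1704103205 192.0.2.10 110 10.0.0.5 40006 R
1704103206 10.0.0.5 40007 192.0.2.10 143 S
1704103206 192.0.2.10 143 10.0.0.5 40007 R
1704103207 10.0.0.5 40008 192.0.2.10 443 S
1704103207 192.0.2.10 443 10.0.0.5 40008 SA
1704103207 10.0.0.5 40008 192.0.2.10 443 R
1704103208 10.0.0.5 40009 192.0.2.10 8080 S
1704103208 192.0.2.10 8080 10.0.0.5 40009 R
1704103210 10.0.0.7 51000 192.0.2.10 443 S
1704103210 192.0.2.10 443 10.0.0.7 51000 SA
1704103210 10.0.0.7 51000 192.0.2.10 443 A
1704103220 10.0.0.7 51001 192.0.2.10 22 S
1704103220 192.0.2.10 22 10.0.0.7 51001 SA
1704103220 10.0.0.7 51001 192.0.2.10 22 A
1704103230 10.0.0.7 51002 192.0.2.10 443 S
1704103230 192.0.2.10 443 10.0.0.7 51002 SA
1704103230 10.0.0.7 51002 192.0.2.10 443 A
"""


def parse_log(text):
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags = line.split()
        pkts.append(Pkt(int(ts), src, int(sport), dst, int(dport), flags))
    return sorted(pkts, key=lambda p: p.ts)  # stable sort keeps same-second order


def detect_port_scans(pkts, min_ports=8, window=60):
    """Sources whose SYNs reach >= min_ports distinct (host, port) pairs within
    `window` seconds. Returns {src: peak distinct targets in any window}."""
    syns = defaultdict(list)
    for p in pkts:
        if p.flags == "S":
            syns[p.src].append(p)
    hits = {}
    for src, plist in syns.items():
        peak, left = 0, 0
        for right, p in enumerate(plist):
            while p.ts - plist[left].ts > window:   # slide the window's left edge
                left += 1
            peak = max(peak, len({(q.dst, q.dport) for q in plist[left:right + 1]}))
        if peak >= min_ports:
            hits[src] = peak
    return hits


def detect_half_open(pkts, min_attempts=5, max_completion=0.2):
    """Clients that open many connections but complete almost none. A handshake is
    complete only when the client ACKs the SYN/ACK; SYN -> SYN/ACK -> RST (or no
    client ACK at all) is the half-open pattern. Returns {src: (attempts, completed)}."""
    state = {}   # (client, server, client_port, server_port) -> last handshake step
    for p in pkts:
        if p.flags == "S":
            state[(p.src, p.dst, p.sport, p.dport)] = "syn"
        elif p.flags == "SA":                      # server reply: flip the tuple
            key = (p.dst, p.src, p.dport, p.sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif p.flags == "A":
            key = (p.src, p.dst, p.sport, p.dport)
            if state.get(key) == "synack":
                state[key] = "open"
    attempts, completed = defaultdict(int), defaultdict(int)
    for (client, _, _, _), step in state.items():
        attempts[client] += 1
        completed[client] += step == "open"
    return {c: (attempts[c], completed[c]) for c in attempts
            if attempts[c] >= min_attempts and completed[c] / attempts[c] <= max_completion}


if __name__ == "__main__":
    packets = parse_log(SAMPLE_LOG)
    print("port scans:", detect_port_scans(packets))
    print("half-open :", detect_half_open(packets))
```

On the sample, the sweep from 10.0.0.5 is reported by both checks (nine targets in under ten seconds, zero completed handshakes), while 10.0.0.7 is ignored: two distinct ports and every handshake completed. The half-open check is the one that matters for the SYN scan, because it keys on the client never sending the final ACK rather than on anything the operating system's connection log would record.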
Preventing unwanted Network Probes
There are a few ways to protect yourself against unwanted network probes. The first is to move as many services as you can to a hosted service. The second is to close as many internet-facing ports as you can: when most ports are closed, malware is unable to detect any vulnerability behind them. It is also wise to upgrade your firewall to a more sophisticated product, commonly known as a next-generation firewall. A more robust solution comes from an upmarket manufacturer such as WatchGuard, Cisco, Cisco Small Business, SonicWall or Check Point. Standardize on one or two firewalls and learn to program effective rules for them.
How to handle Network Probes
An unannounced network scan can cause a lot of panic in a company. The first thing to do when you detect a foreign network scan is to remain calm. It could be a non-security issue, or a test that had not been communicated. If it is a security issue, there are a number of ways to manage it, and jumping to rushed conclusions could cause repercussions that could otherwise have been avoided.
The first step in handling an unwanted network probe is to document the activity. Documentation keeps everyone handling the problem informed and aware of patterns, gives the broader perspective needed to make smarter decisions about how to proceed, and is an invaluable record if a court case follows. From there, determine whether you are vulnerable or not: identify any ports that are not well known to you, set up a network analyzer to collect traffic on those ports, and take an inventory of all your network software. This is not ideal when working under time pressure, but it helps identify what you are looking for.
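The two pieces of advice above, close the internet-facing ports you do not need and identify any listening ports that are not well known to you, both start from the same question: what is this host actually listening on, from where is it reachable, and does the inventory account for it? The script below is an added example, not code from the original article. It parses a constructed sample in the column layout of `ss -tlnp` (the sample is invented, not taken from a real host), separates loopback-only listeners from network-reachable ones, and checks the latter against an assumed allowlist of (port, process) pairs that stands in for the software inventory.

```python
import re
from typing import NamedTuple


class Listener(NamedTuple):
    addr: str
    port: int
    process: str


# Constructed sample in the layout of `ss -tlnp` (not output from a real host)
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=1201,fd=6))
LISTEN 0      4096   *:8888              *:*               users:(("python3",pid=4410,fd=5))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      511    0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=990,fd=21))
"""

# Assumed inventory: the only listener this host is expected to expose to the network
EXPECTED = {(22, "sshd")}

PROC_RE = re.compile(r'\(\("([^"]+)"')   # first process name inside users:((...))


def parse_ss(text):
    """Parse LISTEN rows into Listener records; the header row is skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)    # rsplit copes with [::]:22 and *:8888
        m = PROC_RE.search(line)
        listeners.append(Listener(addr, int(port), m.group(1) if m else "?"))
    return listeners


def is_loopback(addr):
    a = addr.strip("[]")
    return a.startswith("127.") or a == "::1"


def audit_listeners(text, allowlist):
    """Split listeners into (exposed_unknown, exposed_known, local_only).
    Anything not bound to loopback is treated as reachable from the network."""
    exposed_unknown, exposed_known, local_only = [], [], []
    for lst in parse_ss(text):
        if is_loopback(lst.addr):
            local_only.append(lst)
        elif (lst.port, lst.process) in allowlist:
            exposed_known.append(lst)
        else:
            exposed_unknown.append(lst)
    return exposed_unknown, exposed_known, local_only


if __name__ == "__main__":
    unknown, known, local = audit_listeners(SAMPLE_SS, EXPECTED)
    for lst in unknown:
        print(f"REVIEW: {lst.process} on {lst.addr}:{lst.port} is network-reachable "
              f"and not in the inventory; close it or add it to the allowlist")
    for lst in local:
        print(f"local-only: {lst.process} on {lst.addr}:{lst.port}")
```

On the sample, sshd on port 22 is expected, redis-server is bound to loopback and so not exposed, and the python3 process on 8888 and mysqld on 3306 are flagged for review: these are exactly the "ports not well known to you" the text says to investigate and, if nothing needs them, the internet-facing ports to close. On a real host, pipe the live `ss -tlnp` output into `audit_listeners` and keep the allowlist under version control alongside the rest of the inventory.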
Reporting Network Probes
Once you have a comprehensive understanding and a record of events, report the probe. Alert management and the security team so they can conduct forensic analysis and make executive decisions about how to proceed. Once reported, continue monitoring the activity by placing extra intrusion detection sensors on uncovered network segments, and leverage your operations center. From here, if you are not given further instruction, you may want to contact the source and try to determine what attracted the attention in the first place. This will help you prevent future occurrences.
For very comprehensive steps on managing unwanted network probes, download this document.
Learn how to detect and mitigate cyber threats with our Cyber Threat Detection and Mitigation Certification Training Course!