Network probes or the pre-ATT&CK phase (see below*1) are indicators of the silent attacker reconnaissance of the internet. Hidden in these scans can be the first signs of interest which can lead to a potentially damaging security breach, so you might want to take the time to examine them and make sure your systems are not affected.
Anyone that operates digital services or a corporate network will know that network probes come with the territory – at some point, if not every minute, your network will be probed by an outside entity looking for a way in. Generally, these come in the forms of automated port and vulnerability scanners.
On the surface, you may think just being scanned is part of the mischief of the internet and is nothing to worry about – especially as they pose no immediate risk. While it may just be that, advanced vulnerability analysis shows there is a more sinister subset of scans which are attempting to cloak more serious probes by hiding in plain sight. Although, these network probes and scans are not typically breaches themselves, they shouldn’t be ignored as they are the work of open source intelligence operations seeking to compromise and infiltrate your networks.
If we look at a typical scan, we usually see a network probe with little more than an agent comprised of an automated script that is checking for details about your infrastructure or the application code you are hosting. Its sole purpose is to scan the internet and return with information about what assets, software and services you are exposing. At any one time there are potentially millions of these network probes and hostile scans out there looking for vulnerabilities to exploit, which they most certainly will be if they’re left unattended.
The tools to create these probes are easy to come by. Commercial software or services such as Shodan, Censys.io or the free tool MASSCAN, allow threat actors (malicious and “gray hat”) to easily locate vulnerable devices or services that are attached to the internet and likely attached directly to your network. This information can then be weaponised. A well-compiled list can allow an attacker to quickly create an attack surface map that highlights the fastest ways to breach your security and perimeter defences and gain access to our network and files.
The most common breaches we see today can range from existing security vulnerabilities in blogging software, or servers exposing remote administrative tools like remote desktop or cloud buckets (such as Amazon S3), right through to an internet-facing conference video system with default passwords like “admin” (see the breach of the Brazilian ISP in 2015).
The good news is that as defensive operators and system admins, we can use these same tools to run scans proactively on our own environments in order to see the weak points in our networks. but we need to be prudent and exercise good hygiene, acting swiftly on the information we have.
How a network probe attack works
Essentially, there tend to be two phases of a network probe-based attack. The first stage is a scan of your network, this can be either using a port scan or a ping sweep. If a interesting service is discovered that information is communicated back to the actor. This is where the actual attack surface will be examined. Once the vulnerability is discovered, the actor may attempt to upload a malicious payload onto that device to usurp authority on it.
Once infected, stage two kicks in, here the device can be queued into the cybercriminal’s infection list, extending their ability to infiltrate, exfiltrate or further leverage it to use the infected device as a pivot platform to scan for sensitive data within your network. The process continues as the infiltration leap-frogs from machine to machine and the infection spreads. Of course, on top of this, those behind the attack will now have unfettered access to your network as and when they choose. From here they can exfiltrate data, launch ransomware attacks or disrupt business operations. But the operational information gathering activity is the start, and where the where it all began. To be clear, the attacker already has assumed you have next-generation firewalls and endpoint protection, intrusion detection systems, and secure demilitarized zones setup while going through these motions.
Making sure you’re protected, reduce attack surface
Network probes form part of what is largely an automated attack with infected systems reaching out to find other vulnerable systems, or dedicated systems set on mapping a census of internet services. The Snowden Leaks showed the NSA had just this type of setup using a system called Tao.
So what’s the right approach? Effectively it’s all about reducing your internet footprint or attack surface.
Start with the basics… One of the biggest things you can do to start with is ensure that your hardware isn’t your weak point – so this means making sure that your firewall or routers that control access to your network, as well as any other internet-facing devices you have on your network, don’t have default passwords set on them.
This is going to be an increasingly complex task as IoT becomes more embedded in our businesses. Since the Mirai botnet first appeared new generations of botnets have focused on compromising IoT devices and they continue to be an area of concern for IT security teams. Just this week Mirai was discovered to have uploaded new types of architecture support to their code base. Minimising open ports will significantly reduce the chances of a network probe or hostile scan successfully getting into your network. Beyond this, ensuring that you have a solid patch management programme in place will help you ensure that known vulnerabilities are removed, which will deny this as a route to entry for any would-be attacker.
Finally, you need to monitor for things like unauthorised port scans or ping sweeps. Recording these events, means you can report any potential probes to the IT management or security team so they can conduct forensic analysis and make decisions about how to proceed. Once you have reported the probe, you should continue monitoring activity through intrusion detection sensors so you can keep a check on suspicious activities.
A good quality continuous monitoring and penetration testing service can help enumerate these issues and resolve them. Most of our clients find this to be the most effective service available to show immediate value to their organisation and reduce risk, as they don’t require long or complicated contractual engagements, but insure a simple place to start.