Network Scan Incident Response Playbook

The Lumu Network Scan Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61, the incident response life cycle has four main phases, as described below.


This document contains guidelines for network scan incident response using Lumu. Consider this playbook as a guideline to improve the effectiveness of the incident response and adapt it according to your specific requirements.

What is a Network Scan?

A network scan occurs when intruders collect information on the services and resources on a target network. Network scanning isn’t inherently hostile, but adversaries often use it to conduct reconnaissance before trying to breach a network. 

There are two types of attacks that we should define before going forward:
  1. Network scanning: involves detecting all active hosts on a network and mapping them to their IP addresses.
  2. Port scanning: refers to the process of sending packets to specific ports on a host and analyzing the responses to learn details about its running services or the location of potential vulnerabilities.
The adversary will try to find open ports on the target system. A few scanning methods used by network attackers to gather information on your network are:
  1. Vanilla scan/SYN scan: TCP SYN packets are sent to every port of each address in an attempt to connect to all of them; port numbers 0 – 65,535 are used.
  2. Strobe scan: the attacker attempts to connect to a specific range of ports, which are typically open on Windows-based hosts or UNIX/Linux-based hosts.
  3. Sweep scan: Scans a large set of IP addresses in an attempt to detect a system that has an open port.
  4. Passive scan: occurs when network traffic entering or leaving the network is captured and the traffic is then analyzed to determine which ports are open on the hosts within the network.
  5. User Datagram Protocol (UDP) scan: empty UDP packets are sent to different ports on a set of addresses to see how the operating system responds. Closed UDP ports respond with an Internet Control Message Protocol (ICMP) ‘Port Unreachable’ message when an empty UDP packet arrives; the exact ICMP error packet returned varies between operating systems.
  6. FTP bounce scan: this scan is initiated from an intermediary File Transfer Protocol (FTP) server in an attempt to hide the location of the attacker.
  7. FIN scan: TCP FIN packets that specify that the sender wants to close a TCP session are sent to each port for a range of IP addresses.

Preparation

This is the initial phase where organizations plan measures to respond effectively to incidents when they are discovered.

How Lumu Helps

Unlocking the value of your own network metadata to provide enhanced compromise visibility.

Recommended Actions
  1. Make sure that all the network metadata is ingested in the Lumu platform. Learn more in our deployment guide.
  2. Make good use of the Labels feature offered by Lumu. Having appropriate names for your endpoints and LVAs can be very helpful when categorizing your traffic and identifying incidents.
  3. If there are any remote users in your network, make sure they are covered by your Continuous Compromise Assessment strategy. To learn more about how to ensure this, refer to our article about VPN and SDP configuration.      
  4. Make sure to configure your switch/router correctly to capture network metadata. To learn more about how to carry out this configuration, refer to the documentation of your device’s manufacturer. Alternatively, software such as PacketBeat or Ntop set up on one of the switch’s mirror ports can be used to capture this type of metadata.
  5. Make sure that you have deployed Lumu Virtual Appliances (VA) and that they are capturing NetFlow metadata. To achieve this, your network’s devices must forward NetFlow logs to the Lumu VA, or alternatively must have PacketBeat configured as an external collector. To learn more about this collector, refer to our article about PacketBeat.

Detection & Analysis

Organizations should work to detect and validate incidents as quickly as they can. Early detection helps organizations to control the number of infected systems and makes the next phase easier.

How Lumu Helps

Providing the ability to illuminate the blind spots in your network by implementing the concept of Continuous Compromise Assessment.

Recommended Actions
  1. Identify the devices performing the network scan activity by using the incidents tab in the Lumu Portal. You can find this information at a glance in the Activity section of the Lumu Portal. 
  2. Identify the network segments that triggered the activity in order to assess the priority and risk of this incident, and to determine the level of activity across your network.
  3. Identify associated IOCs detected on the same endpoints by looking at the distribution tab in the Lumu Portal. 
  4. Check whether any of the related IOCs has Network Service Scanning capabilities by looking at the MITRE ATT&CK Matrix in the Context tab of the Lumu Portal. If the detected threat has this capability, it raises the probability that the observed network scanning activity is associated with the IOCs seen on that device and network segment.
  5. Validate that the activity is not part of a legitimate penetration test or red team activity.
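As an added example (not Lumu's or NIST's code), the script below shows how the scan types listed under "What is a Network Scan?" can be told apart in NetFlow-style metadata, and then applies the triage steps above: it correlates each scanning source with IOC detections on the same endpoint, weights IOCs whose ATT&CK context includes the scanning technique, and suppresses sources on an authorised penetration-test list. The flow records, IOC names and ATT&CK mappings are constructed for the demo; the threshold of 20 targets and the scoring weights are assumptions to tune for your network.

```python
"""Added example (not Lumu's code): classify scan patterns from NetFlow-style
records, then triage the sources against IOC detections and authorised testers."""
from collections import defaultdict
from dataclasses import dataclass

# TCP control bits as carried in NetFlow/IPFIX tcpControlBits
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Flow:
    """One unidirectional flow record (constructed, not a real export)."""
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    flags: int = 0  # cumulative TCP flags seen in the flow; 0 for UDP


def classify_sources(flows, min_targets=20):
    """Return {source_ip: [(scan_kind, target)]} for sources that look like scanners.
    >= min_targets distinct ports on one host is a port scan (refined to SYN/FIN/UDP
    from flags and protocol); the same port on >= min_targets hosts is a sweep scan."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    findings = {}
    for src, fl in by_src.items():
        ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
        for f in fl:
            ports_per_host[f.dst].add(f.dport)
            hosts_per_port[f.dport].add(f.dst)
        kinds = []
        for host, ports in ports_per_host.items():
            if len(ports) < min_targets:
                continue
            tcp = [f for f in fl if f.dst == host and f.proto == "tcp"]
            udp = [f for f in fl if f.dst == host and f.proto == "udp"]
            if tcp and all(f.flags == SYN for f in tcp):
                kinds.append(("syn_scan", host))   # half-open: SYN only, no handshake
            elif tcp and all(f.flags == FIN for f in tcp):
                kinds.append(("fin_scan", host))   # bare FIN without a session
            elif udp and not tcp:
                kinds.append(("udp_scan", host))
            else:
                kinds.append(("port_scan", host))
        for port, hosts in hosts_per_port.items():
            if len(hosts) >= min_targets:
                kinds.append(("sweep_scan", port))
        if kinds:
            findings[src] = kinds
    return findings


def triage(findings, ioc_hits, authorised, scanning_techniques=("T1046",)):
    """Rank scanning sources. ioc_hits maps endpoint IP -> [(ioc, [ATT&CK technique ids])];
    T1046 (Network Service Scanning/Discovery) marks an IOC with scanning capability.
    Returns [(src, priority, reasons)] ordered high -> medium -> low -> suppressed."""
    ranked = []
    for src, kinds in findings.items():
        if src in authorised:
            ranked.append((src, "suppressed", ["authorised penetration test / red team source"]))
            continue
        reasons = [f"{kind} toward {target}" for kind, target in kinds]
        score = 1
        for ioc, techniques in ioc_hits.get(src, []):
            score += 1
            reasons.append(f"IOC {ioc} seen on the same endpoint")
            if any(t in scanning_techniques for t in techniques):
                score += 2
                reasons.append(f"IOC {ioc} carries a scanning technique ({', '.join(techniques)})")
        priority = "high" if score >= 4 else "medium" if score >= 2 else "low"
        ranked.append((src, priority, reasons))
    order = {"high": 0, "medium": 1, "low": 2, "suppressed": 3}
    return sorted(ranked, key=lambda r: order[r[1]])


def sample_flows():
    """Constructed flow records: three scanners and one normal client."""
    flows = []
    for p in range(20, 50):                   # 10.0.1.15: SYN-only probes, 30 ports
        flows.append(Flow("10.0.1.15", "10.0.2.5", p, "tcp", SYN))
    for i in range(1, 26):                    # 10.0.1.15 also sweeps 445 over 25 hosts
        flows.append(Flow("10.0.1.15", f"10.0.3.{i}", 445, "tcp", SYN))
    for p in range(1, 31):                    # 10.0.1.77: FIN scan of one host
        flows.append(Flow("10.0.1.77", "10.0.2.9", p, "tcp", FIN))
    for p in range(100, 125):                 # 10.0.1.40: UDP probes of one host
        flows.append(Flow("10.0.1.40", "10.0.2.5", p, "udp"))
    for p in (53, 80, 443):                   # 10.0.1.3: ordinary completed sessions
        flows.append(Flow("10.0.1.3", "10.0.2.5", p, "tcp", SYN | ACK | FIN))
    return flows


# Constructed context: IOC hits per endpoint and the red team's known source address
IOC_HITS = {"10.0.1.15": [("bad-domain.example", ["T1046", "T1071"])],
            "10.0.1.40": [("c2.example", ["T1071"])]}
AUTHORISED = {"10.0.1.77"}

if __name__ == "__main__":
    for src, prio, why in triage(classify_sources(sample_flows()), IOC_HITS, AUTHORISED):
        print(f"{src:<12} {prio:<10} {'; '.join(why)}")
```

Run as-is to see the ranked list; in practice `sample_flows()` would be replaced by records from your NetFlow collector and `IOC_HITS` by the detections exported from the portal. The flag test is deliberately strict (every flow toward the host must be SYN-only or FIN-only) so that a busy client with many completed sessions is never labelled a scanner.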

Containment, Eradication, & Recovery

This phase has two key goals: stopping the spread of the threat and preventing more damage inside the network. Organizations should have strategies and procedures according to the level of risk of the detected compromise.

How Lumu Helps

Confirmed compromise intelligence about the compromised device helps security analysts to understand where and how to contain and eradicate the compromise.

Recommended Actions
  1. Identify and isolate endpoints where activity was detected. When threat actors start to perform network scans, the usual reason is network discovery: they already have initial access to your network and are trying to identify valuable or vulnerable assets in order to achieve lateral movement.
  2. Lumu Defender, the most advanced Lumu subscription tier, features response integrations that allow Lumu to obtain even more precise intelligence and to promptly respond to threats by communicating with other cybersecurity tools and assets. This may be vital when it comes to reacting appropriately using the tools in your cybersecurity stack. 
  3. Check whether the credentials for remote access to your network have been potentially compromised. Check Event Collector error codes and look for unknown accounts in your Active Directory. Also, enable Multi-factor authentication in your network.
  4. If you identify a network scan incident in the same network segment and/or label where other IOCs have been detected, and the network scan incident wasn’t caused by the work of your security team, review the detected IOCs and whether they are currently blocked by your Firewall or other components of your security infrastructure. 
  5. Create and apply access control lists on your firewalls and routers. Remember: in a Zero Trust model, there is no such thing as a trusted source. As such, every request to access the system must be authenticated, authorized, and encrypted.
  6. Isolate the targeted device from your network. Verify that security updates on the device are up to date, as well as the Access Control Lists on services. Also, review your access logs and force Multi-factor authentication.

Post-Incident Activity

This last phase is designed to incorporate the lessons learned about the incident and be better prepared in the future.

How Lumu Helps

Continuously monitor that the compromise has been eradicated and refine current defense and response infrastructure for the future.

Recommended Actions
  1. Use Lumu to detect the devices in your network that performed the network scans and make sure that no additional incidents of this type are reported. In addition, you can also conduct awareness campaigns focusing on the users that own and/or manage those devices.
  2. To determine whether or not a device is at risk, you’ll need to find out what an attacker would see if they perform a port scan on said device. One way to do this is to use a tool like Nmap, a free port scanner which, unfortunately, is used by hackers to carry out attacks but isn’t inherently dangerous to use on your own device. From there, you can see which of the device’s ports show as “open.”
Mitigations
        • Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
        • Use network intrusion detection/prevention systems to detect and prevent remote service scans.
        • Ensure proper network segmentation is followed to protect critical servers and devices.
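As an added example (not Lumu's code, and not Nmap), the script below performs the self-check described in step 2 and the first mitigation above: it tests which TCP ports on your own device accept connections and compares them with the services you expect to be listening, so that an unexpected open port stands out. The demo restricts itself to 127.0.0.1 and starts its own throw-away listener so it runs offline; the host, port list and expected set are constructed placeholders to replace with your device's real service baseline.

```python
"""Added example (not Lumu's code): audit which TCP ports on your own host accept
connections and compare them with the services you expect to be listening."""
import socket
import threading


def port_open(host, port, timeout=0.5):
    """Return True if a TCP connect() to host:port succeeds within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit_ports(host, ports, expected):
    """Probe each port and report what is open, what is open but not in the
    expected baseline, and which expected services are not answering."""
    open_ports = {p for p in ports if port_open(host, p)}
    return {
        "open": sorted(open_ports),
        "unexpected_open": sorted(open_ports - set(expected)),
        "expected_missing": sorted(set(expected) - open_ports),
    }


def start_listener(host="127.0.0.1"):
    """Constructed stand-in for a real service: accept and drop connections on an
    ephemeral port in a background thread. Returns (server socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:      # server socket closed: stop serving
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Audit two local ports: one with our stand-in service, one we know is closed.
    The baseline deliberately expects the wrong one, so both findings appear."""
    srv, listening = start_listener()
    tmp = socket.socket()                    # bind a second ephemeral port and release it
    tmp.bind(("127.0.0.1", 0))               # so we have a port number that is closed
    closed = tmp.getsockname()[1]
    tmp.close()
    result = audit_ports("127.0.0.1", [listening, closed], expected=[closed])
    srv.close()
    return listening, closed, result


if __name__ == "__main__":
    listening, closed, result = demo()
    print(f"listening on {listening}, closed {closed}: {result}")
```

Against a real device, replace the port list with the range you care about and `expected` with the documented service baseline; anything in `unexpected_open` is a candidate for the "close unnecessary ports and services" mitigation, and anything in `expected_missing` may indicate a service that was disabled during containment and still needs to be restored.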

  1. Validate whether the contacted IOCs on detected endpoints are not being seen in other devices, as this may indicate that further network scans can be performed.
  2. Conduct root cause analysis. You can use context information from the Lumu Portal for more details.
  3. Consider Zero Trust architecture in order to micro-segment your network to reduce the potential attack surface.
  4. Identify details of the cybersecurity incident, including timing, type, and location. The incident and its effects need to be remediated across the entire network.
  5. Consider implementing and deploying deception technologies to attract cyber criminals away from your organization's true assets. These decoys mimic legitimate servers, applications, and data so that the criminal is tricked into believing that they have infiltrated and gained access to your organization's most important assets when in reality they have not.
  6. Hackers usually probe networks for vulnerabilities using port scan attacks; however, it is possible to set up your organization's network to use this against them and slow attackers down. By using firewalls to redirect open ports to “honeypots” or empty hosts, you can turn a port scan that would take hackers just a few seconds into a 7-hour job. Capitalizing on the frequency of port scans by using deception defenses that bait and trap hackers can be an effective technique that requires relatively little investment.