Every well-prepared attack begins with reconnaissance of the target. Whether it is a social engineering attack or a network attack, the reconnaissance phase is crucial in order to learn the target's weaknesses and select the appropriate tools.
Vertical scanning works slightly differently. After initially establishing that a host is up, the attacker attempts to identify which services are running on it and in which versions (known as fingerprinting). In this case, multiple requests are sent to a single IP address on different ports. Depending on the tool or scanning mechanism selected, it is possible to scan the 100 most popular ports, ports 1-1024, or all ports from 1 to 65535.
Why is using NetFlow data a good way to detect network scanning?
NetFlow makes it possible to monitor the flow of data on the network. Its great advantage is that it records information about every communication that occurred, whether it was an exchange of large amounts of data or the exchange of individual packets between two parties. NetFlow records each flow direction separately and therefore also leaves a trail of unidirectional transmissions or, as in the case of network scanning, of failed connection attempts.
How does Sycope detect network scanning?
Sycope Security is a set of multiple rules used to detect volumetric and qualitative anomalies in network traffic. Among the nearly 60 detection methods are methods for detecting horizontal and vertical network scans. The idea behind them is to count the number of unique address and port pairs and the number of sessions actually established.
In the case of horizontal scanning, the mechanism detects connections or connection attempts originating from a single IP address that are directed at many different devices.
For vertical scanning, connections or connection attempts between a single pair of IP addresses are detected. An alarm is triggered if such connections are attempted on a large number of ports, more than normal communication would use.
Using all these parameters, and assigning them appropriate values in the detection methods, means that for legitimate network traffic, where the client establishes valid sessions and exchanges data, no alert is triggered. If, on the other hand, the communication contains patterns that deviate from these norms, the system triggers an alert and informs the administrator of the event and its details.
Importantly, the system administrator can adapt the thresholds to their own network and requirements, as the appropriate parameters of a rule may differ from the default values, if only because of the size of the network.
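The detection logic described above, counting unique destination hosts per source (horizontal) and unique destination ports per source/destination pair (vertical) while separating real sessions from failed attempts, can be worked through on NetFlow-style records. The following is an added example written for this article; it is not Sycope's code, and the field names, the "probe" heuristic (few packets and no ACK seen) and the threshold values are assumptions chosen for illustration. The flow records are constructed sample data, not captured traffic.

```python
"""Horizontal / vertical scan detection over NetFlow-style records.

Added example: field names, probe heuristic and thresholds are assumptions,
not the detection product's own rule parameters.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a NetFlow exporter would emit it."""
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    tcp_flags: str  # cumulative TCP flags seen in the flow, e.g. "S" or "SAPF"


# Assumed defaults; an administrator tunes these to the size of the network.
DEFAULT_THRESHOLDS = {
    "horizontal_min_hosts": 20,  # distinct destination hosts probed from one source
    "vertical_min_ports": 30,    # distinct destination ports probed on one src->dst pair
    "max_probe_packets": 2,      # a flow this small never carried a real session
}


def is_probe(flow: Flow, max_probe_packets: int) -> bool:
    """True for a failed or half-open attempt: tiny flow and, for TCP, no ACK seen.

    NetFlow records each direction separately, so an unanswered SYN shows up
    as a one-packet flow from the scanner; an established session does not.
    """
    if flow.packets > max_probe_packets:
        return False
    if flow.proto == "tcp" and "A" in flow.tcp_flags:
        return False
    return True


def detect_scans(flows, thresholds=None):
    """Return a list of alert dicts for sources whose probe counts exceed thresholds."""
    t = {**DEFAULT_THRESHOLDS, **(thresholds or {})}
    probed_hosts = defaultdict(set)  # src -> {dst}
    probed_ports = defaultdict(set)  # (src, dst) -> {dport}
    sessions = defaultdict(int)      # src -> number of established (non-probe) flows

    for f in flows:
        if is_probe(f, t["max_probe_packets"]):
            probed_hosts[f.src].add(f.dst)
            probed_ports[(f.src, f.dst)].add(f.dport)
        else:
            sessions[f.src] += 1

    alerts = []
    for src, hosts in probed_hosts.items():
        if len(hosts) >= t["horizontal_min_hosts"]:
            alerts.append({"type": "horizontal_scan", "src": src,
                           "hosts": len(hosts), "sessions": sessions[src]})
    for (src, dst), ports in probed_ports.items():
        if len(ports) >= t["vertical_min_ports"]:
            alerts.append({"type": "vertical_scan", "src": src, "dst": dst,
                           "ports": len(ports), "sessions": sessions[src]})
    return alerts


# Constructed sample records (not real traffic). Documentation ranges only.
SAMPLE_FLOWS = [
    # Legitimate client: a few full sessions and one DNS query.
    Flow("10.0.0.5", "192.0.2.10", 443, "tcp", 40, "SAPF"),
    Flow("10.0.0.5", "192.0.2.11", 443, "tcp", 25, "SAPF"),
    Flow("10.0.0.5", "192.0.2.12", 53, "udp", 1, ""),
    # Horizontal pattern: one source, one port, 32 different hosts, SYN only.
    *[Flow("10.0.0.99", f"192.0.2.{i}", 445, "tcp", 1, "S") for i in range(20, 52)],
    # Vertical pattern: one source, one host, 60 different ports, SYN only.
    *[Flow("10.0.0.77", "192.0.2.200", p, "tcp", 1, "S") for p in range(1, 61)],
]


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```

Running the module prints one horizontal alert for 10.0.0.99 (32 hosts, 0 sessions) and one vertical alert for 10.0.0.77 against 192.0.2.200 (60 ports), while the legitimate client 10.0.0.5 stays silent because its flows carry full sessions. Raising the thresholds, as an administrator would on a large network, suppresses both alerts, which is the tuning behaviour the text describes.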
Summary
The way NetFlow works ensures that information about all traffic on the network is recorded and transmitted to the collector, whereas the correct interpretation of this data and the detection of anomalies is the task of the analysis modules.