Port Scan

Port Scan

Identifying a Port Scan is crucial in the realm of network security, as it often represents the initial stage of reconnaissance in potential cyber attacks. In a port scan, attackers systematically check a host for open ports by sending client requests to multiple ports and observing the responses. Open ports can reveal about active services, potentially unveiling vulnerabilities that could be exploited for unauthorized access or malicious activities. Early detection of port scans is therefore vital for preemptive security measures, allowing network administrators to assess and fortify their defenses, close unnecessary ports, and monitor suspected sources for further suspicious activities.

ElastiFlow provides a collection of anomaly detection jobs designed to identify port scans including various monitoring strategies and analytical techniques aimed at detecting the distinctive patterns of such reconnaissance activities.

Attributes

Attribute	Information
Analysis Type	population
MITRE ATT&CK Technique	Network Service Scanning (T1046)
MITRE ATT&CK Tactic	Discovery (TA0007)

Downloads

Schema	Vector	Perspective	Window	Link
CODEX	direct	edge	fast	elastiflow_codex_netsec_port_scan_direct_edge_fast
CODEX	direct	edge	slow	elastiflow_codex_netsec_port_scan_direct_edge_slow
CODEX	direct	inbound	fast	elastiflow_codex_netsec_port_scan_direct_in_fast
CODEX	direct	inbound	slow	elastiflow_codex_netsec_port_scan_direct_in_slow
CODEX	direct	outbound	fast	elastiflow_codex_netsec_port_scan_direct_out_fast
CODEX	direct	outbound	slow	elastiflow_codex_netsec_port_scan_direct_out_slow
CODEX	direct	private	fast	elastiflow_codex_netsec_port_scan_direct_priv_fast
CODEX	direct	private	slow	elastiflow_codex_netsec_port_scan_direct_priv_slow
CODEX	distributed	edge	fast	elastiflow_codex_netsec_port_scan_distrib_edge_fast
CODEX	distributed	edge	slow	elastiflow_codex_netsec_port_scan_distrib_edge_slow
CODEX	distributed	inbound	fast	elastiflow_codex_netsec_port_scan_distrib_in_fast
CODEX	distributed	inbound	slow	elastiflow_codex_netsec_port_scan_distrib_in_slow
CODEX	distributed	outbound	fast	elastiflow_codex_netsec_port_scan_distrib_out_fast
CODEX	distributed	outbound	slow	elastiflow_codex_netsec_port_scan_distrib_out_slow
CODEX	distributed	private	fast	elastiflow_codex_netsec_port_scan_distrib_priv_fast
CODEX	distributed	private	slow	elastiflow_codex_netsec_port_scan_distrib_priv_slow
ECS	direct	edge	fast	elastiflow_ecs_netsec_port_scan_direct_edge_fast
ECS	direct	edge	slow	elastiflow_ecs_netsec_port_scan_direct_edge_slow
ECS	direct	inbound	fast	elastiflow_ecs_netsec_port_scan_direct_in_fast
ECS	direct	inbound	slow	elastiflow_ecs_netsec_port_scan_direct_in_slow
ECS	direct	outbound	fast	elastiflow_ecs_netsec_port_scan_direct_out_fast
ECS	direct	outbound	slow	elastiflow_ecs_netsec_port_scan_direct_out_slow
ECS	direct	private	fast	elastiflow_ecs_netsec_port_scan_direct_priv_fast
ECS	direct	private	slow	elastiflow_ecs_netsec_port_scan_direct_priv_slow
ECS	distributed	edge	fast	elastiflow_ecs_netsec_port_scan_distrib_edge_fast
ECS	distributed	edge	slow	elastiflow_ecs_netsec_port_scan_distrib_edge_slow
ECS	distributed	inbound	fast	elastiflow_ecs_netsec_port_scan_distrib_in_fast
ECS	distributed	inbound	slow	elastiflow_ecs_netsec_port_scan_distrib_in_slow
ECS	distributed	outbound	fast	elastiflow_ecs_netsec_port_scan_distrib_out_fast
ECS	distributed	outbound	slow	elastiflow_ecs_netsec_port_scan_distrib_out_slow
ECS	distributed	private	fast	elastiflow_ecs_netsec_port_scan_distrib_priv_fast
ECS	distributed	private	slow	elastiflow_ecs_netsec_port_scan_distrib_priv_slow

By deploying this suite of anomaly detection jobs, organizations can effectively identify port scanning activities in their early stages. Prompt detection of port scans allows network administrators to take immediate action, such as reconfiguring firewalls, shutting down unnecessary services, or increasing surveillance on critical assets, thereby enhancing the overall security posture of the network and preventing potential breaches.