Port Vulnerability Scanning: How FlowTraq Dynamically Adapts to Your Network
Port scanning is perhaps the most common reconnaissance technique used to map out a network when planning an attack. A port scan is a connection sweep across addresses and/or ports, intended to discover which addresses have open service ports, and therefore potentially vulnerable services, behind them.
For instance, if a host has the MySQL port open, it is worth trying the exploits that some MySQL versions are vulnerable to. The same goes for web servers, email servers, other databases, file-server ports, and so on.
This means attackers may port-scan large address blocks and ranges from the outside to find a way in. Since firewalls generally block outside access to the inside, attackers more commonly get in through phishing or malware carried in on a device, and then start scanning from the compromised system once they are on the inside.
FlowTraq detects both horizontal scans (one port, or a few ports, probed across many addresses) and vertical scans (many ports probed on a single address) by analyzing the number of unique ports a system connects to and the total number of unique IPs a system connects to, over several different time frames.
An alert is generated by the FlowTraq Network Behavior Intelligence (NBI) system when the number of attempts is unusually high, meaning it deviates from "typical" behavior on the observed network. For instance, if you have 10,000 systems and they all typically connect to 6 unique ports (+/- 3) per hour, then a system that hits 160 unique ports in 10 minutes is considered high.
Equally important, FlowTraq also learns the legitimate exceptions. For instance, if you run an OpenVAS/Nessus/CoreImpact vulnerability scanner on your network for discovery, FlowTraq will learn which system that is and when it performs its scans, so you do not receive an alert each time the expected scanning behavior occurs. Any other system showing the same behavior will immediately trigger an alert.
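The detection logic described in the last three paragraphs, as an added example written for this article rather than FlowTraq's own code: per-source counts of distinct destination ports (vertical) and distinct destination addresses (horizontal) are computed over 10-minute windows, a baseline of mean and standard deviation is learned from earlier windows with the authorized scanner excluded, and a source is flagged when it exceeds the baseline by more than three standard deviations. The flow record layout, the host addresses, the 10.0.0.250 "Nessus box", the thresholds and all sample flows are constructed assumptions.

```python
"""Horizontal/vertical scan detection over NetFlow-style records.

Added example for this article: illustrative code, not FlowTraq's own
implementation. Record layout, thresholds, host addresses and sample
flows are all constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 600  # seconds: the 10-minute frame used in the article's example
NORMAL_HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"]
KNOWN_SCANNERS = {"10.0.0.250"}  # assumed: the in-house Nessus/OpenVAS box
NORMAL_PORTS = [22, 53, 80, 123, 389, 443, 445, 3389, 8080]


def normal_traffic(t0, src, n):
    """Constructed: n flows from src, each to a distinct server and port."""
    return [(t0 + 10 * i, src, f"10.0.1.{10 + i}", NORMAL_PORTS[i])
            for i in range(n)]


def vertical_scan(t0, src, dst, n_ports):
    """Constructed: one host probed on n_ports different ports."""
    return [(t0 + i, src, dst, 1 + i) for i in range(n_ports)]


def horizontal_scan(t0, src, port, n_hosts):
    """Constructed: one port probed on n_hosts different addresses."""
    return [(t0 + i, src, f"10.0.2.{1 + i}", port) for i in range(n_hosts)]


def scanner_sweep(t0, src, n_hosts, n_ports):
    """Constructed: the authorized scanner, many ports on many hosts."""
    return [(t0 + h * n_ports + p, src, f"10.0.1.{10 + h}", 1 + p)
            for h in range(n_hosts) for p in range(n_ports)]


def window_counts(flows, t0, window=WINDOW):
    """Distinct destination ports and addresses per source in [t0, t0 + window).
    Flow records are (timestamp, src_ip, dst_ip, dst_port) tuples."""
    ports, hosts = defaultdict(set), defaultdict(set)
    for ts, src, dst, dport in flows:
        if t0 <= ts < t0 + window:
            ports[src].add(dport)
            hosts[src].add(dst)
    return {src: (len(ports[src]), len(hosts[src])) for src in ports}


def learn_baseline(history, known_scanners=KNOWN_SCANNERS):
    """Mean and population stddev of per-source counts across past windows.
    Authorized scanners are excluded so they do not inflate what 'typical' means."""
    port_samples, host_samples = [], []
    for counts in history:
        for src, (n_ports, n_hosts) in counts.items():
            if src in known_scanners:
                continue
            port_samples.append(n_ports)
            host_samples.append(n_hosts)
    return ((mean(port_samples), pstdev(port_samples)),
            (mean(host_samples), pstdev(host_samples)))


def detect(counts, base, known_scanners=KNOWN_SCANNERS, k=3.0, min_gap=5):
    """Alert when a source exceeds mean + k*stddev. min_gap keeps the threshold
    at least min_gap above the mean so a very quiet network does not alert on
    trivial jitter (an assumed tuning knob, not an NBI parameter)."""
    (mp, sp), (mh, sh) = base
    port_thr = mp + max(k * sp, min_gap)
    host_thr = mh + max(k * sh, min_gap)
    alerts = []
    for src, (n_ports, n_hosts) in sorted(counts.items()):
        if src in known_scanners:
            continue  # learned exception: the scheduled scanner
        if n_ports > port_thr:
            alerts.append((src, "vertical", n_ports))
        if n_hosts > host_thr:
            alerts.append((src, "horizontal", n_hosts))
    return alerts


def build_flows():
    """Constructed dataset: six quiet windows of history (each host 3-7 targets),
    then a window with a vertical scan, a horizontal scan and the scanner's sweep."""
    flows = []
    for w in range(7):
        t0 = w * WINDOW
        for i, src in enumerate(NORMAL_HOSTS):
            flows += normal_traffic(t0, src, 3 + (i + w) % 5)
    t0 = 6 * WINDOW
    flows += vertical_scan(t0, "10.0.0.99", "10.0.1.10", 160)
    flows += horizontal_scan(t0, "10.0.0.77", 22, 120)
    flows += scanner_sweep(t0, "10.0.0.250", 10, 50)
    flows += scanner_sweep(3 * WINDOW, "10.0.0.250", 10, 50)  # earlier scheduled run
    return flows


def run_example():
    """Learn from windows 0-5, then detect on window 6. Returns (baseline, alerts)."""
    flows = build_flows()
    history = [window_counts(flows, w * WINDOW) for w in range(6)]
    base = learn_baseline(history)
    return base, detect(window_counts(flows, 6 * WINDOW), base)


if __name__ == "__main__":
    base, alerts = run_example()
    print("baseline (mean, stddev) for ports and hosts per window:", base)
    for src, kind, n in alerts:
        print(f"ALERT {src}: {kind} scan, {n} distinct targets in one window")
```

With this data the baseline is 5 targets per window with a standard deviation of about 1.4, so the threshold lands at 10; the workstation that probes 160 ports on one server is reported as a vertical scan, the one that touches port 22 on 120 addresses as a horizontal scan, and the authorized scanner at 10.0.0.250, which would exceed both thresholds, is suppressed because it is a learned exception. In practice the baseline should be maintained per network segment and per time-of-day, and the scanner exception should be bound to its scheduled window rather than to the address alone, so that the same address scanning at 3 a.m. on a Sunday still alerts.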