Suspicious Outbound SMTP Connections 

Wireless Activity Monitoring

• Purpose: Ensure that you know about computers with wireless features.

• Check the List: Verify if there are PCs that are not allowed to use wireless features. 

• Approve or Update: Confirm that all the computers are laptops/computers with wireless features.

• Why Important: Related Rules.

Quick Guide:

• Review the list of computers with wireless features turned on.

• Verify that there are only computers with allowed wireless features.

• Provide your Soc Team with the entire list of laptops in your organization in CSV format.

Use Case

Continuous monitoring of all wireless activity originating from computers and servers connected to your organization's Wi-Fi network.

"Wireless activity" designed to show you the wireless activity on the computers in your network.

It is important to make sure that the information listed in the report is indeed laptops. Please follow the guide to get a bigger picture about "Wireless Activity" and then generate the report and provide your Soc Team with the entire list of laptops in your organization in CSV format.

Risk

• Network Bridge and Exposure: Connecting workstations or servers directly to Wi-Fi can inadvertently create a network bridge, exposing your internal network.

• Unauthorized Access: Unsecured or weakly secured Wi-Fi networks can be easily exploited by malicious actors to gain unauthorized access to your internal systems and data.

• Data Interception: Sensitive information transmitted over Wi-Fi can be intercepted by attackers using packet sniffing tools, leading to data breaches and potential financial losses.

• Rogue Access Points: Unauthorized access points set up by malicious actors can mimic your legitimate Wi-Fi network, tricking users into connecting and compromising their devices.

• Misconfigured Devices: Incorrectly configured devices on your Wi-Fi network can introduce vulnerabilities that attackers can exploit.

Monitoring Best Practices

• Naming Conventions: Establish clear naming conventions for laptops connected to the Wi-Fi network (e.g., COMPUTER-LT).

• Guest Wi-Fi Isolation: Separate the guest Wi-Fi network from your internal network to prevent unauthorized access to sensitive resources.

• Group Policy Enforcement: Use Group Policy Objects (GPOs) to enforce restrictions on connecting to multiple network adapters simultaneously on company-managed devices.

• Hardware Restrictions: Ensure that workstations and servers do not have built-in wireless network adapters to prevent unauthorized connections to the Wi-Fi network.

Action

Wireless Activity Report

• Generate a report of all the wireless activity on your network.

  • ESM: 

/All Reports/Mobula/Windows/Audit Applications and Services/Wireless Activity

Please review your entity's report and send it to him so that he can check whether all the computers listed in the report are laptops. Based on your entities feedback, if it is a laptops add this list to the exclusion list:

/All Active Lists/Mobula Exclusion Lists/Mobula/Windows/System or Application/System or Application(Host)

• App

Generate a report of “Wireless Activity” using the Mobula Application and inform your SOC Team / Platform Manager which of your computers listed in the report are Laptops.

• To access the report follow the steps:

1. Go to Options menu

2. Check List

3. Wireless Activity

4. Related Report

5. Generate a report (the report will be sent to your email)

Optional Exclusions

• Laptops with specific computer name conventions (e.g., COMPUTER-LT)
  (Send to your SOC the name conventions)

• Computers explicitly authorized to connect to Wi-Fi
  (Exclude from Mobula Application)

• Internal SSIDs (to focus on external or guest Wi-Fi usage)
  (Exclude from Mobula Application)

General Recommendations

• Strong Encryption: Implement robust encryption protocols like WPA3 for your Wi-Fi network. Avoid outdated protocols like WEP or WPA.

• Regular Password Changes: Enforce strong, unique passwords for Wi-Fi access and change them regularly. Consider using a passphrase instead of a simple password.

• Network Segmentation: Divide your Wi-Fi network into separate segments for guests, employees, and critical systems to limit access and potential damage in case of a breach.

• Intrusion Detection Systems (IDS): Deploy an IDS to monitor your Wi-Fi network for suspicious activity, such as unauthorized access attempts or unusual traffic patterns.

• Regular Vulnerability Scanning: Conduct regular scans of your Wi-Fi network to identify and address any vulnerabilities or misconfigurations.

• Access Point Security: Secure your access points with strong passwords and disable broadcasting of their SSID (network name).

• Device Management: Maintain an inventory of all devices authorized to connect to your Wi-Fi network and enforce security policies on them.

• Employee Training: Educate employees about the risks associated with Wi-Fi usage and provide guidance on secure practices, such as avoiding public Wi-Fi for sensitive activities.

Feedback

This use case has been developed based on our extensive experience and feedback from our valued customers. We are committed to continuous improvement and welcome your feedback and contributions to this use case. Please share any insights or suggestions you may have to help us refine and enhance this security measure.

Egress Communications to Suspicious Country

• Purpose: Define suspicious country's communication.

• Check the List: Make sure you familiar with that ongoing communications.

• Whitelist or block: Exclude from monitoring or block in Firewall.

• Why Important: Cyray’s SIEM system relies on it, facilitating broader monitoring.

Quick Guide:

• Review Egress Communications to Suspicious Country report  

• Block on Firewall or white list approved countries

Detailed Guide:

Overview

The purpose of this guide is to present an explanation of "Egress Communications to Suspicious Country” which is a high amount of outgoing traffic that passes through the organization's FW into countries that may be considered as suspicious.

Our report is based on identifying the source addresses that try to access specific destination addresses and ports, and determining their Geolocation. 

With this information, the organization can review the report findings and decide which countries should be blocked by the FW or Whitelisted if approved.

This helps reduce the risks of attacks from unwelcome countries, improves real-time monitoring alerts, and enhances the incident response and actions taken by the security operations team and platform managers.

Objectives

• Ensure all unwanted communication is blocked.

• Enhance security and compliance with regulatory maintenance of FW rules

Action

Egress Communications to Suspicious Country Report

ESM

Generate a report of all Outbound Communications through FW.

/All Reports/Mobula/DeviceType/Firewall/Egress Communications to Suspicious Country - Detailed

How to generate a Report - Mobula - Generate Reports

Mobula App

Generate a report of “Egress Communications to Suspicious Country” using the Mobula Application.

If the information listed in the Report is approved, whitelist it. If you can define which countries are risky or forbidden for communication, block them in your FW. Wait 24 hours to check if the changes are implemented, then press Update Task to “Complete” stage.

If the report isn’t empty, repeat the first step.

To generate the report, follow the steps:

1. Go to the Options menu

2. Check List

3. Egress Communications to Suspicious Country

4. Related Report

5. Generate a report (the report will be sent to your email)

To Update the task:

1. Go to Options menu

2. Check List

3. Egress Communications to Suspicious Country

4. Task Update

5. Choose the status and click save.

Recommendations

• Implement Country-Based Access Controls: Establish access controls to block communication with countries that your organization's home country has conflicts with. This helps mitigate potential security risks associated with geopolitical tensions.

• Consider Permanent Partnerships: If your organization has ongoing partnerships or business relationships with specific countries, exempt them from the initial access restrictions. Ensure that communication channels with these countries remain open to facilitate business operations.

• Restrict Communication Proactively: Proactively restrict outbound communication to all countries using firewall rules. Then, gradually grant exceptions for specific users or addresses based on business requirements and authorized communications.

• Granular Firewall Rules: Configure firewall rules to allow communication with specific countries only for authorized users or addresses. This approach enhances security by limiting access to a select group while maintaining control over outbound traffic.

Risk

• Data Exfiltration: Egress communications may indicate unauthorized attempts to transfer sensitive data outside of the organization's network. This could include intellectual property, customer information, financial data, or other confidential information

• Compliance Violations: Egress communications to suspicious countries may violate regulatory requirements or industry standards related to data protection, privacy, and cybersecurity. This could result in legal and financial consequences for the organization.

• Operational Disruption: Egress communications may disrupt normal business operations by consuming network bandwidth, degrading system performance, or causing service outages. This can impact productivity and profitability for the organization.

• Supply Chain Risks: Egress communications may indicate security risks within the organization's supply chain, including third-party vendors or partners. Compromised systems or networks within the supply chain can serve as entry points for attackers to target the organization.

Monitoring Best Practices

• Exclude Wi-Fi/Guest network zones to avoid a large number of alerts about users or guests using those networks to surf the net.

• To avoid unnecessary risks,make sure all the countries you don’t want open communication to are inside the  list of suspicious countries

Optional Exclusions

• Source IP

• Destination IP

• Source IP, Destination IP, Destination Port

• Destination Port

• Customer Source Zone

General Recommendations

• Block or Limit Traffic: Immediately block or limit outbound network traffic to the suspicious country. This can be done using firewall rules, network access control lists (ACLs), or other network security devices.

• Review Access Controls: Review and tighten access controls for sensitive systems and data. Ensure that only authorized users have access to critical resources and that access is granted on a need-to-know basis.

• Patch and Update: Ensure that all systems and software are up to date with the latest security patches and updates. Vulnerabilities in outdated software can be exploited by attackers to gain unauthorized access to your network.

• Educate Users: Educate employees about the risks of communicating with suspicious countries and the importance of following security protocols. Remind them to be cautious when clicking on links or downloading attachments from unknown sources.

Conclusion

In conclusion, effective monitoring and management of egress communications to suspicious countries are paramount for maintaining the security and integrity of an organization's network infrastructure. By implementing robust access controls, proactive communication restrictions, and granular firewall rules, organizations can mitigate the risks associated with potential data exfiltration, compliance violations, operational disruptions, and supply chain vulnerabilities. Additionally, leveraging comprehensive monitoring best practices and optional exclusions helps streamline the identification of security threats while minimizing unnecessary alerts. Through these measures, organizations can strengthen their security posture, enhance regulatory compliance, and safeguard against emerging cyber threats in an increasingly interconnected digital landscape.

Troubleshooting

• The report is not being sent to the email address via Mobula application

  • Define Email Addresses

• The report is empty

  • Contact with your SOC team to check if there are any block stations or block ports and not all the organization is monitored correctly. If all are monitored you can mark the task as Done.

• Purpose: Approve or Block traffic not through DNS servers.

• Check the List: To make sure all dns request are legitimate.

• Whitelist or block: Exclude from monitoring or block in FireWall.

• Why Important: Normal and approved DNS traffic is defined well and securely.

Quick Guide:

• Review Egress DNS Communication Passed By Firewall Report 

• Block on Firewall or white list approved Zones / Addresses

Detailed Guide:

Overview

Egress (outbound) computer communication through the firewall to network addresses that are not passing through the organization's DNS server.

Communication not through an organization's DNS server poses a significant risk because the computer communications are not controlled by the organization's DNS server.

The organization can examine the report findings and determine whether the data poses a risk and need to be transferred under the organization DNS server or identify which computer communication is non-problematic and which zone addresses are legitimate such as communication to external services that can be excluded from the alerts in order to accurate alerts in real-time monitoring, and improve incident response and the reaction taken by the SOC operation personnel and platform managers.

Objectives

• Ensure all unwanted communication is blocked.

• Enhance security and compliance with regulatory maintenance of FW rules

Actions

Egress DNS Communication Passed By Firewall

ESM - Arcsight

Follow the path to generate a report for your Entities that shows all DNS communication not through DNS servers that are configured on ESM.

/All Reports/Mobula/DeviceType/Firewall/Egress DNS Communications Passed by Firewall

Please review your entity's report and send it to him so that he can check whether all the addresses on the report are approved or if there are some segmentations that can be excluded such as internal DNS or WIFI / Guest networks that usually the customer doesn't consider as risky.

How to generate a Report - Mobula - Generate Reports

Mobula App

Generate a report of Egress DNS Communications Passed by Firewall using the Mobula Application and inform your SOC Team / Platform Manager if there are internal networks you would like to whitelist or block if necessary.

If all the information listed in the Report is approved or excluded, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. Egress DNS Communications Passed by Firewall

4. Related Report

5. Generate a report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. Egress DNS Communications Passed by Firewall 

4. Task Update

5. Choose the status and click save.

Recommendations

• Asset and Network Assessment: Begin by conducting a thorough review of assets and networks configured on the ESM platform to identify the DNS servers currently in use. Pay particular attention to any inclusion of Wi-Fi or guest networks within the configurations.

• Exclusion of Non-Standard Systems: Evaluate if your organization utilizes different Endpoint Detection and Response (EDR) or cloud-based systems that communicate through commonly used global DNS engines. If so, ensure these systems are excluded from the monitoring scope to avoid unnecessary alerts and streamline the focus on critical assets.

Risks

• Data Exfiltration: Attackers may exploit DNS channels to exfiltrate sensitive data from the organization's network. By encoding data within DNS queries or responses, malicious actors can bypass traditional security controls and transfer data to external servers.

• Command and Control (C2) Communication: Malware or botnets may use DNS as a covert communication channel to establish command and control connections with remote servers. This can allow attackers to remotely control compromised systems and exfiltrate data or launch further attacks.

• DNS Tunnelling: Attackers may use DNS tunnelling techniques to bypass firewall restrictions and exfiltrate data from the organization's network. By encapsulating data within DNS queries or responses, attackers can establish covert communication channels that evade traditional detection mechanisms.

• Phishing and Malware Distribution: Malicious actors may use DNS to host phishing websites or distribute malware. Monitoring egress DNS traffic can help detect connections to known malicious domains and prevent users from accessing malicious content.

• Data Leakage Prevention (DLP) Violations: Egress DNS communications may result in violations of data leakage prevention policies if sensitive information is transmitted outside the organization's network. Monitoring DNS traffic can help identify and prevent unauthorized data transfers.

• Compliance Violations: Egress DNS communications may violate regulatory requirements or industry standards related to data protection and privacy. Failure to adequately monitor and control DNS traffic can result in compliance breaches and regulatory penalties.

Monitoring Best Practices with SIEM (ArcSight)

• Exclude Wi-Fi/Guest network zones to avoid a large number of alerts about users or guests using those networks to surf the net.

• Exclude known systems using different DNS engines

Optional Exclusions

• Source IP

• Destination IP

• Customer Source Zone

• Customer Source Zone and Destination IP

Global Recommendations

• Anomaly Detection: Implement anomaly detection techniques to identify deviations from normal DNS behaviour. Analyse DNS traffic patterns, query types, and response codes to detect potential indicators of malicious activity, such as domain generation algorithms (DGAs) or DNS tunnelling.

• DNS Sinkholing: Implement DNS sinkholing to redirect traffic from known malicious domains to a controlled environment for further analysis or blocking. DNS sinkholing can help disrupt communication with malicious infrastructure and prevent security threats from escalating.

• Thorough Investigation: Conduct thorough investigations of suspicious DNS events to understand the scope and impact of potential security incidents. Analyse DNS logs, network traffic, and endpoint data to identify the root cause and determine appropriate remediation steps.

• Collaboration and Information Sharing: Foster collaboration and information sharing within the cybersecurity community to enhance collective defence against DNS-based threats. Participate in threat intelligence sharing platforms, industry forums, and information sharing and analysis centres (ISACs) to exchange actionable intelligence and insights.

Conclusion

In conclusion, effective monitoring and management of egress DNS communications passed by the firewall are essential components of a robust cybersecurity strategy. By reviewing DNS traffic not routed through the organization's DNS servers, organizations can identify and mitigate potential security risks such as data exfiltration, command and control communication, DNS tunnelling, phishing, and compliance violations.

By generating and reviewing reports on egress DNS communications passed by the firewall, organizations can ensure that all communication is legitimate and appropriately routed through authorized DNS servers. Whitelisting approved zones and addresses while blocking unauthorized communication helps enhance security and compliance with regulatory requirements.

Additionally, recommendations such as conducting asset and network assessments, excluding non-standard systems, implementing anomaly detection techniques, and fostering collaboration and information sharing within the cybersecurity community are critical for strengthening DNS monitoring capabilities and defending against DNS-based threats.

Incorporating these best practices into a comprehensive cybersecurity program enables organizations to proactively identify and respond to DNS-related security incidents, protect sensitive data, and maintain regulatory compliance in an ever-evolving threat landscape.

• Purpose: Define which unrecommended Services are approved communications

• Check the List: Check which services are open to the world and make your organization vulnerable to.

• Whitelist or block: Exclude from monitoring or block in Firewall.

• Why Important: Cyray’s SIEM system relies on it, facilitating broader monitoring.

Quick Guide:

• Review Egress Restricted Services Communications Passed by Firewall Report

• Block on Firewall or white list approved ports / services

Detailed Guide:

Overview

The purpose of this guide is to present an explanation of the rule "Egress Restricted Services Communications Passed by Firewall” which is egress (outbound) firewall filtering occurring by presenting the network traffic passing through the firewall under specific ports/ services that can be either security risks or problematic in terms of sensitive information leakage. 

Our Report is based on the following ports and services: 

Port Service

22 SSH

23 Telnet

59 DCC

69 TFTP

115 SFTP

119 NNTP

135 RPC

137 Netbios

138 Netbios

139 Netbios

161 SNMP

162 SNMP

179 BGP

222 SSH-alt

445 SMB

514 Syslog

873 rsync

1433 MSSQL

1434 MSSQL

1521 Oracle

2000 RemotelyAnywhere

2323 Telnet-alt

3306 MySQL

3389 RDP

5432 PostGreSQL

5800 VNC

5900 VNC

5938 TeamViewer

6568 AnyDesk

6660 IRC

6661 IRC

6662 IRC

6663 IRC

6664 IRC

6665 IRC

6666 IRC

6667 IRC

6668 IRC

6669 IRC

8040 ConnectWise Control

8041 ConnectWise Control

8080 HTTP-alt or Ammyy Admin

8172 IIS Management

8200 GoToAssist | RescueAssist

9001 TOR Relay Server

9030 TOR Relay Serve

Therefore, Please examine the report findings and determine whether the data poses a risk and need to be blocked as necessary by the firewall or identify which data can be excluded from the alerts in order to accurate alerts in real-time monitoring, and improve incident response and the reaction taken by the SOC operation personnel and platform managers.

Objectives

• Ensure all unwanted communication is blocked.

• Enhance security and compliance with regulatory maintenance of FW rules

Actions

Report

ESM

Follow the path to generate a report for your Entities of “Egress Restricted Services Communications Passed by Firewall”.

/All Reports/Mobula/DeviceType/Firewall/Egress Restricted Services Communications Passed by Firewall

Please review your entity's report and send it to him so that he can check whether all the communications are approved or not.

How to generate a Report - Mobula - Generate Reports

Mobula App

Generate a report of “Egress Restricted Services Communications Passed by Firewall” using the Mobula Application and inform your SOC Team / Platform Manager if all the communication and Services are approved and can be excluded or you will block them in your FW.

When done, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. Egress Restricted Services Communications Passed by Firewall 

4. Related Report

5. Generate a report (the report will be sent to your email)

Later you can generate this report once in 24 Hours by navigating to:

1. Options menu

2. Reports

3. Egress Restricted Services Communications Passed by Firewall

4. Generate Report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. Egress Restricted Services Communications Passed by Firewall

4. Task Update

5. Choose the status and click save.

Recommendations

• All Services/Ports listed above are usually not supposed to make outbound communication through the FW.

• If you know about Services that are “must have” in your organisation consider opening them only for some users instead of opening them widely to the world.

• Advise your Security adviser/ consultant or CISO to decide which ports can be blocked  

• There are many alerts from port 137. We highly recommend excluding this port after sending a report to the Entity to reduce unnecessary noise.

• Explanation:

Port 137 is used by the NetBIOS (Network Basic Input/Output System) service, which is primarily used for name resolution and registration in local area networks. NetBIOS over TCP/IP allows applications on separate computers to communicate within a local network and provides three services:

1. Name Service (using port 137): Resolves NetBIOS names to IP addresses.

2. Datagram Distribution Service (using port 138): Manages connectionless communication.

3. Session Service (using port 139): Manages connection-oriented communication.

Risks

1. SSH (Port 22): Unauthorized access due to weak authentication or misconfiguration.

2. Telnet (Port 23):Plain text transmission of data leads to easy interception of credentials.

3. TFTP (Port 69):Lack of authentication makes it susceptible to unauthorized access and data exfiltration.

4. SMB (Port 445):Vulnerable to exploits such as EternalBlue, leading to unauthorized access and data theft.

5. RDP (Port 3389):Often targeted for brute force attacks and unauthorized access to systems.

6. MSSQL (Port 1433):Misconfigurations or weak credentials can lead to unauthorized access to databases and sensitive information.

7. MySQL (Port 3306):Vulnerable to SQL injection attacks and unauthorized access to databases.

8. Oracle (Port 1521):Exploitable vulnerabilities can lead to unauthorized access to Oracle databases.

9. PostgreSQL (Port 5432):Vulnerable to SQL injection and other database-related attacks.

10. VNC (Ports 5800 and 5900):Lack of encryption and weak authentication can lead to unauthorized access to systems.

These ports and services represent critical points of vulnerability in a network, as exploitation can lead to unauthorized access, data theft, and compromise of sensitive systems and information. Mitigating these risks should be a priority to maintain the security of the network.

Monitoring Best Practices with SIEM (ArcSight)

• Send a report to the entity and then exclude port 137. Send your entity an email that describes what is port 137 and that you have excluded it until he will block it in his FW after examination.

• Exclude Wi-Fi/Guest network zones to avoid a large number of alerts about users or guests using those networks to surf the net.

• Usually we see a lot of organizations with old printers or other servers that uses old ports such as NetBios. Consider replacing them with newer systems if possible.

Global Recommendations

• Block or restrict access to known risky services: Ports such as Telnet (23), FTP (20, 21), and NetBIOS (137-139) are commonly exploited by attackers. It's generally advisable to block or restrict access to these services unless they are explicitly required for legitimate purposes.

• Secure remote access: Ports associated with remote access services like SSH (22), RDP (3389), and VNC (5800, 5900) should be carefully managed and restricted to authorized users. Consider implementing additional security measures such as multi-factor authentication (MFA) for these services.

• Database security: Ports associated with database services like MSSQL (1433, 1434), MySQL (3306), and Oracle (1521) should be restricted to authorized clients and encrypted where possible to protect sensitive data.

• Application-specific filtering: Some ports are associated with specific applications like TeamViewer (5938) and AnyDesk (6568). These ports should be monitored closely, and access should be restricted to authorized users or devices.

• Regularly review and update rules: Firewall rules should be reviewed regularly to ensure they align with the organization's security policies and any changes in network infrastructure or requirements.

• Educate users: Educate users about the risks associated with certain services and the importance of adhering to security policies when accessing the network from remote locations.

Conclusion

In conclusion, effective firewall filtering and egress restrictions play a crucial role in safeguarding network security by controlling outbound traffic and mitigating potential security risks. By carefully managing access to ports and services, organizations can reduce the likelihood of unauthorized access, data breaches, and malicious activities.

Furthermore, incorporating advanced security measures such as anomaly detection and centralized logging enhances the organization's ability to detect and respond to security incidents in real-time, thus strengthening overall cybersecurity resilience.

Ultimately, by following these recommendations and adopting a proactive approach to network security, organizations can better protect their assets, sensitive information, and reputation from evolving cyber threats.

• Purpose: Recognize proactive admin scans 

• Check the List: To identify which scans are legitimate activity and which are scripts or attackers activity

• Block or Whitelist: IP addresses

• Why Important: Real time alerting when the organization traffic is being scanned 

Quick Guide:

• Review Host and Port Scans report

• Block on Firewall or white list approved addresses

Detailed Guide:

This guide aims to scrutinize various types of firewall scans within organizational networks, distinguishing legitimate proactive scans from potentially risky or unauthorized ones. By discerning between these categories, the objective is to bolster network security by identifying and addressing potential security risks or vulnerabilities that may lead to sensitive information leakage.

First, let’s explain what is the term Vertical Scan-

The scan is focused on a single target rather than scanning multiple hosts or IP’s.

Secondly, Horizontal scanning- 

Focuses on a single port and scans multiple hosts to find hosts that have a specific service running on that port.

Finally, what are the differences between Outbound, Inbound and Internal?

• Outbound-the scan or suspicious activity is originating from within your network and is directed outward towards external systems

• Inbound-indicates that the scanning activity is directed towards your network or system from an external source. This could potentially indicate an attempt by someone to assess your network's security posture or search for potential entry points.

• Internal-Internal port scan involves scanning the ports of devices within a specific network. It is focused on assessing the security of the network's internal resources.

Scans that occur from inside source IP to insider range of destination IP addresses or ports or individual ones.

Objectives

• Ensure all unwanted communication is blocked.

• Enhance security and compliance with regulatory maintenance of FW rules

• Initiate network scans on a regular basis in order to detect suspicious movements

Actions

Host and Ports Scans

ESM

Follow the path to generate a Host and Ports Scans report for your Entities.

The report is built from six different types of Scans.

• Vertical & Horizontal Outbound scans

• Vertical & Horizontal Inbound scans

• Vertical & Horizontal Internal scans

/All Reports/Mobula/DeviceType/Firewall/Host and Port Scans

Please review your entity's report and send it to him so that he can check whether all the scans that appear in the report are familiar with the IT/ System or Security team.

How to generate a Report - Mobula - Generate Reports

Mobula App

Generate a report of Host and Ports Scan using the Mobula Application and inform your SOC Team / Platform Manager if all the scans are familiar with your team.

If so, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. Firewall Scans

4. Related Report

5. Generate a report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. Firewall Scans

4. Task Update

5. Choose the status and click save.

Risks

Vertical Outbound Scans:

• Unauthorized data exfiltration: Attackers may attempt to transfer sensitive data outside the organization's network.

• Command and control (C2) communication: Malware or compromised devices may initiate outbound connections to command and control servers, allowing attackers to maintain control over compromised systems.

• Policy violations: Outbound scans may violate organizational policies by accessing restricted or unauthorized external resources.

• Information disclosure: Outbound scans could inadvertently leak sensitive information to external entities.

Horizontal Outbound Scans:

• Network reconnaissance: Attackers may conduct horizontal outbound scans to gather information about external networks, potentially identifying vulnerable systems or targets.

• Scanning for vulnerabilities: Outbound scans may be used to identify potential targets for future attacks or exploit known vulnerabilities in external systems.

• Resource exhaustion: Intensive scanning activities may consume network bandwidth and computing resources, impacting network performance and availability.

• Detection evasion: Attackers may use horizontal outbound scans to evade detection by spreading scanning activities across multiple external destinations.

Vertical Inbound Scans:

• Unauthorized access attempts: Attackers may use inbound scans to identify and exploit vulnerabilities in exposed services or systems, potentially gaining unauthorized access to internal networks.

• Denial of service (DoS) attacks: Inbound scans may be part of reconnaissance efforts preceding DoS attacks, aiming to identify and target critical infrastructure or services.

• Malware propagation: Inbound scans may be used to identify vulnerable systems for malware infection, enabling attackers to propagate malicious code within the internal network.

• Data exfiltration: Successful inbound scans may facilitate unauthorized data access and exfiltration from internal network resources.

Horizontal Inbound Scans:

• Coordinated attacks: Horizontal inbound scans conducted by multiple attackers or botnets can amplify the impact of attacks, increasing the likelihood of successful exploitation or compromise.

• Targeted reconnaissance: Attackers may use horizontal inbound scans to identify specific internal assets or vulnerabilities for further exploitation or attack.

• Resource exhaustion: Intensive scanning activities from multiple external sources may overwhelm network resources, leading to service degradation or disruption.

• Backdoor identification: Inbound scans may reveal the presence of backdoor access points or unauthorized entry points within the internal network, posing significant security risks.

Global Recommendations

Implement Network Segmentation:

• Segregate network assets based on their criticality and sensitivity to limit the scope of scans and mitigate the impact of potential breaches.

Deploy Intrusion Detection/Prevention Systems (IDS/IPS):

• Utilize IDS/IPS solutions to monitor network traffic and detect suspicious or malicious activities, including scanning attempts, and automatically block or alert on such activities.

Enforce Access Controls:

• Implement strict access controls to restrict unauthorized scanning activities, both inbound and outbound, and ensure that only authorized personnel or systems can initiate scans.

Regular Vulnerability Scanning:

• Conduct periodic vulnerability assessments and scans to identify and remediate security weaknesses in internal and external systems, reducing the likelihood of successful exploitation.

Encrypt Sensitive Data:

• Encrypt sensitive data both in transit and at rest to protect it from interception or unauthorized access during scanning activities, especially for outbound scans where data exfiltration risks exist.

Monitor Outbound Traffic:

• Monitor outbound network traffic for anomalies, such as unusual destinations or patterns, which may indicate unauthorized scanning or data exfiltration attempts.

Implement Logging and Auditing:

• Enable comprehensive logging of scanning activities, both inbound and outbound, to facilitate forensic analysis and incident response in case of security breaches or policy violations.

Educate Users and Employees:

• Provide regular training and awareness programs to educate employees about the risks associated with scanning activities, emphasizing the importance of adhering to security policies and procedures.

Deploy Behavior-based Detection:

• Utilize behavior-based detection mechanisms to identify suspicious scanning behaviors, such as rapid port scanning or reconnaissance activities, and trigger alerts for further investigation.

Regularly Update Security Policies:

• Review and update security policies and procedures regularly to address emerging threats, technological advancements, and changes in organizational requirements related to scanning activities.

Conclusion

In conclusion, firewall scans, whether vertical or horizontal, inbound or outbound, play a critical role in assessing and enhancing network security. By proactively identifying vulnerabilities, unauthorized access attempts, and potential security risks, organizations can effectively safeguard their networks and sensitive data from malicious activities.

The global recommendations provided offer a comprehensive framework for managing firewall scans, emphasizing the importance of network segmentation, intrusion detection, access controls, vulnerability assessments, encryption, monitoring, user education, and policy updates. By implementing these measures, organizations can mitigate security risks, detect and respond to threats promptly, and maintain a robust security posture in an evolving threat landscape.

Ultimately, effective management of firewall scans requires a proactive approach, continuous monitoring, and collaboration among IT professionals, security teams, and end-users. By prioritizing network security and adhering to best practices, organizations can mitigate the risk of security breaches, protect their assets, and uphold the trust and confidence of their stakeholders in an increasingly interconnected digital environment.

• Purpose: Recognize proactive admin scans 

• Check the List: To identify which scans are legitimate activity and which are scripts or attackers activity

• Block or Whitelist: IP addresses

• Why Important: Real time alerting when the organization traffic is being scanned 

Quick Guide:

• Review Host and Port Scans report

• Block on Firewall or white list approved addresses

Detailed Guide:

This guide aims to scrutinize various types of firewall scans within organizational networks, distinguishing legitimate proactive scans from potentially risky or unauthorized ones. By discerning between these categories, the objective is to bolster network security by identifying and addressing potential security risks or vulnerabilities that may lead to sensitive information leakage.

First, let’s explain what is the term Vertical Scan-

The scan is focused on a single target rather than scanning multiple hosts or IP’s.

Secondly, Horizontal scanning- 

Focuses on a single port and scans multiple hosts to find hosts that have a specific service running on that port.

Finally, what are the differences between Outbound, Inbound and Internal?

• Outbound-the scan or suspicious activity is originating from within your network and is directed outward towards external systems

• Inbound-indicates that the scanning activity is directed towards your network or system from an external source. This could potentially indicate an attempt by someone to assess your network's security posture or search for potential entry points.

• Internal-Internal port scan involves scanning the ports of devices within a specific network. It is focused on assessing the security of the network's internal resources.

Scans that occur from inside source IP to insider range of destination IP addresses or ports or individual ones.

Objectives

• Ensure all unwanted communication is blocked.

• Enhance security and compliance with regulatory maintenance of FW rules

• Initiate network scans on a regular basis in order to detect suspicious movements

Actions

Host and Ports Scans

ESM

Follow the path to generate a Host and Ports Scans report for your Entities.

The report is built from six different types of Scans.

• Vertical & Horizontal Outbound scans

• Vertical & Horizontal Inbound scans

• Vertical & Horizontal Internal scans

/All Reports/Mobula/DeviceType/Firewall/Host and Port Scans

Please review your entity's report and send it to him so that he can check whether all the scans that appear in the report are familiar with the IT/ System or Security team.

How to generate a Report - Mobula - Generate Reports

Mobula App

Generate a report of Host and Ports Scan using the Mobula Application and inform your SOC Team / Platform Manager if all the scans are familiar with your team.

If so, please press Update Task to “Complete” stage.

To access the report, follow the steps:

1. Go to the Options menu

2. Check List

3. Firewall Scans

4. Related Report

5. Generate a report (the report will be sent to your email)

To Update the task:

1. Go to the Options menu

2. Check List

3. Firewall Scans

4. Task Update

5. Choose the status and click save.

Risks

Vertical Outbound Scans:

• Unauthorized data exfiltration: Attackers may attempt to transfer sensitive data outside the organization's network.

• Command and control (C2) communication: Malware or compromised devices may initiate outbound connections to command and control servers, allowing attackers to maintain control over compromised systems.

• Policy violations: Outbound scans may violate organizational policies by accessing restricted or unauthorized external resources.

• Information disclosure: Outbound scans could inadvertently leak sensitive information to external entities.

Horizontal Outbound Scans:

• Network reconnaissance: Attackers may conduct horizontal outbound scans to gather information about external networks, potentially identifying vulnerable systems or targets.

• Scanning for vulnerabilities: Outbound scans may be used to identify potential targets for future attacks or exploit known vulnerabilities in external systems.

• Resource exhaustion: Intensive scanning activities may consume network bandwidth and computing resources, impacting network performance and availability.

• Detection evasion: Attackers may use horizontal outbound scans to evade detection by spreading scanning activities across multiple external destinations.

Vertical Inbound Scans:

• Unauthorized access attempts: Attackers may use inbound scans to identify and exploit vulnerabilities in exposed services or systems, potentially gaining unauthorized access to internal networks.

• Denial of service (DoS) attacks: Inbound scans may be part of reconnaissance efforts preceding DoS attacks, aiming to identify and target critical infrastructure or services.

• Malware propagation: Inbound scans may be used to identify vulnerable systems for malware infection, enabling attackers to propagate malicious code within the internal network.

• Data exfiltration: Successful inbound scans may facilitate unauthorized data access and exfiltration from internal network resources.

Horizontal Inbound Scans:

• Coordinated attacks: Horizontal inbound scans conducted by multiple attackers or botnets can amplify the impact of attacks, increasing the likelihood of successful exploitation or compromise.

• Targeted reconnaissance: Attackers may use horizontal inbound scans to identify specific internal assets or vulnerabilities for further exploitation or attack.

• Resource exhaustion: Intensive scanning activities from multiple external sources may overwhelm network resources, leading to service degradation or disruption.

• Backdoor identification: Inbound scans may reveal the presence of backdoor access points or unauthorized entry points within the internal network, posing significant security risks.

Global Recommendations

Implement Network Segmentation:

• Segregate network assets based on their criticality and sensitivity to limit the scope of scans and mitigate the impact of potential breaches.

Deploy Intrusion Detection/Prevention Systems (IDS/IPS):

• Utilize IDS/IPS solutions to monitor network traffic and detect suspicious or malicious activities, including scanning attempts, and automatically block or alert on such activities.

Enforce Access Controls:

• Implement strict access controls to restrict unauthorized scanning activities, both inbound and outbound, and ensure that only authorized personnel or systems can initiate scans.

Regular Vulnerability Scanning:

• Conduct periodic vulnerability assessments and scans to identify and remediate security weaknesses in internal and external systems, reducing the likelihood of successful exploitation.

Encrypt Sensitive Data:

• Encrypt sensitive data both in transit and at rest to protect it from interception or unauthorized access during scanning activities, especially for outbound scans where data exfiltration risks exist.

Monitor Outbound Traffic:

• Monitor outbound network traffic for anomalies, such as unusual destinations or patterns, which may indicate unauthorized scanning or data exfiltration attempts.

Implement Logging and Auditing:

• Enable comprehensive logging of scanning activities, both inbound and outbound, to facilitate forensic analysis and incident response in case of security breaches or policy violations.

Educate Users and Employees:

• Provide regular training and awareness programs to educate employees about the risks associated with scanning activities, emphasizing the importance of adhering to security policies and procedures.

Deploy Behavior-based Detection:

• Utilize behavior-based detection mechanisms to identify suspicious scanning behaviors, such as rapid port scanning or reconnaissance activities, and trigger alerts for further investigation.

Regularly Update Security Policies:

• Review and update security policies and procedures regularly to address emerging threats, technological advancements, and changes in organizational requirements related to scanning activities.

Conclusion

In conclusion, firewall scans, whether vertical or horizontal, inbound or outbound, play a critical role in assessing and enhancing network security. By proactively identifying vulnerabilities, unauthorized access attempts, and potential security risks, organizations can effectively safeguard their networks and sensitive data from malicious activities.

The global recommendations provided offer a comprehensive framework for managing firewall scans, emphasizing the importance of network segmentation, intrusion detection, access controls, vulnerability assessments, encryption, monitoring, user education, and policy updates. By implementing these measures, organizations can mitigate security risks, detect and respond to threats promptly, and maintain a robust security posture in an evolving threat landscape.

Ultimately, effective management of firewall scans requires a proactive approach, continuous monitoring, and collaboration among IT professionals, security teams, and end-users. By prioritizing network security and adhering to best practices, organizations can mitigate the risk of security breaches, protect their assets, and uphold the trust and confidence of their stakeholders in an increasingly interconnected digital environment.