Active Scanning (T1595)

Ultimate Guide to Active Scanning: Attack & Defense

Active Scanning is the process of proactively engaging with a target's network to gather intelligence, identify vulnerabilities, and map accessible systems before an attack is launched.

Table of Contents

Understanding Active Scanning in Simple Terms

Think of Active Scanning as a thief checking every window and door of a house at night, not just looking from the sidewalk. They gently push on frames, listen for loose locks, and see which rooms have lights on. They're not breaking in yet, but they are directly interacting with the property to find the easiest point of entry.

In the digital world, this means an attacker sends packets, connection requests, or specific queries directly to your company's IP addresses, domains, or cloud services. Unlike passive observation, active scanning creates a conversation, even if it's a one-sided one, with your systems. The goal is to draw a detailed map: which servers are alive, what software they run, what ports are open, and even what version of that software is installed. This map tells the attacker exactly where your digital weak spots are.

Decoding the Jargon: Key Terms for Active Scanning

The Attacker's Playbook: Executing Active Scanning

Step-by-Step Breakdown

1. Scope Definition: The attacker starts with a target organization. They gather a seed list of public IP ranges (from WHOIS) and domains.
2. Host Discovery (Ping Sweep): They use tools to send ICMP Echo Requests (pings) or TCP SYN packets to a range of IPs. Any response means a live host is found.
3. Port Scanning: For each live host, they scan thousands of ports to see which respond as "open". Common targets: 22 (SSH), 443 (HTTPS), 3389 (RDP), 445 (SMB).
4. Service Interrogation: For each open port, they attempt to connect and grab the service banner or fingerprint the application to identify type and version.
5. Vulnerability Probing: Based on the identified services, they may run more aggressive scans using tools like Nessus or Nuclei to check for specific, known vulnerabilities.
6. Data Collation: All results are compiled into a structured report, highlighting high-value targets with vulnerable or exposed services.

Red Team Analogy & Mindset

A red teamer thinks like a cartographer of the enemy's digital territory. Their job isn't to cause damage during this phase, but to create the most accurate map possible. They must balance thoroughness with stealth, scanning too fast or too aggressively might trigger alarms. They're looking for the forgotten server in the "dev_" environment, the unpatched web application firewall, or the externally-facing database that shouldn't be there. Every piece of information is a potential key.

Tools & Command-Line Examples

• Nmap: The "Swiss Army knife" of network discovery and security auditing.
• Masscan: An extremely fast Internet-scale port scanner.
• Amass / Sublist3r: Tools for extensive subdomain enumeration.

Example Nmap Commands:

# Basic TCP SYN scan (stealthy) on a single host for top 1000 ports
nmap -sS 203.0.113.10

# Aggressive scan with OS detection, version detection, script scanning, and traceroute
nmap -A -T4 203.0.113.0/24

# Specific scan for web-related ports and service version
nmap -sV -p 80,443,8000,8080,8443 203.0.113.10

# Save output in multiple formats for the attack report
nmap -oA target_scan -sS -sV 203.0.113.0/24

Real-World Campaign Example

The advanced persistent threat group known as APT29 (Cozy Bear) is a master of meticulous reconnaissance. In campaigns targeting governments and NGOs, they have been observed conducting extensive active scanning to profile victim networks. They don't just scan once; they scan persistently over time to understand normal patterns, identify new assets, and find the perfect moment and target for initial access. Their scanning is often slow, distributed, and designed to blend in with background noise, making it a significant challenge for defenders.

Learn More: Read the detailed analysis of APT29's tactics, including their reconnaissance phase, in the MITRE ATT&CK Group Profile for APT29 and associated reports from security vendors like Mandiant.

The Defender's Handbook: Stopping Active Scanning

Blue Team Analogy & Detection Philosophy

Think of yourself as a forest ranger watching for signs of poachers. You can't stop everyone from entering the vast public woods, but you have motion sensors, trail cameras, and knowledge of animal behavior. Your goal isn't to catch every hiker, but to identify the one who is moving off-trail at night, carrying unusual equipment, and checking every trap line. For active scanning, the philosophy is to detect the abnormal pattern of exploration rather than a single "bad" packet. It's about spotting the reconnaissance before the breach happens.

SOC Reality Check: What to Look For

In your SIEM, you'll see tons of noise. Legitimate security scanners, search engine bots, and misconfigured devices all cause "scan-like" activity. The key is correlation and context:

• Volume & Speed: A single IP sending SYN packets to every IP on your /24 subnet in under a minute.
• Port Spread: Connections from one source to many different ports (22, 23, 445, 3389, 5900) on a single host in quick succession.
• Failure Rate: A high percentage of connection attempts resulting in TCP RSTs or ICMP unreachable errors.
• Geographic Anomaly: Scans originating from a country with no business relationship.

Threat Hunter's Eye: Practical Query

Here is a Sigma rule to hunt for horizontal port scanning, where a single source touches many ports on a single destination. This rule can be translated to your SIEM's query language (Splunk SPL, Elasticsearch DSL, Microsoft Sentinel KQL).

# Sigma Rule: Horizontal Port Scanning Detection
# Author: Your SOC
# Description: Detects a source IP connecting to many distinct ports on a single destination IP within a short timeframe.
# Reference: MITRE ATT&CK T1595.004 (Active Scanning: Vulnerability Scanning)

title: Horizontal Port Scan Detection
id: a1b2c3d4-1234-5678-abcd-ef1234567890
status: experimental
description: Detects potential horizontal port scanning activity.
author: Your SOC
date: 2023-10-26
modified: 2023-10-26
tags:
    - attack.reconnaissance
    - attack.t1595
    - attack.t1595.004
logsource:
    category: firewall
    product: generic
detection:
    selection:
        event_type: connection_attempt
        # Adjust threshold based on your environment noise
        dst_ip_count: 1
        src_ip_count: 1
    aggregation:
        src_ip|dst_ip:
            dst_port_count: >20  # Key threshold: More than 20 distinct ports
            timeframe: 5m
    condition: selection and aggregation
falsepositives:
    - Network security scanners
    - Legitimate vulnerability assessment tools
level: medium

Key Data Sources for Detection

• Network Firewall Logs: Primary source for connection attempts, denials, and port/protocol data.
• NetFlow / IPFIX Data: Provides metadata on network conversations (source, destination, port, bytes, packets) ideal for pattern analysis.
• IDS/IPS Alerts: Rules specifically tuned for scan detection (e.g., Snort's SF_SCAN signatures).
• Cloud Provider VPC Flow Logs (AWS, Azure, GCP): Essential for detecting scans against your cloud infrastructure.
• Host-Based Firewall Logs (Windows Firewall, iptables): Can show scan patterns targeting specific critical servers.

Building Resilience: Mitigation Strategies for Active Scanning

Actionable Mitigation Controls

You can't prevent all scanning, but you can make it less fruitful and more risky for the attacker.

• Network Segmentation: Place sensitive systems on internal network segments with no direct inbound access from the internet. Use jump boxes or VPNs for administration. This limits what an external scanner can "see".
• Aggressive Egress Filtering: Configure firewalls to only allow outbound connections necessary for business. This can prevent compromised internal systems from scanning other internal targets or being used as a proxy for external scanning.
• Port Filtering & Hiding: At the network perimeter, use firewalls to block all unsolicited inbound traffic to ports that do not host a publicly advertised service. Consider port knocking or moving services to non-standard ports for sensitive admin interfaces (though this is security-through-obscurity, not a primary control).
• Banner Obfuscation: Configure web servers, SSH daemons, and other services to present generic or minimal banners that do not reveal version information. This removes low-hanging fruit for exploit research.
• Vulnerability Management Program: This is your proactive defense. Regularly scan YOURSELF with authorized tools. Find and patch the vulnerabilities before the attacker's scan does. This directly negates the value of their reconnaissance.

Red vs. Blue: A Quick Comparison

Active Scanning Cheat Sheet

Conclusion and Next Steps

Active Scanning is the foundational, noisy, yet often effective first "touch" of a cyber attack. Understanding it is not just about knowing the tools attackers use, but about internalizing their reconnaissance mindset. As a defender, your job is to make this phase as hard, noisy, and unproductive as possible.

Your Action Plan:

1. Validate Your Visibility: Can your current logging see the traffic described in the "Data Sources" section? If not, work on enabling it.
2. Test Your Defenses: With proper authorization, run a controlled Nmap scan against your external perimeter. Do your security controls alert on it?
3. Review Your Exposure: Conduct an honest inventory of what is truly required to be accessible from the internet. Can anything be moved behind a VPN or removed entirely?

To continue building your defensive skills, explore related techniques in the Reconnaissance tactic, such as Phishing for Information or Gathering Victim Host Information.

For authoritative guidance on overall network security, refer to frameworks like the NIST Cybersecurity Framework and the CISA Secure Our World campaign for foundational best practices.