Automatic Identification of Scanned IP Ranges
Identifying targets of reconnaissance amongst the noise of background network activity
Once a malicious actor has infiltrated a network, they often conduct reconnaissance activities to identify possible targets for lateral movement. They commonly use tools such as Nmap to scan CIDR ranges and identify available hosts and services in the network. When analyzing possible instances of network scanning, it is useful to identify specific CIDR ranges that may have been targeted—to identify the scope of the scan, to determine how likely it is to be malicious activity, and to determine possible targets that an attacker may have compromised.
However, background network activity can make this task difficult. For instance, an attacker scanning the 10.10.10.0/24 range may successfully connect with half of the IP addresses in this range but fail to connect with the other half. Meanwhile, there may be a background of other successful and failed connections from the same port to IP addresses both inside and outside of this range, which makes it non-trivial to determine that the range scanned was 10.10.10.0/24, and not e.g. 10.10.10.0/16 or 10.10.10.0/25.
By taking all failed connections, and traversing the binary tree of IP space, a measure of entropy can be computed based on the IP addresses represented at each node. This measure can then be used to identify potentially scanned ranges through significant changes in entropy. This technique allows for the rapid identification of scanned ranges, both for summarization and further analysis. In the future this technique might be extended to other domains, such as the assessment of directory enumeration.
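The following is an added example, not code from the talk, of one concrete way to realise the entropy-over-the-IP-tree idea: the measure assumed here is the binary entropy of how each prefix node's failed-connection destinations split between its two children, and a range is flagged where that entropy jumps from lopsided (parent) to near-uniform (node). The failed-connection sample and the thresholds are constructed for illustration.

```python
"""Flag CIDR ranges that look scanned, using split entropy over the IPv4 binary trie.
Assumed interpretation (not the talk's exact measure): at each prefix node, take the
binary entropy of how its failed-connection destinations split between its two children.
A fully scanned range splits evenly (entropy near 1 bit) while its parent is lopsided."""
import math
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network


def split_entropy(left: int, right: int) -> float:
    """Binary entropy, in bits, of a node's left/right child counts (0.0 for an empty node)."""
    total = left + right
    return -sum(c / total * math.log2(c / total) for c in (left, right) if c) if total else 0.0


def find_scanned_ranges(failed_dsts, min_hosts=8, high=0.9, low=0.3):
    """Return prefixes with an even child split (>= high bits) whose parent's split is
    lopsided (<= low bits): the 'significant change in entropy' between parent and child."""
    counts = defaultdict(int)  # (prefix value, prefix length) -> distinct failed destinations below it
    for ip in {int(IPv4Address(a)) for a in failed_dsts}:
        for plen in range(33):
            counts[(ip >> (32 - plen), plen)] += 1

    def entropy_at(prefix, plen):
        if plen == 32:  # a single host has no children
            return 0.0
        return split_entropy(counts.get((prefix << 1, plen + 1), 0),
                             counts.get((prefix << 1 | 1, plen + 1), 0))

    found = [IPv4Network((prefix << (32 - plen), plen))
             for (prefix, plen), n in counts.items()
             if plen > 0 and n >= min_hosts  # min_hosts keeps tiny noise clusters from qualifying
             and entropy_at(prefix, plen) >= high
             and entropy_at(prefix >> 1, plen - 1) <= low]
    return sorted(found)


# Constructed sample: half of 10.10.10.0/24 (the even hosts) and a quarter of
# 192.168.4.0/22 (every fourth host) refused connections, plus scattered background failures.
FAILED = ([f"10.10.10.{h}" for h in range(0, 256, 2)]
          + [str(IPv4Address(int(IPv4Address("192.168.4.0")) + i)) for i in range(0, 1024, 4)]
          + ["10.10.11.5", "10.10.11.77", "10.20.3.4", "172.16.0.2", "192.168.1.9"])

if __name__ == "__main__":
    for net in find_scanned_ranges(FAILED):
        print(net)  # 10.10.10.0/24 and 192.168.4.0/22
```

Sub-ranges of a scanned block are not reported separately because their parent already has a near-uniform split, so only the outermost evenly filled prefix surfaces.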