In the realm of computer security, one of the four major phases in the intrusion cycle is reconnaissance. Reconnaissance allows a malicious actor to gather intelligence about the configuration of a given network, identify the next target, and collect other operational information. For intrusions that have already been partly successful, the reconnaissance phase will likely be carried out from a host already infected inside the controlled perimeter of the network. Since the reconnaissance is performed from within the network, typical border/egress monitoring devices can play no role in detecting this phase of the attack. Often, the main goal of the reconnaissance phase is to create an inventory of the hosts and services that are available inside the network.
In modern networks, passively listening to the traffic the infected host sees provides only limited insight into the network. For this reason, most reconnaissance efforts involve active techniques, where the infected host generates packets that trigger answers from other hosts in the network. The attacker thereby tries to map the network by blindly probing address space in the hope (often unfulfilled) of encountering an object there, such as a computing entity (e.g. a host or asset). Being able to identify hosts that are trying to construct a map of the network in this manner is a critical foundation of a good network defense. In most modern networks, however, the set of hosts and their addresses is somewhat dynamic, which makes it harder to identify a host that is repeatedly trying and failing to find something. The Dynamic Host Configuration Protocol (DHCP) and other protocols allow devices to join the network and change their Internet Protocol (IP) address based on a scheme involving assignment from a circular queue of available IP addresses, thus facilitating the automatic use and basic configuration of devices inside the network.
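The detection idea in the paragraph above, that a host which touches many internal addresses and mostly gets no answer is probably mapping the network, can be made concrete. The following is an added example written for this page, not code from the original text; it assumes two constructed inputs: a DHCP lease log of (timestamp, ip, mac) events and a list of connection attempts (timestamp, source ip, destination ip, answered), where "answered" might come from seeing a SYN-ACK or an ARP reply. Attempts are attributed to the device (MAC) that held the source address at that moment, so a scanner that is renumbered by DHCP half-way through its sweep is still counted as one device rather than two, and the device that later inherits its old address is not blamed for it.

```python
"""Flag internal devices that probe many addresses and mostly get no reply.

Added example (not from the original text). Inputs are constructed and
labelled as such; thresholds are illustrative assumptions.
"""
from bisect import bisect_right
from collections import defaultdict

# Constructed DHCP lease log: (timestamp, ip, mac). The device with MAC
# ...:01 is renumbered from 10.0.0.5 to 10.0.0.9 at t=100, and 10.0.0.5 is
# then handed to a different device (...:03).
LEASES = [
    (0,   "10.0.0.5", "aa:bb:cc:00:00:01"),
    (0,   "10.0.0.6", "aa:bb:cc:00:00:02"),
    (100, "10.0.0.9", "aa:bb:cc:00:00:01"),
    (100, "10.0.0.5", "aa:bb:cc:00:00:03"),
]


def build_lease_index(leases):
    """Group lease events by IP, in time order, so lookups are a bisect."""
    index = defaultdict(list)
    for ts, ip, mac in sorted(leases):
        index[ip].append((ts, mac))
    return index


def mac_for(ip, ts, index):
    """Return the MAC that held `ip` at time `ts` (latest lease <= ts), or None."""
    events = index.get(ip, [])
    times = [t for t, _ in events]
    pos = bisect_right(times, ts) - 1
    return events[pos][1] if pos >= 0 else None


def constructed_attempts():
    """Constructed connection attempts: (timestamp, src_ip, dst_ip, answered)."""
    attempts = []
    # Scanner sweeps 10.0.0.20-27 from its first address; only .22 answers.
    for i, last in enumerate(range(20, 28)):
        attempts.append((10 + i, "10.0.0.5", f"10.0.0.{last}", last == 22))
    # Same device, now 10.0.0.9 after the DHCP change, keeps sweeping; no answers.
    for i, last in enumerate(range(28, 36)):
        attempts.append((110 + i, "10.0.0.9", f"10.0.0.{last}", False))
    # Ordinary host: repeated traffic to two servers, one transient failure.
    for i in range(10):
        dst = "10.0.0.2" if i % 2 else "10.0.0.3"
        attempts.append((5 + 10 * i, "10.0.0.6", dst, i != 7))
    # New holder of 10.0.0.5 after t=100: a couple of normal, answered requests.
    attempts.append((120, "10.0.0.5", "10.0.0.2", True))
    attempts.append((130, "10.0.0.5", "10.0.0.2", True))
    return attempts


def summarize_by_device(attempts, leases):
    """Per device (MAC): distinct destinations, total attempts, unanswered attempts."""
    index = build_lease_index(leases)
    stats = defaultdict(lambda: {"targets": set(), "attempts": 0, "unanswered": 0})
    for ts, src, dst, answered in attempts:
        # Attribute by the device holding the source address at that time, so a
        # scan is not split by a DHCP renumbering or blamed on the address's next owner.
        mac = mac_for(src, ts, index) or f"unknown:{src}"
        s = stats[mac]
        s["targets"].add(dst)
        s["attempts"] += 1
        if not answered:
            s["unanswered"] += 1
    return stats


def flag_scanners(attempts, leases, min_targets=8, min_unanswered_ratio=0.5):
    """Devices that touched at least `min_targets` distinct addresses and whose
    attempts went unanswered at least `min_unanswered_ratio` of the time."""
    flagged = {}
    for mac, s in summarize_by_device(attempts, leases).items():
        ratio = s["unanswered"] / s["attempts"]
        if len(s["targets"]) >= min_targets and ratio >= min_unanswered_ratio:
            flagged[mac] = {"targets": len(s["targets"]),
                            "unanswered_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for mac, info in flag_scanners(constructed_attempts(), LEASES).items():
        print(f"{mac}: {info['targets']} targets, "
              f"{info['unanswered_ratio']:.0%} unanswered")
```

Keyed by IP address instead of by device, the same data would split the scanner's sweep across 10.0.0.5 and 10.0.0.9 and mix the first half with the normal traffic of the device that later inherits 10.0.0.5; keying on the DHCP lease history is what makes the "trying and failing" pattern attributable to one device. The thresholds are deliberately simple; in practice they would be tuned per network segment and combined with a time window.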
Given the significant threat posed by attackers that infect a network and then attempt to spread the infection further inside the network, it would be of great value to an organization to be able to identify situations where an attacker performs this type of reconnaissance in its network. As explained, current approaches fall short because they are designed to defend or detect at the border of the network and are effectively blind towards malicious entities operating inside the network.
As is evident, there is a demand for improved approaches for defending against internal network reconnaissance.