Note: This article originally appeared on the CrowdStrike blog. Look here for additional context.
Detecting reconnaissance activity is something that few blue teams spend time on. Networks are barraged with a near continuous stream of scanning, and determining targeted activity versus Internet noise can be exceedingly difficult. However, there are a few things you can do to counter activity in this early stage of an attack.
Self-Recon is the Best Recon
Knowing that reconnaissance is ubiquitous, your best defense is to get ahead of the game and scan your own networks. Schedule regular asset identification and vulnerability scans, and prioritize vulnerability patching. If someone on your team is regularly testing for SQL injection vulnerabilities in your critical web applications, you won’t have to spend your weekends remediating sqlmap pwnage. The same preparatory actions can help mitigate both active and passive reconnaissance activity. Our team regularly helps clients conduct open-source data collection to identify unnecessary information leakage by company or employee assets. This is exactly what a red team should be doing – helping the organization anticipate attacks and limit their attack surface.
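A first-cut triage of web access logs in the spirit of the above, as an added example that is not from the original post or from CrowdStrike: it sorts each source IP into your own scheduled scanner (an assumed allowlist, the self-recon case), a tool announcing itself in its User-Agent, a host guessing at many non-existent paths, or ordinary traffic. The log lines are constructed, and the allowlist, scanner name list and thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:09:00:01 +0000] "GET /login HTTP/1.1" 200 1532 "-" "sqlmap/1.7 (https://sqlmap.org)"
10.0.0.5 - - [10/Mar/2024:09:00:02 +0000] "GET /login?id=1 HTTP/1.1" 200 1532 "-" "sqlmap/1.7 (https://sqlmap.org)"
192.0.2.44 - - [10/Mar/2024:09:00:30 +0000] "GET /login?id=1 HTTP/1.1" 200 1532 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.9 - - [10/Mar/2024:09:01:10 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:09:01:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:09:01:12 +0000] "GET /.env HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:09:01:13 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2024:09:01:14 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:02:05 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:09:02:09 +0000] "GET /missing HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Tools that identify themselves by default; spoofable, so a hint rather than proof.
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|zgrab|nuclei", re.IGNORECASE)
# Assumed allowlist: the addresses your own scheduled scans come from.
INTERNAL_SCANNERS = {"10.0.0.5"}


def classify_sources(log_text, min_requests=4, min_404_ratio=0.8):
    """Return {source_ip: verdict} with verdicts self-recon, scanner-ua, path-probing or benign."""
    stats = defaultdict(lambda: {"n": 0, "n404": 0, "paths": set(), "scanner_ua": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        s = stats[m["ip"]]
        s["n"] += 1
        s["n404"] += int(m["status"] == "404")
        s["paths"].add(m["path"].split("?", 1)[0])  # count distinct paths, not query variants
        s["scanner_ua"] |= bool(SCANNER_UA.search(m["ua"]))
    verdicts = {}
    for ip, s in stats.items():
        if ip in INTERNAL_SCANNERS:
            verdicts[ip] = "self-recon"  # your own scan; expected, not an alert
        elif s["scanner_ua"]:
            verdicts[ip] = "scanner-ua"
        elif s["n"] >= min_requests and len(s["paths"]) >= min_requests \
                and s["n404"] / s["n"] >= min_404_ratio:
            verdicts[ip] = "path-probing"  # many misses across many distinct paths
        else:
            verdicts[ip] = "benign"
    return verdicts
```

A high 404 ratio across many distinct paths is what separates path guessing from a browser following links; it says nothing about whether the source is targeting you specifically or sweeping the whole Internet, so treat the verdict as a triage label, not an attribution.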