Triggers
- An internal host is generating many more unsuccessful attempts to connect to external services than successful ones
Possible Root Causes
- An internal host is part of a botnet and is being used by its bot herder to find other external services that could subsequently be attacked
- An internal host is misconfigured and is making many connection attempts to different IP addresses on the Internet
Business Impact
- Botnet activity presents several risks to the organization: (1) it creates noise which may hide more serious issues; (2) there is a chance your organization’s IP will end up on blacklists; and (3) the compromised host can always be instructed to perform a direct attack on the organization
- A misconfigured internal host may be using unnecessary bandwidth and slowing down both the host itself and other applications as a result of the traffic it is sending
Steps to Investigate
- Look at the pattern of IP addresses being scanned to determine the intent of the scan
- Verify whether there is misconfigured software on the host which is causing the scan
- If the behavior cannot be explained by user action or known software behavior, the host is likely infected and should be remediated