Network Service Scanning
| Network Service Scanning | |
|---|---|
| Technique | |
| ID | T0841 |
| Tactic | Discovery |
| Data Sources | Network protocol analysis, Packet capture |
| Asset | Field Controller/RTU/PLC/IED |
Description
Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on specific port numbers, the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is Nmap.
An adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .
Scanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.
Mitigations
- Disable or Remove Feature or Program - Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.
- Network Intrusion Prevention - Use network intrusion detection/prevention systems to detect and prevent remote service scans.
- Network Segmentation - Ensure proper network segmentation is followed to protect critical servers and devices.
