Network Service Scanning

From attackics
Jump to navigation Jump to search
Network Service Scanning
ID T841
Tactic Discovery
Data Sources Network protocol analysis, Packet capture
Asset Field Controller/RTU/PLC/IED


Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on specific port numbers, the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is Nmap.

An adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to .

Scanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.


  • Isolate wireless access points and data servers for wireless worker devices on their own network with documented and minimal (single if possible) connections to the ICS network.1
  • Segmenting the network with VLANs allow switches to enforce security policies and segregate traffic at the Ethernet layer. Secure and restrict authorization to the control room and the physical environment.1
  • Physical control room or control systems access often implies also gaining logical access.1
  • Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.1
  • Monitor the network and enforce access control practices, such as whitelisting, to reduce points of contact to and from control system devices, where applicable. Utilize intrusion detection system (IDS) capabilities to assist with detecting and preventing the spread of malicious files.1
  • Implement heuristics to detect monitoring and invasive probing activity on the network, such as port scanning. Filter and limit communications to and from devices. Ensure devices are patched and up-to-date.1