Commercial vulnerability scanner

Goal

Detects when a commercial vulnerability scanner is performing a scan against your services.

Strategy

The detection rule leverages fingerprints from known security companies to identify activity as a commercial scanner.

The signal is set to LOW severity because spoofing of commercial vulnerability scanners is rare, but possible. Detection results from authorized vulnerability scans are typically shared with the customer directly by the vendor or the vulnerability management team.

Triage and response

Validate that the commercial vulnerability scanner is authorized to scan your systems and the scans are originating from an expected source IP address. Many commercial scans originate from a source IP address published by the vendor.

If the scan is not authorized:

  1. Block the attacking IP(s) temporarily to limit vulnerability discovery and service load.
  2. If the scans are originating from a vendor-published source IP address, reach out to the vendor to determine the cause of the scan.
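
The triage steps above can be scripted as a lookup against the scanners you have authorized and the source ranges their vendors publish. The following is an added example, not part of the detection rule itself; the vendor names, CIDR ranges, `triage` function and outcome labels are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: vendor names and CIDR ranges are placeholders
# (RFC 5737 documentation ranges), not real vendor-published addresses.
VENDOR_PUBLISHED_RANGES = {
    "example-scanner-a": ["192.0.2.0/24"],
    "example-scanner-b": ["198.51.100.0/25"],
}
# Vendors your organization has authorized to scan its services (assumption).
AUTHORIZED_VENDORS = {"example-scanner-a"}


def vendor_for_ip(source_ip):
    """Return the vendor whose published ranges contain source_ip, or None."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return None  # malformed address in the signal: treat as unknown
    for vendor, cidrs in VENDOR_PUBLISHED_RANGES.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return vendor
    return None


def triage(fingerprint_vendor, source_ip):
    """Map one signal (matched fingerprint + source IP) to a triage outcome."""
    ip_vendor = vendor_for_ip(source_ip)
    from_published_ip = ip_vendor is not None and ip_vendor == fingerprint_vendor
    if fingerprint_vendor in AUTHORIZED_VENDORS and from_published_ip:
        return "authorized"
    if from_published_ip:
        # Not authorized, but the address really belongs to the vendor.
        return "block_temporarily_and_contact_vendor"
    # Fingerprint matches a scanner, source IP does not: possibly spoofed.
    return "block_temporarily"


if __name__ == "__main__":
    # Constructed signals: (fingerprint vendor, source IP)
    for signal in [("example-scanner-a", "192.0.2.10"),
                   ("example-scanner-b", "198.51.100.5"),
                   ("example-scanner-a", "203.0.113.7")]:
        print(signal, "->", triage(*signal))
```
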