Perception Update - Repeated Failed Connection Attempts Classification

A classifier to detect when repeated attempts to connect to unavailable services on a host are occurring.

This feature contributes to the detection of reconnaissance and survey activities occurring on the network.  Coupled with the pre-existing network scanning classifiers, these alerts build a clearer picture of these reconnaissance activities. The classifier can also be a good indicator of device misconfiguration.

The major benefit of Network Monitoring systems like Perception is that they are able to identify malware after the exploit, but before the damage is done.  Identifying as much of the typical activity of malware as possible during this process is therefore hugely important to Perception.  This new classifier is built on the back of our research into malware, and designed to complement our existing reconnaissance and survey activity detection capabilities.

When certain types of malware are deployed to a network, they first need to gather an idea of where they are in that network and what else is around them. Typical scanning activities are already detected by Perception; however, randomly checking connections to any and all services is a behaviour that is becoming more and more prevalent in the malware we research. As a result, these complementary classifiers help the analyst build a picture of malicious reconnaissance (as opposed to legitimate user behaviour).

As an added bonus, during pre-deployment testing these classifiers have been incredibly useful in detecting misconfigurations on a network. These may be due to human error, or potentially to active malware modifying something, but it all helps you to understand weaknesses in your network.

This update is sensor-based, and will be pushed to all managed customers at the pre-agreed upgrade time. Self-monitored customers can update their own sensors using the software upgrade process. If you have any further questions about this upgrade please contact us at