ICMP Scan

Identifying an ICMP (Internet Control Message Protocol) Scan is a critical aspect of network reconnaissance detection and overall cybersecurity. An ICMP scan, often used in the initial stages of network reconnaissance, involves sending ICMP echo request packets ("pings") to various hosts on a network to determine which ones are active. While ICMP is a standard network tool for diagnosing and managing network issues, its use in scanning can signal the preliminary phase of a more targeted attack, where attackers seek to identify potential vulnerabilities in active hosts. Detecting ICMP scans promptly is essential as it can be an early warning of an impending cyber attack, allowing network administrators to tighten security measures, monitor suspicious activities more closely, and protect vulnerable systems before they can be exploited.

ElastiFlow provides a collection of anomaly detection jobs designed to identify ICMP scans comprising a series of monitoring strategies and analytics techniques, focused on detecting unusual ICMP traffic patterns that are indicative of scanning activities.

Attributes

Attribute	Information
Analysis Type	temporal
MITRE ATT&CK Technique	Network Denial of Service (T1498)
MITRE ATT&CK Sub-Technique	Reflection Amplification (T1498.002)
MITRE ATT&CK Tactic	Impact (TA0040)

Downloads

Schema	Perspective	Window	Link
CODEX	edge	fast	elastiflow_codex_netsec_icmp_scan_direct_edge_fast
CODEX	edge	slow	elastiflow_codex_netsec_icmp_scan_direct_edge_slow
CODEX	inbound	fast	elastiflow_codex_netsec_icmp_scan_direct_in_fast
CODEX	inbound	slow	elastiflow_codex_netsec_icmp_scan_direct_in_slow
CODEX	outbound	fast	elastiflow_codex_netsec_icmp_scan_direct_out_fast
CODEX	outbound	slow	elastiflow_codex_netsec_icmp_scan_direct_out_slow
CODEX	private	fast	elastiflow_codex_netsec_icmp_scan_direct_priv_fast
CODEX	private	slow	elastiflow_codex_netsec_icmp_scan_direct_priv_slow
ECS	edge	fast	elastiflow_ecs_netsec_icmp_scan_direct_edge_fast
ECS	edge	slow	elastiflow_ecs_netsec_icmp_scan_direct_edge_slow
ECS	inbound	fast	elastiflow_ecs_netsec_icmp_scan_direct_in_fast
ECS	inbound	slow	elastiflow_ecs_netsec_icmp_scan_direct_in_slow
ECS	outbound	fast	elastiflow_ecs_netsec_icmp_scan_direct_out_fast
ECS	outbound	slow	elastiflow_ecs_netsec_icmp_scan_direct_out_slow
ECS	private	fast	elastiflow_ecs_netsec_icmp_scan_direct_priv_fast
ECS	private	slow	elastiflow_ecs_netsec_icmp_scan_direct_priv_slow

By implementing this suite of anomaly detection jobs, organizations can effectively monitor and swiftly identify ICMP scanning activities. Early detection of such reconnaissance activities is crucial in pre-emptively addressing potential cybersecurity threats, allowing for timely and appropriate defensive actions to protect the network infrastructure.