Severity: Medium (in Scoring 2.0), Low (in Scoring 3.0)
Factor: IP Reputation
Why this matters
We observed an attack directed at one of our honeypots from your network. This can mean that one or more of your internet-facing systems are infected, and the malware from those systems is scanning other systems in order to infect them. It could also indicate that an attacker is performing malicious activities from your networks.
How we discovered it
Our sensors intercepted traffic directed at a honeypot that was indicative of a malware attack or a reconnaissance scan by a malicious party.
Note: We only report an attack if the entity in question established a Transmission Control Protocol (TCP) connection with a full three-way handshake (SYN, SYN-ACK, ACK). We disregard SYN-only TCP requests.
How you can remediate it
Take the following actions to investigate, contain, and correct the issue:
Find the attack source(s) on your network
- Click the Observations link in your Findings table to see the port connections made from the IP address on your network from which the attack originated.
Note: You can only see destination IPs if you have a paid SecurityScorecard plan. See our plans page for more information about levels of features and access.
- Search your logs for connections to our honeypots by timestamp, honeypot IP address, and honeypot port. From there you can see your IP addresses and ports from which the connections were made.
- Use intrusion detection and prevention system (IDS/IPS) rules to identify malware by the properties of its traffic.
- If you are knowingly running designated, segmented networks for research or other purposes, remove them from your Digital Footprint.
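The log search described above, as an added example that is not part of this article or of any SecurityScorecard tooling: it takes the honeypot IP, honeypot port and time window from a finding, filters a connection log down to flows from your own address space, and keeps only those whose TCP three-way handshake actually completed, since SYN-only attempts are not what the finding reports. The log lines, addresses, ports and networks are constructed (documentation ranges); the history column follows the Zeek conn.log convention (uppercase letters are the originator's packets, lowercase the responder's), which is an assumption about your log format.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

UTC_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    history: str  # Zeek-style TCP history: S=SYN, h=SYN-ACK (responder), A=ACK, r=RST (responder), ...


# Constructed sample flow log (not real data). Columns:
# timestamp src_ip src_port dst_ip dst_port proto history
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 51234 198.51.100.25 23 tcp S
2024-03-01T10:00:02Z 203.0.113.7 51235 198.51.100.25 23 tcp ShADadfF
2024-03-01T10:00:03Z 203.0.113.9 40000 198.51.100.25 23 tcp Sr
2024-03-01T10:00:04Z 203.0.113.9 40001 198.51.100.25 2323 tcp ShA
2024-03-01T11:30:00Z 203.0.113.7 51300 198.51.100.25 23 tcp ShA
2024-03-01T10:00:05Z 192.0.2.50 33333 198.51.100.25 23 tcp ShA
2024-03-01T10:00:06Z 203.0.113.7 51236 198.51.100.25 23 udp -
"""


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, UTC_FMT).replace(tzinfo=timezone.utc)


def parse_line(line: str) -> Flow:
    ts, sip, sport, dip, dport, proto, hist = line.split()
    return Flow(parse_ts(ts), sip, int(sport), dip, int(dport), proto.lower(), hist)


def handshake_completed(history: str) -> bool:
    """True only for a full three-way handshake: the originator's SYN ('S') was
    answered by the responder's SYN-ACK ('h') and the originator then ACKed ('A')."""
    s = history.find("S")
    h = history.find("h", s + 1) if s >= 0 else -1
    a = history.find("A", h + 1) if h >= 0 else -1
    return s >= 0 and h >= 0 and a >= 0


def find_attack_sources(log_text: str, honeypot_ip: str, honeypot_port: int,
                        window_start: str, window_end: str,
                        my_networks: List[str]) -> Dict[str, List[Tuple[str, str, int]]]:
    """Return (timestamp, src_ip, src_port) tuples from my_networks that reached the
    honeypot IP/port inside the window, split by whether the handshake completed."""
    nets = [ip_network(n) for n in my_networks]
    start, end = parse_ts(window_start), parse_ts(window_end)
    report: Dict[str, List[Tuple[str, str, int]]] = {"completed": [], "incomplete": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        # Only TCP flows to the honeypot endpoint named in the finding are relevant.
        if f.proto != "tcp" or f.dst_ip != honeypot_ip or f.dst_port != honeypot_port:
            continue
        if not (start <= f.ts <= end):
            continue
        if not any(ip_address(f.src_ip) in n for n in nets):
            continue
        entry = (f.ts.strftime(UTC_FMT), f.src_ip, f.src_port)
        if handshake_completed(f.history):
            report["completed"].append(entry)
        elif f.history.startswith("S"):
            # SYN that was never completed (unanswered or RST by the honeypot):
            # kept for context, but this is not what triggers the finding.
            report["incomplete"].append(entry)
    return report


if __name__ == "__main__":
    # Values a finding would give you (constructed here): honeypot endpoint and window.
    result = find_attack_sources(SAMPLE_LOG, "198.51.100.25", 23,
                                 "2024-03-01T10:00:00Z", "2024-03-01T10:05:00Z",
                                 ["203.0.113.0/24"])
    for bucket, entries in result.items():
        print(bucket)
        for ts, ip, port in entries:
            print(f"  {ts}  {ip}:{port}")
```

The hosts listed under "completed" are the assets to examine for infection; the "incomplete" list shows scanning attempts from the same sources that the finding alone would not have surfaced. Adjust `parse_line` to your firewall or flow-collector column order before running it against real logs.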
Isolate and remove malware infections
Examine any assets implicated in the attack for evidence of infection. Remove the malware or the assets.
Take preventative measures
Monitor all incoming and outgoing traffic for suspicious behavior using IDS solutions such as Snort or Web Application Firewalls (WAFs). Block any suspicious traffic, and add associated IP addresses to a deny list.
How you can resolve it in SecurityScorecard
When submitting a resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving Attack detected findings:
I have fixed this
- Tell us if you have:
- Isolated and removed any infections on your implicated assets
- Removed infected assets from your Digital Footprint
This is not my IP or domain
- Tell us if the IPs or domain from where the attack originated do not belong to you.
I cannot reproduce this issue and I think it’s incorrect
- Tell us if you manually and intentionally connected to a honeypot IP, and provide the reason.