shadowserver_scanning

Explanation

The shadowserver_scanning NDM detects scanning of the network that originates from Shadowserver.org. This type of scanning is often associated with malicious activity and may indicate an attempt to identify vulnerabilities in the network.

What to Look For

To examine the results of the shadowserver_scanning event, customers should look for any signs of network traffic originating from Shadowserver.org. This may include unusual or suspicious traffic patterns, such as high volumes of requests or scans targeting specific ports or protocols. Customers should also check their endpoint logs and systems for any indications of attempted attacks or malicious activity.
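The check above (attribute scan-like traffic to its source and note which ports it touched) can be worked through on flow records. The following is an added example, not code from the original page or from any detection product; the scanner network ranges and the flow lines are constructed from RFC 5737 documentation prefixes and stand in for Shadowserver's published scanner addresses, which you would substitute from Shadowserver's own listing.

```python
import ipaddress
from collections import defaultdict

# Assumed placeholder ranges standing in for Shadowserver's published scanner
# networks. These are constructed documentation prefixes (RFC 5737), not real
# Shadowserver addresses; load the current list Shadowserver publishes instead.
KNOWN_SHADOWSERVER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed flow records in the form "timestamp src_ip dst_ip dst_port proto".
# Source 192.0.2.17 sits in a placeholder Shadowserver range and sweeps several
# ports across hosts; 203.0.113.9 shows the same pattern but is unattributed;
# 10.0.0.9 is ordinary single-port traffic.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 192.0.2.17 10.0.0.5 22 tcp
2024-05-01T10:00:02Z 192.0.2.17 10.0.0.5 443 tcp
2024-05-01T10:00:02Z 192.0.2.17 10.0.0.6 445 tcp
2024-05-01T10:00:03Z 192.0.2.17 10.0.0.7 3389 tcp
2024-05-01T10:00:03Z 192.0.2.17 10.0.0.8 161 udp
2024-05-01T10:00:10Z 203.0.113.9 10.0.0.5 22 tcp
2024-05-01T10:00:11Z 203.0.113.9 10.0.0.5 23 tcp
2024-05-01T10:00:11Z 203.0.113.9 10.0.0.5 80 tcp
2024-05-01T10:00:12Z 203.0.113.9 10.0.0.5 8080 tcp
2024-05-01T10:00:20Z 10.0.0.9 10.0.0.5 443 tcp
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, port, proto = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto,
    }


def is_shadowserver(ip):
    """True when the source address falls inside a known Shadowserver range."""
    return any(ip in net for net in KNOWN_SHADOWSERVER_NETS)


def summarize_scanners(flow_text, min_ports=3):
    """Group flows by source and report sources that touched at least
    min_ports distinct (proto, port) pairs, with an attribution label."""
    per_src = defaultdict(lambda: {"ports": set(), "hosts": set(), "flows": 0})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        rec = per_src[f["src"]]
        rec["ports"].add((f["proto"], f["port"]))
        rec["hosts"].add(f["dst"])
        rec["flows"] += 1

    results = {}
    for src, rec in per_src.items():
        if len(rec["ports"]) < min_ports:
            continue  # not scan-like; ignore
        results[str(src)] = {
            "attribution": "shadowserver" if is_shadowserver(src) else "unattributed",
            "distinct_ports": len(rec["ports"]),
            "distinct_hosts": len(rec["hosts"]),
            "flows": rec["flows"],
            "ports": sorted(p for _, p in rec["ports"]),
        }
    return results


if __name__ == "__main__":
    for src, info in summarize_scanners(SAMPLE_FLOWS).items():
        print(src, info)
```

The useful output is the split between the two scan-like sources: the one inside a known Shadowserver range is the benign research scan the event describes, while the unattributed one with the same pattern is what deserves follow-up in endpoint logs. Attribution by address is only as good as the range list, so refresh it from Shadowserver's published listing rather than hard-coding it as this example does.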

The Shadowserver Foundation is a non-profit organization dedicated to improving the security of the internet by collecting and analyzing data related to cyber threats, vulnerabilities, and malicious activities. Established in 2004 by Nicolas Albright, the foundation conducts internet scanning and shares its findings with network owners, security researchers, law enforcement agencies, and other stakeholders to help detect, mitigate, and prevent security threats.

Shadowserver scans the internet for several reasons:

  1. Discover vulnerable systems: Scanning the internet helps Shadowserver identify systems with known vulnerabilities or misconfigurations that can be exploited by cybercriminals. By proactively identifying these systems, Shadowserver can notify network owners to take appropriate action, such as patching software, updating configurations, or implementing better security measures.

  2. Track malicious activities: Shadowserver monitors the internet to detect activities related to malware distribution, command-and-control (C2) servers, botnets, phishing, and other cyber threats. By tracking these activities, Shadowserver can provide valuable information to network administrators, security vendors, and law enforcement agencies, enabling them to respond more effectively to emerging threats.

  3. Analyze cybercrime trends: Internet scanning allows Shadowserver to collect large-scale data on cybercrime trends and patterns. This data helps security researchers, policymakers, and industry professionals better understand the evolving threat landscape, develop more effective security solutions, and inform decision-making processes.

  4. Support takedown operations: Shadowserver collaborates with law enforcement agencies and other organizations in taking down malicious infrastructure, such as C2 servers, malware distribution sites, and phishing campaigns. By scanning the internet, Shadowserver can gather the necessary intelligence to locate and disrupt these malicious operations.

  5. Facilitate information sharing: Shadowserver shares its findings with a wide range of stakeholders, including network owners, security researchers, and law enforcement agencies. This collaborative approach enables more effective and coordinated responses to security threats and helps build a safer internet ecosystem.

By scanning the internet and sharing its findings, Shadowserver plays a crucial role in detecting, analyzing, and mitigating various security threats. Its activities contribute to a better understanding of the cyber threat landscape and help strengthen the overall security and resilience of the internet.

Related MITRE ATT&CK Categories

Active Scanning, Technique T1595 - Enterprise