Detecting Actors Activity with Threat Intel
Last Updated: 2020-12-04 03:30:47 UTC
by Guy Bruneau (Version: 1)
Over the past three weeks I have applied threat intel to all the inbound traffic going to my honeypot, and the stats have shown some interesting trends. The top 20 TCP ports targeted have been between 1 and 50, and the top 20 UDP ports between 7 and 11211. During this period, the sensor recorded over 301K indicators matching threat intel from known actors.
A Look at the Top 3 IPs
The most targeted port over that period has been the Telnet (TCP/23) service, with over 97% of the traffic.
As a security practitioner, I stopped using Telnet years ago (a honeypot being the exception). To find out how widely Telnet is still exposed, a query for this service on Shodan shows there are still thousands of hosts with this port open and/or active. This map from Censys illustrates the 2090422 hosts that matched the search query for open Telnet. Censys only shows the first 500 locations on the map.
IP 188.8.131.52 launched a large scan on 30 Nov (12:00-06:00) lasting 6 hours, actively scanning various TCP ports multiple times (46836 records). IP 184.108.40.206, however, has been a lot more consistent over time, mostly scanning TCP ports between 1000 and 1100, as illustrated below:
The third IP, 220.127.116.11, has recently been scanning a single port, memcached (UDP/11211). This source was first reported in DShield on 14 Nov 2020, with the last report today. The reports in DShield are mostly against LDAP (UDP/389), with only one record for 11211.
Lastly, this is the list of the top 10 IPs with intel source, technique and total.
Two freely and widely available intel platforms: Anomali STAXX, which after registration can be downloaded and installed locally (it has an API), and AlienVault, which can be accessed via API and is widely supported.
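As an added example (not the diary's own code or either platform's API), this is the enrichment step described above: honeypot connection records are matched against an indicator feed, then summarised as top ports per protocol and a top-N actor table carrying intel source, technique and total, like the diary's top-10 list. The log lines, feed names and IPs (documentation ranges) are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of honeypot connection records (timestamp, source IP,
# protocol, destination port). The IPs are documentation ranges, not real actors.
HONEYPOT_LOG = """\
2020-11-30T12:00:01Z 192.0.2.10 tcp 1001
2020-11-30T12:00:02Z 192.0.2.10 tcp 1002
2020-11-30T12:00:03Z 192.0.2.10 tcp 1003
2020-11-30T12:00:04Z 192.0.2.10 tcp 1050
2020-11-30T12:05:00Z 198.51.100.7 tcp 23
2020-11-30T12:05:01Z 198.51.100.7 tcp 23
2020-11-30T12:06:00Z 203.0.113.9 udp 11211
2020-11-30T12:07:00Z 203.0.113.9 udp 389
2020-11-30T12:08:00Z 192.0.2.200 tcp 23
"""

# Constructed threat-intel feed: indicator -> (intel source, technique), shaped
# like the IP / source / technique columns of the diary's top-10 table.
THREAT_INTEL = {
    "192.0.2.10": ("feed-A", "port scan"),
    "198.51.100.7": ("feed-B", "telnet brute force"),
    "203.0.113.9": ("feed-A", "memcached recon"),
}

def parse_log(text):
    """One record per line -> (timestamp, ip, proto, port) tuples."""
    records = []
    for line in text.splitlines():
        ts, ip, proto, port = line.split()
        records.append((ts, ip, proto, int(port)))
    return records

def match_intel(records, intel):
    """Keep only records whose source IP is a known indicator (192.0.2.200 is not)."""
    return [r for r in records if r[1] in intel]

def top_ports(hits, proto, n=20):
    """Most-targeted destination ports for one protocol, as (port, count) pairs."""
    return Counter(port for _, _, p, port in hits if p == proto).most_common(n)

def top_actors(hits, intel, n=10):
    """Per matched IP: intel source, technique, total hits, lowest and highest port."""
    totals, ports = Counter(), defaultdict(set)
    for _, ip, _, port in hits:
        totals[ip] += 1
        ports[ip].add(port)
    return [(ip, *intel[ip], cnt, min(ports[ip]), max(ports[ip]))
            for ip, cnt in totals.most_common(n)]
```

The port span per actor separates a wide scanner (1001-1050 above) from a single-port source (23 only), which is the distinction drawn between the three IPs in this diary.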
Guy Bruneau IPSS Inc.
My Handler Page
gbruneau at isc dot sans dot edu