Extracting Cyber Threat Intelligence from Port Scans: A Taxonomy-Based Approach
DOI: https://doi.org/10.34190/iccws.20.1.3310

Keywords: Port Scans, Cyber Threat Intelligence, Security Operations, Intrusion Detection, Network Security

Abstract
Port scans are a common preliminary step for a wide range of cyberattacks, from individual hackers and automated exploitation attempts to professional groups and state actors. They serve as a reconnaissance technique that facilitates the planning and execution of future attacks, and they are often conducted stealthily over extended periods to evade monitoring systems, which makes them challenging to identify and analyse. Despite this, effective detection and analysis of port scans can yield valuable cyber threat intelligence (CTI), enabling defenders to prioritize defensive measures, deploy and optimize protective infrastructure such as Intrusion Detection and Prevention Systems (IDS/IPS), and anticipate potential attacks by analysing the characteristics and frequency of scans. However, the huge volume of data generated by port scans and other network events obscures the significant events and complicates the extraction of actionable intelligence. We present a comprehensive taxonomy designed to classify and analyse port scans systematically. We focus on interpreting detected port scans rather than on their detection, leveraging the wide availability of detection tools. Our taxonomy assesses key attributes of port scans, including the intent, origin, potential hostile gain, damage potential, available intelligence, and the necessity for responsive actions. We then propose an 8-step classification process to guide this analysis. It begins with a thorough technical analysis of the scan, which can be provided by various detection frameworks. Based on that, the legitimacy of a detected scan is determined, distinguishing between malicious intent and benign activities such as friendly analysis, general research, or internet background noise. Next, we generate a "fingerprint" of the scan and cross-reference it against a database of known scans, compiled from historical data, CTI repositories, and incident reports.
The analysis further evaluates the scan’s target, the information it may have revealed, and its success level. We also explore the broader intelligence that can be gleaned from the scan, enhancing situational awareness of our systems. Finally, we assess the technical response options, considering their feasibility and cost-effectiveness, and determine whether proactive measures are warranted. We show that our structured approach to port scan analysis improves the generation of actionable intelligence and supports informed decision-making for defensive strategies.
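To make the 8-step flow concrete, the following is an added example (not code from the paper or its authors) that triages one detected scan: technical summary, fingerprinting, legitimacy lookup against a known-scan database, exposure and success assessment, and a response recommendation. The detector export, the asset inventory, the fingerprint scheme, the port-count heuristic and the known-scan table are all constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed detector export: (source_ip, dest_port, tcp_flags, reply) per probe;
# reply is "SA" (SYN-ACK, port open), "R" (RST, closed) or None (filtered/no answer).
EVENTS = [
    ("203.0.113.7", 22, "S", "SA"),
    ("203.0.113.7", 80, "S", "SA"),
    ("203.0.113.7", 443, "S", "R"),
    ("203.0.113.7", 445, "S", None),
    ("203.0.113.7", 3389, "S", None),
]
EXPOSED_PORTS = {80}   # constructed asset inventory: what is meant to be reachable
KNOWN_SCANS = {}       # constructed database: fingerprint -> (label, verdict)

def technical_analysis(events):
    """Step 1: summarise the scan as reported by the detection tool."""
    return {"src": events[0][0],
            "ports": sorted({p for _, p, _, _ in events}),
            "flags": sorted(Counter(f for _, _, f, _ in events).items())}

def fingerprint(summary):
    """Step 3: digest of the scan shape (flag mix + port set). The source address is
    deliberately left out so a recurring tool or campaign matches from a new origin."""
    shape = repr((summary["flags"], summary["ports"])).encode()
    return hashlib.sha256(shape).hexdigest()[:16]

def legitimacy(summary, fp, known):
    """Steps 2-3: a known friendly/research scan is benign; otherwise a constructed
    heuristic: a narrow, service-specific port set reads as targeted, a broad sweep as noise."""
    if fp in known:
        return known[fp]
    return ("unknown", "suspicious" if len(summary["ports"]) <= 10 else "background-noise")

def assess(events, exposed):
    """Steps 4-6: what the scan revealed and how much of it was unintended exposure."""
    opened = {p for _, p, _, r in events if r == "SA"}
    return {"revealed": opened, "unintended": opened - exposed,
            "success": len(opened) / len({p for _, p, _, _ in events})}

def triage(events, exposed=EXPOSED_PORTS, known=KNOWN_SCANS):
    """Steps 7-8: combine verdict and exposure into a response recommendation."""
    summary = technical_analysis(events)
    fp = fingerprint(summary)
    label, verdict = legitimacy(summary, fp, known)
    result = assess(events, exposed)
    if verdict == "benign":
        action = "none"
    elif result["unintended"]:
        action = "remediate unintended exposure, block source, review logs for follow-up"
    else:
        action = "monitor source"
    return {"fingerprint": fp, "label": label, "verdict": verdict, "action": action, **result}
```

Feeding the fingerprint of a confirmed friendly scan back into `KNOWN_SCANS` is what turns the one-off triage into the cross-referencing step the abstract describes.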
Copyright (c) 2025 Jan Geisler, Captain (Navy) Dr. Robert Koch, Alexander Nußbaum, Gabi Dreo Rodosek

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.