Network-based vulnerability scanners are very different than the network-level tools described in the previous section. The network-level tools are used primarily to passively observe and analyze network activity, good or bad, whereas network vulnerability scanners actively send packets out over a network in search of vulnerabilities, malicious code, etc., on other hosts on the network. It’s the real-world equivalent of the weatherman sticking his head outside the window to see if it’s raining compared to doing research to figure out why it is raining and how much rain should be expected. As such, we have placed them in an entirely different category. Their applicability to incident response operations includes these tasks:
Often while handling an incident, one major concern is that an intruder may have placed unauthorized software on one or more of the computers under investigation. Such so-called back doors on systems allow an attacker to access the compromised systems with ease (and low chance of detection) again later. One of the best and quickest ways of detecting whether this has been done is to perform a network-based sweep of the potentially affected systems, specifically looking for common back door software. Although by no means foolproof, it is a useful process while handling an incident and can often alert you to things that you might otherwise overlook.