Nessus Scanning

Battle of the Week - Nessus Scanning

The Battleground:  

A local county’s network infrastructure.

The Presumption: 

Informing the necessary people about scans and vulnerability checks being conducted on the network. 

The Discovery: 

An analyst was monitoring networks when a large number of alarms were generated for a customer. The analyst investigated the alarms and found that a program was scanning the customer's network. The analyst identified the program as the Nessus scanning tool. The customer was promptly notified and asked if they could verify that a scan was being conducted on their network. Their response confirmed they were using Nessus to scan their network.

Our Solution: 

Since Nessus scanning patterns resemble those of other scanning tools, NIDS and HIDS will pick this activity up as malicious. Informing the necessary people about scans avoids false positives in the future.

Lessons Learned: 

Having people informed about the scan can help save time and resources when conducting a scan on a network.