{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/network_traffic-integration/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["network_traffic integration"],"_cs_severities":["low"],"_cs_tags":["network","discovery","reconnaissance","icmp","elastic"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection brief highlights the observation of inbound ICMP Timestamp (type 13) or Information (type 15) requests originating from external IP addresses and targeting internal RFC1918 IP space. These particular ICMP message types are considered legacy diagnostic messages and are rarely used in modern production networks. Their presence, especially from external sources directed towards internal assets, is a strong indicator of reconnaissance activity. This activity often involves host and path fingerprinting, active scanning, or operating system (OS) fingerprinting as an initial step in an attack chain. While the direct impact of these requests is low, they signify that an attacker is actively probing the network perimeter, seeking vulnerabilities or gathering intelligence for subsequent exploitation. The observed behavior began to be monitored as of June 2026, with the Elastic network_traffic integration being key to detecting these activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003cp\u003eThis brief describes a specific reconnaissance technique rather than a multi-stage attack chain. The detection focuses on the initial probing phase where an attacker attempts to gather information about network topology and host characteristics.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eWhile ICMP Timestamp or Information requests themselves do not directly compromise systems, their successful execution grants an attacker valuable reconnaissance data. This information can include host existence, network path details, and potentially OS characteristics, which are crucial for tailoring subsequent, more targeted attacks. If these requests are observed targeting unintentionally exposed internal hosts or misconfigured NAT devices, it indicates a significant security misconfiguration that an attacker could leverage. The ultimate impact could range from network mapping and service enumeration to preparing for credential access, privilege escalation, or data exfiltration, depending on the information gathered and the attacker's objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;ICMP Timestamp or Information Request from the Internet\u0026quot; to your SIEM and tune for your environment to detect suspicious reconnaissance activity.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003esource.ip\u003c/code\u003e addresses from detections generated by the Sigma rule against threat intelligence feeds and historical scan activity.\u003c/li\u003e\n\u003cli\u003eDetermine whether the \u003ccode\u003edestination.ip\u003c/code\u003e addresses targeted by these requests are intentionally exposed (e.g., VPN concentrators) or if they represent misconfigured internal assets.\u003c/li\u003e\n\u003cli\u003eInvestigate for adjacent port scans, SYN sweeps, or exploit attempts from the same source IP around the time of the detected ICMP requests.\u003c/li\u003e\n\u003cli\u003eBlock or rate-limit the external source IP addresses observed in detections at the perimeter firewall if the activity is unauthorized.\u003c/li\u003e\n\u003cli\u003eVerify that any targeted internal hosts are not unintentionally exposed to the Internet, rectifying misconfigurations as needed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T02:35:02Z","date_published":"2026-07-05T02:35:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-icmp-timestamp-info-request/","summary":"This brief identifies inbound ICMP Timestamp (type 13) or Information (type 15) requests originating from external IP addresses and targeting internal RFC1918 destinations, a legacy diagnostic activity commonly associated with host and path fingerprinting during reconnaissance, active scanning, or OS fingerprinting efforts by an unidentified actor, indicating a potential prelude to more severe attacks.","title":"ICMP Timestamp or Information Request from the Internet","url":"https://feed.craftedsignal.io/briefs/2026-07-icmp-timestamp-info-request/"}],"language":"en","title":"CraftedSignal Threat Feed - Network_traffic Integration","version":"https://jsonfeed.org/version/1.1"}