Fight against Phase 2

Depending on how sophisticated the 2,nd phase of the attack is, it might be tough to fight against it.

But at least below basics should be on your list.

Some tools (including snort) on your perimeter should be able to detect a portscan.

Watch your FW logfiles frequently and do some reporting on them. Things like a slow portscan might be hard to recognize while looking at the raw data, but are easy to detect by sorting your logfile on SRC or DST addresses.

For detecting a stealth scan, start looking through your report for SYN-ACK's and FIN's.

In general anything that goes through a range of data might be a scan.

Once you have found a data that looks dodgy, try to correlate it with your other data sources like AV scan etc.

So at the end you might see a scan/attack going to one of your hosts that is known to be vulnearble.

Once you have identified a scanner/attacker, put it on a blacklist of your FW to have it's packet dropped.

Another good way of identifying dodgy sources of data is the Cyber Intelligence Framework or any other reputation services. IF you'd like to add this information as another risk multiplier or have these sources identified to be on your blacklist is up to you.

Thing you should consider of blocking anyway are sources that are pretty well known to be scary. Like the AS4808 that is in the suspicion to host the Chinese espionage.

As a personal suggestion, you should also check your "usual" traffic and considder blocking traffic from "bad" countries your not doing business with. (For the sace of political correctnes, I will not define "bad" countries here)