Adversaries systematically map your network infrastructure before striking. Every domain, DNS record, IP range, and trust relationship is a piece of the puzzle that enables precision attacks.
T1590 is the overarching reconnaissance technique within MITRE ATT&CK's TA0043 (Reconnaissance) tactic that covers all aspects of target network discovery. It encompasses six sub-techniques—from domain property enumeration and DNS record harvesting to IP range mapping, trust dependency analysis, network topology mapping, and security appliance identification. Adversaries ranging from opportunistic script kiddies to sophisticated nation-state APT groups rely on T1590 as the critical first phase of their kill chain. The intelligence gathered here directly informs which vulnerabilities to exploit, which entry points to target, and how to navigate the network once initial access is achieved. Without robust network exposure management, organizations are essentially handing adversaries a detailed blueprint of their infrastructure.
CISA has issued multiple alerts on DNS infrastructure hijacking campaigns (Advisory AA19-024A), emphasizing that adversary reconnaissance of DNS infrastructure remains a persistent and evolving threat. Organizations that fail to minimize their network intelligence exposure provide adversaries with reconnaissance data that can be gathered passively, without triggering any security alerts, enabling months of silent preparation before a single malicious packet is sent to the target network.
Gather Victim Network Information (T1590) is a MITRE ATT&CK reconnaissance technique where adversaries systematically collect details about a target organization's network infrastructure. This encompasses domain registrations, DNS configurations, IP address allocations, network trust relationships, topological layout, and security appliance deployment. This intelligence forms the foundation for all subsequent attack planning, enabling threat actors to identify exploitable entry points, map internal network dependencies, and craft highly targeted intrusion strategies that maximize their probability of success while minimizing detection risk.
Imagine a military scout mapping an enemy's territory before any engagement. They photograph every building, map every road, identify guard posts, discover which buildings are connected by tunnels, and learn which territories are allied. The complete map they build reveals every weakness, every entry point, and every high-value target. That's exactly what T1590 provides for cyber attackers. Through passive observation of publicly available information—DNS records, WHOIS data, BGP routing tables, certificate transparency logs—an adversary constructs a comprehensive map of your network without ever touching a single system inside your perimeter.
DNS record harvesting: the process of discovering DNS records (A, AAAA, MX, NS, TXT, SRV, CNAME) associated with a target domain. Adversaries use it to identify mail servers, name servers, subdomains, and service discovery records that reveal the target's network architecture and technology stack.
Trust dependency analysis: the network relationships between organizations, including federated authentication, VPN tunnels, API integrations, and shared cloud infrastructure. Adversaries exploit these trust boundaries to pivot from a less-secured partner network into the primary target.
Network topology mapping: discovery of the logical and physical arrangement of network components—routers, switches, firewalls, DMZs, VLANs, and cloud regions. Through traceroute, BGP data, and passive DNS analysis, adversaries build complete infrastructure maps.
TransGlobal's network infrastructure was fully discoverable through passive reconnaissance. Public WHOIS records exposed administrative contacts and network blocks. Unsecured DNS zone transfers (AXFR) allowed complete domain enumeration. No BGP route filtering meant their AS number and IP allocations were trivially mapped. Most critically, the company maintained interconnected networks with 40+ logistics partners—none segmented properly. A nation-state APT group mapped their entire network topology in under 72 hours using only publicly available sources. They discovered a legacy VPN link to a partner network with weak authentication and no MFA. The threat actors used this as initial access, spreading across 3 countries through lateral movement. The breach compromised shipping manifests for over 50,000 containers, disrupted operations for 18 days, and triggered $12 million in regulatory penalties and remediation costs.
$12M in damages • 50,000+ records breached

Daniel led a comprehensive network exposure reduction initiative. He implemented DNSSEC across all domains to prevent DNS spoofing and cache poisoning. Zone transfers were restricted to authorized secondary servers only. Network segmentation was redesigned with micro-segmentation policies isolating partner connections into dedicated DMZs with strict egress filtering. Zero-trust partnership agreements were established, requiring mutual authentication for all inter-organization links. BGP security was hardened with RPKI (Resource Public Key Infrastructure) to prevent route hijacking. Continuous network exposure monitoring was deployed using passive DNS sensors and certificate transparency log watchers. Within the first month of deployment, the team detected and attributed three separate reconnaissance campaigns from distinct threat actors. Their network intelligence exposure was reduced by 88%, and they established a 4-hour detection-to-response SLA for any new infrastructure discovery attempts.

88% exposure reduction • 3 campaigns detected in month 1

Follow this structured approach to systematically reduce your organization's network intelligence exposure and close the reconnaissance gaps that adversaries exploit during the T1590 phase of their attack lifecycle.
Begin by conducting a comprehensive audit of all externally accessible network infrastructure. Document every public IP block, every domain and subdomain, every DNS record, and every externally facing service. Use passive reconnaissance tools (Shodan, Censys, SecurityTrails) to discover what adversaries can see about your organization. Create an inventory of all cloud assets across AWS, Azure, and GCP, including forgotten development and staging environments. This baseline is essential for measuring improvement and identifying blind spots in your infrastructure visibility.
Deploy DNSSEC on all authoritative zones to prevent DNS spoofing attacks. Disable AXFR zone transfers or restrict them to authenticated secondary name servers only. Remove unnecessary TXT, SRV, and HINFO records that leak server information. Implement DNS query logging and anomaly detection to identify reconnaissance patterns. Consider using managed DNS providers with built-in DDoS protection and query analytics. Regularly audit your DNS records for stale entries that expose deprecated infrastructure or reveal internal naming conventions that could aid attacker reconnaissance.
Design and enforce network segmentation that limits what an adversary can discover and access even after gaining initial access. Separate partner networks into isolated DMZs with strict access controls. Implement micro-segmentation within your internal network so that compromising one segment does not expose others. Deploy next-generation firewalls with application-layer inspection between segments. Ensure cloud environments use VPCs, security groups, and network ACLs to enforce isolation. Document all segmentation policies and regularly test them through segmentation verification exercises.
Identify every third-party organization with network connectivity to your infrastructure—VPN tunnels, API integrations, shared cloud environments, federated authentication providers, and supply chain partners. For each trust relationship, verify that the principle of least privilege is enforced. Implement mutual authentication (mTLS) for all API connections. Deploy monitoring on all inter-organization links. Establish security requirements for partners and conduct regular assessments of partner security posture. Remember: adversaries exploit your trust relationships because they know these paths are often less secured than your primary perimeter.
Minimize public exposure of your IP address space. Use WHOIS privacy services to protect registration details. Implement RPKI for BGP security to prevent route hijacking and unauthorized announcement of your IP ranges. Consider using CDN and DDoS protection services that mask your origin IP addresses behind proxy infrastructure. Regularly scan for leaked IP addresses in threat intelligence feeds, paste sites, and public vulnerability databases. Implement IP reputation monitoring to detect if your addresses appear in botnet or spam lists, which could indicate compromise or misuse by threat actors.
Prevent adversaries from discovering your defensive capabilities by obscuring security appliance fingerprints. Suppress identifying banners on firewalls, IDS/IPS, and load balancers, and return generic responses that don't reveal vendor and version information. Ensure management interfaces are not accessible from the public internet. Deploy deception technology (honeypots, honeytokens) to create false infrastructure that misleads reconnaissance efforts. Keep all security appliance firmware updated and patched. Monitor for vulnerability scanners targeting your security appliances, as this often indicates active reconnaissance of your defensive posture.
Establish 24/7 monitoring of your external network attack surface using automated tools that alert on changes in DNS records, certificate deployments, port exposure, and cloud asset configurations. Integrate threat intelligence feeds that correlate your infrastructure indicators with known adversary reconnaissance activities. Deploy passive DNS monitoring to detect domain name changes or new subdomain creation that could indicate compromise or unauthorized infrastructure. Implement a formal process for responding to newly discovered exposure—assigning ownership, setting remediation SLAs, and tracking closure. Conduct quarterly attack surface assessments and red team exercises to validate your exposure reduction efforts.
The red team views T1590 as the highest-leverage phase of the entire attack lifecycle. Effective network reconnaissance eliminates guesswork, reduces operational risk, and dramatically increases success rates for every subsequent tactic from initial access to exfiltration.
The blue team focuses on minimizing the intelligence available to adversaries while detecting active reconnaissance campaigns through anomaly detection and threat intelligence correlation.
Threat hunting for T1590 focuses on detecting the artifacts and behavioral patterns that indicate active or recent network reconnaissance against your organization. Since much of T1590 activity occurs against third-party services (DNS, WHOIS, certificate logs) rather than your infrastructure directly, effective hunting requires monitoring external data sources and correlating them with internal telemetry. The following detection hypotheses and data sources provide a structured approach to hunting for adversary network reconnaissance campaigns targeting your organization.
Monitor authoritative DNS servers for volumetric query patterns targeting non-existent subdomains (NXDOMAIN floods), unusual record type queries (TXT, SRV, AXFR attempts), and repeated zone transfer requests from unauthenticated sources. Correlate query volumes with threat intelligence to identify known scanning infrastructure.
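As an added example (not part of the original article), the script below runs the three hypotheses above over authoritative query logs: zone transfer requests from anything other than the known secondaries, a burst of NXDOMAIN responses for distinct names from one client inside a sliding window, and one client walking many record types of the same name. The log format is a constructed, simplified one (timestamp, client, qname, qtype, rcode) rather than any server's native layout, and the client addresses, the secondary allowlist and the thresholds are assumptions chosen for the sample.

```python
"""Hunt for DNS reconnaissance in authoritative server query logs.

Added example for this article, not code from the page. The log format is
a constructed, simplified one (timestamp, client IP, qname, qtype, rcode)
rather than any vendor's native layout; the client addresses, names and
thresholds are made up for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

AUTHORIZED_SECONDARIES = {"192.0.2.11"}   # assumed: hosts allowed to pull AXFR/IXFR
NXDOMAIN_THRESHOLD = 5                    # distinct non-existent names per client per window
WINDOW_SECONDS = 60
TYPE_SWEEP_THRESHOLD = 5                  # distinct record types asked for the same name

# Constructed log lines. A legitimate resolver (198.51.100.7) sits among two
# scanning clients (203.0.113.5 and 203.0.113.9) and the real secondary.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z 198.51.100.7 www.example.test A NOERROR
2024-03-01T10:00:01Z 203.0.113.5 dev.example.test A NXDOMAIN
2024-03-01T10:00:01Z 203.0.113.5 vpn.example.test A NXDOMAIN
2024-03-01T10:00:02Z 203.0.113.5 admin.example.test A NXDOMAIN
2024-03-01T10:00:02Z 198.51.100.7 mail.example.test MX NOERROR
2024-03-01T10:00:03Z 203.0.113.5 test.example.test A NXDOMAIN
2024-03-01T10:00:03Z 203.0.113.5 backup.example.test A NXDOMAIN
2024-03-01T10:00:04Z 203.0.113.5 git.example.test A NXDOMAIN
2024-03-01T10:00:10Z 192.0.2.11 example.test AXFR NOERROR
2024-03-01T10:00:12Z 203.0.113.9 example.test AXFR REFUSED
2024-03-01T10:00:20Z 203.0.113.9 example.test TXT NOERROR
2024-03-01T10:00:20Z 203.0.113.9 example.test MX NOERROR
2024-03-01T10:00:21Z 203.0.113.9 example.test NS NOERROR
2024-03-01T10:00:21Z 203.0.113.9 example.test SOA NOERROR
2024-03-01T10:00:22Z 203.0.113.9 example.test HINFO NOERROR
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, client, qname, qtype, rcode = line.split()
    return (datetime.fromisoformat(ts.replace("Z", "+00:00")),
            client, qname.lower().rstrip("."), qtype.upper(), rcode.upper())


def detect_recon(lines):
    """Return (rule, client, detail) alerts; each rule fires once per client."""
    alerts, fired = [], set()
    nx_window = defaultdict(deque)                        # client -> (ts, qname)
    types_seen = defaultdict(set)                         # (client, qname) -> qtypes

    def fire(rule, client, detail):
        if (rule, client) not in fired:
            fired.add((rule, client))
            alerts.append((rule, client, detail))

    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = parse_line(line)

        # Hypothesis 1: zone transfer attempts from anything but our secondaries.
        # A REFUSED answer is still worth an alert: it shows who is trying.
        if qtype in ("AXFR", "IXFR") and client not in AUTHORIZED_SECONDARIES:
            fire("zone_transfer_attempt", client, f"{qtype} for {qname} ({rcode})")

        # Hypothesis 2: subdomain brute force shows up as a burst of NXDOMAINs
        # for distinct names from one client inside a sliding window.
        if rcode == "NXDOMAIN":
            window = nx_window[client]
            window.append((ts, qname))
            while (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            distinct = {name for _, name in window}
            if len(distinct) >= NXDOMAIN_THRESHOLD:
                fire("subdomain_bruteforce", client,
                     f"{len(distinct)} distinct NXDOMAIN names in {WINDOW_SECONDS}s")

        # Hypothesis 3: walking every record type of one name is enumeration,
        # not resolution; HINFO and ANY requests are rare outside of scans.
        key = (client, qname)
        types_seen[key].add(qtype)
        if len(types_seen[key]) >= TYPE_SWEEP_THRESHOLD or qtype in ("HINFO", "ANY"):
            fire("record_type_sweep", client, f"{sorted(types_seen[key])} for {qname}")
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the legitimate resolver and the authorized secondary produce no alerts, while each scanning client trips one rule. The thresholds are starting points: set them from a baseline of your own servers' normal NXDOMAIN rate and query-type mix, and enrich the alerting client with the threat intelligence correlation the hypothesis describes.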
Continuously monitor certificate transparency logs (crt.sh, Censys Certificates) for new certificates issued containing your domain names, especially wildcard certificates or certificates issued by unknown CAs. New certificate issuance may indicate subdomain takeover attempts or phishing infrastructure preparation.
Monitor BGP routing tables for unauthorized announcements of your AS number or IP address ranges. Use RPKI validation and route collector data (RIPE RIS, BGPstream) to detect route hijacking attempts that could enable traffic interception or reconnaissance of network connectivity patterns.
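Both the IP address space step above (RPKI to prevent unauthorized announcement of your ranges) and this hunting hypothesis rest on Route Origin Validation, so the following added example (written for this article, not code from the page or from any RPKI validator) implements the RFC 6811 classification and applies it to a list of observed announcements. The ROAs, prefixes and AS numbers are constructed from documentation ranges (RFC 5737 and RFC 5398) and stand in for what a real validator loads from the RIR trust anchors and a route collector feed.

```python
"""Route Origin Validation (RFC 6811) over constructed ROAs and announcements.

Added example for this article, not code from the page or from any RPKI
validator. The ROAs, prefixes and AS numbers are constructed from
documentation ranges (RFC 5737, RFC 5398) and stand in for what a real
validator would load from the RIR trust anchors and a route collector feed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str        # authorised prefix
    max_length: int    # most specific announcement the holder permits
    asn: int           # origin AS allowed to announce it (0 = nobody)


# Constructed ROAs published by the (fictional) holder of these ranges.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),      # exactly this /24, only AS64500
    ROA("198.51.100.0/24", 26, 64500),   # AS64500 may deaggregate down to /26
    ROA("203.0.113.0/24", 24, 0),        # AS0: no one may originate this space
]


def validate_origin(prefix, origin_asn, roas):
    """Classify one announcement as Valid, Invalid or NotFound per RFC 6811."""
    route = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA covers the route when the route lies inside the ROA prefix.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"                       # unsigned space: cannot judge
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "Valid"                      # one matching ROA is enough
    return "Invalid"                            # covered, but by no matching ROA


def flag_suspect_routes(observed, roas):
    """Return observed (prefix, origin_asn) pairs whose status is Invalid.

    `observed` stands for announcements seen at a route collector; Invalid
    entries are what a monitor should alert on as possible hijacks or
    misconfigurations of your own address space.
    """
    return [(p, a) for p, a in observed if validate_origin(p, a, roas) == "Invalid"]


# Constructed collector observations for the fictional holder's space.
OBSERVED_ROUTES = [
    ("192.0.2.0/24", 64500),        # legitimate announcement
    ("192.0.2.0/25", 64500),        # right AS, but more specific than maxLength
    ("192.0.2.0/24", 64501),        # wrong origin: the classic hijack pattern
    ("198.51.100.64/26", 64500),    # deaggregation within maxLength
    ("10.0.0.0/8", 64500),          # no ROA covers it
    ("203.0.113.0/24", 64496),      # announced despite an AS0 ROA
]

if __name__ == "__main__":
    for prefix, asn in OBSERVED_ROUTES:
        print(prefix, asn, validate_origin(prefix, asn, SAMPLE_ROAS))
```

Two points the code makes concrete: a route that is more specific than the ROA's maxLength is Invalid even when the origin AS is right, which is why a too-tight maxLength on your own ROAs can make your legitimate deaggregations look like hijacks; and NotFound is not a clean bill of health, only the absence of a ROA, so unsigned space gets no protection from networks that drop Invalid routes.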
Monitor partner VPN tunnels, API integrations, and federated authentication logs for unusual authentication patterns, data access attempts, or lateral movement from partner networks. Baseline normal partner traffic patterns and alert on deviations that could indicate an adversary pivoting through a compromised trust relationship.
Monitor perimeter firewalls and IDS/IPS for connection attempts to large numbers of sequential IP addresses or ports from single sources. Track SYN scan patterns, service fingerprinting attempts (banner grabbing, version probes), and vulnerability scanner signatures that indicate systematic infrastructure enumeration.
Automatically monitor paste sites (Pastebin, GitHub Gists), dark web forums, and OSINT aggregation platforms for leaked credentials, network diagrams, configuration files, or internal documentation that could provide adversaries with detailed network intelligence. Set up keyword-based alerts for your domain names, IP ranges, and internal service names.
T1590 encompasses six distinct sub-techniques, each targeting a specific category of network intelligence. Explore each sub-technique to understand the adversary's methodology and build targeted defenses for every aspect of your network exposure.