Cyber Pulse Academy


T1590.004: Network Topology

Adversaries may map the network topology of a target to understand the architecture, segmentation, and trust boundaries that govern communication between systems.

Tactic: Reconnaissance
Platform: Enterprise
Sub-technique of T1590
[Illustration: network zones from the internet edge inward (firewall, DMZ, web servers, database, internal net, cloud, remote workers) with a mock traceroute that ends at a filtered hop]

  $ traceroute 10.0.0.1
  1 203.0.113.1 1.2ms FW-EDGE
  2 10.0.0.254 3.4ms DMZ-GW
  3 10.0.1.1 5.1ms WEB-PROXY
  4 10.0.2.1 12.7ms DB-NETWORK
  5 10.0.3.1 28.3ms INTERNAL-SW
  * * * FILTERED

Why Network Topology Mapping Matters

Understanding how adversaries map your network reveals why this reconnaissance sub-technique is the foundation of sophisticated cyber attacks.


Network Layout Exposure

Network topology reveals the complete layout, segmentation, and architecture of an organization's network. Adversaries who successfully map topology gain visibility into every subnet, VLAN, DMZ, cloud interconnect, and VPN gateway, creating a comprehensive blueprint of the target environment that would normally take years of insider knowledge to acquire. This structural intelligence is the prerequisite for virtually every subsequent attack phase.


Chokepoint & Firewall Identification

Knowing the topology helps attackers identify critical chokepoints, understand firewall placement and rule sets, and plan lateral movement paths that exploit segmentation gaps. When an attacker understands where firewalls sit between network zones and which ports are filtered versus open, they can craft targeted exploitation strategies that bypass perimeter defenses entirely, entering through the path of least resistance rather than attacking hardened front doors.


Abnormal Traffic Detection

SenseOn's Network Detection and Response (NDR) platform can identify abnormal traffic patterns indicative of active network mapping, including systematic port sweeps, TTL-based traceroute enumeration, and SNMP walking of network infrastructure devices. By correlating these low-and-slow reconnaissance signals across the network, defenders gain early warning of adversaries assembling topology maps before exploitation begins.

Source: SenseOn, LinkedIn

Intelligence-Gathering Phase

Vectra AI emphasizes that reconnaissance is the critical intelligence-gathering phase where adversaries methodically map systems, identities, and trust relationships across the target environment. Network topology mapping is a core component of this phase, providing the structural context needed to identify high-value targets, credential stores, and privilege escalation opportunities that enable deeper network penetration.

Source: Vectra AI, Reconnaissance

Exploiting Expanding Attack Surface

Common Vulnerabilities and Exposures (CVEs) grew 39% from 2023 to 2024, dramatically expanding the attack surface that adversaries can discover through topology mapping. Each newly identified network segment, cloud workload, or IoT device represents a potential foothold. With more targets exposed across increasingly complex hybrid networks, topology mapping becomes even more valuable as it helps adversaries prioritize which vulnerabilities to exploit first.

Source: Fortinet 2025 Global Threat Landscape Report

Path of Least Resistance

Network mapping helps attackers find the path of least resistance to high-value targets such as intellectual property repositories, financial systems, and executive communications. Instead of brute-forcing well-defended entry points, adversaries use topology intelligence to identify legacy systems, misconfigured routers, shadow IT connections, and unmonitored network bridges that provide quiet, undetected access to the most sensitive data in the organization.

+39%: year-over-year increase in CVEs from 2023 to 2024 (Fortinet 2025 Global Threat Landscape Report). More vulnerabilities mean more opportunities discovered through topology mapping.

Key Terms & Concepts

Essential vocabulary for understanding network topology reconnaissance and its implications.

📖 Simple Definition

Network Topology (T1590.004) is a sub-technique of MITRE ATT&CK where adversaries systematically map the physical and logical layout of a target's network infrastructure. This includes identifying routers, switches, firewalls, subnets, DMZs, VLANs, cloud connections, VPN gateways, and the interconnections between them. Adversaries employ techniques such as traceroute, BGP route analysis, SNMP enumeration, ARP scanning, and network discovery protocols to build comprehensive network maps that reveal segmentation boundaries, network choke points, and lateral movement pathways. The resulting topology intelligence enables precise targeting of network devices and informs strategic decisions about which network segments to compromise for maximum operational impact.

🏙 Everyday Analogy

Think of network topology like a city's road map. A city planner would know exactly which roads are one-way streets, where the bridges connect different neighborhoods, which areas are gated communities with private security, and where the highway on-ramps provide rapid access between districts. An attacker who obtains your city map knows precisely which quiet residential street leads directly to the bank vault, which bridge connects the police station to the financial district, and which back alley bypasses every security checkpoint in the city. They don't need to force their way through the front gate; they simply follow the map to the weakest point in the perimeter and walk right in through an unmarked service entrance that nobody thought to lock.

Real-World Scenario

A detailed account of how T1590.004 plays out in a real organizational context.

👨‍💼 Robert Kim, Network Operations Center Manager

Pinnacle Aerospace is a mid-size defense contractor specializing in satellite communication systems for military and government clients. The company operates a hybrid network spanning on-premises data centers, cloud environments, and remote engineering workstations.

⚠ Before

Discoverable Network Topology

Pinnacle Aerospace's network topology was fully discoverable through multiple reconnaissance vectors. SNMP community strings on internet-facing devices responded to public queries, revealing device types, firmware versions, interface configurations, and neighboring device relationships. BGP route announcements from their ASN leaked internal network structure, including the existence of previously unknown subnets. Traceroute responses from perimeter routers showed hop-by-hop internal routing, exposing the full path from internet edge to core infrastructure. A state-sponsored APT group systematically mapped their entire network over a six-week period using these techniques. The attackers identified a legacy SCADA network segment connected through an unmapped VPN tunnel that had been configured years earlier by a contractor and forgotten by the current IT team. Exploiting a known vulnerability in the VPN tunnel endpoint, the APT gained access to classified design documents for an advanced military satellite communication system, resulting in a major national security incident and a two-year remediation program costing tens of millions of dollars.

✅ After

Secured Network Architecture

Robert Kim led a comprehensive initiative to eliminate topology exposure vectors. He disabled SNMP on all external interfaces and replaced public community strings with SNMPv3 authentication. He implemented BGP route filtering to prevent internal network structure leakage through route announcements. Robert deployed network segmentation using zero-trust microsegmentation principles, ensuring each network segment operated with least-privilege access controls. He deployed decoy routing infrastructure (honeyports and fake network responses) to actively mislead adversary mapping attempts and generate alerts when probing was detected. He implemented commercial network detection and response (NDR) tools to continuously monitor for topology reconnaissance patterns, including systematic scanning, traceroute anomalies, and SNMP enumeration attempts. Finally, Robert established monthly network topology audits to identify shadow IT, unauthorized connections, and configuration drift that could reintroduce topology exposure risks.

Attack Lifecycle: 7 Steps

How adversaries execute network topology mapping from initial access to exploitation planning.

1. Passive Reconnaissance

Adversaries begin with passive techniques: analyzing BGP routing tables, WHOIS records, DNS records, and SSL certificate transparency logs to identify network ranges, ASNs, and infrastructure providers associated with the target organization, without sending any traffic to the target that it could detect.

2. Perimeter Identification

Using the intelligence gathered passively, attackers scan internet-facing IP ranges to identify perimeter devices: firewalls, load balancers, VPN gateways, mail servers, and web applications. Each responding device reveals its role and approximate network position in the topology.

3. Traceroute & TTL Mapping

Adversaries execute traceroute from multiple vantage points to map the hop-by-hop path from the internet through perimeter defenses into the internal network. TTL decrement analysis reveals the number of routing hops, device types, and network segmentation boundaries.

4. SNMP & Protocol Enumeration

SNMP community string guessing and enumeration of network management protocols reveal device inventories, interface tables, routing tables, ARP caches, and neighbor relationships, building a complete picture of the physical and logical network layout.

5. Internal Segment Discovery

Once initial access is gained through a compromised endpoint, adversaries use internal network scanning tools to discover additional subnets, VLANs, domain controllers, file servers, and trust relationships that were invisible from the external perspective.

6. Cloud & Hybrid Mapping

Adversaries extend topology mapping into cloud environments by enumerating virtual networks, subnets, security groups, peering connections, and hybrid connectivity links such as site-to-site VPN tunnels and ExpressRoute circuits connecting on-premises infrastructure to cloud platforms.

7. Exploitation Path Planning

With the complete topology assembled, adversaries analyze the map to identify the optimal exploitation path: selecting the weakest network segment, the most vulnerable device, or the most permissive trust relationship to advance toward their ultimate objective while minimizing detection risk.

Mistakes & Best Practices

Common organizational failures and proven defensive measures against topology reconnaissance.

Default SNMP Community Strings

Leaving default SNMP community strings like "public" and "private" on network devices provides adversaries with complete device inventories, interface configurations, routing tables, and network topology maps through standard MIB queries.

Unfiltered BGP Announcements

Failing to implement BGP prefix filtering allows adversaries to analyze route advertisements and infer internal network structure, segment allocations, and interconnection topology from publicly accessible routing tables.

ICMP & TTL Responses Enabled

Allowing ICMP Time Exceeded messages and unfiltered traceroute responses on perimeter devices gives adversaries direct visibility into the number of network hops, device placement, and segmentation boundaries within the internal network.

Flat Network Architecture

Deploying networks without proper segmentation means that once topology mapping discovers a single entry point, adversaries can access virtually any system without encountering additional security boundaries or access controls.

Disable SNMP on External Interfaces

Disable SNMP on all internet-facing interfaces and migrate internal SNMP to version 3 with authentication and encryption. Where SNMP is required, implement strict access control lists limiting queries to authorized management stations only.

Implement BGP Route Filtering

Deploy prefix lists and route maps that filter BGP announcements to prevent internal network structure leakage. Use RPKI to validate route authenticity and consider using dedicated internet-exit points for public services.

Deploy Network Deception

Use decoy network infrastructure (honeyports, fake routing responses, and synthetic network services) to mislead topology mapping attempts. These decoys generate high-fidelity alerts when adversaries interact with them during reconnaissance.

Zero-Trust Microsegmentation

Implement zero-trust network architecture with microsegmentation that enforces least-privilege access between every network segment. Even if adversaries map the topology, each lateral movement step requires explicit authentication and authorization.

Red Team vs. Blue Team

Offensive and defensive perspectives on network topology mapping operations.

🔴 Red Team: Attack Methodology

  • Execute multi-source traceroute from diverse IP ranges to build a three-dimensional view of the target's perimeter architecture, identifying routing asymmetries, redundant paths, and backup links that defenders may not actively monitor for reconnaissance activity.
  • Perform SNMP enumeration across discovered management IP ranges using community string dictionaries, targeting network devices for routing tables, ARP caches, CDP/LLDP neighbor tables, and interface status that together reveal the complete physical and logical topology.
  • Analyze BGP routing tables from public route collectors and Internet Exchange Points to identify the target's address allocations, transit providers, and any leaked internal prefixes that reveal organizational structure and network segmentation design.
  • Use active scanning tools like Nmap with topology-aware scripts to discover network devices, operating systems, running services, and trust relationships. Correlate discovered data with passive intelligence to build a comprehensive attack roadmap.
  • Map cloud infrastructure by enumerating VPC ranges, peering connections, security group rules, and VPN tunnel configurations. Identify hybrid connectivity paths between on-premises networks and cloud environments that may have weaker security controls.

🔵 Blue Team: Defense Strategy

  • Deploy Network Detection and Response (NDR) platforms that establish behavioral baselines for normal network traffic patterns. Alert on systematic scanning, sequential traceroute patterns, and SNMP enumeration attempts that indicate active topology mapping operations.
  • Implement rate limiting and filtering on ICMP Time Exceeded messages, TTL manipulation attempts, and SNMP queries from unauthorized sources. Block traceroute at perimeter firewalls while maintaining legitimate network diagnostics capabilities internally.
  • Conduct regular external attack surface management (EASM) assessments to discover what network information is publicly accessible. Audit BGP announcements, DNS records, certificate transparency logs, and internet-facing device configurations for topology leakage.
  • Deploy network deception technologies including decoy routers, honeyports, and synthetic network services that respond convincingly to topology mapping tools, generating high-confidence alerts while misleading adversaries about the true network architecture.
  • Enforce zero-trust network segmentation with continuous authentication and authorization for all network flows. Implement network access control (NAC) to restrict device-to-device communication and prevent unauthorized lateral movement even if topology is fully mapped.

Threat Hunter's Guide

Hunting queries, detection logic, and investigation techniques for identifying network topology reconnaissance.

🔍 Traceroute Pattern Detection

-- Sources sending many low-TTL ICMP probes to hosts outside the allow-listed ranges.
-- ttl < 30 keeps the short-TTL probes; the per-pair count approximates the TTL ladder.
SELECT src_ip, dest_ip, protocol, COUNT(*) AS probe_count
FROM network_flow
WHERE protocol = 'ICMP'
  AND icmp_type IN (8, 11)      -- 8 = Echo Request probes, 11 = the Time Exceeded replies they elicit
  AND ttl < 30
  AND dest_ip NOT IN (SELECT ip FROM allowed_internal_ranges)   -- placeholder allow-list table
GROUP BY src_ip, dest_ip, protocol
HAVING COUNT(*) > 10;

Detect systematic traceroute activity by identifying sources sending sequential ICMP Echo Requests with incrementally increasing TTL values to multiple destinations. Legitimate diagnostic traffic is typically ad-hoc and limited to specific hosts, while reconnaissance traceroute targets diverse IP ranges in methodical patterns. Cross-reference with known management workstations to reduce false positives from authorized network troubleshooting.

🔍 SNMP Enumeration Detection

-- One source querying SNMP on many different devices inside a short window.
-- Counting distinct destination hosts per source (not ports per pair) is what exposes the sweep.
SELECT src_ip, COUNT(DISTINCT dest_ip) AS snmp_targets
FROM network_flow
WHERE protocol = 'UDP'
  AND dest_port IN (161, 162)   -- 161 = queries; 162 = traps, normally only device -> manager
  AND first_seen > NOW() - INTERVAL '1 hour'
GROUP BY src_ip
HAVING COUNT(DISTINCT dest_ip) > 20
ORDER BY snmp_targets DESC;

Identify SNMP walking by detecting single sources querying the SNMP port (161/162) on multiple destination IP addresses within a short time window. Adversaries performing topology mapping through SNMP enumeration systematically probe management interfaces across network device ranges to extract routing tables, ARP caches, and interface configurations that reveal network topology.
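The two hunts above (traceroute ladders and SNMP sweeps) are easy to express in SQL but lose the detail that actually distinguishes reconnaissance from diagnostics: the consecutive TTL run of a traceroute, and the time-compression of a sweep compared with a monitoring poller. The following is an added example, not code from the page or from any NDR vendor, that runs both hunts over constructed flow records; the field names (src_ip, dst_ip, proto, icmp_type, ttl, dst_port, ts), the thresholds and the sample addresses are assumptions.

```python
"""Flow-record hunts for traceroute-style probing and SNMP sweeps.

Added example, not code from the page or from any NDR product. The flow
records are constructed, and the field names are assumed rather than taken
from a vendor schema.
"""
from __future__ import annotations

from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    proto: str            # "ICMP", "UDP" or "TCP"
    ttl: int              # IP TTL observed on the first packet of the flow
    icmp_type: int = -1   # 8 = Echo Request; -1 when the flow is not ICMP
    dst_port: int = 0     # 0 when the flow is not UDP/TCP


def traceroute_suspects(flows: Iterable[Flow], known_mgmt: frozenset[str] = frozenset(),
                        min_hops: int = 4, min_targets: int = 2) -> dict[str, int]:
    """Map src_ip -> number of destinations it walked with a TTL ladder.

    traceroute sends Echo Requests with TTL 1, 2, 3, ... until it reaches the
    target, so the fingerprint is a run of consecutive low TTLs starting at 1
    towards one destination. A source is reported when it shows such a ladder
    (at least `min_hops` long) against `min_targets` or more destinations and
    is not an allow-listed management workstation.
    """
    ttls: dict[tuple[str, str], set[int]] = defaultdict(set)
    for f in flows:
        if f.proto == "ICMP" and f.icmp_type == 8 and f.ttl < 30:
            ttls[(f.src_ip, f.dst_ip)].add(f.ttl)
    laddered: Counter[str] = Counter()
    for (src, dst), seen in ttls.items():
        run = 0
        while run + 1 in seen:        # length of the consecutive run 1, 2, 3, ...
            run += 1
        if run >= min_hops:
            laddered[src] += 1
    return {src: n for src, n in laddered.items()
            if n >= min_targets and src not in known_mgmt}


def snmp_sweep_suspects(flows: Iterable[Flow], window: timedelta = timedelta(minutes=10),
                        max_targets: int = 20) -> dict[str, int]:
    """Map src_ip -> peak number of distinct hosts it queried on UDP/161 inside
    any `window`-long span, for sources exceeding `max_targets`.

    A monitoring poller touches the same devices, but spread over its polling
    interval; a sweep hits them back to back. The sliding window separates the
    two where a plain per-day count would not.
    """
    per_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for f in flows:
        if f.proto == "UDP" and f.dst_port == 161:
            per_src[f.src_ip].append((f.ts, f.dst_ip))
    hits: dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        active: deque[tuple[datetime, str]] = deque()   # events inside the current window
        in_window: Counter[str] = Counter()              # dst_ip -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            active.append((ts, dst))
            in_window[dst] += 1
            while ts - active[0][0] > window:            # expire events older than the window
                _old_ts, old_dst = active.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak > max_targets:
            hits[src] = peak
    return hits


def _t(minute: int, second: int = 0) -> datetime:
    return datetime(2024, 1, 15, 9, minute, second)


# Constructed sample traffic (not captured data).
SAMPLE_FLOWS: list[Flow] = []
# 10.50.0.77 traceroutes two internal gateways: TTL 1..6, three probes per hop like the stock tool.
for i, dst in enumerate(("10.0.2.1", "10.0.3.1")):
    for ttl in range(1, 7):
        for probe in range(3):
            SAMPLE_FLOWS.append(Flow(_t(i, ttl * 3 + probe), "10.50.0.77", dst, "ICMP", ttl, icmp_type=8))
# 10.50.0.10 is a NOC workstation troubleshooting two hosts the same way.
for i, dst in enumerate(("10.0.1.1", "10.0.2.1")):
    for ttl in range(1, 9):
        SAMPLE_FLOWS.append(Flow(_t(5 + i, ttl), "10.50.0.10", dst, "ICMP", ttl, icmp_type=8))
# 10.50.0.99 sweeps UDP/161 across 25 devices in four minutes.
for n in range(25):
    SAMPLE_FLOWS.append(Flow(_t(20) + timedelta(seconds=10 * n), "10.50.0.99", f"10.0.4.{n + 1}", "UDP", 64, dst_port=161))
# 10.50.0.5 is the monitoring poller: same 25 devices, one every 15 minutes.
for n in range(25):
    SAMPLE_FLOWS.append(Flow(_t(0) + timedelta(minutes=15 * n), "10.50.0.5", f"10.0.4.{n + 1}", "UDP", 64, dst_port=161))

if __name__ == "__main__":
    print(traceroute_suspects(SAMPLE_FLOWS))                                         # {'10.50.0.77': 2, '10.50.0.10': 2}
    print(traceroute_suspects(SAMPLE_FLOWS, known_mgmt=frozenset({"10.50.0.10"})))  # {'10.50.0.77': 2}
    print(snmp_sweep_suspects(SAMPLE_FLOWS))                                         # {'10.50.0.99': 25}
```

Without the allow-list the NOC workstation is reported alongside the probing host, which is exactly the false positive the text warns about; the allow-list is the cross-reference step, not a reason to loosen the ladder check. The poller never trips the SNMP hunt because its 25 queries are 15 minutes apart, while the sweep packs all 25 into one window.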

🔍 Internal Network Scanning

-- Horizontal scan: one source, many destinations, rejected or near-empty connections, short timeframe.
SELECT src_ip,
       COUNT(DISTINCT dest_ip) AS hosts_scanned,
       MIN(first_seen)         AS scan_start,
       MAX(last_seen)          AS scan_end
FROM network_flow
WHERE connection_state = 'REJ' OR bytes_sent < 100
GROUP BY src_ip
HAVING COUNT(DISTINCT dest_ip) > 50
   AND MAX(last_seen) - MIN(first_seen) < INTERVAL '4 hours';

Hunt for horizontal scanning patterns where a single internal source attempts connections to an unusually high number of destinations in a short timeframe. Rapid sequential connection attempts with minimal data transfer are characteristic of topology discovery scanning, particularly when the scanning host has no legitimate administrative function. Investigate the source for signs of initial access compromise.

🔍 BGP & Routing Anomaly Detection

-- RFC 1918 prefixes appearing in BGP updates, announced repeatedly and first seen in the last week.
-- The regex (PostgreSQL syntax) covers all of 172.16.0.0/12, which a plain LIKE '172.16.%' would miss.
SELECT prefix, peer_as,
       COUNT(*)       AS announce_count,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM bgp_updates
WHERE prefix LIKE '10.%'
   OR prefix ~ '^172\.(1[6-9]|2[0-9]|3[01])\.'
   OR prefix LIKE '192.168.%'
GROUP BY prefix, peer_as
HAVING COUNT(*) > 3
   AND MIN(timestamp) > NOW() - INTERVAL '7 days';

Monitor BGP routing updates for leaks of private address space (RFC 1918) or unexpected route announcements that reveal internal network structure. Adversaries and misconfigured routers alike can expose internal topology through BGP. Additionally, monitor for new route announcements from the organization's ASN that expose previously unknown network segments, which may indicate either misconfiguration or active reconnaissance exploitation of routing infrastructure.
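The route-filtering best practice above and this BGP hunt are two views of the same rule: what the edge is allowed to announce. The added example below (not code from the page; the allocation 203.0.113.0/24 and 198.51.100.0/24, origin AS 64500, the peer AS numbers and the update records are all constructed) models an egress prefix list with the standard library's ipaddress module and then applies it, together with an RFC 1918 check that covers the whole 172.16.0.0/12, to a set of route-collector updates.

```python
"""BGP egress prefix-filter check and private-prefix leak hunt.

Added example, not code from the page. Allocation, ASNs and updates are
constructed; a real check would read them from the router's prefix list and
a route-collector feed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class BgpUpdate:
    ts: datetime
    prefix: str
    peer_as: int      # collector peer that observed the announcement
    origin_as: int    # last AS in the AS_PATH


def announcement_allowed(prefix: str, origin_as: int, allowed: list, our_asn: int,
                         max_len: int = 24) -> bool:
    """Mirror of an outbound prefix list: only prefixes inside our allocation,
    originated by our ASN and no longer than `max_len` may leave the edge.
    The length cap stops internal deaggregates (per-site /26s and the like)
    from escaping and revealing segment allocations."""
    net = ipaddress.ip_network(prefix, strict=False)
    if origin_as != our_asn or net.prefixlen > max_len:
        return False
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def hunt_bgp_leaks(updates, allowed, our_asn: int, now: datetime,
                   flap_threshold: int = 3, new_within: timedelta = timedelta(days=7)):
    """Group updates per (prefix, peer_as) and tag each group with the reasons
    it deserves a look: private address space announced at all, our own origin
    announcing something the egress filter should have dropped, or a prefix
    first seen recently and announced more than `flap_threshold` times."""
    groups = defaultdict(list)
    for u in updates:
        groups[(u.prefix, u.peer_as)].append(u)
    findings = {}
    for (prefix, peer_as), ups in groups.items():
        net = ipaddress.ip_network(prefix, strict=False)
        reasons = []
        if any(net.version == p.version and net.overlaps(p) for p in RFC1918):
            reasons.append("rfc1918")
        origin = ups[0].origin_as
        if origin == our_asn and not announcement_allowed(prefix, origin, allowed, our_asn):
            reasons.append("fails-egress-filter")
        first_seen = min(u.ts for u in ups)
        if len(ups) > flap_threshold and now - first_seen <= new_within:
            reasons.append("new-and-flapping")
        if reasons:
            findings[(prefix, peer_as)] = reasons
    return findings


NOW = datetime(2024, 1, 15, 12, 0)
OUR_ASN = 64500
ALLOWED = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]

# Constructed route-collector updates.
SAMPLE_UPDATES = [
    # normal: our /24, announced twice a month ago
    BgpUpdate(NOW - timedelta(days=30), "203.0.113.0/24", 64496, OUR_ASN),
    BgpUpdate(NOW - timedelta(days=29), "203.0.113.0/24", 64496, OUR_ASN),
    # leaked internal space; 172.20/16 is missed by a naive LIKE '172.16.%' check
    BgpUpdate(NOW - timedelta(days=1), "10.20.0.0/16", 64496, OUR_ASN),
    BgpUpdate(NOW - timedelta(days=1), "172.20.0.0/16", 64496, OUR_ASN),
    # someone else's public prefix: not ours to filter, not private, ignored
    BgpUpdate(NOW - timedelta(days=3), "192.0.2.0/24", 64496, 64499),
]
# a per-site /26 deaggregate of our own space that started flapping two days ago
for h in range(5):
    SAMPLE_UPDATES.append(BgpUpdate(NOW - timedelta(days=2) + timedelta(hours=h), "198.51.100.0/26", 64496, OUR_ASN))

if __name__ == "__main__":
    for key, reasons in hunt_bgp_leaks(SAMPLE_UPDATES, ALLOWED, OUR_ASN, NOW).items():
        print(key, reasons)
```

The /26 case is the one a LIKE-based query cannot see: it is public, legitimately ours, and still a leak, because announcing it tells the world how the /24 is carved up internally. The prefix-length cap in announcement_allowed is what the "prefix lists and route maps" in the best-practice section enforce on the router.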

Strengthen Your Network Topology Defenses

Network topology mapping is the adversary's first step toward understanding your environment. Deploy NDR solutions, eliminate information leakage, implement zero-trust segmentation, and continuously hunt for reconnaissance activity. The earlier you detect mapping attempts, the more time you have to harden your defenses before exploitation begins. Review the complete T1590 technique family and related sub-techniques to build a comprehensive reconnaissance defense strategy.
