Cyber Pulse Academy

T1591.001 · MITRE ATT&CK Reconnaissance

Determine Physical Locations

An adversary may gather information about the physical locations of a target organization to inform future operations, including physical and cyber attacks.

Interactive demo (illustrative facility map): how an adversary assembles a target's facility inventory from open sources.

Sample facility inventory:
- New York, USA: Global Headquarters (CRITICAL)
- São Paulo, Brazil: Regional Branch Office (MEDIUM)
- London, UK: Primary Data Center (CRITICAL)
- Dubai, UAE: Branch Office (MEDIUM)
- Mumbai, India: Regional Headquarters (HIGH)
- Singapore: Disaster Recovery Site (HIGH)
- Tokyo, Japan: Manufacturing Facility (HIGH)

Sources walked through in the demo: Website OSINT, Map Recon, Social Geotags, Job Listings, Property Records, Permit Search.

Resulting map ("Full Map Built"):
- HQ, New York: executive offices + data floor
- DC, London: Tier-4 data center facility
- Branch, Dubai: sales office + employee lounge
- DR, Singapore: disaster recovery + backup

Legend: Headquarters, Data Center, Branch Office

Why Physical Location Intelligence Matters

Understanding how adversaries exploit publicly available location data is the first step toward defending your organization's physical and digital perimeters against targeted reconnaissance campaigns.

72%: Organizations negatively impacted by supply chain breaches (Source: Infosecurity Magazine)
62%: Energy sector attacks occur on weekends or holidays when security is reduced (Source: Semperis / IndustrialCyber)
78%: Of publicly reported incidents are ransomware, often targeting physical infrastructure (Source: MDPI)
80%: Of companies reported increased security incidents year-over-year (Source: AppSecure)

Physical location data reveals far more than addresses on a map. Adversaries systematically catalog office buildings, data centers, warehouses, and manufacturing facilities to build comprehensive target profiles. Each location becomes a potential entry point, whether for a physical intrusion, a tailored phishing campaign referencing a specific building, or a supply chain attack exploiting known vendors who visit your facilities. The convergence of physical and cyber threats means that a single overlooked detail, such as a building permit listing your new server room expansion, can provide the intelligence an adversary needs to plan a devastating attack.

Location data directly enables physical social engineering, tailgating attacks, and on-site reconnaissance. When attackers know your building layout, security camera positions, employee shift patterns, and delivery schedules, they can craft highly convincing pretext scenarios. A fake delivery driver, an impersonated maintenance worker, or a seemingly lost visitor all become viable attack vectors when armed with accurate location intelligence. Organizations that treat physical and cybersecurity as separate domains create dangerous gaps that sophisticated threat actors are eager to exploit.

The financial and reputational consequences of location-enabled attacks are severe. Beyond immediate breach costs, organizations face regulatory fines, litigation, intellectual property theft, and loss of customer trust. For critical infrastructure sectors, the stakes are even higher: a physical intrusion at a power substation or water treatment facility can have cascading effects on public safety and national security. Proactively managing your physical location footprint and monitoring for adversarial reconnaissance is no longer optional; it is a fundamental component of a modern defense-in-depth strategy.

Key Terms & Concepts

A clear understanding of the terminology and real-world analogies behind T1591.001 helps security teams recognize and respond to location-based reconnaissance activity.

Simple Definition

Determine Physical Locations (T1591.001) is a sub-technique under MITRE ATT&CK's Reconnaissance tactic (TA0043) where adversaries identify the physical locations of a target organization's offices, data centers, warehouses, and other facilities. This includes headquarters, branch offices, manufacturing plants, research laboratories, and co-located facilities at third-party sites. Location data is gathered from a wide range of open-source intelligence (OSINT) sources: corporate websites with "Our Offices" pages, Google Maps and Street View imagery, job postings that mention specific facilities and equipment, public property records and building permits, social media geotagged posts and check-ins, conference and event registrations, DNS records tied to physical facilities, SEC filings for public companies, and even satellite imagery services. This intelligence enables physical social engineering, site-specific cyber attacks, supply chain targeting, and pre-incident surveillance planning.

Everyday Analogy

Imagine a burglar scoping out a neighborhood before a break-in. They don't just note street addresses; they learn which houses display security company signs, which have regular delivery patterns indicating when residents are home, which properties have side gates with old locks, and which homes back up to unlit alleys perfect for a quick escape. Physical location reconnaissance works exactly the same way at the enterprise level: attackers systematically learn your building layout from Street View, identify your security measures from job postings and vendor contracts, map employee entrances from social media photos, pinpoint server room locations from building permits, and track delivery schedules from logistics partners, all without ever setting foot on your property. By the time they execute their attack, whether physical or digital, they know your facilities better than most of your own employees do. The reconnaissance phase is silent, invisible, and entirely legal, making it one of the most difficult threat activities to detect and prevent.

Real-World Scenario

A fictional but realistic scenario illustrating how T1591.001 reconnaissance enables devastating real-world attacks on organizations with exposed physical location data.


Michael Chen, Director of Physical Security

Zenith Pharmaceuticals, a global drug manufacturer with 12 research and manufacturing facilities across North America, Europe, and Asia-Pacific, specializing in oncology and rare disease treatments.

⚠ Before: The Breach

Zenith's corporate website listed detailed addresses for all 12 facilities, including specific building names and floor information. Google Street View provided high-resolution imagery showing building entrances, loading docks, parking lot layouts, and perimeter fencing. Job postings on LinkedIn and Indeed revealed specific laboratory equipment models, department names, and shift schedules at each location. LinkedIn check-ins and Instagram geotagged photos from employees showed internal areas, badge reader styles, and even security camera placements.

A sophisticated criminal group operating in Eastern Europe spent four months building a comprehensive physical profile of Zenith's facilities. Using only publicly available information, they identified the research facility in Basel, Switzerland as the highest-value target: it housed the company's most proprietary drug formulations. They cataloged the building layout, identified all security camera positions from Street View and employee photos, determined that the night shift employed only two guards, and learned that maintenance contractors accessed the building through a rear entrance with a key code that rotated quarterly.

The group executed a coordinated physical intrusion on a Saturday night during a holiday weekend. They impersonated a fire safety inspector responding to a "reported gas leak," gaining access through the contractor entrance. Once inside, they disabled the minimal night-shift security, accessed the research server room, and exfiltrated proprietary drug formulas representing an estimated $2.1 billion in research and development investment. The breach triggered a mandatory FDA investigation, 18 months of compliance audits, product launch delays, and a total financial impact exceeding $340 million including direct losses, regulatory fines, legal fees, and competitive damage from the leaked formulas reaching competitors.

Total impact: $2.1B IP theft + $340M in losses, fines, and remediation costs

✅ After: The Fix

Michael Chen led a comprehensive overhaul of Zenith's physical security posture after the breach. He immediately removed specific facility addresses from the corporate website, replacing them with regional contact forms. He implemented a counter-surveillance program that included regular sweeps for unusual photography, monitoring of social media for employee geotagged posts, and engagement with Google to blur sensitive facility imagery on Street View. Building photography restrictions were posted at all facilities and enforced through security patrols.

He deployed enhanced physical access controls including multi-factor authentication at all entry points, mobile credential systems that can be instantly revoked, mantraps at high-security areas, and 24/7 monitored CCTV with AI-based anomaly detection. He established a security awareness program specifically addressing social engineering and physical reconnaissance, training all employees to recognize and report suspicious behavior, unusual requests for facility information, and the dangers of sharing location data on social media.

Michael also worked with local law enforcement on quarterly security assessments, implemented vendor access management protocols requiring background checks and escort requirements for all non-essential visitors, and established a threat intelligence program that monitors the dark web, social media, and OSINT sources for any indication that Zenith facilities are being targeted. Within 12 months, Zenith's physical security maturity score improved from a failing grade to industry-leading, and the company became a case study in proactive physical-cyber convergence security.

Result: Industry-leading physical security maturity, zero successful intrusions post-remediation

7-Step Mitigation Guide

A structured approach to reducing your organization's physical location exposure and hardening facilities against reconnaissance-driven attacks aligned with MITRE D3FEND and NIST frameworks.

1. Audit Your Public Location Footprint

Conduct a comprehensive audit of all publicly available information about your physical locations. Search Google for your company name combined with "office," "address," "facility," "headquarters," and "location." Check your own website, press releases, SEC filings, job postings, and social media profiles. Document every instance where a specific address, building name, floor plan, or facility detail is exposed. This audit should be repeated quarterly and after any corporate change such as mergers, office moves, or new facility openings. Assign a dedicated team to monitor and manage your public location data on an ongoing basis.

2. Minimize Publicly Disclosed Facility Details

Remove or obscure specific street addresses from your public-facing websites, replacing them with regional descriptions or PO boxes. Avoid listing building names, floor numbers, suite details, or campus maps. Review all marketing materials, case studies, and press photos for inadvertent location disclosures. Implement a content review process requiring security team sign-off before any facility information is published externally. For public companies, work with legal counsel to determine the minimum location disclosure required by regulations and provide nothing beyond that minimum in public filings.

3. Control Social Media Location Exposure

Establish and enforce a social media policy that prohibits employees from geotagging posts at company facilities, sharing photos that reveal building interiors or security features, or disclosing facility-specific information. Provide regular training on the risks of social media reconnaissance, using real-world examples of how adversaries use platforms like LinkedIn, Instagram, and Facebook to build facility profiles. Monitor social media for posts that violate the policy and address violations promptly. Consider deploying social media monitoring tools that can detect when employees inadvertently expose sensitive location information.

4. Manage Street View and Imagery Exposure

Request Google to blur or remove imagery of your sensitive facilities through their Street View reporting tool. Erect physical barriers, landscaping, or signage that discourages aerial and street-level photography of critical infrastructure. Work with satellite imagery providers to understand what resolution imagery of your facilities is publicly available. Consider installing privacy screens, tinted windows, or architectural features that prevent casual observation of building interiors, server rooms, loading docks, and security equipment from public spaces.

5. Secure Job Postings and Public Documents

Sanitize job postings to remove facility-specific details such as building names, specific equipment models, floor locations, and shift schedules. Use generic location descriptions like "East Coast Region" rather than specific addresses. Review public permits, building plans, and government filings for sensitive information and work with relevant authorities to determine what can be redacted. Implement document classification procedures that flag any document containing physical location details as sensitive, requiring additional review before public release.

6. Implement Counter-Surveillance Measures

Deploy counter-surveillance programs that detect and deter physical reconnaissance activity around your facilities. This includes security patrols that look for unusual photography or observation behavior, CCTV systems with analytics that can detect loitering, and relationships with local law enforcement for rapid response to suspicious activity. Train front desk staff, receptionists, and security guards to recognize and report reconnaissance indicators such as people asking unusual questions about building operations, photographing security equipment, or testing access control mechanisms.

7. Integrate Physical and Cyber Security Programs

Break down organizational silos between physical security and cybersecurity teams. Physical location intelligence gathered by adversaries informs both physical intrusion attempts and cyber operations. Your security operations center (SOC) should correlate physical access events with network anomalies. Guard tour management systems should feed into your SIEM. Vendor access logs should be correlated with phishing campaign timing. Regular joint exercises that simulate adversary reconnaissance combining physical and digital techniques will identify gaps that neither team would find independently. Appoint a convergence security leader who owns both physical and cyber threat intelligence programs.

Common Mistakes & Best Practices

Avoiding the most frequent pitfalls and adopting proven strategies can dramatically reduce your exposure to physical location reconnaissance by state-sponsored and criminal threat actors.

❌ Common Mistakes

Publishing detailed "Our Offices" pages with full addresses, photos, building names, and floor information, providing adversaries with a complete facility inventory on a silver platter.

Allowing unrestricted social media posting from facilities, including geotagged photos, check-ins, and videos that reveal security camera positions, access control types, and interior layouts.

Job postings that reveal too much, specifying exact locations, security clearance levels, shift times, and specialized equipment that tells adversaries exactly what assets exist where.

Ignoring Street View and satellite imagery, failing to request blurring of sensitive facilities, leaving high-resolution building and perimeter imagery freely accessible to anyone with a web browser.

Treating physical and cyber security as separate domains, creating blind spots where physical reconnaissance goes undetected by cyber teams and digital indicators go unnoticed by facility security.

No vendor or visitor location monitoring, allowing contractors, delivery personnel, and visitors to move freely through facilities and share observations without oversight or tracking.

✅ Best Practices

Implement a public information minimization program that continuously audits and reduces the amount of facility-specific information available publicly, treating location data as a sensitive asset class.

Deploy comprehensive social media monitoring with automated alerts for employee posts that contain location data, facility photos, or security-relevant information about your physical sites.

Sanitize all public-facing documents including job postings, press releases, marketing materials, and regulatory filings to remove or generalize any facility-specific details that could aid reconnaissance.

Request imagery blurring and install physical countermeasures including privacy barriers, window treatments, and signage that makes it clear photography is prohibited and monitored.

Establish a physical-cyber security convergence program with shared intelligence feeds, joint incident response procedures, and regular combined exercises that simulate location-aware attack scenarios.

Conduct regular red team physical assessments that test your organization's ability to detect and respond to adversarial surveillance, social engineering attempts, and physical access probing at all facilities.

Red Team vs Blue Team

Understanding both sides of the physical location intelligence battle helps organizations build more resilient defenses and anticipate adversarial tradecraft before it is deployed.

⚔ Red Team, Attack Methodology

1. OSINT Collection: Scrape corporate websites, LinkedIn, Glassdoor, and press releases for facility addresses, building names, and organizational charts tied to specific locations.

2. Imagery Analysis: Use Google Maps, Street View, Bing Maps, and satellite imagery services to catalog building layouts, perimeter security, parking configurations, and loading dock positions.

3. Social Media Harvesting: Monitor employee social media for geotagged posts, facility photos, check-ins at specific buildings, and discussions about workplace location or commute patterns.

4. Property Record Mining: Search county assessor databases, building permits, and zoning records for facility ownership, construction details, renovation plans, and capacity information.

5. Job Posting Analysis: Parse job listings for facility-specific intelligence including equipment models, security system vendors, shift schedules, department names, and clearance requirements.

6. Conference Tracking: Monitor industry conference registrations, speaker lists, and attendee directories to identify which employees work at which facilities and their specific roles.

🛡 Blue Team, Defense Strategy

1. Information Audit: Conduct quarterly reviews of all publicly accessible location data and implement remediation workflows for any discovered exposure, assigning owners and deadlines.

2. Imagery Management: Request blurring of sensitive facilities on mapping platforms, install physical privacy measures, and monitor for new imagery captures after facility modifications.

3. Social Media Governance: Deploy monitoring tools, enforce posting policies, train employees regularly, and provide anonymous reporting channels for policy violations.

4. Public Record Review: Work with legal and government affairs to minimize sensitive disclosures in public filings and request redactions where legally permissible.

5. Posting Sanitization: Implement mandatory security review for all job postings, standardize location descriptions to region-level only, and train HR on the intelligence value of posting details.

6. Counter-Surveillance: Deploy detection capabilities for physical surveillance, train frontline staff on reconnaissance indicators, and maintain law enforcement partnerships for rapid response.

Hunter's Toolkit

Practical detection queries, data sources, and analytical techniques that security teams can use to identify adversarial physical location reconnaissance targeting their organization.

DNS & Network Intelligence

Monitor for unusual DNS queries, reverse lookups, and certificate transparency logs that may indicate adversaries mapping your network infrastructure associated with physical facilities. Look for increased enumeration from foreign IPs targeting your facility-associated subnets.

-- Parenthesize the OR: without it, AND binds tighter and the internal-range exclusion
-- only applies to the '%office%' branch.
SELECT dns.query_name, dns.query_type, COUNT(*) AS query_count
FROM dns_logs dns
WHERE (dns.query_name LIKE '%facility%' OR dns.query_name LIKE '%office%')
  AND dns.source_ip NOT IN (internal_ranges)   -- replace with your internal IP / CIDR list
GROUP BY dns.query_name, dns.query_type
HAVING COUNT(*) > threshold                    -- tune to your baseline query volume

Social Media OSINT Monitoring

Use automated tools to monitor social media platforms for posts containing your facility names, addresses, or geotagged locations. Track employee mentions of specific buildings, campus locations, and workplace photos that reveal interior details or security measures.

# Social media monitoring keywords (pseudocode)
keywords = [
    "CompanyName" + ("office" | "building" | "campus"),
    "CompanyName" + ("headquarters" | "data center"),
    facility_addresses,
    building_permit_numbers,
    "@employee_handle" + geotagged_posts
]
alert_when: post_found AND NOT authorized

Web Access Log Analysis

Analyze web server logs for reconnaissance patterns targeting your "Contact Us," "Locations," "About Us," and careers pages. Look for automated scraping, unusual User-Agent strings, and high-volume enumeration from single IPs or IP ranges.

-- Group on the client, not on each request, and express the "within one hour" condition
-- as the span between a client's first and last hit (PostgreSQL interval syntax).
SELECT remote_addr, user_agent,
       COUNT(*) AS hits,
       COUNT(DISTINCT request_uri) AS distinct_pages
FROM access_logs
WHERE request_uri LIKE '%location%'
   OR request_uri LIKE '%office%'
   OR request_uri LIKE '%contact%'
   OR request_uri LIKE '%facility%'
GROUP BY remote_addr, user_agent
HAVING COUNT(*) > 50
   AND MAX(request_time) - MIN(request_time) < INTERVAL '1 hour'   -- request_time: your timestamp column

Physical Access Anomaly Detection

Correlate physical access control logs with visitor management systems to detect unusual access patterns, repeated failed badge attempts, unauthorized area access attempts, and tailgating indicators that may indicate on-site reconnaissance by adversaries.

-- Non-aggregated columns must be grouped or aggregated: report the first and last
-- denied swipe per (badge, door) and bound the span to 24 hours.
SELECT badge_id, door_name,
       MIN(timestamp) AS first_attempt,
       MAX(timestamp) AS last_attempt,
       COUNT(*) AS attempts
FROM access_control_logs
WHERE result = 'DENIED'
  AND door_name IN (restricted_doors)        -- replace with your list of restricted doors
GROUP BY badge_id, door_name
HAVING COUNT(*) > 3
   AND MAX(timestamp) - MIN(timestamp) < INTERVAL '24 hours'
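The two queries above (web access log analysis and physical access anomaly detection) share one idea: count events per actor inside a sliding time window and alert past a threshold. This added example, not from the original page, implements that once in Python and runs it over constructed web log lines and badge events; the log format, internal ranges, restricted door names and thresholds are assumptions to adapt to your environment.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values (constructed for this example): paths that map facilities,
# internal address space to exclude, and the doors that count as restricted.
RECON_PATH_TERMS = ("location", "office", "contact", "facility", "careers")
INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
RESTRICTED_DOORS = {"Server Room", "Lab B Rear"}

# NGINX/Apache combined log format (assumed; adjust the regex to your own log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def burst_keys(events, window, threshold):
    """Sliding-window counter: return {key: peak_count} for each key that has more than
    `threshold` events inside any span of length `window`. events are (key, datetime)."""
    windows = defaultdict(deque)
    peaks = {}
    for key, ts in sorted(events, key=lambda e: e[1]):
        q = windows[key]
        q.append(ts)
        while ts - q[0] > window:  # evict events that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def web_recon_alerts(log_text, window=timedelta(hours=1), threshold=5):
    """External IPs that hit location-related pages more than `threshold` times in `window`."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the sweep
        if any(ipaddress.ip_address(m["ip"]) in net for net in INTERNAL_RANGES):
            continue  # the SQL's NOT IN (internal_ranges)
        if any(term in m["path"].lower() for term in RECON_PATH_TERMS):
            events.append((m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")))
    return burst_keys(events, window, threshold)


def badge_denial_alerts(rows, window=timedelta(hours=24), threshold=3):
    """(badge_id, door) pairs with more than `threshold` DENIED swipes at restricted doors in `window`."""
    events = [((badge, door), ts) for badge, door, ts, result in rows
              if result == "DENIED" and door in RESTRICTED_DOORS]
    return burst_keys(events, window, threshold)


# Constructed sample web log: a scraper enumerating every location page within minutes,
# one ordinary visitor, and an internal host that must be ignored.
CITIES = ["new-york", "london", "dubai", "mumbai", "singapore", "tokyo"]
SAMPLE_ACCESS_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Mar/2024:09:0{i}:00 +0000] "GET /locations/{c} HTTP/1.1" 200 4100 "-" "python-requests/2.31"'
     for i, c in enumerate(CITIES)]
    + ['198.51.100.20 - - [12/Mar/2024:10:15:00 +0000] "GET /contact HTTP/1.1" 200 2200 "-" "Mozilla/5.0"']
    + [f'10.0.0.5 - - [12/Mar/2024:10:1{i}:00 +0000] "GET /locations HTTP/1.1" 200 5100 "-" "Mozilla/5.0"'
       for i in range(6)]
)

# Constructed badge events: (badge_id, door_name, timestamp, result).
T0 = datetime(2024, 3, 12, 22, 0)
SAMPLE_BADGE_ROWS = (
    [("B-1042", "Server Room", T0 + timedelta(hours=h), "DENIED") for h in range(4)]
    + [("B-2001", "Server Room", T0, "DENIED"), ("B-2001", "Server Room", T0 + timedelta(hours=5), "DENIED"),
       ("B-1042", "Main Lobby", T0, "DENIED"), ("B-3300", "Server Room", T0, "GRANTED")]
)

if __name__ == "__main__":
    print(web_recon_alerts(SAMPLE_ACCESS_LOG))    # {'203.0.113.7': 6}
    print(badge_denial_alerts(SAMPLE_BADGE_ROWS))  # {('B-1042', 'Server Room'): 4}
```

The peak count is reported rather than the total, so a slow drip of hits spread over a day does not trip the one-hour rule while a burst does.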

Job Board & Public Record Monitoring

Regularly search major job boards and public records databases for postings and filings that mention your facilities. Compare job posting content against your approved disclosure policies and flag any postings that exceed authorized information sharing.

# Automated job board sweep (pseudocode)
FOR EACH platform IN [LinkedIn, Indeed, Glassdoor]:
    SEARCH "CompanyName" + facility_keywords
    EXTRACT: location, equipment, clearances, shifts, building_details
    COMPARE: extracted_data vs approved_policy
    ALERT: IF disclosure_violation_detected
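The COMPARE and ALERT steps above, and the sanitization rule from step 5 of the mitigation guide (region-level locations only), as an added example that is not part of the original page: a small policy checker that flags facility-specific details in a posting and rewrites them. The rule patterns, the fictional posting, the address and the vendor name are all constructed; the regexes are heuristics and need tuning against your own postings.

```python
import re

# Assumed disclosure policy (constructed for this example): a posting may name a region,
# but not a street address, floor/suite/building, shift times, equipment models or security vendors.
DISCLOSURE_RULES = {
    "street_address": re.compile(
        r"\b\d{1,5}\s+[A-Z][a-zA-Z]+\s+(Street|St|Avenue|Ave|Road|Rd|Boulevard|Blvd)\b"),
    "floor_or_suite": re.compile(
        r"\b(\d+(st|nd|rd|th)\s+floor|floor\s+\d+|suite\s+\d+|building\s+[A-Z0-9]+)\b", re.I),
    "shift_schedule": re.compile(
        r"\b\d{1,2}\s*(am|pm)\s*(to|-)\s*\d{1,2}\s*(am|pm)\b|\bnight shift\b", re.I),
    # Brand followed by a model number, e.g. "Agilent 1290" or "Cisco ASA-5506" (heuristic).
    "equipment_model": re.compile(r"\b[A-Z][a-z]+\s+[A-Z]{0,3}-?\d{3,5}[A-Z]?\b"),
    "security_vendor": re.compile(r"\b[A-Z][A-Za-z]+\s+(badge readers?|access control|CCTV)"),
}


def audit_posting(text):
    """Return {rule: [matched snippets]} for every rule the posting violates (empty dict = clean)."""
    findings = {}
    for rule, pattern in DISCLOSURE_RULES.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[rule] = hits
    return findings


def sanitize_posting(text, region_label):
    """Rewrite a posting so it passes audit_posting: street addresses become the
    region label (the guide's "East Coast Region"), every other finding a neutral placeholder."""
    text = DISCLOSURE_RULES["street_address"].sub(region_label, text)
    for rule, pattern in DISCLOSURE_RULES.items():
        if rule != "street_address":
            text = pattern.sub(f"[{rule} removed]", text)
    return text


# Constructed sample postings (fictional company, address, equipment and vendor).
LEAKY_POSTING = """Senior Lab Technician - Zenith Pharmaceuticals
Location: 250 Park Avenue, New York, 14th floor, Building C.
Shift: 10pm to 6am, night shift coverage for the oncology lab.
You will operate the Agilent 1290 HPLC system and support the AcmeSecure badge readers."""

CLEAN_POSTING = """Senior Lab Technician - Zenith Pharmaceuticals
Location: East Coast Region. Shifts vary; details shared during interview."""

if __name__ == "__main__":
    for rule, hits in audit_posting(LEAKY_POSTING).items():
        print(f"{rule}: {hits}")
    print(sanitize_posting(LEAKY_POSTING, "East Coast Region"))
```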

Threat Intelligence Correlation

Integrate physical security incident data with cyber threat intelligence feeds. Correlate observed physical surveillance reports with known APT TTPs for location reconnaissance. Cross-reference dark web forum mentions of your facilities or locations with access attempts.

-- Correlate physical incidents with cyber IOCs
SELECT p.incident_time, p.location, p.surveillance_type,
       c.source_ip, c.target_system, c.malware_family
FROM physical_incidents p
JOIN cyber_alerts c ON DATE(p.incident_time) = DATE(c.alert_time)
WHERE p.facility_name = c.target_facility
ORDER BY p.incident_time DESC

Take Action Now

Physical location reconnaissance is a silent, pervasive threat that enables some of the most damaging attacks in modern cybersecurity. The time to audit your exposure and harden your defenses is today, before an adversary completes their map of your facilities.
