Why Reconnaissance Matters in the Attack Lifecycle
Reconnaissance is the first tactic in the MITRE ATT&CK Enterprise matrix for good reason. Before an adversary deploys malware, moves laterally, or exfiltrates data, they must first understand the target environment. The intelligence gathered during reconnaissance directly shapes the tools, exploits, and social-engineering lures an attacker will use in subsequent phases.
For defenders, this presents both a challenge and an opportunity. Reconnaissance activity is inherently noisier than later-stage tactics because the attacker is still probing the unknown. If security teams can detect and respond to reconnaissance early, they can disrupt an intrusion before any real damage occurs.
This post examines three critical reconnaissance techniques catalogued by MITRE ATT&CK: T1595 (Active Scanning), T1592 (Gather Victim Host Information), and T1589 (Gather Victim Identity Information). It outlines practical detection strategies for each.
T1595: Active Scanning
What It Is
Active scanning encompasses any technique where an adversary directly probes the target's infrastructure to discover live hosts, open ports, running services, and software versions. Common sub-techniques include:
- T1595.001, Scanning IP Blocks: Systematically sweeping IP ranges with tools such as Nmap, Masscan, or ZMap to identify internet-facing assets.
- T1595.002, Vulnerability Scanning: Using automated scanners like Nessus, OpenVAS, or Nuclei to fingerprint services and test for known CVEs.
- T1595.003, Wordlist Scanning: Brute-forcing URI paths, subdomains, or API endpoints to discover hidden resources.
Detection Strategies
Active scanning generates distinctive network patterns that defenders can monitor:
- Threshold-based alerting on connection volume: A single source IP establishing connections to an unusually high number of destination ports or hosts within a short window is a strong indicator. Configure your network detection and response (NDR) sensors to flag this behaviour.
- SYN-to-SYN/ACK ratio analysis: Port scans typically produce a high ratio of SYN packets to completed handshakes. Monitoring this ratio at the perimeter can surface scanning activity that simple firewall logs might miss.
- User-Agent and header anomaly detection: Vulnerability scanners often leave identifiable signatures in HTTP headers. Maintaining a list of known scanner User-Agent strings and alerting on matches is a low-effort, high-value detection.
- DNS query volume spikes: Subdomain enumeration tools generate bursts of DNS queries for non-existent records (NXDOMAIN responses). Monitoring authoritative DNS logs for sudden spikes in NXDOMAIN rates can reveal wordlist-based reconnaissance.
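As an added example that is not part of the original post or SenseOn's product, the first two detections above (connection volume per source and the SYN-to-SYN/ACK ratio) implemented over constructed flow records; the IPs are documentation addresses and the thresholds are illustrative starting points, not tuned values.

```python
from collections import defaultdict

# Constructed sample flows (not real traffic): (timestamp_s, src_ip, dst_ip, dst_port, syn_ack_seen).
# 203.0.113.7 sweeps 40 ports on one host in 8 seconds and completes only 1 in 10 handshakes;
# 198.51.100.4 is an ordinary client making 30 completed HTTPS connections over 150 seconds.
FLOWS = [(100 + i * 0.2, "203.0.113.7", "10.0.0.5", 20 + i, i % 10 == 0) for i in range(40)]
FLOWS += [(100 + i * 5.0, "198.51.100.4", "10.0.0.8", 443, True) for i in range(30)]

def detect_scanners(flows, window=60.0, min_targets=20, max_handshake_ratio=0.25):
    """Flag a source that touches >= min_targets distinct (host, port) pairs within a
    sliding time window *and* completes at most max_handshake_ratio of those connections.
    Requiring both conditions keeps busy-but-legitimate clients out of the alert stream."""
    by_src = defaultdict(list)
    for ts, src, dst, port, completed in sorted(flows):
        by_src[src].append((ts, (dst, port), completed))

    findings = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # drop events older than the window
                start += 1
            span = events[start:end + 1]
            targets = {target for _, target, _ in span}
            if len(targets) < min_targets:
                continue
            ratio = sum(1 for _, _, done in span if done) / len(span)
            if ratio <= max_handshake_ratio:
                findings[src] = {"distinct_targets": len(targets), "handshake_ratio": round(ratio, 3)}
                break  # one finding per source is enough; the raw flows supply the rest of the context
    return findings

if __name__ == "__main__":
    for src, detail in detect_scanners(FLOWS).items():
        print(f"possible T1595 scan from {src}: {detail}")
```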
How SenseOn Detects Active Scanning
SenseOn's network micro-sensor captures full packet metadata at the endpoint level, meaning scanning activity is visible even when the attacker is inside the network perimeter. The cross-domain correlation engine correlates connection patterns across supervised models (known scanner signatures), unsupervised models (anomalous connection volumes), and deep-learning sequence models (temporal patterns in packet flows) to surface scanning with extremely low false-positive rates.
T1592: Gather Victim Host Information
What It Is
Before crafting an exploit, attackers need to know what software, hardware, and configurations their targets are running. T1592 covers the collection of host-level details such as:
- T1592.001, Hardware: Identifying device types, firmware versions, and architecture (e.g., ARM vs x86) through banner grabbing or exposed management interfaces.
- T1592.002, Software: Enumerating installed applications, operating system versions, and patch levels via exposed service banners, error pages, or publicly accessible configuration files.
- T1592.003, Firmware: Targeting IoT and OT devices to determine firmware versions with known vulnerabilities.
- T1592.004, Client Configurations: Harvesting browser versions, plugin inventories, and security-tool presence through JavaScript fingerprinting on attacker-controlled websites.
Detection Strategies
Because much of this information gathering occurs passively or on attacker-controlled infrastructure, detection requires a blend of internal and external monitoring:
- Monitor for information-disclosure vulnerabilities: Regularly audit your web applications and APIs for endpoints that leak version strings, stack traces, or server configuration details. Automated DAST tools can help, but manual review of error-handling paths is also important.
- Track JavaScript fingerprinting attempts: If you operate a web application, deploy Content Security Policy (CSP) headers that restrict script execution. On the client side, monitor your users' outbound traffic for connections to known fingerprinting services.
- Baseline outbound data flows: Unusual outbound connections from servers that typically only handle inbound requests can indicate that an attacker has planted a reconnaissance payload. Behavioural baselines help surface these anomalies.
- Endpoint telemetry correlation: Tools that collect endpoint-level data, such as process trees, loaded modules, and file-system events, can detect when an attacker runs local enumeration commands like systeminfo, uname -a, or wmic after gaining initial access.
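The endpoint-telemetry detection described in the last bullet, as an added example that is not SenseOn's code: process-creation events are grouped by parent process and user, and a burst of distinct enumeration commands raises an alert whose severity depends on whether the parent is a routine administrative process. The event format, the ENUM_PATTERNS list and the ROUTINE_PARENTS allow-list are assumptions for illustration.

```python
from collections import defaultdict

# Constructed process-creation events (not real telemetry):
# (timestamp_s, host, parent_pid, parent_image, user, command_line).
# On ws-17 a mail client spawns a burst of enumeration commands; on srv-01 an admin
# over SSH runs a single uname, which should not alert on its own.
EVENTS = [
    (10, "ws-17", 4120, "outlook.exe", "jdoe", "cmd.exe /c systeminfo"),
    (12, "ws-17", 4120, "outlook.exe", "jdoe", "whoami /all"),
    (15, "ws-17", 4120, "outlook.exe", "jdoe", "wmic qfe list"),
    (16, "ws-17", 4120, "outlook.exe", "jdoe", "net view"),
    (300, "srv-01", 880, "sshd", "ops", "uname -a"),
    (3000, "srv-01", 880, "sshd", "ops", "systemctl status nginx"),
]
# Substrings that mark a command as host enumeration (illustrative list; extend per estate).
ENUM_PATTERNS = ("systeminfo", "whoami", "wmic", "net view", "net group", "uname -a",
                 "ipconfig /all", "ifconfig", "nltest", "hostname")
# Hypothetical allow-list of parent images under which enumeration is routine admin work.
ROUTINE_PARENTS = {"sshd", "explorer.exe", "powershell_ise.exe"}

def enum_tag(cmdline):
    """Return the first enumeration pattern found in the command line, or None."""
    low = cmdline.lower()
    return next((p for p in ENUM_PATTERNS if p in low), None)

def detect_enum_chains(events, window=120, min_distinct=3):
    """Alert when one parent process (per host and user) runs >= min_distinct different
    enumeration commands inside `window` seconds; severity rises when the parent is not
    a normal administrative process."""
    chains = defaultdict(list)
    for ts, host, ppid, parent, user, cmd in sorted(events):
        tag = enum_tag(cmd)
        if tag:
            chains[(host, ppid, parent, user)].append((ts, tag, cmd))
    alerts = []
    for (host, ppid, parent, user), items in chains.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            if len({tag for _, tag, _ in items[start:end + 1]}) >= min_distinct:
                # Keep every tagged command inside the window so the analyst sees the full chain.
                chain = [cmd for ts, _, cmd in items[start:] if ts - items[start][0] <= window]
                alerts.append({"host": host, "user": user, "parent_pid": ppid, "parent_image": parent,
                               "severity": "medium" if parent in ROUTINE_PARENTS else "high",
                               "commands": chain})
                break
    return alerts
```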
How SenseOn Detects Host Reconnaissance
SenseOn's lightweight endpoint agent continuously monitors process execution and command-line arguments. When a sequence of host-enumeration commands is executed, particularly by a process tree that does not match normal administrative activity, the platform raises a contextual alert that includes the full command chain, the parent process, and the user account involved.
T1589: Gather Victim Identity Information
What It Is
Identity reconnaissance targets the people within an organisation rather than the infrastructure. Adversaries seek:
- T1589.001, Credentials: Searching paste sites, dark-web marketplaces, and breach databases for leaked usernames and passwords associated with the target domain.
- T1589.002, Email Addresses: Harvesting corporate email addresses from LinkedIn, company websites, GitHub commits, and WHOIS records to build phishing target lists.
- T1589.003, Employee Names: Compiling organisational charts and reporting structures to craft convincing business-email-compromise (BEC) lures.
Detection Strategies
- Dark-web and breach monitoring: Subscribe to threat intelligence feeds or services that monitor for your organisation's credentials appearing in breach dumps. Promptly force password resets for any affected accounts.
- Email-address enumeration detection: If your mail server responds differently to valid versus invalid recipients (e.g., different SMTP response codes), attackers can enumerate valid addresses. Configure your mail transfer agent to return uniform responses regardless of address validity.
- Phishing simulation and awareness: While not a technical detection, regular phishing simulations help gauge your organisation's susceptibility to lures built from identity reconnaissance and improve staff vigilance.
- Impossible-travel and credential-stuffing detection: Monitor authentication logs for sign-in attempts from geographically improbable locations or for high-velocity login attempts across many accounts, strong indicators that harvested credentials are being tested.
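The last bullet's two authentication-log checks, credential stuffing and impossible travel, as an added example that is not part of the original post or SenseOn's analytics engine. The record layout, coordinates, thresholds and account names are constructed for illustration; a real pipeline would geolocate the source IP rather than carry coordinates in the log.

```python
import math
from collections import defaultdict

# Constructed sign-in records (not real logs): (timestamp_s, user, src_ip, lat, lon, success).
# 203.0.113.9 tries 60 different accounts in one minute and lands one; alice "moves"
# London -> New York in 30 minutes; bob goes London -> Berlin in 2 hours (plausible).
AUTH = [(i, f"user{i:03d}@example.com", "203.0.113.9", 48.86, 2.35, False) for i in range(60)]
AUTH += [(70, "user007@example.com", "203.0.113.9", 48.86, 2.35, True),
         (3600, "alice@example.com", "198.51.100.2", 51.51, -0.13, True),
         (5400, "alice@example.com", "192.0.2.44", 40.71, -74.01, True),
         (9000, "bob@example.com", "198.51.100.7", 51.51, -0.13, True),
         (16200, "bob@example.com", "198.51.100.7", 52.49, 13.40, True)]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a sphere of Earth's mean radius."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect_credential_stuffing(records, window=300, min_accounts=25, min_fail_rate=0.8):
    """One source IP hitting many distinct accounts, mostly failing, inside a fixed window."""
    buckets = defaultdict(list)
    for ts, user, ip, _, _, ok in records:
        buckets[(ip, ts // window)].append((user, ok))
    hits = {}
    for (ip, _), attempts in buckets.items():
        accounts = {user for user, _ in attempts}
        fail_rate = sum(1 for _, ok in attempts if not ok) / len(attempts)
        if len(accounts) >= min_accounts and fail_rate >= min_fail_rate:
            hits[ip] = {"accounts": len(accounts), "fail_rate": round(fail_rate, 2)}
    return hits

def detect_impossible_travel(records, max_kmh=900.0):
    """Consecutive successful sign-ins by one user that imply a travel speed above max_kmh."""
    last, flagged = {}, {}
    for ts, user, ip, lat, lon, ok in sorted(records):
        if not ok:
            continue  # failed attempts say nothing about where the real user is
        if user in last:
            p_ts, p_lat, p_lon = last[user]
            hours = (ts - p_ts) / 3600
            if hours > 0:
                kmh = haversine_km(p_lat, p_lon, lat, lon) / hours
                if kmh > max_kmh:
                    flagged[user] = round(kmh)
        last[user] = (ts, lat, lon)
    return flagged
```

The two checks are complementary: stuffing is keyed on the source, impossible travel on the user, so a successful guess from the stuffing source that is later reused from another region shows up in both.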
How SenseOn Detects Identity-Based Attacks
SenseOn ingests authentication telemetry from endpoints, cloud identity providers, and network authentication protocols. Its behavioural analytics engine builds per-user baselines covering login times, source locations, devices, and access patterns. When a credential-stuffing campaign or an impossible-travel event deviates from these baselines, the platform generates a high-confidence alert enriched with full session context.
Building a Unified Reconnaissance Defence
Detecting reconnaissance in isolation is helpful, but the real defensive advantage comes from correlating reconnaissance signals across all three categories. An attacker who scans your perimeter (T1595), fingerprints your web servers (T1592), and harvests employee email addresses (T1589) is likely in the early planning stages of a targeted intrusion.
Security teams should:
- Centralise telemetry: Ensure network, endpoint, identity, and threat-intelligence data flows into a single analytics platform so that weak signals from different reconnaissance techniques can be correlated into a strong composite indicator.
- Automate enrichment: When a scanning alert fires, automatically enrich it with threat-intelligence lookups on the source IP, recent credential-breach data for your domain, and any related host-fingerprinting events.
- Implement deception: Deploy honeypots, honey tokens, and canary files that are invisible to legitimate users but irresistible to attackers performing reconnaissance. Any interaction with these decoys is a near-certain indicator of malicious intent.
- Adopt a continuous-validation mindset: Use breach-and-attack simulation (BAS) tools to periodically test whether your detection capabilities actually catch the reconnaissance techniques described above. Detection rules degrade over time as infrastructure changes; regular validation keeps them sharp.
By treating reconnaissance not as mere noise but as actionable intelligence, security teams can shift from reactive incident response to proactive threat disruption, stopping attacks before they begin.