Introduction
In the ever-evolving landscape of cybersecurity, defenders often focus on malware payloads, ransomware encryption, and command-and-control (C2) channels. But before adversaries deliver a single line of malicious code, they invest time in an often-overlooked phase: reconnaissance.
Reconnaissance is the digital equivalent of casing a building before a break-in. Threat actors spend days, weeks, or even months gathering information about their target’s environment, employees, and vulnerabilities before launching an attack.
The MITRE ATT&CK framework, widely adopted across security operations centers (SOCs), maps out adversarial behavior across the entire intrusion lifecycle. Within this matrix, Reconnaissance stands as the earliest stage — a crucial foundation upon which attackers build the rest of their campaign.
This article provides an in-depth, 5000-word exploration of Reconnaissance in MITRE ATT&CK: its techniques, tools, case studies, detection strategies, and best practices for defenders. Whether you’re a SOC analyst, a red team operator, or a CISO, understanding reconnaissance is key to anticipating and disrupting adversary campaigns.
Understanding Reconnaissance in the MITRE ATT&CK Framework
What Is Reconnaissance?
In MITRE ATT&CK, Reconnaissance is defined as “techniques that involve adversaries actively or passively gathering information they can use to support targeting.”
This activity happens before initial access. It does not necessarily involve malicious software or exploits; instead, it focuses on building a knowledge base about the target.
Adversaries may gather:
- Technical information: IP ranges, domains, SSL certificates, open ports, VPN gateways.
- Organizational data: subsidiary companies, supply chain vendors, cloud providers.
- Human intelligence: employee names, job titles, emails, phone numbers.
- Defensive controls: security vendors, SOC locations, or firewall types (e.g., FortiGate, Palo Alto).
Think of reconnaissance as the recon mission in a military campaign: knowing the terrain before advancing.
Reconnaissance in the ATT&CK Matrix
Reconnaissance sits at the very top of the MITRE ATT&CK enterprise matrix. It is often overlooked because many SOCs concentrate on post-compromise tactics like lateral movement or exfiltration. Yet, the better an attacker’s reconnaissance, the smoother the rest of the operation becomes.
MITRE’s Reconnaissance tactics span techniques T1590 to T1599, covering information gathering about people, infrastructure, and technologies.
Reconnaissance Techniques in MITRE ATT&CK
Let’s break down some of the most important reconnaissance techniques documented in ATT&CK.
T1590 – Gather Victim Network Information
Adversaries collect details about the victim’s network infrastructure. This may include IP address ranges, subdomains, cloud services, or VPN gateways.
- Example: Using Shodan or Censys to find publicly exposed firewalls or RDP servers.
- Risk: Helps attackers plan port scans or phishing campaigns targeting exposed services.
T1591 – Gather Victim Org Information
Adversaries profile endpoint devices, operating systems, or installed applications.
- Example: Checking job postings for “Linux administrator with Red Hat experience” to guess internal OS use.
- Risk: Informs exploit choice (Windows SMB vs Linux SSH brute force).
T1593 – Search Open Websites/Domains
Adversaries use OSINT to examine websites, domains, and DNS records.
- Example: WHOIS queries, DNS zone transfers, subdomain enumeration with Amass.
- Risk: Maps out external attack surface.
T1595 – Active Scanning
Adversaries probe target systems directly to identify open ports, services, and vulnerabilities.
- Example: Running Nmap or Masscan against a target subnet.
- Risk: May trigger SOC alerts but provides precise system information.
T1597 – Search Engines
Adversaries leverage search engines like Google, Bing, or specialized dorks.
- Example: “site:example.com filetype:pdf” to locate sensitive documents.
- Risk: Reveals misconfigured data exposure.
T1598 – Phishing for Information
Not all phishing aims to drop malware. Some phishing attempts simply gather credentials or employee information.
- Example: Fake surveys or job recruitment emails.
- Risk: Lays groundwork for later credential theft.
T1599 – Network Boundary Bridging
Adversaries attempt to understand how networks connect across boundaries, such as VPNs, proxies, or segmented networks.
- Example: Identifying a remote access portal used by contractors.
- Risk: Enables lateral attacks through trusted connections.
Tools and Methods Used in Reconnaissance
Attackers have an ever-expanding toolkit for reconnaissance. Here’s what they commonly use:
1. OSINT Tools
- Maltego: Builds graphs of people, domains, and organizations.
- Recon-ng: A modular framework for OSINT automation.
- theHarvester: Collects email addresses and domain data.
2. Search Engines and Dorks
- Google Dorks: Targeted queries revealing exposed files or credentials.
- Censys & Shodan: Specialized search engines for internet-connected devices.
3. Scanning Tools
- Nmap: Classic network scanner for open ports.
- Masscan: Internet-wide scanning at scale.
- Nessus/Qualys: Vulnerability scanners used for footprinting.
4. Social Engineering
- LinkedIn Scraping: Gathering employee roles for spear phishing.
- Fake recruitment emails: Collecting resumes for credential harvesting.
5. Dark Web Research
- Monitoring underground forums for leaks about the target.
Real-World Case Studies
Case Study 1: APT29 and Government Reconnaissance
APT29 (Cozy Bear) has been observed performing long-term reconnaissance against Western governments. They scrape LinkedIn profiles, monitor press releases, and analyze cloud providers before launching phishing campaigns.
Case Study 2: SolarWinds Attack
Before inserting malicious code into SolarWinds’ Orion software, attackers conducted deep reconnaissance on the company’s build environment. Without reconnaissance, such a supply-chain compromise would have been impossible.
Case Study 3: Corporate Espionage
An Asian financial institution discovered adversaries performing weeks of active scanning on its VPN gateways. Logs revealed repeated Shodan queries tied to their IP space, highlighting the reconnaissance footprint left behind.
Detection of Reconnaissance Activities
For SOC analysts, reconnaissance detection is tricky because much of it happens outside the monitored network. Still, there are ways:
Network Traffic Analysis
- Monitor DNS queries for unusual subdomain lookups.
- Flag large-scale port scanning from suspicious IPs.
Endpoint Detection (EDR)
- Identify unauthorized use of recon tools like Nmap on endpoints.
- Alert on script-based enumeration (PowerShell Get-ADUser).
Splunk Use Cases
- Correlation searches for repeated login attempts across multiple accounts.
- Dashboards showing failed RDP/SSH attempts from foreign IP ranges.
Threat Intelligence Feeds
- Track IPs associated with Shodan scans or OSINT automation.
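As an added illustration of the network and login detections listed above (example code, not from the original article), the following Python runs two simple checks over constructed log lines: a source touching many distinct destination ports within a short window (port scanning) and a source whose failed SSH logins spread across many accounts (password spraying). The log formats, thresholds, usernames and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Firewall denies: one external source
# walking through ports on a single host, plus a normal client retrying 443.
FIREWALL_LOG = [
    f"2024-05-01T10:00:{i:02d} DENY src=203.0.113.7 dst=198.51.100.10 dport={p}"
    for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])
] + [f"2024-05-01T10:01:{i:02d} DENY src=198.51.100.77 dst=198.51.100.10 dport=443"
     for i in range(3)]
# SSH failures: one source cycling through many accounts (a spray), and one
# user mistyping their own password twice.
AUTH_LOG = [
    f"2024-05-01T11:00:{i:02d} sshd: Failed password for {u} from 203.0.113.9"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + ["2024-05-01T11:02:00 sshd: Failed password for alice from 10.0.0.5",
     "2024-05-01T11:02:04 sshd: Failed password for alice from 10.0.0.5"]

FW_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def port_scan_sources(lines, min_ports=10, window=timedelta(minutes=5)):
    """Return {src: distinct_ports} for sources that touched at least min_ports
    distinct destination ports within any interval of length `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in lines:
        m = FW_RE.match(line)
        if m:
            events[m[2]].append((datetime.fromisoformat(m[1]), int(m[3])))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # window starting at each event
            ports = {p for ts, p in evs[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


def password_spray_sources(lines, min_accounts=5):
    """Return {src: sorted usernames} for sources whose failed logins spread
    across at least min_accounts distinct accounts (one password, many users)."""
    accounts = defaultdict(set)  # src -> {username}
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            accounts[m[3]].add(m[2])
    return {src: sorted(u) for src, u in accounts.items() if len(u) >= min_accounts}
```

The thresholds (10 ports in 5 minutes, 5 accounts) are starting points to tune against a baseline of normal traffic; a real SOC would run the same logic as a scheduled correlation search over its firewall and authentication indexes.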
Mitigation Strategies Against Reconnaissance
1. Proactive Defense
- Deploy threat hunting focused on recon TTPs.
- Use deception technology (honeypots, honey users) to mislead attackers.
2. Employee Awareness
- Train staff to recognize social engineering attempts.
- Discourage oversharing on LinkedIn.
3. Security Controls
- Harden external services (disable unused ports, apply MFA).
- Configure WAFs and IDS to block scanning behavior.
4. Red Team vs Blue Team
- Run red team recon exercises to mimic attacker behavior.
- Use lessons to tune SOC detections.
Reconnaissance vs Other MITRE ATT&CK Tactics
While reconnaissance is often confused with initial access, they are distinct:
- Reconnaissance: Information gathering.
- Initial Access: Exploiting an entry point.
Reconnaissance also overlaps with Resource Development, since attackers sometimes buy tools, domains, or credentials during the recon phase.
Best Practices for Organizations
- Maintain external attack surface monitoring (ASM).
- Use SOAR automation for alert triage.
- Log and analyze failed login attempts.
- Perform regular recon simulations using red teams.
- Establish a playbook for handling suspected reconnaissance attempts.
Conclusion
Reconnaissance may seem harmless at first glance — after all, attackers are “just gathering information.” But in reality, it is one of the most critical stages of an attack lifecycle. A well-prepared adversary with solid reconnaissance will know exactly where to strike, how to bypass defenses, and which employees are most vulnerable.
By mapping reconnaissance techniques in the MITRE ATT&CK framework, defenders gain visibility into the adversary’s mindset. Detection and mitigation at this stage can stop attacks before they begin, saving organizations millions in potential damages.
Cybersecurity is not just about responding to breaches — it’s about anticipating the adversary’s moves. And the first move is always reconnaissance.