Network Topology (T1590.004)
Network Topology [T1590.004]
Last updated
Network Topology [T1590.004]
Last updated
Name: Network Topology
ID: T1590.004
Tactics:
Technique:
Network Topology (T1590.004) is a sub-technique within MITRE ATT&CK's Reconnaissance tactic, specifically under the Gather Victim Network Information technique (T1590). This sub-technique involves adversaries systematically gathering information about the target's network topology, including network architecture, devices, connectivity, and layout. Attackers typically perform this reconnaissance to identify potential entry points, critical assets, and vulnerabilities that can be exploited in subsequent attack phases.
Adversaries utilize various active and passive reconnaissance methods to map out and understand the victim's network topology. Detailed knowledge of network architecture significantly enhances an attacker's ability to plan and execute effective attacks.
Common execution methods and mechanisms include:
Network Scanning and Enumeration Tools:
Tools such as Nmap, Zenmap, Masscan, and Angry IP Scanner are frequently employed to actively probe networks, enumerate hosts, and identify open ports and services.
SNMP enumeration tools (e.g., SNMPwalk, onesixtyone) can reveal detailed information about network devices, including routers, switches, and firewalls.
Passive Reconnaissance Techniques:
Analyzing publicly available information online (e.g., network diagrams inadvertently posted on websites or repositories).
Leveraging DNS records (such as MX, NS, PTR records) to infer network structure and identify subdomains, mail servers, and infrastructure components.
OSINT (Open Source Intelligence):
Gathering network diagrams, IP ranges, and device configurations from publicly accessible sources, such as vendor documentation, forums, and social media.
Utilizing platforms like Shodan or Censys to identify exposed devices and infrastructure details.
Credential-Based Reconnaissance:
Using compromised credentials to log into network devices and extract topological information directly from device configurations, routing tables, or management interfaces.
Real-world procedures often involve a combination of these methods, allowing adversaries to build comprehensive maps of the victim's network infrastructure, including subnets, VLANs, routing protocols, firewall placements, and critical operational assets.
Adversaries typically employ this sub-technique during the early reconnaissance stages of an attack lifecycle, prior to initial access or exploitation. However, it can also be revisited in later stages for lateral movement, privilege escalation, or persistence.
Common attack scenarios and stages include:
Initial Reconnaissance:
Identifying potential entry points, external-facing systems, and perimeter devices.
Mapping external network architecture to plan initial access strategies.
Pre-Exploitation Phase:
Profiling internal network segmentation, VLAN configurations, and firewall rules to identify exploitable weaknesses.
Determining network choke points, critical servers, and sensitive data repositories.
Post-Exploitation Phase:
Conducting detailed internal reconnaissance after initial foothold to understand internal network structure.
Identifying lateral movement paths, pivot points, and potential targets for privilege escalation or data exfiltration.
Persistence and Long-term Operations:
Continuously updating network topology intelligence to adapt to network changes, security improvements, or remediation actions taken by defenders.
Detection of network topology reconnaissance activities involves monitoring network traffic, analyzing system logs, and applying behavioral analysis techniques. Specific detection methods and indicators include:
Network Traffic Monitoring and IDS/IPS:
Detecting unusual scanning activities, such as repeated port scans, ping sweeps, or SNMP enumeration attempts.
Monitoring for abnormal DNS queries that might indicate reconnaissance efforts.
Log Analysis and SIEM Tools:
Reviewing firewall, router, and switch logs for repeated connection attempts from suspicious IP addresses.
Identifying anomalous login attempts or unusual access patterns to network devices or management interfaces.
Endpoint Detection and Response (EDR) Solutions:
Detecting reconnaissance tools execution on endpoints (e.g., Nmap, Masscan binaries).
Identifying suspicious command-line arguments or scripts associated with network enumeration activities.
Honey Tokens and Deception Technologies:
Deploying fake network devices, services, or credentials to detect adversaries attempting network mapping.
Alerting on interactions with decoy devices or services.
Indicators of Compromise (IoCs) specific to this technique include:
Repeated scanning from single or multiple IP addresses.
Unusual SNMP queries or unauthorized SNMP community string usage.
Suspicious DNS zone transfers or enumeration attempts.
Detection of reconnaissance tools or scripts on compromised hosts.
Early detection of network topology reconnaissance is critical to preventing more damaging stages of cyber-attacks. The importance of detecting this technique includes:
Preventing Initial Access and Exploitation:
Early identification allows defenders to block or mitigate reconnaissance activities before attackers gain detailed insights into network vulnerabilities.
Reducing the Risk of Lateral Movement:
Detecting internal reconnaissance helps prevent attackers from identifying pathways for lateral movement, privilege escalation, or persistence.
Protecting Critical Infrastructure and Assets:
Early detection supports proactive defense measures, ensuring sensitive systems, data repositories, and critical infrastructure components remain secure.
Improving Incident Response and Threat Intelligence:
Understanding reconnaissance activities provides valuable intelligence about attacker objectives, tactics, and potential next steps.
Enables timely response actions, such as network segmentation, blocking malicious IP addresses, or adjusting security controls.
Minimizing Operational and Financial Impact:
Preventing attackers from gaining detailed network topology reduces the likelihood of successful exploitation, data breaches, ransomware deployment, or denial-of-service attacks.
Reduces potential costs associated with incident response, remediation, downtime, and reputational damage.
Real-world examples demonstrating the use of network topology reconnaissance include:
APT29 (Cozy Bear):
Utilized extensive network scanning techniques, including Nmap and custom scripts, to map victim networks during the SolarWinds supply chain attack.
Leveraged SNMP enumeration to identify internal network devices, configurations, and potential pivot points.
FIN7 Financial Crime Group:
Conducted detailed internal network reconnaissance using customized scanning tools to identify payment processing systems and point-of-sale (POS) terminals.
Mapped internal network segments to facilitate lateral movement and targeted exploitation of financial systems.
Operation Aurora (Attributed to APT17):
Performed comprehensive DNS enumeration and network scanning to identify externally accessible systems and network architecture.
Used gathered network topology information to exploit vulnerabilities and maintain persistent access within targeted organizations.
Mirai Botnet:
Conducted mass scanning and network enumeration to identify vulnerable IoT devices and network infrastructure.
Leveraged reconnaissance data to rapidly spread malware, launch distributed denial-of-service (DDoS) attacks, and compromise large numbers of devices.
These examples highlight how adversaries across different threat actor categories leverage network topology reconnaissance to facilitate targeted attacks, compromise critical systems, and achieve strategic objectives.