MITRE ATT&CK® Detection Strategy

DET0807: Detection of Identify Roles


Enterprise | DET0807 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0807 is a detection strategy for recognizing attempts to identify roles inside an organization, tied to ATT&CK technique T1591.004. The business significance is that role discovery often helps an adversary decide who to target next: executives, administrators, finance staff, data owners, or other personnel with useful access or influence. Even though this object does not provide a detailed detection method, it points leaders toward validating whether the organization can see early reconnaissance against people and roles before it becomes credential theft, phishing, or targeted intrusion activity.

Executive priority

Treat this as an early-warning and exposure-management issue, not just a SOC rule. Security leaders should ask whether public-facing org charts, job postings, social media, directory exposure, and phishing-intake processes reveal sensitive role/access information. The priority is to reduce unnecessary role visibility, preserve evidence of suspicious information-gathering, and ensure incident responders can connect role-focused reconnaissance to later targeting decisions.

Technical view

The supplied ATT&CK context links this strategy to Identify Roles under reconnaissance, with PRE as the related platform context. Because the detection strategy has no official detection text or platforms, SOC and detection teams should validate coverage around evidence of role-focused information gathering rather than assume a specific log source. Useful validation includes whether suspicious inquiries, phishing-for-information reports, web traffic to staff directories, repeated access to leadership/team pages, and identity-directory exposure can be correlated with later targeting of named personnel or privileged roles.

Likely telemetry

  • Phishing and suspicious inquiry reports involving requests for names, responsibilities, reporting lines, or access ownership
  • Web server, CDN, or application logs for public staff directories, leadership pages, team pages, and contact pages
  • Identity and access management audit data showing exposure or enumeration of users, groups, titles, departments, or role metadata where available
  • Email security and collaboration platform telemetry related to external messages asking about personnel roles or responsibilities
  • Help desk, reception, HR, vendor-management, or security awareness reporting channels for social-engineering attempts

Detection direction

  • Validate whether detections focus on role-discovery behavior, not only malware or post-compromise activity.
  • Correlate suspicious external inquiries with access to public role information and subsequent targeting of the same people or functions.
  • Tune carefully for benign research, recruiting, sales outreach, journalism, vendor due diligence, and customer inquiries, which can resemble role discovery.
  • Review blind spots in non-technical channels such as phone calls, web forms, social media, reception desks, and employee self-reporting, since the related technique may involve direct elicitation.
  • Use the relationship to T1591.004 as context for reconnaissance-stage alert triage; do not treat DET0807 as proof of compromise by itself.
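As an added example (not MITRE's or Glexia's content) of the correlation idea in the bullets above, applied to the web-server telemetry listed earlier: a Python check that flags a single client fetching several distinct role-exposing pages inside a short window, while suppressing known crawlers so recruiting and search-engine noise does not fire it. The log lines, path prefixes and crawler markers are constructed assumptions for the example and must be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx combined format, not real traffic: one client
# walks role-exposing pages within seconds, a crawler does the same, one visitor reads a post.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:09:00:01 +0000] "GET /about/leadership HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:09:00:04 +0000] "GET /team/finance HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:09:00:09 +0000] "GET /team/it-operations HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:09:00:15 +0000] "GET /contact HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:09:01:00 +0000] "GET /about/leadership HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.7 - - [10/Mar/2026:09:01:02 +0000] "GET /team/finance HTTP/1.1" 200 4096 "-" "Googlebot/2.1"
192.0.2.33 - - [10/Mar/2026:09:02:00 +0000] "GET /blog/quarterly-update HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Assumed for this example: page prefixes that expose roles, and crawler markers to suppress.
ROLE_PAGE_PREFIXES = ("/about/leadership", "/team/", "/contact", "/staff-directory")
BENIGN_UA_MARKERS = ("Googlebot", "bingbot")

def parse_line(line):
    """Parse one combined-format line; return None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": m["status"], "ua": m["ua"]}

def find_role_enumeration(log_text, window=timedelta(minutes=5), min_distinct_pages=3):
    """Return {client_ip: sorted role pages} for clients that fetched at least
    min_distinct_pages distinct role-exposing pages within one window,
    ignoring known crawlers and non-200 responses."""
    hits = defaultdict(list)  # ip -> [(timestamp, path)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != "200" or not rec["path"].startswith(ROLE_PAGE_PREFIXES):
            continue
        if any(marker in rec["ua"] for marker in BENIGN_UA_MARKERS):
            continue
        hits[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window over this client's requests
            pages = {p for t, p in events[i:] if t - start <= window}
            if len(pages) >= min_distinct_pages:
                flagged[ip] = sorted(pages)
                break
    return flagged
```

Running `find_role_enumeration(SAMPLE_LOG)` flags only 203.0.113.10; the crawler is suppressed by user agent and the blog reader never touches a role page.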

Mitigation priorities

  • Minimize unnecessary public disclosure of sensitive responsibilities, privileged ownership, internal reporting lines, and access-related job details.
  • Review identity and directory configurations to limit exposure of titles, groups, departments, and privileged role membership to only appropriate audiences.
  • Strengthen staff guidance for handling unsolicited questions about roles, access ownership, executives, finance processes, and technical administrators.
  • Ensure phishing and social-engineering reporting workflows capture requests for organizational role information, not only malicious links or attachments.
  • Include role-reconnaissance scenarios in incident response playbooks so teams can connect early information gathering to later targeting.

Analyst notes and limits

This take is based on a sparse ATT&CK detection-strategy object. The object has no official description, detection text, tactics, or platforms of its own; the usable context comes from the external ATT&CK reference and the relationship indicating it detects T1591.004 Identify Roles in the reconnaissance tactic with PRE platform context.

Local environment evidence is required to determine actual coverage. This summary does not assert active exploitation, attribution, available vendor detections, or guaranteed visibility. Organizations with limited reporting from public web properties, identity systems, employee-submitted phishing reports, or social-engineering intake may have significant blind spots.

Official MITRE ATT&CK definition

Detection of Identify Roles

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise
ID: T1591.004
Name: Identify Roles (Sub-technique)
Relationship / procedure: This object detects Identify Roles.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9fa02a102cbb263d...

Imported snapshots across ATT&CK releases (1)

Release 19.1 | Object version 1.0 | Status: Current bundle | Raw hash 9fa02a102cbb…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack DET0807 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.