MITRE ATT&CK® Detection Strategy

DET0890: Detection of Gather Victim Org Information

Domain: Enterprise. ID: DET0890. Type: Detection Strategy. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0890 is MITRE’s detection strategy for identifying activity associated with adversaries gathering information about a victim organization before an intrusion. The business value is early warning: this behavior may happen before credential theft, phishing, social engineering, or tailored intrusion attempts. Because the supplied ATT&CK object has no official detection text or platform detail, teams should treat it as a prompt to validate whether they can notice suspicious pre-compromise information-gathering against their organization, not as a ready-made detection rule.

Executive priority

Prioritize this as a resilience and readiness question: do security, communications, help desk, HR, and executive support teams have a way to recognize and escalate unusual requests for organizational details, employee roles, departments, or business operations? This matters for incident decision-making and audit evidence because reconnaissance often occurs outside traditional endpoint visibility. Investment decisions should focus on intake, reporting, and correlation across public-facing, email, and human-reporting channels rather than assuming the SOC already has full coverage.

Technical view

The only relationship the mirrored object supports is that DET0890 detects T1591 (Gather Victim Org Information), a Reconnaissance-tactic technique on the PRE platform. SOC and IR teams should validate coverage for attempts to collect information about divisions, departments, operations, and key employee roles, including direct elicitation such as phishing for information. Because no official detection logic is provided, detection engineering should define environment-specific indicators, escalation paths, and correlation criteria rather than deploying this object as a signature.

Likely telemetry

  • Reports of suspicious inquiries to employees, help desks, reception, HR, communications, or executive support functions
  • Email security telemetry and user-reported messages involving requests for organizational structure, roles, responsibilities, or business operations
  • Public website and contact-form submissions where organizational details are requested
  • Security awareness or phishing-reporting platform records related to information elicitation
  • Threat intelligence or brand-monitoring observations that identify unusual collection of public organizational information, where such sources are already used

Detection direction

  • Validate that reconnaissance reports are triaged even when there is no malware, login failure, or endpoint alert.
  • Correlate suspicious requests for organizational information with the targeted department, employee role, timing, sender identity, and any related phishing-for-information reports.
  • Tune for false positives from legitimate sales, recruiting, customer, partner, media, and audit inquiries; require context and escalation criteria rather than blocking all information requests.
  • Identify blind spots where pre-compromise activity occurs outside SOC-owned telemetry, especially communications teams, HR, reception, and publicly exposed contact channels.
  • Use the T1591 relationship as context: detection should focus on information-gathering about the organization, not generic internet scanning or unrelated phishing themes.
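The correlation step described in the list above, as an added example that is not part of this page, of MITRE's ATT&CK content, or of Glexia's tooling. It assumes that reports from every human channel (help desk, reception, phishing-report button, contact form) have already been normalized into one hypothetical intake record; the field names, the keyword list, the time window, and the sample reports are all constructed for illustration. Only requests about organizational structure, roles, or responsibilities are kept, and a department is escalated only when several such requests cluster inside a time window, so a single legitimate sales, recruiting, or media question does not page anyone.

```python
"""Correlate user-reported elicitation of organizational details (T1591 context).

Added example, not code from the page, MITRE, or Glexia. The intake schema,
keyword list and sample reports below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical normalized intake record fields: id, ts (ISO 8601), channel,
# sender, target_dept, text. Keywords are an assumed, environment-specific list.
ORG_TERMS = ("org chart", "reports to", "department", "who handles", "head of",
             "team structure", "responsible for", "which team")

# Constructed sample intake; none of these are real reports.
SAMPLE_REPORTS = [
    {"id": "R1", "ts": "2026-03-02T09:14:00", "channel": "helpdesk",
     "sender": "jordan@mail-example.test", "target_dept": "Finance",
     "text": "Can you tell me who handles vendor payments and who they report to?"},
    {"id": "R2", "ts": "2026-03-03T15:40:00", "channel": "phish_report",
     "sender": "jordan@mail-example.test", "target_dept": "Finance",
     "text": "Following up: could you send the department org chart for AP?"},
    {"id": "R3", "ts": "2026-03-04T11:05:00", "channel": "reception",
     "sender": "unknown-caller", "target_dept": "Finance",
     "text": "Caller asked which team approves wires and for the head of treasury."},
    {"id": "R4", "ts": "2026-03-03T10:00:00", "channel": "contact_form",
     "sender": "recruiter@staffing-example.test", "target_dept": "HR",
     "text": "We'd like to discuss contract recruiting services for your HR team."},
    {"id": "R5", "ts": "2026-01-10T08:00:00", "channel": "helpdesk",
     "sender": "someone@other-example.test", "target_dept": "Finance",
     "text": "Who is the head of finance? Need it for a press article."},
]


def is_org_elicitation(text: str) -> bool:
    """True when the request asks about structure, roles or responsibilities."""
    lowered = text.lower()
    return any(term in lowered for term in ORG_TERMS)


def _assess(dept, cluster, min_reports):
    """Turn one time-window cluster into an escalation, or nothing if it is
    too small to distinguish from routine inquiries."""
    if len(cluster) < min_reports:
        return []
    channels = sorted({r["channel"] for r in cluster})
    return [{
        "target_dept": dept,
        "reports": [r["id"] for r in cluster],
        "senders": sorted({r["sender"] for r in cluster}),
        "channels": channels,
        "first": cluster[0]["ts"],
        "last": cluster[-1]["ts"],
        # Several channels hit for the same department is the stronger signal.
        "priority": "high" if len(channels) >= 2 else "medium",
        "reason": f"{len(cluster)} org-structure requests against {dept} "
                  f"within {len(cluster)} reports in window",
    }]


def correlate(reports, window_days=7, min_reports=2):
    """Group org-structure requests by target department, split them into
    clusters where consecutive reports are no more than window_days apart,
    and escalate clusters of at least min_reports reports."""
    window = timedelta(days=window_days)
    by_dept = defaultdict(list)
    for r in reports:
        if is_org_elicitation(r["text"]):
            by_dept[r["target_dept"]].append(
                {**r, "dt": datetime.fromisoformat(r["ts"])})

    escalations = []
    for dept, items in by_dept.items():
        items.sort(key=lambda r: r["dt"])
        cluster = [items[0]]
        for r in items[1:]:
            if r["dt"] - cluster[-1]["dt"] <= window:
                cluster.append(r)
            else:
                escalations.extend(_assess(dept, cluster, min_reports))
                cluster = [r]
        escalations.extend(_assess(dept, cluster, min_reports))
    return escalations


if __name__ == "__main__":
    for e in correlate(SAMPLE_REPORTS):
        print(e["priority"], e["target_dept"], e["reports"], e["channels"])
```

On the sample, the three Finance requests in early March cluster across three channels and escalate as high priority; the January request about the head of finance is org elicitation but stands alone and is not escalated, and the recruiting inquiry never matches the keyword list. Lowering min_reports to 1 turns every matching report into a ticket, which is the trade-off the tuning bullet above warns about.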

Mitigation priorities

  • Establish a clear reporting path for suspicious requests for internal organizational details.
  • Train high-exposure staff to recognize elicitation of departments, operations, roles, and responsibilities.
  • Define what organizational information is approved for public disclosure and who can authorize exceptions.
  • Integrate user-reported suspicious inquiries into SOC or IR triage workflows.
  • Review public-facing content for unnecessary detail that could support targeting, while balancing business transparency requirements.

Analyst notes and limits

This Glexia take is based on the DET0890 detection strategy object and its relationship to ATT&CK technique T1591. The ATT&CK fields supplied do not include official detection guidance, platforms, tactics on the detection strategy itself, aliases, or labels. The practical emphasis is therefore on defensible validation questions and telemetry classes related to reconnaissance and information elicitation.

Coverage cannot be inferred from this object alone. Local business processes, public disclosure practices, email reporting maturity, and cross-functional escalation paths determine whether this behavior is observable. No active exploitation, actor attribution, specific tooling, or guaranteed detection should be assumed from the supplied data.

Official MITRE ATT&CK definition

Detection of Gather Victim Org Information

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain | ID | Name | Relationship / procedure
Enterprise | T1591 | Gather Victim Org Information | This object detects Gather Victim Org Information.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 96f229f5569aa21a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 96f229f5569a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack DET0890 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.