MITRE ATT&CK® Technique

T1590.006: Network Security Appliances

Adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.

Adversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information.[1] Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).

Enterprise | T1590.006 | Sub-technique | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This is pre-compromise reconnaissance focused on learning what firewalls, proxies, bastion hosts, content filters, NIDS, and other network security appliances an organization uses. The business risk is that these details can help an adversary choose later reconnaissance paths, prepare capabilities, or identify potential initial-access routes such as exposed remote services.

Executive priority

Treat this as an attack-surface and information-exposure problem, not just a SOC alerting problem. Leaders should ask whether internet-facing security appliances are inventoried, whether public websites or documents disclose defensive architecture, and whether pre-compromise reconnaissance evidence is retained well enough to support incident decisions. The ATT&CK relationships to Volt Typhoon and the 2025 Poland Wiper Attacks make this especially relevant for critical infrastructure and cyber-physical resilience planning, without implying exposure in any specific environment.

Technical view

T1590.006 is a reconnaissance sub-technique under Gather Victim Network Information on the PRE platform. ATT&CK provides no official detection text, but the related DET0889 detection strategy indicates defenders should look for attempts to identify network security appliances. SOC and IR teams should validate visibility across external perimeter traffic, rejected connection attempts, web requests to appliance portals, scans of firewall/proxy/VPN/bastion infrastructure, and phishing or information requests seeking network-defense details. Because the behavior can occur through active scanning, phishing for information, victim-owned websites, or open technical/public sources, endpoint telemetry alone is unlikely to be sufficient.

Likely telemetry

  • External firewall and edge device logs, including denied and allowed connection attempts
  • Web server, reverse proxy, VPN, bastion host, and appliance management portal access logs
  • Network IDS/NIDS alerts and packet or flow metadata for reconnaissance patterns
  • Public attack-surface inventory and external exposure scan results
  • DNS, certificate, and domain records that may reveal security appliance names or roles

Detection direction

  • Validate the related DET0889 strategy against local telemetry, since ATT&CK does not provide detection logic for this object.
  • Look for repeated probing of perimeter services, appliance login paths, management interfaces, or security-product-specific endpoints, while accounting for legitimate researchers, search engines, vendors, and internal monitoring.
  • Correlate reconnaissance activity with exposed asset inventory so analysts can distinguish generic internet noise from targeted interest in security appliances.
  • Review public-facing content and open technical data for disclosures that would not generate internal security alerts.
  • Identify blind spots such as unlogged denied traffic, third-party-hosted documentation, unmanaged internet-facing appliances, and public datasets outside SOC collection.
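One way to implement the correlation step from the list above (probing of appliance login and management paths joined to an inventory of internet-facing appliances, with verified sources excluded), as an added Python example that is not part of the Glexia page or of ATT&CK; every host, path, address and allowlist entry is constructed for the demonstration:

```python
"""Constructed example: separate targeted probing of internet-facing
security appliances from generic internet scanning noise by correlating
access-log lines with an asset inventory. All values below are made up."""
from collections import defaultdict
from typing import Dict, Iterable, Set

# Constructed inventory of externally visible hosts and their roles.
INVENTORY = {
    "vpn.example.net": "ssl-vpn",
    "fw-admin.example.net": "firewall-mgmt",
    "bastion.example.net": "bastion",
    "www.example.net": "public-web",      # ordinary website, not an appliance
}
APPLIANCE_ROLES = {"ssl-vpn", "firewall-mgmt", "bastion"}
# Constructed login/management path prefixes worth watching on appliances.
WATCH_PATHS = ("/remote/login", "/admin/", "/webconsole", "/api/v1/system")
# Sources the SOC has already verified (constructed: an internal monitor).
ALLOWLIST = {"10.0.0.9"}

# Constructed reverse-proxy access log lines: "<src> <host> <path> <status>".
LOG_LINES = [
    "203.0.113.7 vpn.example.net /remote/login 401",
    "203.0.113.7 fw-admin.example.net /admin/ 403",
    "203.0.113.7 bastion.example.net /webconsole 404",
    "198.51.100.4 www.example.net /robots.txt 200",   # crawler on the public site
    "198.51.100.4 www.example.net /admin/ 404",       # generic noise, not an appliance
    "10.0.0.9 vpn.example.net /remote/login 200",     # allowlisted internal check
    "192.0.2.55 vpn.example.net /remote/login 401",   # one appliance only: noise
]


def score_sources(lines: Iterable[str], inventory: Dict[str, str],
                  watch_paths=WATCH_PATHS, allowlist: Set[str] = ALLOWLIST,
                  min_hosts: int = 2) -> Dict[str, dict]:
    """Per source, collect the distinct inventoried appliances and watched
    paths it touched; flag sources that probe at least min_hosts appliances,
    which is targeted interest rather than a one-off hit."""
    hosts, paths = defaultdict(set), defaultdict(set)
    for line in lines:
        src, host, path, _status = line.split()
        if src in allowlist or inventory.get(host) not in APPLIANCE_ROLES:
            continue                      # skip verified sources and non-appliance hosts
        if path.startswith(watch_paths):  # only login/management paths count
            hosts[src].add(host)
            paths[src].add(path)
    return {src: {"appliances": sorted(hosts[src]), "paths": sorted(paths[src]),
                  "flagged": len(hosts[src]) >= min_hosts} for src in hosts}
```

Tune `min_hosts` and the watched paths to the local inventory; a source that trips only one appliance is left in the output unflagged so it can still be reviewed against other telemetry.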

Mitigation priorities

  • Use the related M1056 Pre-compromise mitigation as the control frame: reduce what adversaries can learn before initial access.
  • Maintain an accurate inventory of internet-facing security appliances, proxies, bastion hosts, and remote access infrastructure.
  • Limit public disclosure of security architecture details in websites, documentation, job postings, support artifacts, and shared diagrams.
  • Prioritize vulnerability management and configuration review for externally visible network security appliances and remote access paths.
  • Restrict and monitor appliance management interfaces, especially where exposure is unnecessary for business operations.

Analyst notes and limits

This technique is most useful for prioritizing pre-compromise visibility and attack-surface governance. Its value increases when combined with local asset inventory, public exposure data, and perimeter telemetry. The relationship context shows use by a named group and campaign in ATT&CK, including critical infrastructure relevance, but those relationships should inform threat modeling rather than be treated as evidence of activity in a specific environment.

The official ATT&CK object has no detection text and provides only high-level behavior. The mitigation description supplied is truncated. Practical detection and prioritization require local evidence about exposed appliances, logging depth, public disclosures, and normal internet scanning noise.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID      Name                               Relationship / procedure
Enterprise  T1590   Gather Victim Network Information  This object is a sub-technique of Gather Victim Network Information.

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories, including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]

Campaign (Enterprise)

C0063: 2025 Poland Wiper Attacks

2025 Poland Wiper Attacks is a Russian state-sponsored campaign that conducted destructive cyberattacks against Polish energy infrastructure in December 2025. Targets included more than 30 wind and photovoltaic farms, a combined heat and power (CHP) plant, and a manufacturing sector company. The attacks on the distributed energy resources (DER) disrupted communications between affected facilities and the distribution system operator, but did not impact electricity generation or heat supply. Across the campaign, threat actors deployed two previously undocumented wiper tools, DynoWiper, a Windows-based wiper, and LazyWiper, a PowerShell wiper, both distributed via malicious Group Policy Objects. At the CHP plant, threat actors had maintained access since at least March 2025, using that foothold to obtain credentials and move laterally before attempting wiper deployment. Some reporting has assessed the activity to be consistent with Russian Federal Security Service (FSB) threat activity group Dragonfly, also tracked as STATIC TUNDRA, while other reporting attributes the destructive wiper activities to the Russian General Staff Main Intelligence Directorate (GRU) threat activity group ELECTRUM, also tracked as Sandworm Team.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 479fd67b1e8e43d8...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  479fd67b1e8e…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems. Retrieved October 20, 2020.
  2. MITRE ATT&CK. T1590.006: Network Security Appliances.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.