T1591.003: Identify Business Tempo
Adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.
Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[1] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Supply Chain Compromise or Trusted Relationship).
Analyst context for executives and security teams
Identify Business Tempo is reconnaissance focused on learning when an organization operates, buys, ships, staffs, or changes resources. Its business significance is that attackers can use ordinary public or elicited information to time follow-on activity around predictable windows, supplier interactions, or lower-staffed periods. For leaders, this is less about a single alert and more about whether the organization is unintentionally publishing operational patterns that make targeting easier.
Executive priority
Treat this as a pre-compromise exposure-management issue. Security, procurement, communications, and operations leaders should ask what business timing information is public, who can elicit it, and whether sensitive purchasing, shipment, staffing, or operating schedules are unnecessarily exposed. This supports resilience planning, third-party risk discussions, phishing readiness, and audit evidence that reconnaissance-stage risk is being managed before an incident begins.
Technical view
This sub-technique sits under Gather Victim Org Information in the reconnaissance tactic and applies to the PRE platform, so validation should focus on exposure and early-warning signals rather than endpoint compromise. SOC and threat intelligence teams should review what public websites, social media, searchable datasets, and employee-facing channels reveal about operating hours, purchase cycles, shipment timing, and resource changes. Because no official ATT&CK detection text is provided, teams should use the related DET0849 detection strategy only as a reference point and validate local telemetry and use cases against actual business data exposure.
Likely telemetry
- Public website content and change history for operating hours, events, procurement notices, shipment or implementation timelines
- Social media posts or public communications that disclose staffing, closures, business cycles, purchases, or deployments
- Search engine and open-web findings involving victim-owned sites or publicly accessible datasets
- Reports of phishing-for-information or direct elicitation attempts against employees, vendors, or support channels
- Web analytics, contact-form logs, helpdesk records, or communications metadata that may show unusual interest in operational timing
Detection direction
- Inventory where business-tempo details are publicly exposed and compare findings with what security and operations teams consider acceptable to publish.
- Tune monitoring around elicitation indicators, especially questions or contact attempts seeking schedules, purchasing timing, shipments, operational hours, or resource changes.
- Correlate suspicious information requests with public disclosures; a single question may be benign, but repeated interest in timing details can be material during reconnaissance.
- Account for false positives from customers, suppliers, job candidates, auditors, and logistics partners who may legitimately ask about schedules or delivery windows.
- Recognize the blind spot: much of this activity happens before compromise and may occur on public platforms or third-party sites outside normal SOC telemetry.
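The correlation described in the list above, as an added example that is not part of the ATT&CK object or any official detection: it groups inbound inquiries by sender, suppresses known partners, and flags only repeated questions that span several timing topics. The keyword lists, allowlist, thresholds and sample records are all constructed assumptions to replace with local data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed keyword groups for the timing topics this page lists.
TEMPO_TOPICS = {
    "hours": re.compile(r"\b(office hours|opening hours|holiday schedule|closed on)\b", re.I),
    "shipment": re.compile(r"\b(shipment|delivery window|shipping date)\b", re.I),
    "purchase": re.compile(r"\b(purchase order|procurement|renewal date)\b", re.I),
    "change": re.compile(r"\b(maintenance window|go-live|migration date)\b", re.I),
}
# Constructed allowlist of partner domains that legitimately ask about schedules.
KNOWN_PARTNER_DOMAINS = {"logistics-partner.example"}

# Constructed contact-form / helpdesk records: (ISO timestamp, sender, message text).
SAMPLE_RECORDS = [
    ("2024-03-04T09:12:00", "alex@unknown-vendor.example", "What are your office hours next week?"),
    ("2024-03-05T14:40:00", "alex@unknown-vendor.example", "When does the next laptop shipment arrive?"),
    ("2024-03-07T11:03:00", "alex@unknown-vendor.example", "Is a maintenance window planned for the firewall?"),
    ("2024-03-05T08:00:00", "dispatch@logistics-partner.example", "Delivery window for purchase order 88?"),
    ("2024-03-06T08:00:00", "dispatch@logistics-partner.example", "Delivery window for purchase order 89?"),
    ("2024-03-07T08:00:00", "dispatch@logistics-partner.example", "Delivery window for purchase order 90?"),
    ("2024-03-06T16:20:00", "sam@customer.example", "What are your opening hours on Saturday?"),
]

def tempo_topics(text):
    """Return the set of business-tempo topics a message asks about."""
    return {name for name, rx in TEMPO_TOPICS.items() if rx.search(text)}

def flag_repeated_interest(records, window=timedelta(days=7), min_hits=3, min_topics=2):
    """Return {sender: sorted topics} for non-partner senders whose timing
    questions reach min_hits and min_topics inside one sliding window."""
    by_sender = defaultdict(list)
    for ts, sender, text in records:
        topics = tempo_topics(text)
        if topics and sender.split("@")[-1].lower() not in KNOWN_PARTNER_DOMAINS:
            by_sender[sender].append((datetime.fromisoformat(ts), topics))
    flagged = {}
    for sender, hits in by_sender.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):
            in_window = [t for when, t in hits[i:] if when - start <= window]
            seen = set().union(*in_window)
            if len(in_window) >= min_hits and len(seen) >= min_topics:
                flagged[sender] = sorted(seen)
                break
    return flagged
```

A flagged sender is a lead for analyst review, not a verdict; the single-question customer and the allowlisted logistics partner in the sample data stay unflagged by design.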
Mitigation priorities
- Apply the related pre-compromise mitigation approach by reducing unnecessary public exposure of operational timing and resource-change details.
- Review public websites, social media practices, procurement postings, and supplier communications for avoidable schedule, shipment, or purchasing disclosures.
- Train staff who handle public inquiries, support, procurement, and vendor communications to identify and report elicitation attempts about business tempo.
- Define approval rules for publishing operational schedules, closures, infrastructure changes, major purchases, or delivery information when those details could aid targeting.
- Include business-tempo exposure checks in threat intelligence, attack surface reviews, third-party risk assessments, and incident readiness exercises.
Analyst notes and limits
The key defensive value is cross-functional: this technique often requires communications, procurement, operations, supplier management, and SOC teams to agree on what timing information is acceptable to expose. The supplied relationship to M1056 supports a pre-compromise, attack-surface-reduction framing; the supplied relationship to DET0849 indicates a detection strategy exists, but its detailed logic is not included here.
The ATT&CK object provides no official detection text and only identifies the platform as PRE. This take therefore avoids claiming specific detection coverage or compromise telemetry. Local validation is required to determine which business-tempo details are exposed, which teams own them, and what monitoring is feasible.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1591 | Gather Victim Org Information | This object is a sub-technique of Gather Victim Org Information. |
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f50e3ca1e309… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ThreatPost Broadvoice Leak: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020.
- [2] mitre-attack T1591.003
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.