Full Report
The popular image of a cyberattack – a fast, noisy “smash-and-grab” operation – doesn’t match what Forescout’s Vedere Labs says it’s seeing in its latest threat data. In the company’s 2025 Threat Roundup, researchers argue that a growing share of intrusions look less like immediate disruption and more like quiet preparation: Attackers get in, then spend…
Analysis Summary
# Tool/Technique: Post-Breach Discovery and Quiet Preparation
## Overview
Based on Forescout’s Vedere Labs 2025 Threat Roundup, modern cyberattacks have shifted from high-speed "smash-and-grab" operations to prolonged, quiet reconnaissance phases. Attackers are spending over 90% of their post-breach time on "Discovery" activities to map networks, identify high-value assets, and establish leverage before initiating disruption or extortion.
## Technical Details
- **Type**: Technique / Phase of Attack
- **Platform**: Enterprise IT, Operational Technology (OT), Cloud Platforms, and IoT/ISP-managed networks.
- **Capabilities**: Internal network scanning, identity/permission mapping, and asset prioritization.
- **First Seen**: Observed as a dominant trend in 2025 threat data.
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - [T1083 - File and Directory Discovery]
  - [T1046 - Network Service Discovery]
  - [T1018 - Remote System Discovery]
  - [T1069 - Permission Groups Discovery]
  - [T1040 - Network Sniffing] (OT protocol probing)
- **[TA0005 - Defense Evasion]**
  - [T1562 - Impair Defenses]
  - [T1090 - Proxy] (Using compromised consumer IoT devices/Cloud services)
## Functionality
### Core Capabilities
- **Internal Reconnaissance**: Scanning internal systems to find high-value targets (e.g., databases, sensitive IP).
- **Identity Mapping**: Enumerating user accounts and permissions to identify paths for privilege escalation.
- **OT Protocol Probing**: Monitoring and interacting with industrial protocols, specifically **Modbus**, to identify critical infrastructure controls.
### Advanced Features
- **Residential/ISP Proxying**: Routing malicious traffic through compromised consumer devices (routers, cameras, doorbells, solar inverters) to mask the origin.
- **Cloud Infrastructure Masking**: Utilizing major cloud platforms to tunnel traffic, making malicious activity appear as legitimate routine business operations.
- **Vulnerability Arbitrage**: Targeting vulnerabilities not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog (over 70% of observed exploits fell outside KEV).
## Indicators of Compromise
- **File Hashes**: N/A (Focus is on behavioral patterns).
- **Network Indicators**:
  - Traffic originating from residential ISP blocks representing compromised IoT.
  - Probing of ports associated with industrial protocols (e.g., Modbus).
  - Defanged C2 Example: `hXXps[:]//[cloud-provider-instance].com/`
- **Behavioral Indicators**:
  - Unusual internal scanning activity from a single internal endpoint.
  - Repeated `whoami` or permission enumeration commands across multiple systems.
  - Lateral movement attempts following prolonged periods of dormancy.
## Associated Threat Actors
- **Ransomware Groups**: Shifting from "encrypt and exit" to long-term extortion preparation.
- **Nation-State Actors**: Using sophisticated discovery to identify strategic targets.
- **Opportunistic Actors**: Targeting internet-facing OT systems with minimal effort.
## Detection Methods
- **Behavioral Detection**: Monitoring for "east-west" traffic anomalies and internal scanning that deviates from established baselines.
- **Protocol Analysis**: Inspecting OT traffic for unauthorized Modbus commands or unusual polling frequencies.
- **Identity Analytics**: Detecting rapid enumeration of Active Directory or cloud IAM permissions.
- **Egress Monitoring**: Identifying traffic routed through known residential proxy networks or unexpected cloud buckets.
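The behavioral indicators and detection methods above can be expressed as simple rules over flow and process logs. The following is an added example written for this summary, not code from Forescout or the Vedere Labs report; the network ranges, thresholds, port list, enumeration keywords and log records are all constructed assumptions and should be tuned to a real environment. It flags three of the page's patterns: one internal source fanning out to many internal hosts within a short window (internal scanning), internal hosts touching a Modbus TCP port (OT protocol probing), and one account running permission-enumeration commands across several systems.

```python
"""Behavioral detection for quiet post-breach discovery (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy values: assumptions for this example, not from the report.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
OT_PORTS = {502: "modbus"}           # industrial-protocol ports worth alerting on
FANOUT_HOSTS = 10                    # distinct internal destinations per window
FANOUT_WINDOW = 300                  # window length in seconds
ENUM_COMMANDS = ("whoami", "net user", "net group")  # permission enumeration
ENUM_HOST_THRESHOLD = 3              # hosts per user before alerting


@dataclass
class Flow:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int


@dataclass
class Cmd:
    ts: int
    host: str
    user: str
    cmdline: str


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def detect_fanout(flows, max_hosts=FANOUT_HOSTS, window=FANOUT_WINDOW):
    """East-west scanning: return {src: peak distinct internal hosts} for
    internal sources that reach >= max_hosts distinct internal hosts within
    any sliding window of `window` seconds."""
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append((f.ts, f.dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= max_hosts:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def detect_ot_probing(flows):
    """Internal sources touching industrial-protocol ports: (src, dst, proto)."""
    return [(f.src, f.dst, OT_PORTS[f.dport])
            for f in flows if f.dport in OT_PORTS and is_internal(f.src)]


def detect_enum_spread(cmds, min_hosts=ENUM_HOST_THRESHOLD):
    """Accounts running enumeration commands on >= min_hosts distinct hosts:
    returns {user: sorted list of hosts}."""
    hosts_by_user = defaultdict(set)
    for c in cmds:
        line = c.cmdline.lower()
        if any(keyword in line for keyword in ENUM_COMMANDS):
            hosts_by_user[c.user].add(c.host)
    return {user: sorted(hosts) for user, hosts in hosts_by_user.items()
            if len(hosts) >= min_hosts}


# Constructed sample records (not real telemetry).
FLOWS = [Flow(1000 + i * 10, "10.0.5.23", f"10.0.9.{i}", 445) for i in range(1, 13)]
FLOWS += [Flow(1500, "10.0.5.40", "10.0.9.1", 443),      # ordinary workstation
          Flow(1510, "10.0.5.40", "10.0.9.2", 443),
          Flow(1520, "10.0.5.40", "10.0.9.3", 443),
          Flow(1600, "10.0.5.23", "10.0.7.50", 502),     # IT host -> Modbus port
          Flow(1700, "203.0.113.5", "10.0.1.1", 443)]    # inbound, not east-west

CMDS = [Cmd(1100, "WS01", "svc_backup", "whoami /groups"),
        Cmd(1300, "WS02", "svc_backup", "net group \"Domain Admins\" /domain"),
        Cmd(1400, "SRV03", "svc_backup", "net user /domain"),
        Cmd(1450, "WS01", "alice", "whoami"),            # single host: no alert
        Cmd(1460, "WS05", "alice", "notepad.exe")]


if __name__ == "__main__":
    print("fan-out alerts:", detect_fanout(FLOWS))
    print("OT probing:", detect_ot_probing(FLOWS))
    print("enumeration spread:", detect_enum_spread(CMDS))
```

The fan-out rule deliberately ignores traffic from non-internal sources so it only captures east-west behavior; the enumeration rule keys on the account rather than the host because a single credential touching many systems is the pattern described above, regardless of which endpoint issued each command.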
## Mitigation Strategies
- **Segmentation**: Implement strict network micro-segmentation to limit the scope of internal discovery.
- **Context-Based Patching**: Use the CISA KEV as a baseline, but prioritize patches based on local asset criticality and internal exposure.
- **Hardening OT**: Ensure no OT protocols (Modbus, etc.) are internet-facing and utilize industrial DMZs.
- **Zero Trust Architecture**: Minimize the "blast radius" by restricting identity permissions according to the principle of least privilege.
## Related Tools/Techniques
- **Living off the Land (LotL)**: Using native binaries for discovery.
- **Modbus Probing**: Specific targeting of industrial control systems.
- **Botnet Proxies**: Using consumer botnets (Mirai-variants, etc.) to hide attack origins.