Identify security defensive capabilities

Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. [1] [2]

ID: T1263
Sub-techniques: No sub-techniques
Tactic: Technical Information Gathering
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): Yes

Explanation: Technically, the defender has the ability to detect this activity. However, this is typically not done, because this type of traffic would not normally prompt the defender to take any defensive action. Detection would also require the defender to review access logs closely for suspicious activity (if the activity is logged at all).
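As an added example (not from the original page), the kind of access-log review the explanation refers to: parse web-server lines in Common Log Format and flag sources whose requests were mostly refused by the filtering layer across several distinct paths, which is what a defender would see when someone maps what gets blocked. The log lines, the status codes treated as "filtered" and the thresholds are constructed assumptions and should be tuned to the deployed product.

```python
import re
from collections import defaultdict

# Common Log Format: client IP, ident, user, [timestamp], "request line", status, size.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$')

# Assumed set of codes a WAF/IPS-style filter returns when it refuses a request.
FILTERED_STATUSES = {403, 406, 429}

# Constructed sample log: 203.0.113.7 is refused on several distinct paths in a
# few seconds; 198.51.100.20 is ordinary browsing with one denied page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2018:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2018:13:55:37 +0000] "GET /search?q=probe-a HTTP/1.1" 403 162
203.0.113.7 - - [10/Oct/2018:13:55:37 +0000] "GET /search?q=probe-b HTTP/1.1" 403 162
203.0.113.7 - - [10/Oct/2018:13:55:38 +0000] "GET /download?f=probe-c HTTP/1.1" 403 162
203.0.113.7 - - [10/Oct/2018:13:55:38 +0000] "POST /login HTTP/1.1" 406 162
198.51.100.20 - - [10/Oct/2018:13:56:01 +0000] "GET /about.html HTTP/1.1" 200 2048
198.51.100.20 - - [10/Oct/2018:13:56:02 +0000] "GET /contact.html HTTP/1.1" 200 1024
198.51.100.20 - - [10/Oct/2018:13:56:05 +0000] "GET /admin HTTP/1.1" 403 162
"""

def parse_clf(line):
    """Return the fields of one Common Log Format line, or None if it does not parse."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_probing_sources(lines, min_blocked_paths=3, min_ratio=0.5):
    """Flag client IPs whose requests were mostly refused across several distinct paths."""
    stats = defaultdict(lambda: {"total": 0, "blocked": 0, "paths": set()})
    for line in lines:
        rec = parse_clf(line)
        if rec is None:  # skip malformed or non-CLF lines rather than abort the review
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"] in FILTERED_STATUSES:
            s["blocked"] += 1
            s["paths"].add(rec["path"])
    flagged = {}
    for ip, s in stats.items():
        ratio = s["blocked"] / s["total"]
        if len(s["paths"]) >= min_blocked_paths and ratio >= min_ratio:
            flagged[ip] = {"total": s["total"], "blocked": s["blocked"], "ratio": round(ratio, 2)}
    return flagged
```

Running `find_probing_sources(SAMPLE_LOG.splitlines())` on the constructed log flags only 203.0.113.7 (4 of 5 requests filtered on 4 distinct paths); the single denied page from 198.51.100.20 stays below both thresholds.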

Difficulty for the Adversary

Easy for the Adversary (Yes/No): No

Explanation: The adversary gains some insight into the defenses in place from dropped traffic or filtered responses, but pinpointing which specific defenses are deployed (e.g., FireEye WMPS, Hewlett Packard Enterprise TippingPoint IPS) is more difficult.


1. InfoSec Institute. (2014, June 19). What You Must Know About OS Fingerprinting. Retrieved March 1, 2017.
2. Paulino Calderon. (n.d.). http-waf-detect. Retrieved April 2, 2017.