Subnets - Point of Interest: Target Selection and Defense
In the realm of enterprise cybersecurity, the initial compromise of a workstation is rarely the end of an attack.
For threat actors, a single compromised endpoint is merely a beachhead.
To achieve their objectives, whether data exfiltration, ransomware deployment, or long-term espionage, they must traverse the internal network.
This process of lateral movement requires a map.
In a modern corporate infrastructure, that map is defined by the IP subnetting scheme.
To an attacker, not all subnets are created equal.
Some subnets are quiet backwaters containing guest devices, while others are high-value targets containing domain controllers, database servers, and backups.
These high-value zones are what penetration testers and adversaries refer to as subnet "Points of Interest" (POIs).
Understanding how attackers discover, analyze, and select these targets is critical for designing networks that can contain and defeat modern threats.
Examples of Local Networks: Flat vs. Segmented
To understand how target selection works, we must first compare the structural differences of local network designs.
Most corporate networks utilize private address space designated by RFC 1918.
These address blocks include 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
The way these ranges are carved up dictates the difficulty of an attacker's job.
1. The Vulnerable Flat Network
In a flat network architecture, all hosts share a single large broadcast domain, often a /16 or /8 range.
For example, a company might place all its employees, servers, printers, and guest devices in a single 10.100.0.0/16 space.
In this environment, there are no internal boundaries.
Every device can directly communicate with every other device at Layer 2 and Layer 3 without routing through a firewall.
2. The Secure Segmented Network
In contrast, a secure architecture segments the private IP space into multiple logical subnets mapped to specific security zones.
Each subnet is typically assigned a /24 prefix (providing 254 IP addresses) or a size appropriate for its host count.
Communication between these subnets must cross a Layer 3 firewall or router enforcing strict Access Control Lists (ACLs).
Below is a typical subnet assignment for a segmented enterprise network:
Subnet            | CIDR Block       | Purpose / Assets                                   | Security Level
Guest Wi-Fi       | 192.168.50.0/24  | Guests, unmanaged mobile devices                   | Low (No internal access)
Workstations      | 10.100.10.0/24   | Employee laptops, desktop PCs                      | Medium
DMZ               | 10.100.20.0/24   | Public-facing web servers, mail gateways           | Medium-Low
Active Directory  | 10.100.30.0/24   | Primary and backup Domain Controllers              | Critical
Databases         | 10.100.40.0/24   | Customer records, financial databases              | Critical
Backup Storage    | 10.100.50.0/24   | Immutable backup arrays, NAS/SAN                   | Critical
Management        | 10.254.0.0/24    | Hypervisors, switch consoles, firewall interfaces  | Critical
Below is a visual representation of how traffic flows in these two architectures:
How Hackers Choose Their Targets
When an attacker establishes a foothold on a workstation, they do not immediately launch loud, aggressive port scans across the entire corporate network.
Doing so would quickly trigger Intrusion Detection Systems (IDS).
Instead, target selection is a methodical, multi-phase process.
Phase 1: Local Subnet Mapping (Passive Discovery)
Before sending a single packet, the attacker listens to the noise already present on the local wire.
They examine local system configurations and cache tables to map the immediate environment.
ARP Table Examination: By running arp -a, the attacker views the IP and MAC addresses of devices that the compromised host has recently spoken to.
Route Table Queries: Commands like route print or netstat -r reveal the default gateway and any static routes to other subnets.
Multicast/Broadcast Listening: Using tools like Wireshark or Responder, the attacker listens for LLMNR, NBT-NS, mDNS, and DHCP traffic.
DNS Cache Analysis: Reviewing the local DNS cache reveals what servers (such as mail, collaboration tools, or databases) the system connects to regularly.
Phase 2: Finding Other Subnets (Active Discovery)
Once the local subnet is understood, the attacker looks for adjacent subnets.
If they are on 10.100.10.50, they will probe the surrounding space to see if other 10.100.X.0 ranges exist.
They may perform a fast, low-noise ping sweep or send ICMP echo requests to the first IP of adjacent /24 subnets (e.g., 10.100.20.1, 10.100.30.1, 10.100.40.1).
A response from a gateway indicating a live route confirms the existence of a neighboring subnet.
Phase 3: Pinpointing the "Points of Interest"
Once a list of active subnets is compiled, the attacker analyzes them to identify the high-value targets.
They look for specific ports that act as beacons for critical infrastructure.
Active Directory Subnet: The presence of ports 389 (LDAP), 636 (LDAPS), and 88 (Kerberos) indicates a Domain Controller.
This is the ultimate target for credential harvesting.
Database Subnet: Probing ports like 1433 (Microsoft SQL), 3306 (MySQL), or 5432 (PostgreSQL) reveals the presence of structured database storage.
Backup Subnet: Attackers search for open ports related to common backup services (e.g., Veeam, Commvault) or network file systems (SMB on 445, NFS on 2049).
Ransomware actors target these first to prevent recovery.
Management Subnet: High concentrations of SSH (22), RDP (3389), and hypervisor management consoles (such as VMware vCenter on 443) mark the management plane.
Protection Tactics and Best Strategies
Defending subnet points of interest requires a defense-in-depth approach.
Blue teams cannot rely solely on edge firewalls.
They must implement controls that limit visibility, detect lateral reconnaissance, and contain compromises.
1. One-to-One VLAN to Subnet Mapping
Every subnet should map directly to a dedicated Virtual Local Area Network (VLAN).
This ensures logical boundary enforcement at Layer 2 and Layer 3.
Trunk ports on switches must be tightly controlled, and unused ports should be disabled or assigned to an unrouted quarantine VLAN.
2. Microsegmentation and Host-Based Firewalls
Traditional subnetting, enforced by ACLs at the subnet boundary, controls traffic crossing between subnets, but it does nothing to stop lateral movement within the same subnet.
If a workstation subnet contains 200 PCs, a compromised machine can attack the other 199.
Implementing host-based firewalls (via Group Policy or Endpoint Detection and Response tools) that block client-to-client communication within the same subnet halts this lateral spread.
Only outbound connections to approved gateways should be allowed.
3. Deploying Honey-Subnets and Decoy Assets
One of the most effective ways to catch attackers during the reconnaissance phase is the use of honey-subnets.
These are subnets populated entirely with decoy servers and simulated high-value targets.
AD Decoys: Create a fake Domain Controller (e.g., 10.100.99.10) with realistic but unused accounts.
Database Decoys: Deploy a simulated database server responding on port 1433.
Alerting: Since these subnets have no legitimate users, any connection attempt, ping, or port scan immediately triggers a high-severity incident response alert.
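As an added example (not the article's own script), the following Python classifies flows against the zone table from the segmented network design above and applies the honey-subnet rule: any contact with the decoy range alerts at high severity, and guest-to-internal, workstation-to-workstation and workstation-to-management traffic is flagged as well. The 10.100.99.0/24 honey range and the "no direct workstation path to backup or management" policy are assumptions, and the sample flows are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple
# Zone table from the article, keyed by CIDR block.
ZONES: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("192.168.50.0/24"): "guest",
    ipaddress.ip_network("10.100.10.0/24"): "workstations",
    ipaddress.ip_network("10.100.20.0/24"): "dmz",
    ipaddress.ip_network("10.100.30.0/24"): "active_directory",
    ipaddress.ip_network("10.100.40.0/24"): "databases",
    ipaddress.ip_network("10.100.50.0/24"): "backup",
    ipaddress.ip_network("10.254.0.0/24"): "management",
    ipaddress.ip_network("10.100.99.0/24"): "honey",  # assumed /24 around decoy DC 10.100.99.10
}
# Assumed policy: workstations never reach these zones directly (jump host only).
NO_DIRECT_FROM_WORKSTATIONS = {"backup", "management"}

def zone_of(ip: str) -> str:
    """Return the zone name for an address, or 'unknown' if outside the table."""
    addr = ipaddress.ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate_flow(src_ip: str, dst_ip: str, dst_port: int) -> Optional[str]:
    """Return an alert label for one flow, or None when it conforms to policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if dst == "honey":
        # The decoy subnet has no legitimate users: any packet is an incident.
        return "HIGH: honey-subnet contact"
    if src == "guest" and dst != "unknown":
        return "HIGH: guest reaching internal subnet"
    if src == "workstations" and dst in NO_DIRECT_FROM_WORKSTATIONS:
        return f"HIGH: workstation to {dst} zone on port {dst_port}"
    if src == "workstations" and dst == "workstations":
        return "MEDIUM: client-to-client traffic (microsegmentation violation)"
    return None

# Constructed sample flows (src, dst, dst_port), not real log data.
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("10.100.10.50", "10.100.30.10", 88),     # Kerberos to a real DC: expected
    ("10.100.10.50", "10.100.99.10", 389),    # LDAP to the decoy DC
    ("192.168.50.23", "10.100.40.15", 1433),  # guest reaching a database
    ("10.100.10.50", "10.100.10.51", 445),    # SMB between two workstations
    ("10.100.10.50", "10.254.0.5", 22),       # SSH into the management plane
]

def audit(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, str]]:
    """Run every flow through the policy and collect (src, dst, alert) triples."""
    return [(s, d, a) for s, d, p in flows if (a := evaluate_flow(s, d, p))]
```

Feed `audit` with flows parsed from NetFlow or firewall logs; the honey-subnet rule fires on the first packet, before any rate-based scan threshold is reached.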
4. Zero Trust Network Access (ZTNA)
Zero Trust moves away from network-location-based security.
Instead of granting access based on whether a device sits on a "trusted" subnet, every access request must be authenticated, authorized, and cryptographically verified regardless of origin.
Users should only be granted access to the specific applications they need, rather than broad IP routing access to entire subnets.
Monitoring Inter-Subnet Reconnaissance
Below is a Python demonstration showing how a network monitoring script or syslog analyzer can detect horizontal scanning patterns directed at high-value ports within enterprise subnets.
"""subnet_scanner_detector.py — Detects horizontal scanning and target selection.Analyzes Netflow/syslog logs to identify when an IP on a client subnetis scanning ports or probing high-value subnets (points of interest)."""import collectionsfrom typing import Dict, List, Set, Tuple# ── Configuration Constants ────────────────────────────────────────────# Target ports indicating high-value services (Points of Interest)HIGH_VALUE_PORTS: Set[int] = { 88, # Kerberos (Active Directory) 389, # LDAP (Active Directory) 445, # SMB (File sharing, lateral movement) 1433, # Microsoft SQL Server 3389, # Remote Desktop Protocol (RDP)}# Scanning thresholdsMAX_UNIQUE_HOSTS_PER_MINUTE: int = 5MAX_PORT_PROBES_PER_MINUTE: int = 10# ── Class Definitions ──────────────────────────────────────────────────class ConnectionAlert: """ Represents a detected security alert for subnet reconnaissance. Attributes: source_ip: The IP address initiating the scan. alert_type: The type of alert triggered (e.g., 'horizontal_scan'). details: Additional context about the alert. """ def __init__(self, source_ip: str, alert_type: str, details: str) -> None: self.source_ip = source_ip self.alert_type = alert_type self.details = details def trigger(self) -> None: """Logs the alert to the terminal using structured prefixes.""" print(f"[!] Alert: {self.alert_type} detected from {self.source_ip}!") print(f"[*] Details: {self.details}")class SubnetScannerDetector: """ Monitors traffic logs to detect scanning of subnet 'points of interest'. """ def __init__(self) -> None: # Track connection history: {source_ip: [(dest_ip, dest_port, timestamp)]} self._history: Dict[str, List[Tuple[str, int, float]]] = ( collections.defaultdict(list) ) def process_log(self, source_ip: str, dest_ip: str, dest_port: int, timestamp: float) -> None: """ Processes a single connection log entry and checks for scanning activity. 
""" print(f"[*] Processing connection: {source_ip} -> {dest_ip}:{dest_port}") self._history[source_ip].append((dest_ip, dest_port, timestamp)) self._evaluate_source(source_ip, timestamp) def _evaluate_source(self, source_ip: str, current_time: float) -> None: """ Evaluates a specific source IP for scanning behaviors. """ # Filter history to only include events from the last 60 seconds one_minute_ago = current_time - 60.0 recent_connections = [ conn for conn in self._history[source_ip] if conn[2] >= one_minute_ago ] self._history[source_ip] = recent_connections # Analyze unique destinations and high-value port probes unique_destinations: Set[str] = {conn[0] for conn in recent_connections} high_value_probes: List[Tuple[str, int]] = [ (conn[0], conn[1]) for conn in recent_connections if conn[1] in HIGH_VALUE_PORTS ] # Detect horizontal subnet scanning if len(unique_destinations) > MAX_UNIQUE_HOSTS_PER_MINUTE: alert = ConnectionAlert( source_ip=source_ip, alert_type="Horizontal Subnet Scan", details=f"Probed {len(unique_destinations)} hosts in 60s." ) alert.trigger() # Detect high-value service targeting if len(high_value_probes) > MAX_PORT_PROBES_PER_MINUTE: alert = ConnectionAlert( source_ip=source_ip, alert_type="Targeted Points of Interest Probe", details=f"Probed {len(high_value_probes)} high-value ports in 60s." ) alert.trigger()
Conclusion: Turning the Map Against the Attacker
Subnets are the structural foundation of local network architecture.
If left flat or poorly managed, they provide an attacker with open corridors to roam freely.
By implementing strict segment boundaries, monitoring inter-subnet traffic, and using microsegmentation to block internal workstation traffic, organizations can severely limit lateral movement.
Furthermore, the strategic deployment of honey-subnets turns the attacker's search for "points of interest" into their own undoing.
Instead of being a vulnerable playground, the network map becomes a web of detection points, ensuring that the adversary's first step toward lateral movement is also their last.