Organizational Information Gathering

Tactic Description

Organizational information gathering is the process of identifying the critical organizational elements of intelligence an adversary will need about a target in order to best attack it. Similar to competitive intelligence, organizational intelligence gathering focuses on understanding an organization's operational tempo and gaining a deep understanding of the organization and how it operates, in order to best develop a strategy to target it.

Techniques

Below is a list of all the Organizational Information Gathering techniques in pre-attack:

| Name | Tactics | Definition |
|---|---|---|
| Acquire OSINT data sets and information | Organizational Information Gathering | Data sets can be anything from Securities and Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include information gathered on-line as well as in the physical world. [1][2][3] |
| Conduct social engineering | Organizational Information Gathering | Social engineering is the practice of manipulating people in order to get them to divulge information or take an action. [4][5] |
| Determine 3rd party infrastructure services | Organizational Information Gathering | A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise. [6][7][8] |
| Determine centralization of IT management | Organizational Information Gathering | This technique involves determining whether a "corporate" help desk exists, the degree of access and control it has, and whether there are "edge" units that may have different support processes and standards. [9] |
| Determine physical locations | Organizational Information Gathering | Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility. [10] |
| Dumpster dive | Organizational Information Gathering | Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. [11] |
| Identify business processes/tempo | Organizational Information Gathering | Understanding an organization's business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic. [12][2] |
| Identify business relationships | Organizational Information Gathering | Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationships. [13] |
| Identify job postings and needs/gaps | Organizational Information Gathering | Job postings, whether on company sites or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as an under-resourced IT shop). Job postings can also provide information on an organization's structure, which could be valuable in social engineering attempts. [14][10] |
| Identify supply chains | Organizational Information Gathering | Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships. [15][16] |
| Obtain templates/branding materials | Organizational Information Gathering | Templates and branding materials may be used by an adversary to add authenticity to social engineering messages. [12] |

References

  1. Stephen Irwin. (2014, September 8). Creating a Threat Profile for Your Organization. Retrieved March 5, 2017.
  2. InfoSec Institute. (2013, September 11). OSINT (Open-Source Intelligence). Retrieved May 9, 2017.
  3. Dawn Lomer. (2017). 101+ OSINT Resources for Investigators. Retrieved May 9, 2017.
  4. Mathew J. Schwartz. (2011, September 14). Social Engineering Leads APT Attack Vectors. Retrieved March 5, 2017.
  5. Gary Beach. (2003, October 1). Kevin Mitnick on Social Engineering Hackers. Retrieved March 5, 2017.
  6. Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017.
  7. Bruce Schneier. (2017, April 5). APT10 and Cloud Hopper. Retrieved May 9, 2017.
  8. Michael Kan. (2017, April 4). Chinese hackers go after third-party IT suppliers to steal data. Retrieved May 9, 2017.
  9. Scott Rasmussen. (2002, January 28). Centralized Network Security Management: Combining Defense In Depth with Manageable Security. Retrieved March 5, 2017.
  10. Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the “APT” Intelligence Gathering Process. Retrieved March 1, 2017.
  11. Robert B. Fried. (n.d.). Dumpsters: Beware of Treasures. Retrieved March 5, 2017.
  12. Gregory Scasny. (2015, September 14). Understanding Open Source Intelligence (OSINT) and its relationship to Identity Theft. Retrieved March 1, 2017.
  13. Thor Olavsrud. (2014, September 2). 11 Steps Attackers Took to Crack Target. Retrieved March 5, 2017.
  14. Jay D. Krasnow. (2000, October). The Competitive Intelligence and National Security Threat from Website Job Listings. Retrieved March 16, 2017.
  15. Drew Smith. (2015). Is your supply chain safe from cyberattacks? Retrieved March 5, 2017.
  16. CERT-UK. (2016, October 01). Cyber-security risks in the supply chain. Retrieved March 5, 2017.