Technical Information Gathering

Technical information gathering consists of the process of identifying critical technical elements of intelligence an adversary will need about a target in order to best attack. Technical intelligence gathering includes, but is not limited to, understanding the target's network architecture, IP space, network services, email format, and security procedures.

ID: TA0015

Techniques: 20
T1247 Acquire OSINT data sets and information

Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world.

T1254 Conduct active scanning

Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system.

T1253 Conduct passive scanning

Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system.

T1249 Conduct social engineering

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action.

T1260 Determine 3rd party infrastructure services

Infrastructure services include the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than by the owning organization.

T1250 Determine domain and IP address space

Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network.

T1259 Determine external network trust dependencies

Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs).

T1258 Determine firmware version

Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions.

T1255 Discover target logon/email address format

Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is it is likely that others in the company will have an email in the same format.

T1262 Enumerate client configurations

Client configuration information, such as the operating system and web browser, along with additional details such as version or language, is often transmitted as part of web browsing communications. This can be collected in several ways, including use of a compromised web site to gather details on visiting computers.

T1261 Enumerate externally facing software applications technologies, languages, and dependencies

Software applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary.

T1248 Identify job postings and needs/gaps

Job postings, on either company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization, which could be valuable in an attack, or provide insight into possible security weaknesses or limitations in detection or protection mechanisms.

T1263 Identify security defensive capabilities

Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses.

T1246 Identify supply chains

Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain.

T1264 Identify technology usage patterns

Technology usage patterns include whether users work offsite, connect remotely, or use other access methods that may be less restricted or less secured.

T1256 Identify web defensive services

An adversary can attempt to identify web defensive services such as CloudFlare, IPBan, and Snort. This may be done passively, by detecting services such as CloudFlare routing, or actively, such as by purposefully tripping security defenses.

T1252 Map network topology

A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related.

T1257 Mine technical blogs/forums

Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use.

T1251 Obtain domain/IP registration information

For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization.

T1397 Spearphishing for Information

Spearphishing for information is a specific variant of spearphishing. It differs from other forms of spearphishing in that it doesn't leverage malicious code. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. It frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.