Technical Information Gathering

Technical information gathering consists of the process of identifying critical technical elements of intelligence an adversary will need about a target in order to best attack.  Technical intelligence gathering includes, but is not limited to, understanding the target's network architecture, IP space, network services, email format, and security procedures.

ID: TA0015
Created: 17 October 2018
Last Modified: 17 October 2018


Techniques: 20
ID Name Description
T1247 Acquire OSINT data sets and information Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world.
T1254 Conduct active scanning Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system.
T1253 Conduct passive scanning Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system.
T1249 Conduct social engineering Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action.
T1260 Determine 3rd party infrastructure services Infrastructure services includes the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than being managed by the owning organization.
T1250 Determine domain and IP address space Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network.
T1259 Determine external network trust dependencies Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs).
T1258 Determine firmware version Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions.
T1255 Discover target logon/email address format Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is it is likely that others in the company will have an email in the same format.
T1262 Enumerate client configurations Client configurations information such as the operating system and web browser, along with additional information such as version or language, are often transmitted as part of web browsing communications. This can be accomplished in several ways including use of a compromised web site to collect details on visiting computers.
T1261 Enumerate externally facing software applications technologies, languages, and dependencies Software applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary.
T1248 Identify job postings and needs/gaps Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight in to possible security weaknesses or limitations in detection or protection mechanisms.
T1263 Identify security defensive capabilities Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses.
T1246 Identify supply chains Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain.
T1264 Identify technology usage patterns Technology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques.
T1256 Identify web defensive services An adversary can attempt to identify web defensive services as CloudFlare, IPBan, and Snort. This may be done by passively detecting services, like CloudFlare routing, or actively, such as by purposefully tripping security defenses.
T1252 Map network topology A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related.
T1257 Mine technical blogs/forums Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use.
T1251 Obtain domain/IP registration information For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization.
T1397 Spearphishing for Information Spearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it it doesn't leverage malicious code. All forms of spearphishing are elctronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means.