Technical Weakness Identification

Technical weakness identification consists of identifying and analyzing the weaknesses and vulnerabilities collected during the intelligence gathering phases to determine the best approach based on technical complexity and adversary priorities (e.g., expediency, stealthiness).

ID: TA0018
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques

Techniques: 9
T1293 Analyze application security posture

An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way.

T1288 Analyze architecture and configuration posture

An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls.

T1287 Analyze data collected

An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the configuration or architecture.

T1294 Analyze hardware/software security defensive capabilities

An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way.

T1289 Analyze organizational skillsets and deficiencies

Analyze the strengths and weaknesses of the target to identify potential areas on which to focus compromise efforts.

T1389 Identify vulnerabilities in third-party software libraries

Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library.

T1291 Research relevant vulnerabilities/CVEs

Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable.

T1290 Research visibility gap of security vendors

If an adversary can identify which security tools a victim is using, they may be able to identify ways around those tools.

T1292 Test signature detection

An adversary can test the detection of malicious emails or files by using publicly available services, such as VirusTotal, to see if their files or emails cause an alert. They can also use similar services that are not openly available and do not publish results publicly, or they can test on their own internal infrastructure.