Technical Weakness Identification

Technical weakness identification consists of identifying and analyzing the weaknesses and vulnerabilities collected during the intelligence gathering phases to determine the best approach based on technical complexity and adversary priorities (e.g., expediency, stealthiness).
ID: TA0018

Techniques

Techniques: 9
ID  Name  Description
T1293  Analyze application security posture

An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way.

T1288  Analyze architecture and configuration posture

An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls.

T1287  Analyze data collected

An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the configuration or architecture.

T1294  Analyze hardware/software security defensive capabilities

An adversary can probe a victim's network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way.

T1289  Analyze organizational skillsets and deficiencies

Analyze the strengths and weaknesses of the target to identify potential areas on which to focus compromise efforts.

T1389  Identify vulnerabilities in third-party software libraries

Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library.

T1291  Research relevant vulnerabilities/CVEs

Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable.

T1290  Research visibility gap of security vendors

If an adversary can identify which security tools a victim is using, they may be able to identify ways around those tools.

T1292  Test signature detection

An adversary can test the detection of malicious emails or files by using publicly available services, such as VirusTotal, to see if their files or emails cause an alert. They can also use similar services that are not openly available and do not publish results, or they can test on their own internal infrastructure.