Analyze data collected

An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the confirmation or architecture. [1] [2] [3] [4]

ID: T1287
Sub-techniques:  No sub-techniques
Tactic: Technical Weakness Identification
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: This can be done offline after the data has been collected.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Many of the common tools highlight these weaknesses automatically. Adversary can "dry run" against the target using known exploits or burner devices to determine key identifiers of software, hardware, and services.


  1. Jamal Raiyn. (2014). A survey of Cyber Attack Detection Strategies. Retrieved March 5, 2017.
  2. H. P. Sanghvi and M. S. Dahiya. (2013, February). Cyber Reconnaissance: An Alarm before Cyber Attack. Retrieved March 5, 2017.
  1. Rotem Kerner. (2015, October). RECONNAISSANCE: A Walkthrough of the “APT” Intelligence Gathering Process. Retrieved March 1, 2017.
  2. FireEye, Inc. (2014). APT 28: A Window into Russia’s Cyber Espionage Operations?. Retrieved March 1, 2017.