People Information Gathering - Pre-ATT&CK

Table of Contents

People Information Gathering - Pre-ATT&CK

  • People Information Gathering consists of the process of identifying critical personnel elements of intelligence an adversary will need about a target in order to best attack. People intelligence gathering focuses on identifying key personnel or individuals with critical accesses in order to best approach a target for attack. It may involve aspects of social engineering, elicitation, mining social media sources, or be thought of as understanding the personnel element of competitive intelligence.

Acquire OSINT data sets and information

  • Acquire OSINT data sets and information - Pre-ATT&CK
    • Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise.1

Aggregate individual's digital footprint

  • Aggregate individual's digital footprint - Pre-ATT&CK
    • In addition to a target's social media presence may exist a larger digital footprint, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary familiar with a target's username can mine to determine the target's larger digital footprint via publicly available sources.

Conduct social engineering

Identify business relationships

  • Identify business relationships - Pre-ATT&CK
    • Business relationship information includes the associates of a target and may be discovered via social media sites such as LinkedIn or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship.

Identify groups/roles

  • Identify groups/roles - Pre-ATT&CK
    • Personnel internally to a company may belong to a group or maintain a role with electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is a system administrator.

Identify job postings and needs/gaps

  • Identify job postings and needs/gaps - Pre-ATT&CK
    • Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts.

Identify people of interest

  • Identify people of interest - Pre-ATT&CK
    • The attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target.

Identify personnel with an authority/privilege

  • Identify personnel with an authority/privilege - Pre-ATT&CK
    • Personnel internally to a company may have non-electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers.

Identify sensitive personnel information

  • Identify sensitive personnel information - Pre-ATT&CK
    • An adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online.

Identify supply chains

  • Identify supply chains - Pre-ATT&CK
    • Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain.

Mine social media

  • Mine social media - Pre-ATT&CK
    • An adversary may research available open source information about a target commonly found on social media sites such as Facebook, Instagram, or Pinterest. Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary.