Technical Information Gathering

Technical Information Gathering - Pre-ATT&CK

  • Technical information gathering consists of the process of identifying critical technical elements of intelligence an adversary will need about a target in order to best attack. Technical intelligence gathering includes, but is not limited to, understanding the target's network architecture, IP space, network services, email format, and security procedures.

Acquire OSINT data sets and information

  • Acquire OSINT data sets and information
    • Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered online, such as from search engines, and information gathered in the physical world.

Conduct Active Scanning

  • Conduct Active Scanning - Pre-ATT&CK
    • Active scanning is the act of sending transmissions to end nodes and analyzing the responses in order to identify information about the communications system.

Conduct passive scanning


Conduct social engineering


Determine 3rd party infrastructure services

  • Determine 3rd party infrastructure services - Pre-ATT&CK
    • Infrastructure services include the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than by the owning organization.

Determine domain and IP address space

  • Determine domain and IP address space - Pre-ATT&CK
    • Domain names are the human-readable names used to represent one or more IP addresses. IP addresses are the unique identifiers of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network.

Determine external network trust dependencies


Determine firmware version

  • Determine firmware version - Pre-ATT&CK
    • Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions.

Discover target logon/email address format

  • Discover target logon/email address format - Pre-ATT&CK
    • Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example, if a known email address is first.last@company.com, it is likely that others in the company will have an email address in the same format.

Enumerate client configurations

  • Enumerate client configurations - Pre-ATT&CK
    • Client configuration information, such as the operating system and web browser, along with additional details such as version or language, is often transmitted as part of web browsing communications. This can be collected in several ways, including use of a compromised web site to gather details on visiting computers.

Enumerate externally facing software applications technologies, languages, and dependencies


Identify job postings and needs/gaps

  • Identify job postings and needs/gaps - Pre-ATT&CK
    • Job postings, on either company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization, which could be valuable in an attack, or provide insight into possible security weaknesses or limitations in detection or protection mechanisms.

Identify security defensive capabilities


Identify supply chains

  • Identify supply chains - Pre-ATT&CK
    • Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain.

Identify technology usage patterns


Identify web defensive services

  • Identify web defensive services - Pre-ATT&CK
    • An adversary can attempt to identify web defensive services such as CloudFlare, IPBan, and Snort. This may be done passively, such as by detecting CloudFlare routing, or actively, such as by purposefully tripping security defenses.

Map network topology

  • Map network topology - Pre-ATT&CK
    • A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related.

Mine technical blogs/forums

  • Mine technical blogs/forums - Pre-ATT&CK
    • Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use.

Obtain domain/IP registration information


Spearphishing for Information

  • Spearphishing for Information - Pre-ATT&CK
    • Spearphishing for information is a specific variant of spearphishing. It differs from other forms of spearphishing in that it doesn't leverage malicious code. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. It frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing the user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.