- Tactics: Reconnaissance
- Platforms: PRE
- Reference: attack.mitre.org/techniques/T1597
Description
Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime black markets.(Citation: ZDNET Selling Data)
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Valid Accounts).
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Reconnaissance tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1589 — Gather Victim Identity Information
- T1590 — Gather Victim Network Information
- T1591 — Gather Victim Org Information
- T1592 — Gather Victim Host Information
- T1593 — Search Open Websites/Domains
- T1594 — Search Victim-Owned Websites
- T1595 — Active Scanning
- T1596 — Search Open Technical Databases
- T1598 — Phishing for Information
- T1681 — Search Threat Vendor Data
- T1682 — Query Public AI Services