Many of you have probably already heard about the MITRE ATT&CK framework.
The framework is an important point of reference at international level and used within thousands of projects, detection rules, platforms.
The Adversarial Tactics, Techniques, and Common Knowledge is a guideline for classifying and describing cyberattacks and intrusions. It was created by the Mitre Corporation and released in 2013.
Rather than looking at the results of an attack (aka an indicator of compromise (IoC)), it identifies tactics that indicate an attack is in progress. Tactics are the “why” of an attack technique.
The framework consists of 14 tactics categories consisting of “technical objectives” of an adversary. These categories are then broken down further into specific techniques and sub-techniques.
The framework is an alternative to the cyber kill chain developed by Lockheed Martin.
Recently I had the opportunity, thanks to the Threat Intelligence and Threat Hunting activities carried out within my team, to contribute to the project and in particular to the Reconnaissance tactic.
The Reconnaissance tactic in the MITRE ATT&CK framework refers to adversaries’ pre-attack activities to gather information about a target system, network, or environment. This tactic includes a range of actions that attackers use to identify potential entry points, valuable assets, and weak spots in defenses before they execute more overt activities like initial access or exploitation. Reconnaissance is often done passively to avoid detection, leveraging publicly accessible data sources (open-source intelligence, or OSINT) or scanning network resources from a distance.
Some key techniques within the Reconnaissance tactic include:
- Active Scanning – Searching for and probing network services, ports, or vulnerabilities.
- Search for Publicly Available Information – Using websites, social media, or open-source databases to collect information on the target organization, its employees, or third-party dependencies.
- Gather Victim Host Information – Learning about the hardware, operating systems, and software applications used by the target.
- Gather Victim Identity Information – Identifying user accounts, email addresses, and other identifying details associated with the target.
- Gather Victim Network Information – Mapping IP ranges, domain names, and infrastructure details that could assist in future attacks.
The information gathered in this stage enables attackers to plan and prioritize their efforts, often making later stages more effective by customizing the attack approach based on the target’s unique environment.
Our team has a very broad experience with this tactic, thanks to the development that has been carried out over the years within our Threat Intelligence Platform SATAYO.
We experience daily with the different elements that a Threat Actor identifies to organize its attack. We have always considered the reconnaissance phase a fundamental step in the attack process, the phase in which the attacker invests a lot in terms of time, because the quality of this phase will be what will determine the success or failure of the attack.
The contribution concerns the technique “Gather Victim Identity Information: Credentials“, which focuses on the possibility, by the Threat Actor, to identify credentials, within different sources and using different tools, to be used as initial access.
The technique is strongly related, in this historical moment, to the actions that can be realized through the use of infostealer malware and my research activities that allowed me to contribute to the project have an important focus on this theme.
Thanks to Würth Phoenix and Würth Group, who through the structure of the Cyber Defence Center give us the opportunity to carry out research activities that can then be shared with the entire community, with the common goal of increasing our resilience towards TTPs used by Threat Actors.
Massimo Giaimo
Author
