Currently viewing ATT&CK v7.2, which was live between July 8, 2020 and October 26, 2020.

People Information Gathering

People Information Gathering is the process of identifying the critical personnel-related intelligence an adversary needs about a target in order to best attack it. People intelligence gathering focuses on identifying key personnel or individuals with critical accesses in order to best approach a target for attack. It may involve aspects of social engineering, elicitation, or mining social media sources, or it may be thought of as understanding the personnel element of competitive intelligence.

ID: TA0016
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques

Techniques: 11
| ID | Name | Description |
| --- | --- | --- |
| T1266 | Acquire OSINT data sets and information | Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. |
| T1275 | Aggregate individual's digital footprint | Beyond a target's social media presence, a larger digital footprint may exist, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary familiar with a target's username can mine publicly available sources to determine the target's larger digital footprint. |
| T1268 | Conduct social engineering | Social engineering is the practice of manipulating people in order to get them to divulge information or take an action. |
| T1272 | Identify business relationships | Business relationship information includes the associates of a target and may be discovered via social media sites such as LinkedIn or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationships. |
| T1270 | Identify groups/roles | Personnel internal to a company may belong to a group or hold a role with specialized electronic access, authorities, or privileges that make them an attractive target for an adversary. One example of this is a system administrator. |
| T1267 | Identify job postings and needs/gaps | Job postings, whether on company sites or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. |
| T1269 | Identify people of interest | An adversary attempts to identify people of interest, or people with an inherent weakness, for direct or indirect targeting in order to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. |
| T1271 | Identify personnel with an authority/privilege | Personnel internal to a company may have non-electronic specialized access, authorities, or privileges that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. |
| T1274 | Identify sensitive personnel information | An adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online. |
| T1265 | Identify supply chains | Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships that are part of the supply chain. |
| T1273 | Mine social media | An adversary may research available open source information about a target commonly found on social media sites such as Facebook, Instagram, or Pinterest. Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary. |