Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020.

Organizational Information Gathering

Organizational information gathering is the process of identifying the critical organizational elements of intelligence an adversary will need about a target in order to best attack it. Similar to competitive intelligence, organizational intelligence gathering focuses on understanding an organization's operational tempo and gaining a deep understanding of the organization and how it operates, in order to best develop a strategy to target it.

ID: TA0017
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques

Techniques: 11
ID | Name | Description
T1277 | Acquire OSINT data sets and information | Data sets can be anything from Securities and Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered online as well as in the physical world.
T1279 | Conduct social engineering | Social engineering is the practice of manipulating people in order to get them to divulge information or take an action.
T1284 | Determine 3rd party infrastructure services | A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise.
T1285 | Determine centralization of IT management | Determining if a "corporate" help desk exists, the degree of access and control it has, and whether there are "edge" units that may have different support processes and standards.
T1282 | Determine physical locations | Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility.
T1286 | Dumpster dive | Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest.
T1280 | Identify business processes/tempo | Understanding an organization's business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic.
T1283 | Identify business relationships | Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationships.
T1278 | Identify job postings and needs/gaps | Job postings, whether on company sites or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as an under-resourced IT shop). Job postings can also provide information on an organization's structure, which could be valuable in social engineering attempts.
T1276 | Identify supply chains | Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships.
T1281 | Obtain templates/branding materials | Templates and branding materials may be used by an adversary to add authenticity to social engineering messages.