How to Defeat MITRE ATT&CK Reconnaissance Techniques

MITRE ATT&CK Reconnaissance (TA0043) techniques section maps out how threat actors gather information about potential targets. 

Like other ATT&CK tactics (like initial access and lateral movement), reconnaissance provides useful threat intelligence on adversary tactics, techniques, and procedures (TTPs). It is a realistic approximation of what will happen if you become a target.

Most attack chains will involve one or more techniques outlined before initial access. In one review of recently reported manufacturing cyber attacks reported by PwC, 24% of attacks started with reconnaissance activity and were then followed by hacking or system penetration. The remainder almost certainly did, too, but the reconnaissance was too stealthy to be noticed during remediation. 

Technical security controls can’t prevent all MITRE ATT&CK reconnaissance techniques. But they can mitigate the risk of some of them effectively. 

This blog reviews MITRE ATT&CK reconnaissance techniques and shows how SenseOn can help you detect and respond to some of them. 

What the MITRE ATT&CK Reconnaissance Techniques Mean

Below are 10 MITRE ATT&CK reconnaissance techniques cyber threats use to learn more about potential victims before they start their attack. 

T1595 Active Scanning

This is when threat actors start pinging your network by sending packets or requests to the target network or system to elicit responses with a tool like Nmap to do vulnerability scanning and find open ports.

Cybercriminals are keen to see if anything inside your systems matches an exploit they have in their armoury. For example, if you have a device with legacy software installed and exposed to the open web like Internet Explorer. 

T1592 Gather Victim Host Information

The threat actor’s aim here is to collect details about operating systems, IP addresses, and installed software on your hosts. They want to figure out your configuration details, assigned IPs and other data to help them determine how to compromise you.

T1589 Gather Victim Identity Information

This tactic involves collecting personal information about people inside your network (i.e., employees), like their names, job titles, email addresses, and social media profiles. 

The information collected is often used for spear-phishing or social engineering attacks aimed at privilege escalation or getting authentication credentials.

T1590 Gather Victim Network Information

This is when threats want to discover your network topology and pathways for quick lateral movement from one endpoint to another and towards your crown jewels. 

An attacker might use a tool like Wireshark to capture packets from your network traffic and figure out things like IP ranges, domain names, and network services. 

T1591 Gather Victim Org Information

This involves collecting information about what your organisation looks like, i.e., who reports to whom, and, most importantly, who will respond to phishing emails and from what compromised account with the least questions being raised. 

This helps target phishing and social engineering campaigns. To get this information, you’ll see threat actors looking for leaked employee handbooks, LinkedIn profiles, Glassdoor reviews and other OSINT sources. 

T1598 Phishing for Information

“John from your third-party IT service provider here, can you let me know what account to send our invoices to? We’ve just changed our internal systems.” 

Threat actors aren’t just looking for you to click on malware but also to give them information about how your IT and financial systems work. This kind of information gathering happens mostly through email but can also come from phone calls or social media inquiries.

Some studies say 98% of cyber attacks involve social engineering.

T1597 Search Closed Sources

This technique involves looking for information on non-public or restricted sources like data broker websites (for example, Whitepages) or password-protected forums. However, cybercriminals might also buy databases off the dark web. The aim here is to gather information for phishing and credential abuse.

T1596 Search Open Technical Databases

If you are a target, threat actors will scan your team’s GitHub for accidentally disclosed credentials or other sensitive information. They will also look at public WHOIS data and DNS data.

T1593 Search Open Websites/Domains

This is another reconnaissance tactic focused on human factor vulnerabilities. Threats will look on sites like Linkedin and forums like Reddit to find employee directories, technical documents, or any other tidbits of information that can be used for attacks or to get 

credential access.

T1594 Search Victim-Owned Websites

This involves searching websites for manuals, directories, content databases, calendars and other information repositories or bits of your knowledge base that could aid in an attack.

Using SenseOn to Defeat MITRE ATT&CK Techniques

SenseOn is a cyber security platform that collects native endpoint and network telemetry from physical, virtual and cloud-hosted IT environments with a single sensor, including networks and endpoints.

SenseOn can detect the following ATT&CK reconnaissance techniques: 

T1595 Active Scanning

SenseOn’s advanced NDR capabilities can detect unusual network scans and block the originating IP. 

SenseOn’s EDR capabilities can flag suspicious activities on endpoints.

T1590 Gather Victim Network Information

SenseOn’s advanced NDR can identify abnormal traffic patterns indicative of network mapping.

T1592 Gather Victim Host Information

SenseOn’s advanced EDR can monitor for unauthorised data collection activities on endpoints and block them.

Get Started with SenseOn

SenseOn’s advanced NDR, UEBA and EDR capabilities can help security teams spot and shut down active reconnaissance techniques such as T1595 (Active Scanning), T1590 (Gather Victim Network Information), and T1592 (Gather Victim Host Information).

SenseOn’s combination of data sources gives it incredible telemetry, so when an unusual IP starts exploring your attack surface, SenseOn can find it and block it automatically.

Contact us to learn more.