Reconnaissance in MITRE ATT&CK

MITRE ATT&CK’s Reconnaissance tactic refers to the set of activities an adversary performs before launching an actual attack. Think of it as the information-gathering stage—the attacker is collecting details about a target environment, employees, technologies, or vulnerabilities to plan their operation.

Reconnaissance can be passive or active:

  • Passive recon: Attacker gathers information without interacting directly with the target (e.g., searching public data).
  • Active recon: Attacker interacts with the target system/network (e.g., scanning).

🧠 Why Reconnaissance Matters

Adversaries need recon to:

  • Understand the target’s infrastructure
  • Identify weak points
  • Tailor phishing, exploits, and malware
  • Increase attack success while reducing detection

This stage often leaves minimal logs on the target's own systems (passive recon never touches them at all), which makes it hard for defenders to detect.


🕵️‍♂️ Common Reconnaissance Techniques (MITRE)

Below are the main techniques under MITRE’s Reconnaissance tactic (TA0043).

1. Active Scanning (T1595)

Attackers probe systems directly to gather:

  • Open ports
  • Services
  • Operating systems
  • Exposed devices

Examples:

  • Nmap/Zenmap scanning
  • Masscan internet-wide scans

Variants:

  • IP Block Scanning (T1595.001) – scanning networks or IP ranges
  • Vulnerability Scanning (T1595.002) – scanning for specific CVEs
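Active scanning is the one recon technique that does touch the target, so it is also the one a defender can catch in their own logs. The following is an added example, not part of the original article or of MITRE ATT&CK: it slides a time window over constructed firewall deny records and raises an alert for a vertical scan (one source, many ports on one host) or a horizontal sweep (one source, one port across many hosts). The log format, addresses and thresholds are invented for the example.

```python
"""Detect port-scan patterns in firewall deny logs.

Added illustration for the Active Scanning (T1595) section; the log format,
addresses and thresholds are constructed for this example and not taken from
any particular firewall product.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, loosely modelled on a syslog-style firewall deny log.
# 203.0.113.7 walks many ports on one host (vertical scan); 198.51.100.4 hits
# one port across a range of hosts (horizontal sweep); 192.0.2.50 is noise.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2024-05-01T10:00:01Z DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2024-05-01T10:00:02Z DENY src=203.0.113.7 dst=192.0.2.10 dport=80
2024-05-01T10:00:02Z DENY src=203.0.113.7 dst=192.0.2.10 dport=443
2024-05-01T10:00:03Z DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-05-01T10:00:03Z DENY src=203.0.113.7 dst=192.0.2.10 dport=8080
2024-05-01T10:00:10Z DENY src=198.51.100.4 dst=192.0.2.1 dport=445
2024-05-01T10:00:10Z DENY src=198.51.100.4 dst=192.0.2.2 dport=445
2024-05-01T10:00:11Z DENY src=198.51.100.4 dst=192.0.2.3 dport=445
2024-05-01T10:00:11Z DENY src=198.51.100.4 dst=192.0.2.4 dport=445
2024-05-01T10:00:12Z DENY src=198.51.100.4 dst=192.0.2.5 dport=445
2024-05-01T10:30:00Z DENY src=192.0.2.50 dst=192.0.2.10 dport=443
2024-05-01T10:31:00Z DENY src=192.0.2.50 dst=192.0.2.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass
class Alert:
    src: str
    kind: str      # "vertical" (many ports, one host) or "horizontal" (one port, many hosts)
    target: str    # the host (vertical) or the port (horizontal) being scanned
    count: int     # peak number of distinct ports or hosts seen inside one window


def parse_log(text: str) -> list[Event]:
    """Turn deny lines into Event objects; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            m["src"], m["dst"], int(m["dport"])))
    return events


def _upsert(alerts, src, kind, target, count):
    """Keep one alert per (source, kind, target) and record the peak count seen."""
    key = (src, kind, target)
    if key not in alerts:
        alerts[key] = Alert(src, kind, target, count)
    elif count > alerts[key].count:
        alerts[key].count = count


def detect_scans(events, window=timedelta(seconds=60),
                 port_threshold=5, host_threshold=5) -> list[Alert]:
    """Slide a time window over each source's denied connections and alert when
    the distinct-port (per host) or distinct-host (per port) count reaches a threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    alerts: dict[tuple, Alert] = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, e in enumerate(evs):
            while evs[start].ts < e.ts - window:   # drop events older than the window
                start += 1
            ports_per_host, hosts_per_port = defaultdict(set), defaultdict(set)
            for w in evs[start:end + 1]:
                ports_per_host[w.dst].add(w.dport)
                hosts_per_port[w.dport].add(w.dst)
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    _upsert(alerts, src, "vertical", dst, len(ports))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= host_threshold:
                    _upsert(alerts, src, "horizontal", str(port), len(hosts))
    return sorted(alerts.values(), key=lambda a: (a.src, a.kind))


if __name__ == "__main__":
    for a in detect_scans(parse_log(SAMPLE_LOG)):
        what = "ports on host" if a.kind == "vertical" else "hosts on port"
        print(f"{a.kind:<10} scan from {a.src}: {a.count} distinct {what} {a.target}")
```

Thresholds this low will fire on legitimate monitoring systems and vulnerability scanners you run yourself, so in practice the source list is checked against an allow-list of known scanners before an alert is raised.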

2. Gather Victim Identity Information (T1589)

Collecting personal data of employees or executives to plan phishing or impersonation.

Types:

  • Email addresses (T1589.002)
  • Employee names, roles, org charts
  • Credentials leaked online (T1589.003)

Sources include LinkedIn, Facebook, GitHub, corporate websites.


3. Gather Victim Org Information (T1591)

Understanding the target organization’s structure and operation.

Examples:

  • Corporate hierarchy
  • Business partners
  • Locations
  • Public filings (SEC, financial reports)

4. Gather Victim Network Information (T1590)

Identifying network infrastructure such as:

  • IP addresses
  • DNS records
  • VPN gateways
  • Cloud services

Examples:

  • DNS enumeration
  • WHOIS lookups
  • AS number checks

Sub-techniques:

  • Domains (T1590.001)
  • DNS Records (T1590.002)
  • IP Addresses (T1590.005)
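Everything an adversary learns under T1590 from DNS and certificate data is equally available to the defender, so the practical counter is to look at your own external footprint the same way and reconcile it with what you think is exposed. The block below is an added example, not code from the original article or from MITRE: it reads a constructed certificate-transparency search result (in the shape such services return, with newline-separated SANs in a `name_value` field) and reports hostnames that are missing from an asset inventory, plus wildcard certificates. The domain, inventory and JSON values are all invented.

```python
"""Review certificate-transparency results against an asset inventory.

Added illustration for the Gather Victim Network Information (T1590) section;
the JSON below is constructed in the shape returned by public CT search
services (fields trimmed, values invented) and the inventory is made up.
"""
import json

BASE_DOMAIN = "example.com"   # constructed: the organisation's registered domain

# Constructed CT search response. Multi-name certificates list their SANs
# newline-separated in name_value; one entry has mixed case and a trailing dot,
# one is a wildcard, and one ("notexample.com") is an unrelated third party.
CT_RESPONSE = json.dumps([
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "example.com\nwww.example.com", "not_after": "2025-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "vpn.example.com", "not_after": "2025-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "vpn-old.example.com", "not_after": "2023-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "*.dev.example.com", "not_after": "2025-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Example CA, CN=Example CA R1",
     "name_value": "Jenkins.Internal.example.com.", "not_after": "2025-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Other CA, CN=Other CA G2",
     "name_value": "notexample.com", "not_after": "2025-06-01T00:00:00"},
])

# What the organisation believes is meant to be public (constructed).
INVENTORY = {"example.com", "www.example.com", "vpn.example.com"}


def ct_names(response_json: str) -> set[str]:
    """Extract every certificate name from a CT response, normalised to
    lowercase with any trailing dot removed so comparisons are exact."""
    names = set()
    for entry in json.loads(response_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name:
                names.add(name)
    return names


def in_scope(name: str, base_domain: str) -> bool:
    """True for the base domain and its subdomains only. A plain
    endswith(base_domain) would wrongly accept 'notexample.com'."""
    return name == base_domain or name.endswith("." + base_domain)


def review_exposure(names, inventory, base_domain=BASE_DOMAIN) -> dict[str, list[str]]:
    """Split in-scope CT names into hosts missing from the inventory (forgotten or
    shadow systems, just as discoverable to an adversary as to you) and wildcard
    certificates (which hide the host list from CT and deserve their own review)."""
    inv = {n.lower() for n in inventory}
    findings = {"unknown": [], "wildcard": []}
    for name in sorted(names):
        if not in_scope(name, base_domain):
            continue
        if name.startswith("*."):
            findings["wildcard"].append(name)
        elif name not in inv:
            findings["unknown"].append(name)
    return findings


if __name__ == "__main__":
    result = review_exposure(ct_names(CT_RESPONSE), INVENTORY)
    for category, hosts in result.items():
        for host in hosts:
            print(f"{category:<9} {host}")
```

Run this on a schedule and diff the output against the previous run: a new "unknown" entry is either a deployment nobody told the security team about or a certificate someone else obtained for your namespace, and both deserve a ticket.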

5. Gather Victim Technical Information (T1592)

Researching the organization’s technologies such as:

  • Operating systems
  • Software versions
  • Hardware devices
  • Cloud platforms

Sources:

  • Job postings (listing required tools)
  • GitHub repositories
  • Tech blogs

6. Search Open Sources (T1593)

Collecting information from publicly available resources.

Examples:

  • Search engines (Google, Bing)
  • Social media
  • Online databases
  • Public code repositories
  • Dark web forums

Sub-techniques:

  • Search Engines (T1593.001)
  • Social Media (T1593.002)

7. Phishing for Information (T1598)

Using social engineering to extract data.

Examples:

  • Email asking for employee credentials
  • Fake HR messages
  • Telephone pretexting

Sub-techniques:

  • Spearphishing Service (T1598.003)
  • Spearphishing Link (T1598.002)
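The examples above share a few observable traits: a trusted display name on an external sender domain, a Reply-To that points somewhere other than the From address, and a request for credentials. The following added example (not from the original article or from MITRE) scores a raw e-mail on exactly those indicators using Python's standard `email` module. The two sample messages, the internal domain and the protected-name list are constructed for the example, and the checks are simple heuristics rather than a replacement for a mail security gateway.

```python
"""Score an e-mail for Phishing-for-Information indicators.

Added illustration for the Phishing for Information (T1598) section; the two
messages, the internal domain and the protected-name list are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}       # constructed: the organisation's own domains
PROTECTED_NAMES = {"jane doe"}           # constructed: names likely to be impersonated
CREDENTIAL_PATTERNS = [                  # phrases that ask the reader for secrets
    r"\bpassword\b",
    r"\bverify your (?:account|login)\b",
    r"\bconfirm your (?:account|identity)\b",
    r"\blog ?in (?:details|credentials)\b",
]

# Constructed credential-harvesting message: external sender domain with an
# internal person's display name, a Reply-To elsewhere, a request for a password.
SAMPLE_PHISH = """\
From: "Jane Doe" <jane.doe@example-hr.net>
To: staff@example.com
Reply-To: records@collector.invalid
Subject: Urgent: HR needs you to verify your account today

Hi,
HR is updating its records. Please reply with your username and password
by end of day so we can confirm your account.
"""

# Constructed ordinary internal message.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: staff@example.com
Subject: Q3 all-hands recording

Hi all, the recording from yesterday is on the intranet.
"""


def sender_domain(header_value: str) -> str:
    """Domain part of an address header such as From or Reply-To."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def text_body(msg) -> str:
    """Concatenate the text/plain parts of a message (single-part or multipart)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the indicators found; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(msg.get("From", ""))
    reply_dom = sender_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom

    if from_dom not in INTERNAL_DOMAINS and display_name.strip().lower() in PROTECTED_NAMES:
        findings.append(f"display name '{display_name}' used from external domain {from_dom}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    text = (msg.get("Subject", "") + "\n" + text_body(msg)).lower()
    hits = [p for p in CREDENTIAL_PATTERNS if re.search(p, text)]
    if hits:
        findings.append(f"asks for credentials ({len(hits)} matching phrases)")
    return findings


def is_suspicious(raw_message: str, min_indicators: int = 2) -> bool:
    """Require two independent indicators to keep false positives down."""
    return len(phishing_indicators(raw_message)) >= min_indicators


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

Requiring two indicators matters: a Reply-To on a different domain is common in legitimate mail from ticketing and newsletter systems, and on its own would drown the analyst in false positives.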

8. Obtain Capabilities (T1588)

Although MITRE categorizes this under the Resource Development tactic rather than Reconnaissance, it is often part of the recon phase in practice.

Adversaries acquire:

  • Malicious tools
  • Infrastructure (servers, domains)
  • Zero-day exploits

Used to support later attack stages.


🛡️ How Defenders Detect & Mitigate Reconnaissance

  • Monitor external scanning activity (connection-rate thresholds, unfamiliar source IPs)
  • Use threat intelligence feeds to track scanning campaigns
  • Apply web application firewalls (WAF)
  • Regularly review DNS records and certificate transparency logs
  • Train employees to recognise phishing (security awareness)
  • Reduce publicly exposed data
  • Implement rate limiting and CAPTCHA on public portals
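The last item, rate limiting with CAPTCHA escalation, is what slows down both active scanning of a login portal and the credential-stuffing that follows identity recon. Below is an added example, not code from the original article or from MITRE: a per-client sliding-window limiter that answers "allow", "deny" or "captcha" for each request, with a fake clock so the simulated burst is deterministic. The limits, client keys and request pattern are constructed.

```python
"""Per-client sliding-window rate limit with a CAPTCHA escalation step.

Added illustration for the "rate limiting and CAPTCHA on public portals"
mitigation; the limits, client keys and simulated request pattern are
constructed for this example.
"""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key.

    The key should identify the client as the portal sees it, typically source
    IP plus endpoint, so the login form and the password-reset form are budgeted
    separately. After `captcha_after` consecutive rejections the client is told
    to solve a CAPTCHA before further attempts are considered."""

    def __init__(self, limit: int, window: float, captcha_after: int = 3,
                 clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.captcha_after = captcha_after
        self.clock = clock                      # injectable for deterministic tests
        self._hits = defaultdict(deque)         # key -> timestamps inside the window
        self._rejections = defaultdict(int)     # key -> consecutive rejections

    def check(self, key: str) -> str:
        """Return "allow", "deny" or "captcha" for one request from `key`."""
        now = self.clock()
        q = self._hits[key]
        while q and q[0] <= now - self.window:  # expire timestamps outside the window
            q.popleft()
        if len(q) >= self.limit:
            self._rejections[key] += 1
            return "captcha" if self._rejections[key] >= self.captcha_after else "deny"
        q.append(now)
        self._rejections[key] = 0               # a successful request clears the streak
        return "allow"


class FakeClock:
    """Deterministic clock so the simulation does not depend on wall time."""

    def __init__(self, start: float = 1000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate() -> list[str]:
    """Burst from one client against the login endpoint, then a quiet period."""
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=5, window=60.0, captcha_after=3, clock=clock)
    results = []
    for _ in range(9):                          # 5 allowed, 2 denied, then captcha
        results.append(limiter.check("203.0.113.7|/login"))
        clock.advance(1.0)
    results.append(limiter.check("198.51.100.4|/login"))   # another client is unaffected
    clock.advance(60.0)                         # the first client's window expires
    results.append(limiter.check("203.0.113.7|/login"))
    return results


if __name__ == "__main__":
    print(simulate())
```

Keying on source IP alone is not enough against recon spread across many addresses, which is why the CAPTCHA step and the per-account counters a real portal keeps alongside this one are still needed.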