T1597 Search Closed Sources
Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.1 Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.2
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Valid Accounts).
| Item | Value |
|---|---|
| ID | T1597 |
| Sub-techniques | T1597.001, T1597.002 |
| Tactics | TA0043 |
| Platforms | PRE |
| Version | 1.0 |
| Created | 02 October 2020 |
| Last Modified | 15 April 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G1011 | EXOTIC LILY | EXOTIC LILY has searched for information on targeted individuals on business databases including RocketReach and CrunchBase.3 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
References
-
Banerd, W. (2019, April 30). 10 of the Best Open Source Threat Intelligence Feeds. Retrieved October 20, 2020. ↩
-
Cimpanu, C. (2020, May 9). A hacker group is selling more than 73 million user records on the dark web. Retrieved October 20, 2020. ↩
-
Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. ↩