How the MITRE ATT&CK Framework Uses Reconnaissance to Plan & Carry Out Attacks

A hacker doing MITRE ATT&CK reconnaissance to gather data for a cyber attack


Our opening post in this series introduced our readers to the Modern Cybersecurity Framework. While the threat landscape is clearly dangerous, efforts to understand and adapt to the hazards are ongoing. Thankfully, helpful information is readily available.

As a Managed IT Services provider serving the SMB community in West Chicago, Dupage County, Kane County, and the other collar counties surrounding Chicago, we pay particular attention to incidents that can kill the dreams of small business owners and, by extension, their employees.


This post will address the first of fourteen tactics, namely, Reconnaissance. Per MITRE:

“Reconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.”

If this sounds war-like, it’s not by accident. Modern warfare is ongoing, whether from nation-states, state-sponsored criminal enterprises, or private groups and individuals. While their goals vary, the tactics employed are nearly identical.

Reconnaissance is the military term for exploration of enemy territory to gain vital information about opposing forces and the environment they inhabit. This activity originally involved “scouts” who were tasked with the responsibility to learn everything they can about the enemy, often at great personal risk. 

In this context, reconnaissance involves efforts to gain information from unsuspecting potential cybercrime victims. Adversaries use both active and passive scanning tools to identify weak targets with exploitable vulnerabilities.

Reconnaissance Techniques

The MITRE ATT&CK Framework lists the following techniques used by cybercriminals:

  • Active Scanning – Adversaries often execute scans to probe networks for vulnerabilities. If you are connected to the network, you are no doubt being scanned on a daily basis.
  • Gathering Victim Host Information – Adversaries will gather and compile information about the servers, workstations, and applications used in a given target. This information is often catalogued for future use as vulnerabilities are disclosed.
  • Gathering Victim Identity Information – Adversaries often gather specific information about their potential targets, such as names, email addresses, employee lists, organization charts, and the like.
  • Gathering Victim Network Information – Adversaries may gather information about the specific network topology, security appliances, DNS structure, IP addresses and domain properties.
  • Gathering Victim Org Information – Adversaries often dig deeper to learn the details of a given business including their clients, locations, business tempo, business relationships, and so on.
  • Phishing for Information – Adversaries usually resort to trickery when attempting to infiltrate a business. Soliciting sensitive credentials through deception is common. Spearphishing is a term used to describe specific targeting efforts based on the knowledge gained in the previous steps.
  • Searching Closed Source Information – Adversaries may subscribe to legitimate business information services to learn additional details about their potential victims.
  • Searching Open Technical Databases – Because of the distributed nature of the internet, many important technical details about victims is publicly available. 
  • Searching Open Websites/Domains – Adversaries often search various social media services to glean useful information.
  • Searching Victim-Owned Websites – The information you share about your company on your website is often used in targeting decisions.

Bad actors will scout your businesses – it’s unavoidable. What you expose to their efforts makes a huge difference in your risk management strategy. We at Thom Infotech are in war footing every hour of every day to identify and thwart cyber threats, including reconnaissance. We design networks to minimize risk, and we advise our customers of the strategies and training needed to fight the efforts of cyberthieves and hackers.