Tactics define the purpose or intent behind a particular ATT&CK technique or sub-technique. They explain why an adversary performs a certain action. Each tactic reflects the attacker’s strategic objective. For example, an adversary may aim to achieve credential access as part of their mission.
List of Enterprise Tactics (14 Total)
| ID | Name | Description |
|---|---|---|
| TA0043 | Reconnaissance | The adversary is gathering information to plan future attacks. |
| TA0042 | Resource Development | The adversary is building or acquiring resources to support operations. |
| TA0001 | Initial Access | The adversary is attempting to penetrate your network. |
| TA0002 | Execution | The adversary is trying to run malicious code on your systems. |
| TA0003 | Persistence | The adversary is establishing a long-term foothold within the environment. |
| TA0004 | Privilege Escalation | The adversary is seeking elevated permissions. |
| TA0005 | Defense Evasion | The adversary is trying to avoid detection by defenses. |
| TA0006 | Credential Access | The adversary is attempting to steal account credentials. |
| TA0007 | Discovery | The adversary is exploring your environment to gather more information. |
| TA0008 | Lateral Movement | The adversary is moving through the network to access more systems. |
| TA0009 | Collection | The adversary is gathering data relevant to their objective. |
| TA0011 | Command and Control | The adversary is maintaining communication with compromised systems for remote control. |
| TA0010 | Exfiltration | The adversary is stealing data from your network. |
| TA0040 | Impact | The adversary attempts to manipulate, disrupt, or destroy systems and data. |

Each of these tactics represents a key phase of an adversary’s campaign, from initial access to impact. Understanding them helps organizations to foresee, detect, and respond to attacks effectively.
Reconnaissance: The First Step in an Adversary’s Playbook
Reconnaissance is the tactic seen most often in the initial phases of a cyber attack. In this phase, attackers collect information about a target, such as its IP addresses, domain names, software versions, and details about its employees. This intelligence shapes every later step of the intrusion.
Common Reconnaissance Techniques in the MITRE ATT&CK Framework
The MITRE ATT&CK framework outlines various techniques attackers use to gain intelligence. Below are key reconnaissance methods with examples and defense strategies:
1. Active Scanning (T1595)
Active scanning involves interacting directly with a target to find open ports, running services, or vulnerabilities. While this approach yields precise information, it is noisy and may trigger detection.
- Examples:
  - Port scanning with Nmap
  - Vulnerability scanning with Nessus or OpenVAS
- Defensive Strategy:
  With an IDS enabled and rate limiting in place, scan activity should be flagged as suspicious.
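The IDS signal mentioned above can be approximated in a few lines. This added example (not code from the original post) reads a constructed firewall log in a simplified, assumed format and flags any source that touches more than a threshold of distinct destination ports within a sliding time window, which is the same pattern a port-scan rule keys on.

```python
"""Port-scan detection over firewall logs (added example, not from the original post).

Assumes a constructed, simplified log format, one event per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <action>
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes many ports within seconds (scan-like),
# while 10.0.0.9 makes ordinary repeated connections to a single port.
SAMPLE_LOG = """\
1700000000 10.0.0.5 192.168.1.10 22 DENY
1700000001 10.0.0.5 192.168.1.10 23 DENY
1700000001 10.0.0.5 192.168.1.10 80 ALLOW
1700000002 10.0.0.5 192.168.1.10 443 ALLOW
1700000002 10.0.0.5 192.168.1.10 445 DENY
1700000003 10.0.0.5 192.168.1.10 3389 DENY
1700000003 10.0.0.5 192.168.1.10 8080 DENY
1700000000 10.0.0.9 192.168.1.10 443 ALLOW
1700000030 10.0.0.9 192.168.1.10 443 ALLOW
1700000060 10.0.0.9 192.168.1.10 443 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return int(ts), src, dst, int(port), action


def find_scanners(log_text, window=60, port_threshold=5):
    """Return {src_ip: max_distinct_ports} for sources that contacted more than
    `port_threshold` distinct destination ports inside any `window`-second span."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, _dst, port, _action = parse_line(line)
            events[src].append((ts, port))

    flagged = {}
    for src, items in events.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the left edge until the window spans at most `window` seconds.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct_ports = {port for _, port in items[start:end + 1]}
            if len(distinct_ports) > port_threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct_ports))
    return flagged
```

Tune `window` and `port_threshold` to your own baseline; a slow scan spread over hours will need a longer window than the default here.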
2. Search Open Technical Databases (T1596)
Attackers use publicly available data about their intended target, such as security bulletins, GitHub repositories, and CVE databases, to look for exploitable software vulnerabilities.
- Example:
  Searching public forums and Pastebin for leaked credentials and insider information.
- Defensive Strategy:
  Regularly monitor dark web and paste sites for exposed data, and maintain a mature vulnerability management program.
3. Gather Victim Identity Information (T1589)
Adversaries collect user information or employee credentials, which they can then use to launch phishing campaigns or social engineering attacks.
- Examples:
  - Harvesting email addresses from open sources such as LinkedIn.
  - Mapping employee roles and relationships using OSINT (Open Source Intelligence).
- Defensive Strategy:
  Deploy filtering in the e-mail system and enforce multi-factor authentication to blunt identity-based attacks.
4. Search Open Websites/Domains (T1590)
Public-facing websites, DNS records, and TLS certificates give attackers valuable information for mapping the structure of an organization. Subdomain enumeration is one of the most common methods in this category.
- Example:
  Using tools such as Shodan or Censys to identify exposed devices and IP addresses.
- Defensive Strategy:
  Practice website hardening and control what data is publicly visible to minimize exposure.
5. Gather Network Information (T1597)
Attackers attempt to map the network architecture, internal IP ranges, and protocols in use so they can plan their next move inside the network (such as lateral movement).
- Examples:
  - Zone transfers through DNS.
  - Inspecting VPN endpoints or access portals.
- Defensive Strategy:
  Implement network segmentation and monitor for unusual traffic patterns, so that reconnaissance is identified early.
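A concrete check for the zone-transfer example above: this added code (not from the original post) parses constructed DNS query-log lines in an assumed format and reports AXFR/IXFR requests from any client that is not on the allow-list of authorised secondary nameservers. The addresses and the allow-list are made up for the example.

```python
"""Flag DNS zone-transfer requests from unexpected clients (added example, not from the post).

Assumes a constructed query-log format, one query per line:
    <timestamp> client <ip>#<port>: query: <name> IN <qtype>
"""
import re

# Constructed: 192.168.1.53 is the legitimate secondary nameserver; nothing else should
# be allowed to pull the zone.
AUTHORISED_SECONDARIES = {"192.168.1.53"}

# Constructed sample log: one legitimate transfer, two from an outside host, one normal lookup.
SAMPLE_QUERY_LOG = """\
2024-01-01T10:00:00 client 192.168.1.53#43122: query: example.com IN AXFR
2024-01-01T10:00:05 client 203.0.113.7#51000: query: example.com IN AXFR
2024-01-01T10:00:06 client 203.0.113.7#51001: query: example.com IN IXFR
2024-01-01T10:00:07 client 10.0.0.9#55555: query: www.example.com IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)$"
)

TRANSFER_TYPES = {"AXFR", "IXFR"}


def parse_query_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def unauthorised_zone_transfers(text, allowed=AUTHORISED_SECONDARIES):
    """Return (client_ip, zone, qtype) for every transfer request not from an allowed host."""
    hits = []
    for query in parse_query_log(text):
        if query["qtype"] in TRANSFER_TYPES and query["ip"] not in allowed:
            hits.append((query["ip"], query["name"], query["qtype"]))
    return hits
```

Detection is the backstop; the primary control is restricting transfers on the server itself (for example BIND's `allow-transfer` option) so that unauthorised AXFR requests are refused rather than merely logged.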
6. Phishing for Information (T1598)
Attackers use phishing emails to trick users into revealing sensitive information, such as network configurations or passwords.
- Example:
  Crafting fake login portals that ask a user to reset their password.
- Defensive Strategy:
  Conduct regular security awareness training and deploy anti-phishing tools to prevent such attacks.
Why Reconnaissance Matters
Reconnaissance is like the surveillance performed before a crime is committed. The attacker uses it to spot weaknesses or open entry points and to plan how to penetrate the network. If it goes unrecognized, the attacker enters the later phases with an advantage and continues to exploit the vulnerabilities found.
Reconnaissance activities should be identified and stopped by cybersecurity teams as early as possible to prevent attackers from advancing further.