Gather Victim Identity Information


The MITRE ATT&CK technique Gather Victim Identity Information (T1589) belongs to the Reconnaissance tactic. It describes the methods adversaries use to collect information about a target organization's personnel, accounts, or individuals before launching an attack.

This information collection is crucial for setting up highly effective social engineering schemes or gaining initial access through credential abuse.

T1589: Gather Victim Identity Information

The primary goal of this technique is to obtain data that makes subsequent attacks more believable, personalized, and effective. This data is gathered from sources external to the victim organization, such as social media, job boards, corporate websites, and public disclosures.

Key types of victim identity information sought by adversaries include:

  1. Names and Roles: Collecting the full names, job titles, and departmental affiliations of key personnel, particularly those in high-privilege roles (e.g., C-suite, IT Administrators, Finance/HR staff). This allows for targeted spear-phishing and executive impersonation (Business Email Compromise or BEC).

  2. Contact Information: Harvesting email addresses, phone numbers, and physical addresses that are used for business communication. This is the foundation for direct attacks like vishing (voice phishing) and smishing (SMS phishing).

  3. Account Credentials and Data: Acquiring exposed usernames, compromised passwords, and login tokens. This data is often scraped from dark web marketplaces, public code repositories, or past data dumps, and is the prerequisite for credential stuffing and Pass-the-Hash attacks.

  4. Relationships and Social Graph: Mapping relationships between individuals, vendors, or project teams. This allows an adversary to craft a plausible narrative—for instance, impersonating a known project manager to trick a subordinate into executing malicious code.

By successfully executing T1589, the adversary moves the attack from a generic, low-fidelity attempt to a highly customized, high-fidelity intrusion that bypasses automated filters and exploits human trust.

ThreatNG is designed to proactively counter the MITRE ATT&CK T1589: Gather Victim Identity Information technique by transforming the external perimeter into a continuous reconnaissance shield against an attacker's planning and preparation phase. It focuses on finding and eliminating the public data and credentials that adversaries require to craft targeted social engineering (spear-phishing, vishing) and credential stuffing attacks.

ThreatNG's Strategy for Preempting Identity Gathering

ThreatNG systematically finds and neutralizes the external data sources that adversaries use for reconnaissance:

1. External Discovery and Mapping Target Profiles:

The External Discovery process performs purely external, unauthenticated reconnaissance, mirroring the adversary's initial data collection phase.

  • Actionable Insight: ThreatNG maps the entire digital footprint to reveal exposed targets. This includes forgotten subdomains, APIs, and unsanctioned Cloud and SaaS Exposure, all of which contain metadata and contacts that an attacker can harvest to build a victim profile.

2. Detailed External Assessment of Staged Data:

ThreatNG’s assessment modules directly hunt for the high-value data that an attacker who has completed initial reconnaissance would already hold and be ready to use:

  • Data Leak Susceptibility: This capability is a direct countermeasure to the identity gathering phase. It detects if Compromised Credentials (usernames and passwords) are exposed on the Dark Web. This immediately tells the organization what data an attacker has acquired and allows for preemptive password rotation.

  • BEC & Phishing Susceptibility: This assessment quantifies the risk of targeted social engineering. It evaluates external factors (like domain impersonation setup) that increase the success rate of a BEC or vishing attack.
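The Data Leak Susceptibility bullet above describes checking whether an organization's credentials have already been exposed. The exchange below, written here as an added example and not ThreatNG's or any vendor's code, shows how such a check is done without ever sending the password (or its full hash) to the checking service: the client sends only the first five hex characters of the SHA-1 hash, the server returns every suffix it holds under that prefix, and the client matches locally (the k-anonymity range scheme used by public breach-check services). The breach corpus, the "times seen" counts and the user accounts are all constructed for the example.

```python
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 of a few well-known weak passwords with
# made-up "times seen" counts. A real service holds hundreds of millions of entries.
_CONSTRUCTED_DUMP = {"password": 9_000_000, "123456": 37_000_000, "qwerty": 3_900_000,
                     "letmein": 1_200_000, "hunter2": 24_000}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the hash form breach-check services index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


BREACH_CORPUS = {sha1_hex(p): n for p, n in _CONSTRUCTED_DUMP.items()}


def range_lookup(prefix):
    """Server side: return every corpus hash that starts with the 5-hex-char prefix,
    as 'SUFFIX:COUNT' lines. The server never learns which suffix the client wanted."""
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    rows = [f"{h[5:]}:{n}" for h, n in sorted(BREACH_CORPUS.items()) if h.startswith(prefix)]
    return "\n".join(rows)


def password_seen_count(password, lookup=range_lookup):
    """Client side: send only the first 5 hex chars of the hash, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for row in lookup(prefix).splitlines():
        if row:
            cand, count = row.split(":", 1)
            if cand == suffix:
                return int(count)
    return 0


def users_to_rotate(passwords_by_user, lookup=range_lookup):
    """Return the users whose current password appears in the corpus, for forced rotation."""
    return [u for u, pw in passwords_by_user.items() if password_seen_count(pw, lookup) > 0]


if __name__ == "__main__":
    # Constructed accounts; the "strong" password is just a random-looking string.
    staged = {"alice": "password", "bob": "N7q!vX2#pLm9wR", "carol": "hunter2"}
    print("rotate:", users_to_rotate(staged))
```

In practice this check runs where the plaintext is legitimately available for a moment, such as a password-change or login hook, so the organization never has to store plaintext to compare against a dump; the `lookup` parameter is what you would replace with an HTTP call to the real range endpoint.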

3. Investigation Modules and Granular Identity Hunting:

The Investigation Modules perform the granular forensics necessary to find the identity data that adversaries collect:

  • Social Media Investigation (Username Exposure Module): This module is a direct defense against the collection of Names and Roles. It actively searches the external perimeter to identify exposed usernames and high-value, role-based emails (e.g., admin@, security@, support@) that an adversary uses to craft a convincing impersonation.

  • Domain Intelligence: This module counters impersonation setup. It discovers typosquatted domains and look-alike domains (homoglyphs) that an adversary registers for a future phishing campaign. Finding this fraudulent infrastructure provides an early warning window before the campaign begins.

  • Sensitive Code Exposure: This module secures Account Credentials and Data. It hunts for exposed hardcoded credentials, API keys, and configuration files in public code repositories, eliminating the exact secrets that attackers collect for lateral movement.

  • Archived Web Pages: This module acts as a historical resource, uncovering old staff lists, usernames, or contact information that may have been present on the website in the past but is still preserved in web archives, aiding the adversary's profile building.
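The Domain Intelligence bullet above describes detecting typosquatted and homoglyph look-alikes of an organization's domain. The following is an added example of that detection logic, not ThreatNG's code: it generates single-edit look-alikes of the defender's own domain (omission, repeated character, transposition, a small homoglyph table), normalizes punycode/accented labels to an ASCII skeleton, and classifies a feed of "newly observed" domains. `OUR_DOMAIN`, the `OBSERVED` feed and the `HOMOGLYPHS` table are all constructed for the example; production monitoring uses a much larger confusable table and a real certificate-transparency or zone-file feed.

```python
import unicodedata

# Assumed defender-owned domain (placeholder, not from the page).
OUR_DOMAIN = "example.com"

# Constructed feed of "newly observed" domains, standing in for a CT-log or zone-file feed.
# None of these are real registrations.
OBSERVED = [
    "example.com",        # our own domain: must not be flagged
    "examp1e.com",        # l -> 1 homoglyph
    "exarnple.com",       # m -> rn
    "exmaple.com",        # adjacent transposition
    "example.co",         # same name, different TLD
    "example-login.com",  # brand name embedded in a longer label
    "unrelated.com",      # benign
]

# Small substitution table; real monitoring uses far larger confusable tables.
HOMOGLYPHS = {
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
    "o": ["0"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}


def split_domain(domain):
    """Split 'name.tld' into (name, tld); assumes a two-label registrable domain."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def typo_variants(name):
    """Single-edit look-alikes of a label: omission, repetition, transposition, homoglyph."""
    out = set()
    for i, ch in enumerate(name):
        out.add(name[:i] + name[i + 1:])                 # omission
        out.add(name[:i] + ch + name[i:])                # repeated character
        if i < len(name) - 1:                            # swap with next character
            out.add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for sub in HOMOGLYPHS.get(ch, []):               # visually similar substitute
            out.add(name[:i] + sub + name[i + 1:])
    out.discard(name)
    return out


def ascii_skeleton(domain):
    """Decode punycode labels and strip diacritics so 'exámple.com' -> 'example.com'."""
    if "xn--" in domain:
        domain = domain.encode("ascii").decode("idna")
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def classify(observed, our_domain=OUR_DOMAIN):
    """Return {observed_domain: reason} for every entry that resembles our_domain."""
    our_name, our_tld = split_domain(our_domain)
    variants = typo_variants(our_name)
    hits = {}
    for raw in observed:
        domain = raw.lower()
        skeleton = ascii_skeleton(domain)
        if skeleton == our_domain:
            if domain != our_domain:
                hits[raw] = "homoglyph (IDN confusable)"
            continue                                     # exact match is our own domain
        name, tld = split_domain(skeleton)
        if name == our_name and tld != our_tld:
            hits[raw] = "same name, different TLD"
        elif name in variants:
            hits[raw] = "typo/homoglyph variant"
        elif our_name in name:
            hits[raw] = "embeds brand name"
    return hits


if __name__ == "__main__":
    for dom, why in classify(OBSERVED).items():
        print(f"{dom:20} {why}")
```

The skeleton step matters because an IDN registration arrives in a feed as `xn--...` and would otherwise never compare equal to the ASCII brand; the "embeds brand name" rule is the noisiest of the four and is the one to tune against legitimate partner or regional domains.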
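The Sensitive Code Exposure bullet above describes hunting for hardcoded credentials and API keys in public repositories. As an added example (not ThreatNG's scanner), the block below runs a small secret scanner over a constructed set of files: structured formats (AWS access key IDs, PEM private-key headers) are matched by pattern, and generic `name = value` assignments are matched by keyword and then scored by Shannon entropy so that dictionary-word passwords are reported for review while random-looking keys are reported as high severity. The file contents are made up; the AWS values are the placeholder keys from AWS's own documentation, not live credentials.

```python
import math
import re
from collections import Counter

# Constructed sample "repository" contents. The AWS values are the placeholder keys from
# AWS's own documentation, not live credentials; everything else is made up.
SAMPLE_FILES = {
    "config/settings.py": 'DB_PASSWORD = "hunter2"\nDEBUG = True\n',
    "deploy/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "src/client.js": 'const token = "ghp_" + process.env.TOKEN; // built at runtime\n',
    "docs/README.md": "Set API_KEY in your environment before running.\n",
    "keys/old.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
}

# (kind, compiled pattern, regex group that holds the secret value)
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("private_key_block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 0),
    ("assigned_secret",
     re.compile(r"(?i)[a-z0-9_]*(?:password|passwd|secret|api[_-]?key|key|token)[a-z0-9_]*"
                r"\s*[:=]\s*['\"]?([^'\"\s]{6,})"), 1),
]


def shannon_entropy(s):
    """Bits of entropy per character: ~3.5+ is typical of generated keys, lower for words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_files(files):
    """Return findings as {path, line, kind, entropy, severity} dicts, one per matched secret."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for kind, pattern, group in PATTERNS:
                for m in pattern.finditer(line):
                    value = m.group(group)
                    ent = shannon_entropy(value)
                    # Structured key formats are high-confidence on their own; generic
                    # assignments are scored by entropy so dictionary words rank lower.
                    if kind != "assigned_secret" or ent >= 3.0:
                        severity = "high"
                    else:
                        severity = "review"
                    findings.append({"path": path, "line": line_no, "kind": kind,
                                     "entropy": round(ent, 2), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['severity']:7} {f['path']}:{f['line']} {f['kind']} (entropy {f['entropy']})")
```

Note what the scanner deliberately does not flag: a token assembled at runtime from an environment variable, and a README that merely names a variable. Those are the false positives that make plain keyword grep unusable at repository scale, and they are why the value group requires a literal of at least six non-quote characters.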

4. Cooperation with Complementary Solutions:

ThreatNG’s external intelligence provides the foundational data that enhances internal defenses against identity abuse:

  • Security Awareness Training (SAT) Platforms: ThreatNG’s data on exposed usernames and fraudulent domains (via Domain Intelligence) can be used to fuel the SAT platform. This allows the organization to tailor phishing simulations and training materials to the exact external threat vectors identified by ThreatNG, making training far more realistic and effective.

  • Identity Threat Detection & Response (ITDR) Solutions: If ThreatNG detects an employee's compromised credential on the Dark Web (Data Leak Susceptibility), that intelligence can be sent to the ITDR solution. The ITDR can then be used to set up hyper-specific behavioral monitoring for the exposed account or trigger an immediate password rotation and quarantine, neutralizing the acquired identity data.

  • Security Orchestration, Automation, and Response (SOAR) Solutions: If ThreatNG detects a high-fidelity precursor—like the registration of a typosquatted domain—that intelligence can be fed to a SOAR platform. The SOAR system can then automate a preemptive response, instantly updating perimeter defenses to block traffic from the malicious domain before the adversary can use it for their attack.
