Overview of MITRE ATT&CK Tactic: TA0043 – Reconnaissance

Introduction

Reconnaissance (TA0043) is the initial stage of an attack lifecycle, where adversaries collect information about a target before attempting any direct attack. During this phase, attackers try to understand the environment, identify weaknesses, and shape their strategy. This often involves researching publicly available data, scanning for exposed services, learning about an organization’s people and technology, and assessing potential entry points. Effective reconnaissance reduces uncertainty for the attacker and helps them plan efficient and targeted attacks.

In this article, we will explore the key techniques and sub-techniques associated with Reconnaissance and how they contribute to an attacker’s early planning. We will also discuss how F5 products can improve visibility, reduce exposure, and limit opportunities for adversaries during this initial phase.


Techniques and Sub-Techniques


T1595 - Active Scanning

Active scanning involves directly interacting with a target’s external systems to identify accessible assets and potential weaknesses. During this activity, adversaries probe networks and applications to understand what is exposed and how it responds. The information gathered helps attackers narrow their focus and plan the next stages of an attack.

  • T1595.001 - Scanning IP Blocks
    In this approach, attackers scan ranges of IP addresses to identify active systems and exposed services. This allows them to map internet-facing infrastructure and identify hosts that may be suitable targets.

  • T1595.002 - Vulnerability Scanning
    This sub-technique focuses on checking systems and applications for known security weaknesses. Attackers often rely on automated tools to quickly identify vulnerabilities that could be exploited later.

  • T1595.003 - Wordlist Scanning
    Here, adversaries test common file names, directories, or endpoints using predefined lists. This method is commonly used to discover hidden application paths, administrative interfaces, or poorly secured resources.
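The sub-techniques above leave traces that defenders can pick up at the web tier. As an added illustration (not code from F5, MITRE, or the original article), the script below runs a simple wordlist-scanning detector over a few constructed access-log lines: a single source requesting many distinct paths with a high share of 404 responses is the signature of T1595.003. The log lines, IP addresses and thresholds are constructed assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample combined-format access log lines (not real traffic).
# 198.51.100.9 probes common paths from a wordlist; 203.0.113.5 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jan/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [15/Jan/2026:10:00:02 +0000] "GET /about HTTP/1.1" 200 2210
198.51.100.9 - - [15/Jan/2026:10:00:03 +0000] "GET /admin HTTP/1.1" 404 153
198.51.100.9 - - [15/Jan/2026:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 153
198.51.100.9 - - [15/Jan/2026:10:00:03 +0000] "GET /.env HTTP/1.1" 404 153
198.51.100.9 - - [15/Jan/2026:10:00:04 +0000] "GET /phpmyadmin HTTP/1.1" 404 153
198.51.100.9 - - [15/Jan/2026:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.9 - - [15/Jan/2026:10:00:04 +0000] "GET /config.bak HTTP/1.1" 404 153
198.51.100.9 - - [15/Jan/2026:10:00:05 +0000] "GET /login HTTP/1.1" 200 890
"""

# Fields we need from a combined-format line: client IP, request path, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

def parse_log(text):
    """Yield (ip, path, status) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))

def find_wordlist_scanners(text, min_requests=5, min_distinct_paths=5, min_404_ratio=0.6):
    """Return {ip: (requests, distinct_paths, 404_ratio)} for sources whose pattern
    matches wordlist scanning: many distinct paths and a high share of 404s.
    Thresholds are assumptions; tune them to the site's normal 404 rate."""
    per_ip = defaultdict(lambda: {"total": 0, "paths": set(), "not_found": 0})
    for ip, path, status in parse_log(text):
        stats = per_ip[ip]
        stats["total"] += 1
        stats["paths"].add(path)
        if status == 404:
            stats["not_found"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["not_found"] / s["total"]
        if s["total"] >= min_requests and len(s["paths"]) >= min_distinct_paths and ratio >= min_404_ratio:
            flagged[ip] = (s["total"], len(s["paths"]), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    for ip, (total, paths, ratio) in find_wordlist_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {total} requests, {paths} distinct paths, 404 ratio {ratio}")
```

The same per-source aggregation applied to firewall or load-balancer logs (distinct destination ports or hosts instead of paths) gives a comparable signal for T1595.001 IP block scanning.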


T1592 - Gather Victim Host Information

This technique involves collecting details about the systems used within a target environment. Adversaries seek to understand host-level characteristics in order to identify compatible exploits, select effective attack tools, and avoid actions that may cause failures or detection. Information gathered at this stage supports more precise planning in later phases of the attack.

  • T1592.001 - Hardware
    In this sub-technique, attackers collect information about physical or virtual hardware in use, such as device types, processor architecture, or virtualization platforms. This helps ensure that malicious payloads and tools are compatible with the target systems.

  • T1592.002 - Software
    Here, adversaries identify operating systems, installed applications, and software versions. Knowing what software is present allows attackers to focus on known weaknesses or tailor attacks to specific environments.

  • T1592.003 - Firmware
    This sub-technique focuses on gathering information about firmware used by devices such as network equipment or endpoints. Understanding firmware versions can reveal low-level weaknesses that may not be visible at the operating system level.

  • T1592.004 - Client Configurations
    Attackers collect details about system and application configurations, including security settings, enabled features, or authentication mechanisms. This information helps them identify misconfigurations that could be exploited or bypassed.


T1589 - Gather Victim Identity Information

This technique focuses on collecting information about individuals associated with the target organization. Adversaries use this data to support social engineering, phishing, impersonation, and account-based attacks. Understanding who the users are and how they are identified helps attackers make their activity appear more legitimate and targeted.

  • T1589.001 - Credentials
    In this sub-technique, attackers obtain usernames, passwords, or authentication data from publicly available sources, previous data breaches, or exposed systems. These credentials may be tested directly or used to craft more convincing follow-on attacks.

  • T1589.002 - Email Addresses
    Here, adversaries gather employee or organizational email addresses to support phishing campaigns or identity-based attacks. Knowing valid email formats and addresses increases the success rate of malicious communications.

  • T1589.003 - Employee Names
    This sub-technique involves collecting names of employees, executives, or administrators. Such information is often used to personalize phishing messages, perform impersonation, or identify high-value targets within the organization.


T1590 - Gather Victim Network Information

This technique involves collecting information about a target’s network. Adversaries use this information to understand how systems are connected, where trust relationships exist, and which components may be easier to access or bypass. Gaining visibility into the network layout helps attackers plan more effective intrusion paths and avoid defensive controls.

  • T1590.001 - Domain Properties
    In this sub-technique, attackers gather details about domains associated with the target, such as domain names, registration data, and ownership information. This information can reveal related assets and assist in identifying additional attack surfaces.

  • T1590.002 - DNS
    Here, adversaries collect Domain Name System information to discover subdomains, name servers, and record configurations. DNS data often provides valuable insight into internal structure and publicly exposed services.

  • T1590.003 - Network Trust Dependencies
    This sub-technique focuses on identifying trust relationships between networks, systems, or organizations. Understanding these dependencies can help attackers exploit indirect paths or move through trusted connections.

  • T1590.004 - Network Topology
    Attackers attempt to understand how the network is organized, including segmentation, routing paths, and connectivity between systems. This knowledge supports planning for lateral movement and control avoidance.

  • T1590.005 - IP Addresses
    In this approach, adversaries collect IP address ranges and associated hosts to map externally accessible systems. This information is often combined with scanning activity to identify reachable targets.

  • T1590.006 - Network Security Appliances
    Here, attackers identify security devices such as firewalls, gateways, or load balancers deployed in the environment. Knowing which controls are in place helps adversaries adapt their techniques to evade detection or bypass protections.


T1591 - Gather Victim Org Information

This technique focuses on collecting information about the target organization as a whole. Adversaries seek to understand how the organization operates, where it is located, and how its people and processes are structured. Such insight helps attackers tailor social engineering, choose optimal timing, and identify indirect paths into the environment.

  • T1591.001 - Determine Physical Locations
    In this sub-technique, attackers identify office locations, data centers, or operational regions associated with the organization. Physical location data can support targeted phishing, on-site attacks, or region-specific exploitation.

  • T1591.002 - Business Relationships
    Here, adversaries research partnerships, suppliers, and third-party relationships. Understanding these connections can enable supply chain attacks or trusted-party impersonation.

  • T1591.003 - Identify Business Tempo
    This sub-technique involves learning the organization’s operational rhythms, such as business hours, seasonal activity, or peak operational periods. Attackers may use this information to time their actions when detection is less likely.

  • T1591.004 - Identify Roles
    Attackers collect information about job functions, responsibilities, and authority levels within the organization. This helps identify high-value targets and craft more convincing impersonation or access attempts.


T1598 - Phishing for Information

This technique involves using deceptive communications to extract information from individuals associated with the target organization. Rather than delivering malware, the primary goal is to collect details such as credentials, system information, or internal processes. Information gathered through phishing can directly support later stages of an attack.

  • T1598.001 - Spearphishing Service
    In this sub-technique, adversaries use legitimate third-party services to send targeted messages. Leveraging trusted platforms can increase credibility and reduce suspicion, making recipients more likely to respond.

  • T1598.002 - Spearphishing Attachment
    Here, attackers send crafted attachments designed to prompt users to open documents or provide information. These attachments may request input, display misleading content, or encourage disclosure without immediately delivering malicious code.

  • T1598.003 - Spearphishing Link
    This sub-technique involves sending targeted links that direct victims to attacker-controlled or spoofed websites. The sites are designed to collect information such as login details or internal data.

  • T1598.004 - Spearphishing Voice
    In this approach, adversaries use voice communications to impersonate trusted individuals or services. These calls are often used to extract sensitive information by exploiting urgency or authority.


T1597 - Search Closed Sources

This technique involves gathering information from sources that are not publicly accessible and typically require payment, membership, or special access. Adversaries use these sources to obtain deeper or more reliable intelligence about a target, which can improve the accuracy of their planning and reduce the need for noisy discovery activity.

  • T1597.001 - Threat Intel Vendors
    In this sub-technique, adversaries access information from commercial or private threat intelligence providers. Such sources may offer insights into an organization’s security, known vulnerabilities, or past incidents that attackers can use to refine their approach.

  • T1597.002 - Purchase Technical Data
    Here, attackers acquire technical details such as network diagrams, access information, or system data through underground markets or private brokers. Purchasing this information allows adversaries to bypass early discovery steps and move more efficiently toward exploitation.


T1596 - Search Open Technical Databases

This technique involves collecting technical information from publicly accessible databases and services. Adversaries use these sources to identify infrastructure details, hosting relationships, and exposed assets without directly interacting with the target environment.

  • T1596.001 - DNS or Passive DNS
    Attackers review historical and current DNS data to identify domains, subdomains, and infrastructure changes. Passive DNS can reveal assets that may no longer be actively advertised but are still reachable.

  • T1596.002 - WHOIS
    In this sub-technique, adversaries gather domain registration details such as ownership, contact information, and registration history. This information can expose related domains or infrastructure patterns.

  • T1596.003 - Digital Certificates
    Attackers analyse publicly issued digital certificates to identify associated domains and services. Certificate transparency logs often reveal internal or previously unknown assets.

  • T1596.004 - CDNs
    Here, adversaries study content delivery networks to understand how applications are hosted and protected. CDN data can expose origin servers or traffic routing patterns.

  • T1596.005 - Scan Databases
    This sub-technique involves searching public databases that index exposed systems or services. These databases allow attackers to identify misconfigured or internet-facing assets efficiently.


T1593 - Search Open Websites or Domains

This technique focuses on gathering information from publicly available websites and online platforms related to the target organization. Such sources often reveal operational, technical, or personnel details that can support further attack planning.

  • T1593.001 - Social Media
    Adversaries collect information from social media platforms to identify employees, roles, relationships, and organizational activity. This data is often used to support phishing or impersonation attempts.

  • T1593.002 - Search Engines
    Here, attackers use search engines to locate exposed services, documents, or references related to the target. Advanced search techniques can uncover sensitive information unintentionally made public.

  • T1593.003 - Code Repositories
    This sub-technique involves reviewing public code repositories to identify credentials, configuration files, or technology usage. Poorly secured repositories can reveal valuable technical details.


T1681 - Search Threat Vendor Data

In this technique, adversaries review reports, advisories, and datasets published by security vendors. This information can reveal defensive capabilities, known detections, or previously disclosed weaknesses related to the target.


T1594 - Search Victim-Owned Websites

This technique involves examining websites owned and operated by the target organization. Attackers analyse these sites for exposed endpoints, configuration details, error messages, or outdated components that may indicate weaknesses or additional attack surfaces.


How F5 Can Help

F5 helps reduce risk during the Reconnaissance phase by limiting exposure and improving visibility into application and network traffic. By detecting abnormal scanning and information-gathering activity, F5 makes it harder for adversaries to map environments or identify exploitable assets early in the attack lifecycle.

For further information, please contact your local F5 sales team.


Conclusion

Reconnaissance sets the foundation for an attack: this phase determines how effectively an adversary can operate in later stages. Understanding these techniques helps organizations identify early warning signs and reduce unnecessary exposure. Aligning defenses with the MITRE ATT&CK framework, supported by F5’s capabilities, strengthens overall security posture and limits attacker opportunities before impact occurs.

Published Jan 15, 2026
Version 1.0