1. Home
  2. ATT&CK Techniques
  3. T1597
  4. T1597.001
Reconnaissance

T1597.001: Threat Intel Vendors

Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data...

T1597.001 · Sub-technique ·1 platforms

Description

Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)

Adversaries may search in private threat intelligence vendor data to gather actionable information. If a threat actor is searching for information on their own activities, that falls under Search Threat Vendor Data. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Exploit Public-Facing Application or External Remote Services).

Platforms

PRE

Mitigations (1)

Pre-compromiseM1056

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.

References

Frequently Asked Questions

What is T1597.001 (Threat Intel Vendors)?

T1597.001 is a MITRE ATT&CK technique named 'Threat Intel Vendors'. It belongs to the Reconnaissance tactic(s). Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data...

How can T1597.001 be detected?

Detection of T1597.001 (Threat Intel Vendors) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1597.001?

There are 1 documented mitigations for T1597.001. Key mitigations include: Pre-compromise.

Which threat groups use T1597.001?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.