Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.
Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Phishing for Information), establishing operational resources (ex: Compromise Accounts), and/or initial access (ex: Phishing or Valid Accounts).
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| action.hacking.variety.Footprinting | Footprinting and fingerprinting | related-to | T1589.003 | Gather Victim Identity Information: Employee Names |
| value_chain.targeting.variety.Personal Information | Information on individuals such as title, interests, physical location, etc, used to pick an organization as a target | related-to | T1589.003 | Gather Victim Identity Information: Employee Names |
| aws_security_hub | AWS Security Hub | technique_scores | T1589.003 | Employee Names |