The MITRE Att&ck Matrix has specified ten techniques to classify as reconnaissance.
Active-Scanning means the threat actor used a tool such as Nmap to scan the network.
Gather Victim Host Information would mean that through Active-Scanning or other methods, the threat actor obtains information about a victim’s host machine.
Gather Victim Identity Information would mean the threat actor likely performed some form of OSINT investigation to obtain details on the identity of their target.
Gather Victim Network Information would mean that the threat actor, through, Active-Scanning, or data obtained from previously infiltrated hosts, gathers intel regarding the victim’s network.
Gather Victim Org Information would be like Gather Victim Identity Information would be the same thing as Gather Victim Identity Information. However, the entire organization is targeted instead of an individual.
Phishing -for-Information. The threat actor seeks information via phishing emails. These emails work similarly to what is phishing only, tailored to trick the victim into releasing information.
Search Closed Sources would mean the threat actor gained access to data that the threat actor had no authorization to have.
Search Open Technical Databases would be part of the OSINT process as the threat actor searches various online resources to uncover information regarding the victim. This information could be publicly available when it shouldn’t be.
Search Open Websites/Domains would mean that the threat actor is browsing available websites such as Twitter or Facebook for potential intel regarding their victim to use against them.
Search Open Victim Owned websites would be another part of the OSINT process where the threat actor digs into the available website’s code to see if anything of value is available. Files found on the web server are skimmed over for intel as well.