Cyber Pulse Academy

T1591.004 — Reconnaissance

Gather Victim Org Info: Identify Roles

Adversaries map organizational hierarchies to identify high-value targets for precision social engineering and whaling attacks.
[Graphic: “Target org role mapping” (illustrative names). CEO Robert Hargrove, CFO Elena Voss and CTO James Nakamura are shown with Gold access, HIGH target priority and flagged as whaling targets; VP Engineering Diana Reyes and Director of IT Michael Osei with Silver access, MEDIUM priority; System Administrator Alex Petrov with Bronze access, MEDIUM priority. Stages shown: reconstructing hierarchy, mapping access levels, flagging C-suite targets, whaling candidates locked. Sources shown: LinkedIn scrape, corporate website, press releases, SEC filings, role mapping, whaling list.]

The Strategic Value of Role Identification

Identifying who holds which roles within a target organization is one of the most consequential reconnaissance activities an adversary can perform. Armed with a clear understanding of the organizational hierarchy — from C-suite executives to mid-level managers and IT administrators — attackers can craft precision-targeted social engineering campaigns that exploit the specific responsibilities, authorities, and communication patterns associated with each role. This granular intelligence transforms generic phishing attacks into highly convincing, role-appropriate impersonations that bypass both technical controls and human skepticism. An attacker who knows the CFO manages wire transfers and the CEO’s communication style can engineer a business email compromise that looks, sounds, and feels authentic at every level of the organization.

Headline figures (no primary source is cited for them on this page):

  • 80% of BEC scams impersonate high-level executive roles
  • 27% of all phishing attacks are whaling campaigns
  • 70%+ of breaches involve social engineering tactics
  • $4.67M average cost per BEC attack incident
  • AI is powering unprecedented role-targeted attacks

⚠ The Escalating Threat Landscape

AI-powered social engineering is enabling adversaries to achieve unprecedented levels of personalization in role-targeted attacks. Machine learning models can now analyze thousands of emails, social media posts, and recorded presentations to replicate an executive’s communication style, tone, and decision-making patterns with chilling accuracy. Executive leadership faces increasingly sophisticated spear-phishing and whaling campaigns backed by extensive open-source reconnaissance that maps not only organizational roles but also personal schedules, travel plans, professional relationships, and even family details. This deep contextual knowledge allows attackers to time their attacks for maximum impact — striking when an executive is traveling, during quarterly financial closings, or when a key staff member is on vacation and verification protocols are relaxed.

Understanding Identify Roles (T1591.004)

📚 Simple Definition

Identify Roles (T1591.004) is a sub-technique of the MITRE ATT&CK Reconnaissance tactic where adversaries systematically gather information about the identities, job titles, department affiliations, and hierarchical positions of individuals within a target organization. This includes mapping the organizational structure from the CEO down through vice presidents, directors, managers, and individual contributors, with particular attention to identifying those who hold privileged access, financial authority, or administrative control over critical systems. Role identification goes beyond simply collecting names — it seeks to understand what each person does, what systems they access, who reports to whom, and how organizational communication flows. This intelligence enables attackers to craft role-appropriate social engineering lures, such as impersonating a CEO to pressure a CFO into authorizing an emergency wire transfer, or posing as IT support to trick a system administrator into resetting a password or installing remote access software.

♔ Everyday Analogy

Imagine a chess game where you already know exactly which piece is which and how each one moves before making your first move. The queen (the CEO) has the most power but is heavily guarded by layers of protection — executive assistants, legal counsel, and multi-factor verification protocols. The bishops (IT administrators) control diagonal pathways into the most critical systems, granting them unusual access that makes them high-value targets despite their relatively low public visibility. The knights (HR managers) can bypass standard communication channels and hold sensitive personal data on every employee as well as control of the onboarding process through which new accounts and access are provisioned. The pawns (regular employees) are numerous and individually limited, but collectively they represent the organization’s largest attack surface. An attacker who maps every piece’s role can craft a strategy that uses the least-defended piece to reach the most valuable target — like sacrificing a pawn in an email thread to eventually position a compromised account to capture the queen through a carefully timed, role-appropriate impersonation during a corporate acquisition or financial quarter-end.

Topics covered:

  • Open Source Intel (OSINT gathering)
  • Access Mapping (privilege levels)
  • Whaling (C-suite targeting)
  • BEC Prep (email compromise)
  • Social Graph (relationship mapping)
  • Spear Phishing (targeted lures)

The $18.7 Million Deepfake Whaling Attack

👤 Profile: Jennifer Walsh, CHRO at Meridian Capital Partners (illustrative scenario)

Jennifer Walsh serves as Chief Human Resources Officer at Meridian Capital Partners, a mid-tier investment bank with approximately 2,500 employees across offices in New York, London, and Hong Kong. Her role places her at the intersection of employee data management, executive staffing, and organizational policy — making her both a gatekeeper of sensitive personnel information and a potential relay point for adversary communications designed to reach other executives through trusted internal channels.

⚠ Before: Complete Role Exposure Across Public Channels

Meridian Capital’s corporate website listed all C-suite executives with professional photographs and detailed biographies, including their reporting structures and departmental oversight responsibilities. The company’s LinkedIn presence displayed the complete organizational hierarchy with over 1,800 employee profiles showing reporting lines, tenure, and prior work history. Press releases from major deal announcements named key team members, their specific roles in transactions, and their direct contact information. Industry conference speaker lists publicly identified the firm’s IT leadership by name, role, and areas of technical responsibility. A business email compromise group operating from Southeast Asia spent six weeks building a comprehensive role map of the entire organization, ultimately identifying that the CFO managed all wire transfers exceeding $1 million and that his executive assistant had been in the role for only three weeks. Using a voice model trained on publicly available recordings of the CEO’s keynote speeches and earnings call appearances, the attackers telephoned the new executive assistant with a cloned version of the CEO’s voice, tone, and characteristic phrasing. The fabricated CEO instructed the assistant to process an “urgent acquisition payment” of $18.7 million to a previously unknown vendor account, citing confidentiality requirements and board-level authorization. Recognizing what sounded like the CEO, and knowing that transfers of this size ran through her own principal’s office, the assistant initiated the wire without completing the callback verification the procedure required. The funds were dispersed across multiple accounts within 90 seconds of receipt and remain unrecovered.

✅ After: Comprehensive Role Protection Program

Jennifer Walsh led the implementation of a sweeping executive protection and role minimization program. Detailed executive biographies were removed from the public website and replaced with minimal role descriptions that convey organizational function without reporting relationships or access privileges. For a firm that files with the SEC, the names of executive officers and directors remain public in 10-Ks and proxy statements whatever the website says, so minimization reduces the context available for an impersonation rather than hiding identity; the verification controls that follow therefore carry most of the weight. Anti-whaling and social engineering awareness training was deployed to all executive assistants, legal staff, and financial officers, with quarterly simulated phishing exercises featuring AI-generated voice and video content. Mandatory out-of-band verification was established for all financial transactions exceeding $50,000, requiring a callback to a pre-registered number (never the number supplied in the request) and dual authorization from both the requesting and receiving executive, with no exception for urgency or confidentiality. Voice-deepfake detection was added on executive communication channels as a supplementary signal; such detection is probabilistic and does not replace the callback. A “role information minimization” policy was created governing all public communications, including press releases, conference appearances, and social media activity, so that no single publicly available source reveals both a person’s identity and their organizational role with enough detail to enable targeted impersonation.

Subject: URGENT — Acquisition Payment Authorization Required
Lisa,

I need you to process an immediate wire transfer of $18.7M to: Acme Holdings Ltd — Account #4829-XXXX-7731

This is for the NexusTech acquisition closing. Board has approved. Keep this strictly confidential — do not discuss with anyone. I'll confirm with James once it's done.

Thanks,
Robert
⚠ Illustrative lure text of the kind prepared in step 07 below; the names are the fictional ones from the role-map graphic above. The text was AI-generated in the executive’s style and, in the scenario, paired with a phone call whose voice was deepfaked from public keynote recordings.

7 Steps: How Adversaries Identify Roles

01

Initial Target Selection

Adversaries begin by identifying a target organization through industry research, supply chain analysis, or competitive intelligence. They assess the organization's size, sector, and potential financial value to determine whether the reconnaissance investment is justified by the potential return from a successful social engineering campaign.

02

Corporate Website Enumeration

The organization's website is scraped for leadership pages, team directories, board member listings, and investor relations sections. Press releases are mined for named executives, their titles, and their specific responsibilities. About pages and annual reports often reveal the complete C-suite with photos and biographical details.

03

Social Media & LinkedIn Harvesting

LinkedIn is the primary source for role identification. Adversaries map the organizational hierarchy by examining employee profiles, their listed job titles, tenure, and mutual connections. LinkedIn exposes no public reporting-line field, so reporting relationships are inferred: a title such as “Executive Assistant to the CFO”, an engineer whose endorsements all come from one VP’s team, or the “People also viewed” cluster around an executive’s profile. Twitter/X, GitHub, and industry forums provide additional context about technical roles and responsibilities.

04

Public Records & Regulatory Filings

SEC filings (10-K, 10-Q, proxy statements on Form DEF 14A), UK Companies House records, and other regulatory documents reveal executive compensation, board compositions, and organizational structure. These official documents provide authoritative confirmation of roles that may be obfuscated on social media or company websites, and they cannot be taken down by the target the way a website biography can.

05

Conference & Event Intelligence

Conference speaker lists, panelist bios, webinar registrations, and industry event attendee directories are rich sources of role information. Adversaries cross-reference these with social media to build comprehensive profiles that include communication styles, expertise areas, and professional networks.

06

Hierarchy Mapping & Access Analysis

All collected role data is synthesized into a complete organizational hierarchy map. Each individual is assigned a target priority based on their access level, financial authority, and position within communication chains. Special attention is paid to “choke points” — individuals whose compromise would grant access to multiple downstream targets or critical systems.

07

Social Engineering Preparation

With the role map complete, attackers prepare targeted social engineering materials. This includes drafting role-appropriate email templates, training AI voice models on executive recordings, creating convincing pretexting scenarios, and timing attacks to coincide with periods of reduced vigilance such as executive travel, holiday seasons, or major organizational transitions.
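Steps 02 through 06 as a runnable whole, added here as an example that is not part of the original page and written from the defender’s side as an OSINT self-assessment of your own exposure: it merges constructed records in the shape scraping tooling might emit from the website, an SEC filing, a press release, LinkedIn, a conference bio and a job posting, classifies titles into the page’s Gold/Silver/Bronze tiers, infers reporting lines, and scores each person the way step 06 describes (gateway to an executive, choke point with several reports, new in role). The names are those in the page’s illustrative graphic; the assistant’s surname, the record format and the scoring weights are this example’s assumptions.

```python
"""Role-exposure scorer (added example, not code from the page).

Merges records that OSINT tooling might emit from the sources named in
steps 02-05, classifies titles into the page's access tiers, and scores
people the way step 06 describes.  All records below are constructed;
names come from the page's illustrative graphic (the assistant's surname
is assumed) and the scoring weights are this example's assumptions.
"""
import re
from collections import defaultdict

RECORDS = [  # constructed: one record per (source, person)
    {"source": "website",    "name": "Robert Hargrove", "title": "Chief Executive Officer", "reports_to": None},
    {"source": "sec_10k",    "name": "Robert Hargrove", "title": "CEO", "reports_to": None},
    {"source": "press",      "name": "Elena Voss", "title": "Chief Financial Officer", "reports_to": "Robert Hargrove"},
    {"source": "linkedin",   "name": "Elena Voss", "title": "CFO", "reports_to": "Robert Hargrove"},
    {"source": "linkedin",   "name": "Lisa Tran", "title": "Executive Assistant to the CFO",
     "reports_to": "Elena Voss", "tenure_months": 1},
    {"source": "conference", "name": "James Nakamura", "title": "Chief Technology Officer", "reports_to": "Robert Hargrove"},
    {"source": "linkedin",   "name": "Diana Reyes", "title": "VP Engineering", "reports_to": "James Nakamura"},
    {"source": "website",    "name": "Michael Osei", "title": "Director of IT", "reports_to": "James Nakamura"},
    {"source": "linkedin",   "name": "Alex Petrov", "title": "Systems Administrator", "reports_to": "Diana Reyes"},
    {"source": "job_board",  "name": "Alex Petrov", "title": "Sr. Systems Administrator (Active Directory)", "reports_to": None},
]

# (whole-word phrase, role class, access tier, base priority).  First match wins,
# so "executive assistant to the cfo" is classified as an assistant, not a CFO.
ROLE_RULES = [
    ("executive assistant", "ExecAssistant", "bronze", 2),
    ("chief executive", "CEO", "gold", 3), ("ceo", "CEO", "gold", 3),
    ("chief financial", "CFO", "gold", 3), ("cfo", "CFO", "gold", 3),
    ("chief technology", "CTO/CIO", "gold", 3), ("cto", "CTO/CIO", "gold", 3), ("cio", "CTO/CIO", "gold", 3),
    ("vice president", "VP/Director", "silver", 2), ("vp", "VP/Director", "silver", 2),
    ("director", "VP/Director", "silver", 2),
    ("administrator", "SysAdmin", "silver", 2),
    ("human resources", "HR", "bronze", 2),
]


def classify(title):
    """Map a free-text title to (role class, access tier, base priority)."""
    padded = " " + re.sub(r"[^a-z0-9]+", " ", title.lower()).strip() + " "
    for phrase, role, tier, prio in ROLE_RULES:
        if f" {phrase} " in padded:
            return role, tier, prio
    return "Employee", "bronze", 1


def build_org(records):
    """Collapse per-source records into one profile per person."""
    people = {}
    for r in records:
        p = people.setdefault(r["name"], {"titles": set(), "sources": set(),
                                          "reports_to": None, "tenure_months": None})
        p["titles"].add(r["title"])
        p["sources"].add(r["source"])
        p["reports_to"] = r.get("reports_to") or p["reports_to"]
        if r.get("tenure_months") is not None:
            p["tenure_months"] = r["tenure_months"]
    return people


def rank(records):
    """Score everyone; a higher score is a more attractive social-engineering target."""
    people = build_org(records)
    # Highest-privilege classification across all titles seen for a person.
    cls = {n: max((classify(t) for t in p["titles"]), key=lambda c: c[2])
           for n, p in people.items()}
    reports = defaultdict(list)
    for n, p in people.items():
        if p["reports_to"]:
            reports[p["reports_to"]].append(n)
    out = []
    for n, p in people.items():
        role, tier, score = cls[n]
        flags = []
        boss = p["reports_to"]
        if boss in cls and cls[boss][1] == "gold" and tier != "gold":
            flags.append("gateway-to-gold"); score += 1      # relay point for an executive
        if len(reports[n]) >= 2:
            flags.append("choke-point"); score += 1          # several downstream targets
        if p["tenure_months"] is not None and p["tenure_months"] <= 3:
            flags.append("new-in-role"); score += 1          # less likely to know verification norms
        if boss and len(p["sources"]) >= 2:
            flags.append("identity+role+reporting-line public")  # the exposure a self-assessment should reduce
        out.append({"name": n, "role": role, "access": tier, "score": score,
                    "flags": flags, "sources": sorted(p["sources"])})
    return sorted(out, key=lambda d: (-d["score"], d["name"]))


if __name__ == "__main__":
    for row in rank(RECORDS):
        print(f'{row["score"]}  {row["name"]:<16} {row["role"]:<14} {row["access"]:<7} {", ".join(row["flags"])}')
```

Run against records harvested from your own public footprint, the people who surface with the “identity+role+reporting-line public” flag and a score of 3 or more are the ones the role information minimization policy should address first; the assistant outranking two of the three executives is the point the case study makes.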

📊 Role-Based Access & Target Priority Matrix

Role                | Access Level | Target Priority | Common Attack Vector      | Recon Source
CEO / President     | ★ Gold       | HIGH            | Whaling / BEC             | Website, SEC filings
CFO                 | ★ Gold       | HIGH            | Wire transfer fraud       | Press releases, LinkedIn
CTO / CIO           | ★ Gold       | HIGH            | Supply chain compromise   | Conference bios, GitHub
VP / Director       | ◇ Silver     | MEDIUM          | Spear phishing            | LinkedIn, company pages
System Admin        | ◇ Silver     | MEDIUM          | Credential harvesting     | Job postings, forums
HR Manager          | ◆ Bronze     | MEDIUM          | Pretexting / recruitment  | LinkedIn, job boards
Executive Assistant | ◆ Bronze     | MEDIUM          | Trust exploitation        | LinkedIn, org charts
Regular Employee    | ◆ Bronze     | LOW             | Phishing / watering hole  | Social media, breaches

Common Failures vs. Proven Defenses

❌ Common Mistakes

  • Publishing full C-suite bios with photos, tenure, and detailed responsibilities on the corporate website, giving adversaries everything they need to craft convincing impersonations
  • Allowing employees to list direct reporting relationships and granular job descriptions on LinkedIn without any organizational policy restricting what information can be publicly shared
  • Failing to implement out-of-band verification for financial transactions, relying solely on email-based approval chains that are trivially compromised through role impersonation
  • Neglecting to train executive assistants and administrative staff on whaling threats, leaving the most vulnerable communication relay points unprotected
  • Using the same email signatures, templates, and communication styles across all executives, making it easier for attackers to learn and replicate the organization's voice
  • Ignoring job postings and conference speaker lists as reconnaissance sources, inadvertently broadcasting organizational structure through recruitment and marketing activities

✓ Best Practices

  • Implement a “role information minimization” policy that governs what executive and employee role details can appear on public-facing websites, social media, and marketing materials
  • Deploy mandatory multi-factor out-of-band verification for all financial transactions, executive communications involving sensitive decisions, and access privilege changes
  • Conduct quarterly AI-powered social engineering simulations that include deepfake voice, video, and highly personalized spear-phishing tests for all executive-adjacent staff
  • Establish a “challenge protocol” that empowers any employee to question and independently verify unusual requests from executives, regardless of the apparent urgency or seniority
  • Deploy email authentication (SPF, DKIM and a DMARC policy of p=reject) so that mail forging your exact domain is rejected, and treat voice-deepfake detection as a supplementary signal only. Know what these controls do not cover: DMARC says nothing about a lookalike domain the attacker registers, an executive’s display name on a webmail address, or mail sent from a compromised internal mailbox, and deepfake detectors are probabilistic, so the callback verification above remains the control of record
  • Maintain an up-to-date reconnaissance self-assessment that continuously monitors what role information about your organization is publicly available and from which sources
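The gap that email authentication leaves, as an added example that is not code from the page: a classifier for inbound From headers that separates exact-domain mail, which SPF/DKIM/DMARC adjudicate, from lookalike domains and display-name impersonation, which they never see. The organisation domain meridiancapital.com, the protected executive list and the sample headers are all assumed for the example, and the second-level-label logic is deliberately naive (a real deployment would consult the Public Suffix List).

```python
"""Sender checks that DMARC/DKIM/SPF do not make (added example, not from the page).

Exact-domain spoofing is what a p=reject DMARC policy rejects.  What still
reaches the inbox is a lookalike domain the attacker owns, or an executive's
display name on a webmail address.  The organisation domain, the executive
list and the From headers below are all constructed for this example.
"""
from email.utils import parseaddr

ORG_DOMAIN = "meridiancapital.com"      # assumed domain for the page's fictional firm
PROTECTED_NAMES = {"robert hargrove", "elena voss", "james nakamura"}  # assumed
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def levenshtein(a, b):
    """Plain edit distance; labels are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Second-level label: 'mail.meridiancapital.com' -> 'meridiancapital'.
    Naive on purpose; use the Public Suffix List in production."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label):
    """Fold visual confusables so 'rneridian' compares equal to 'meridian'."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def assess(from_header):
    """Classify a From: header relative to ORG_DOMAIN."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return "internal-domain"             # genuine or forged: DMARC/DKIM/SPF decide
    org = registrable(ORG_DOMAIN)
    other = registrable(domain) if domain else ""
    if other and (skeleton(other) == skeleton(org)
                  or levenshtein(other, org) <= 2
                  or org in other):
        return "lookalike-domain"            # passes DMARC because the attacker owns it
    if display.strip().lower() in PROTECTED_NAMES:
        return "display-name-impersonation"  # executive's name on a foreign mailbox
    return "external"


if __name__ == "__main__":
    for hdr in ["Robert Hargrove <robert.hargrove@meridiancapital.com>",
                "Robert Hargrove <r.hargrove@meridiancapital-partners.com>",
                "Robert Hargrove <robert@rneridiancapital.com>",
                "Robert Hargrove <ceo.rh.meridian@gmail.com>",
                "Acme Holdings Billing <ap@acme-holdings.example>"]:
        print(f"{assess(hdr):<28} {hdr}")
```

The two non-internal verdicts are where a mail gateway should tag the message for the recipient (an external-sender banner keyed on the executive name is the cheapest version) or quarantine it; “internal-domain” is the only case DMARC alignment actually tells you anything about.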

Red Team vs. Blue Team Views

Red Team

👁 Attacker Perspective

For red team operators, role identification is the foundational intelligence that determines the success or failure of every subsequent social engineering engagement. During reconnaissance phases, operators prioritize building a complete organizational map that includes not just titles and names, but communication patterns, decision-making authority, technology stack ownership, and interpersonal relationships. The most valuable targets are not always the most senior executives — a system administrator with domain admin rights and a predictable password reset process may represent a higher-value target than a CEO whose emails are screened by multiple gatekeepers. Red teams use Maltego, theHarvester, and custom LinkedIn scraping tools to automate role enumeration, then manually enrich the data with OSINT from conference videos, podcast appearances, and social media activity. The key operator skill is identifying communication choke points — individuals who serve as relay points between executives and operational staff, as compromising these intermediaries provides the most reliable path to executive-level access without triggering the heightened scrutiny that direct executive targeting attracts.

Tools mentioned: Maltego, theHarvester, SpiderFoot, LinkedIn API, Shodan
Blue Team

🛡 Defender Perspective

Blue teams must operate under the assumption that adversaries have already mapped their organization's roles through publicly available sources. The defensive strategy focuses on three pillars: information reduction (minimizing what role data is publicly accessible), detection enhancement (monitoring for reconnaissance activities that indicate active role mapping), and resilience building (ensuring that even successful role identification cannot be translated into successful compromise). Defenders implement Google Alerts and dark web monitoring for mentions of executive names and titles, deploy deception technology such as honeytoken mailboxes and phone numbers seeded into executive contact directories (decoy personas on third-party platforms are a weaker option, since fake profiles generally breach those platforms' terms of service), and establish behavioral analytics that detect anomalous communication patterns targeting specific roles. The most effective blue team programs treat role protection as a continuous process rather than a one-time audit, regularly testing their own organization's public exposure through automated OSINT assessments and adjusting information disclosure policies in response to evolving adversary tactics. Employee training programs must specifically address the psychological manipulation techniques used in role-based attacks, including authority bias, urgency exploitation, and the social engineering of trust relationships.

Controls mentioned: DMARC/DKIM/SPF, Canary Tokens, SIEM, UEBA, Zero Trust, OSINT Audits

Hunting for Role Identification Activity

🔎 Detection Opportunities & Hunting Queries

Threat hunters tracking T1591.004 activity should focus on identifying patterns consistent with organizational reconnaissance rather than individual suspicious events. Active role identification campaigns typically produce detectable signals across multiple data sources, including web server logs showing systematic scraping of leadership and team pages, employee reports of the same unknown profile approaching several colleagues on LinkedIn (the platform's own profile-view telemetry is not available to the target organization), and unusual increases in failed authentication attempts targeting specific known administrative and executive accounts. Hunters should also monitor dark web marketplaces and paste sites for organizational charts or employee role lists that may indicate completed reconnaissance being sold or shared among threat groups.

🔍 Web Server Log Indicators

Monitor for systematic GET requests to /about, /team, /leadership, /company/management paths with short intervals between requests. Look for user agents associated with known scraping tools (Scrapy, curl, python-requests) accessing employee directory pages. High volumes of 200 responses from leadership biographical pages from a single IP or ASN within a short timeframe strongly suggest automated role enumeration.
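The web-log indicators above as a runnable hunt, added here and not part of the original page: it parses combined-format access log lines (constructed for the example), keeps successful requests to role pages, and flags a source address for a scraper user-agent or for a burst of role-page fetches. The path list, the user-agent substrings and the 5-hits-in-60-seconds threshold are assumptions to tune against your own traffic.

```python
"""Hunt for role-page scraping in web server access logs (added example, not from the page).

Reads combined-format lines, keeps 200 responses to leadership/team paths,
and flags a source that either uses a scraper user-agent or fetches
BURST_HITS role pages inside BURST_WINDOW_S.  The log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

ROLE_PATHS = ("/about", "/team", "/leadership", "/company/management", "/people")
SCRAPER_UAS = ("python-requests", "scrapy", "curl/", "wget/", "go-http-client")
BURST_HITS, BURST_WINDOW_S = 5, 60   # assumed thresholds; tune to your traffic

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:15:01 +0000] "GET /leadership HTTP/1.1" 200 18422 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Mar/2024:09:15:02 +0000] "GET /team HTTP/1.1" 200 22110 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Mar/2024:09:15:02 +0000] "GET /about HTTP/1.1" 200 9031 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Mar/2024:09:15:03 +0000] "GET /company/management HTTP/1.1" 200 15777 "-" "python-requests/2.31.0"
198.51.100.20 - - [10/Mar/2024:09:16:40 +0000] "GET /leadership HTTP/1.1" 200 18422 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
198.51.100.20 - - [10/Mar/2024:09:18:05 +0000] "GET /contact HTTP/1.1" 200 4120 "https://www.example.com/leadership" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/123.0"
203.0.113.9 - - [10/Mar/2024:09:20:00 +0000] "GET /team/robert-hargrove HTTP/1.1" 200 7110 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"
203.0.113.9 - - [10/Mar/2024:09:20:01 +0000] "GET /team/elena-voss HTTP/1.1" 200 6980 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"
203.0.113.9 - - [10/Mar/2024:09:20:02 +0000] "GET /team/james-nakamura HTTP/1.1" 200 7044 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"
203.0.113.9 - - [10/Mar/2024:09:20:03 +0000] "GET /team/diana-reyes HTTP/1.1" 200 6901 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"
203.0.113.9 - - [10/Mar/2024:09:20:04 +0000] "GET /team/michael-osei HTTP/1.1" 200 6877 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"
203.0.113.9 - - [10/Mar/2024:09:20:05 +0000] "GET /team/alex-petrov HTTP/1.1" 200 6850 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/122.0"
"""


def parse(line):
    """Combined log line -> dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_role_path(path):
    """True for the role pages themselves and anything beneath them."""
    p = path.split("?", 1)[0].lower()
    return any(p == r or p.startswith(r + "/") for r in ROLE_PATHS)


def hunt(lines):
    """Return {src_ip: finding} for sources that look like role enumeration."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["status"] == 200 and is_role_path(rec["path"]):
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if any(s in r["ua"].lower() for r in recs for s in SCRAPER_UAS):
            reasons.append("scraper user-agent")
        # Sliding window: any BURST_HITS role-page hits within BURST_WINDOW_S.
        for i in range(len(recs) - BURST_HITS + 1):
            span = (recs[i + BURST_HITS - 1]["ts"] - recs[i]["ts"]).total_seconds()
            if span <= BURST_WINDOW_S:
                reasons.append(f"{BURST_HITS} role-page hits in {int(span)}s")
                break
        if reasons:
            findings[ip] = {"hits": len(recs),
                            "distinct_paths": len({r["path"] for r in recs}),
                            "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, f in hunt(SAMPLE_LOG.splitlines()).items():
        print(ip, f)
```

The browser-looking source 203.0.113.9 is the one worth noticing: it never trips the user-agent check, so only the timing of its walk through the individual profile pages gives it away, which is why the burst rule is keyed on role pages rather than on the whole site.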

👥 LinkedIn & Social Media Anomalies

Organizations cannot see who views their employees' LinkedIn profiles; that telemetry belongs to LinkedIn and, at most, to the individual profile owner. The observable signal is the approach itself: ask staff to report connection requests from profiles that target several colleagues at once, particularly when the requester has no apparent connection to your industry or region, and examine those profiles for inconsistencies in work history, stock or AI-generated profile photos, and connection graphs unlike those of real industry professionals.

🔒 Authentication Targeting Patterns

Analyze authentication logs for failed login attempts that systematically target accounts associated with specific roles (IT admins, executives, finance staff) rather than random usernames. Sequential failed attempts across multiple high-privilege accounts from the same source IP, especially when combined with successful enumeration of valid usernames from public sources, indicate an adversary is validating discovered role information against live systems.
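The authentication pattern above as an added example that is not from the page: a hunt over constructed SSO/VPN authentication events that separates a broad brute force from an adversary validating a role map, by measuring what share of a source's failed logins land on role-mapped accounts rather than counting failures. The account-to-role table, the events and the thresholds are this example’s assumptions.

```python
"""Role-targeted password spraying in authentication logs (added example, not from the page).

A broad brute force tries many arbitrary usernames; an adversary validating
a role map tries a short list of named executives and admins.  The test is
therefore the share of failed logins that land on role-mapped accounts, not
the raw failure count.  Events and the account-to-role table are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts tied to the roles the page rates HIGH/MEDIUM; the defender maintains this list.
ROLE_ACCOUNTS = {
    "rhargrove": "CEO", "evoss": "CFO", "jnakamura": "CTO", "dreyes": "VP Engineering",
    "mosei": "Director of IT", "apetrov": "SysAdmin", "ltran": "Executive Assistant",
}
MIN_ROLE_ACCOUNTS, MIN_ROLE_SHARE, WINDOW = 3, 0.6, timedelta(minutes=30)  # assumed thresholds

SAMPLE_EVENTS = [  # constructed: (timestamp, source ip, username, result)
    ("2024-03-10T22:01:05", "203.0.113.7", "rhargrove", "FAIL"),    # one try per named account:
    ("2024-03-10T22:01:09", "203.0.113.7", "evoss", "FAIL"),        # spraying the role map
    ("2024-03-10T22:01:14", "203.0.113.7", "jnakamura", "FAIL"),
    ("2024-03-10T22:01:20", "203.0.113.7", "apetrov", "FAIL"),
    ("2024-03-10T22:01:26", "203.0.113.7", "ltran", "FAIL"),
    ("2024-03-10T22:01:31", "203.0.113.7", "marketing", "FAIL"),
    ("2024-03-10T22:05:00", "198.51.100.33", "admin", "FAIL"),      # generic wordlist:
    ("2024-03-10T22:05:01", "198.51.100.33", "test", "FAIL"),       # noisy but not role-aware
    ("2024-03-10T22:05:02", "198.51.100.33", "guest", "FAIL"),
    ("2024-03-10T22:05:03", "198.51.100.33", "apetrov", "FAIL"),
    ("2024-03-10T22:05:04", "198.51.100.33", "user1", "FAIL"),
    ("2024-03-10T22:05:05", "198.51.100.33", "backup", "FAIL"),
    ("2024-03-10T09:12:44", "192.0.2.10", "evoss", "FAIL"),         # the CFO mistyping
    ("2024-03-10T09:12:58", "192.0.2.10", "evoss", "OK"),           # her password once
]


def hunt(events):
    """Return {src_ip: finding} for sources whose failures cluster on role-mapped accounts."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((datetime.fromisoformat(ts), user))
    findings = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        # Largest set of distinct accounts failed inside any WINDOW-long slice.
        best = set()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= WINDOW}
            if len(users) > len(best):
                best = users
        role_hits = {u for u in best if u in ROLE_ACCOUNTS}
        share = len(role_hits) / len(best)
        if len(role_hits) >= MIN_ROLE_ACCOUNTS and share >= MIN_ROLE_SHARE:
            findings[ip] = {"accounts": sorted(best),
                            "roles": sorted(ROLE_ACCOUNTS[u] for u in role_hits),
                            "role_share": round(share, 2)}
    return findings


if __name__ == "__main__":
    for ip, f in hunt(SAMPLE_EVENTS).items():
        print(ip, f)
```

The generic wordlist source produces the same number of failures as the role-aware one and is not flagged; a hit-count rule would have fired on both and on nothing else, which is the distinction the paragraph above is drawing.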

📄 Data Exposure Monitoring

Search for your organization's name combined with keywords like “org chart,” “employee directory,” “organizational structure,” or individual executive names on paste sites, GitHub repositories, document sharing platforms, and dark web forums. Employee data inadvertently exposed through misconfigured cloud storage, third-party vendor breaches, or departing employee personal archives represents completed T1591.004 reconnaissance available to any adversary.

🌐 DNS & Network Recon Correlation

Correlate web scraping indicators with DNS reconnaissance activity targeting your organization. Adversaries conducting comprehensive T1591.004 reconnaissance typically perform parallel enumeration across multiple sub-techniques. Subdomain brute-forcing or zone-transfer (AXFR) attempts against your authoritative name servers (T1590.002, Gather Victim Network Information: DNS) combined with web scraping of employee directories from the same external IP range provide high-confidence detection of a coordinated reconnaissance campaign.

How Is Your Organization Protecting Role Information?

Share your experiences defending against role identification and whaling attacks. What policies, technologies, and training programs have proven most effective in your organization? Connect with other defenders working to reduce organizational exposure to reconnaissance-based social engineering campaigns.
