T1597, Reconnaissance (TA0043)

Search Closed Sources

Adversaries pay for access to private databases, data brokers, threat intel feeds, and
dark web intelligence markets to gather premium victim intelligence before
launching targeted attacks...

Why Search Closed Sources Matters

While open-source intelligence (OSINT) dominates public awareness of cyber reconnaissance, the most valuable and dangerous information often lives behind paywalls, authentication layers, and closed ecosystems. T1597 represents the paid dimension of adversarial reconnaissance, where threat actors invest real money to acquire intelligence that is simply not available through free channels.

The dark web intelligence market alone was valued at $0.4 billion in 2022 and is projected to reach $1.7 billion by 2030, growing at a compound annual growth rate (CAGR) of 21.8%. This explosive growth reflects a grim reality: criminals and nation-state actors are willing to pay significant sums for privileged access to victim data, vulnerability intelligence, and technical information that gives them a decisive advantage in planning their attacks.

Unlike open sources, closed sources provide verified, structured, and often real-time intelligence. A data broker can deliver complete employee directories with verified emails and job titles. A threat intelligence vendor's private feed may contain indicators of compromise (IOCs) that haven't been publicly shared yet. A purchased credential dump may contain passwords from breaches that haven't been publicly reported. This intelligence asymmetry is what makes T1597 so dangerous and so difficult to defend against.

  • $1.7B: projected size of the dark web intelligence market by 2030
  • 21.8%: CAGR of the dark web intelligence market
  • $2,700: average price for initial access broker credentials
  • 75: zero-day exploits discovered and exploited in 2024

Why This Technique Is Particularly Dangerous

According to CISA (Cybersecurity and Infrastructure Security Agency), threat actors increasingly leverage data from initial access brokers and underground markets to pre-position themselves within target networks before launching full-scale attacks. The information purchased through closed sources often includes:

  • Valid credentials: usernames and passwords from recent, unreported breaches
  • Network topology maps, internal IP ranges, VPN configurations, and firewall rules
  • Zero-day vulnerability details, exploit code and technical information not yet patched
  • Employee PII, social security numbers, home addresses, and financial records for social engineering

Key Terms & Concepts

Definition

Closed Sources are information repositories that require payment, credentials, special access, or membership to obtain data. Unlike open sources (OSINT), which are freely available to anyone with internet access, closed sources gate their data behind commercial agreements, authentication walls, or legal restrictions. Examples include paid threat intelligence feeds, data broker databases, credit bureau reports, government record portals, private investigator networks, and dark web marketplaces.

Everyday Analogy

Think of searching closed sources like paying for a premium background check service. While anyone can Google someone's name and find basic public information (the equivalent of open sources), a premium service can pull credit reports, employment history, court records, property ownership, and financial data: all things you cannot access for free. Threat actors do exactly this, but at industrial scale and often through illicit channels, purchasing dossiers on target organizations and key individuals before crafting their attacks.

Essential Terminology

Data Broker
  Definition: A company that collects, aggregates, and sells personal and corporate information from multiple sources.
  Everyday analogy: Like a giant personal-information supermarket that buys data from stores and resells it in organized aisles.

Threat Intelligence Feed
  Definition: A paid subscription service providing real-time IOC data, malware signatures, and threat actor profiles.
  Everyday analogy: Like a premium weather alert service that warns you about incoming storms before anyone else knows.

Initial Access Broker (IAB)
  Definition: A threat actor who compromises networks and sells that access to other attackers for a fee.
  Everyday analogy: Like someone who picks locks on houses and then sells the keys to burglars.

Credit Bureau Data
  Definition: Financial history, credit scores, loan records, and account information maintained by agencies like Equifax, Experian, and TransUnion.
  Everyday analogy: Like your financial report card: it shows how trustworthy you are with money, but it can be exploited for social engineering.

Dark Web Marketplace
  Definition: Encrypted online marketplaces operating on Tor or similar networks where stolen data, exploits, and services are traded.
  Everyday analogy: Like a black market bazaar where criminals buy and sell stolen goods anonymously.

Zero-Day Exploit
  Definition: A vulnerability unknown to the software vendor, for which no patch exists, often sold on underground markets.
  Everyday analogy: Like discovering a secret door in a bank vault that nobody knows about: extremely valuable to the right buyer.

Commercial Data Aggregator
  Definition: Services like LexisNexis and Dun & Bradstreet that compile business records, legal filings, and corporate intelligence.
  Everyday analogy: Like a super-powered phone book that includes every business detail you could ever want.

Private Investigator Database
  Definition: Specialized databases accessible only to licensed PIs, containing DMV records, court filings, and surveillance data.
  Everyday analogy: Like a detective's toolkit: specialized resources not available to the general public.

T1597 Sub-techniques

This technique has two documented sub-techniques in the MITRE ATT&CK framework:

  • T1597.001, Threat Intel Vendors: Adversaries search private data from threat intelligence vendors for information used during targeting. This includes subscribing to commercial TI feeds, accessing vulnerability databases, and reviewing security reports that are behind paywalls.
  • T1597.002, Purchase Technical Data: Adversaries purchase technical information about victims including employee contact info, credentials, network details, and proprietary data through data brokers, dark web markets, and underground forums.

Real-World Scenario

The Case of David Chen: When Data Brokers Became the Weapon

David Chen is a 38-year-old senior security analyst at Meridian Financial Services, a mid-size wealth management firm handling $4.2 billion in assets across three offices in New York, Chicago, and San Francisco. David's team of four is responsible for monitoring threats, managing firewalls, and responding to security incidents. Like many security professionals at mid-size firms, David believed his team was doing everything right: strong firewalls, endpoint detection, regular phishing training, and multi-factor authentication across all systems.

Phase 1: The Silent Purchase (Week 1-2)

On the other side of the world, a threat group tracked as FINANCE_SPIDER was preparing a targeted attack on Meridian Financial. Rather than scanning the company's perimeter (which would trigger alerts), they opened accounts with three commercial data brokers. Using cryptocurrency payments through a mixing service, they purchased a complete employee directory including 847 staff members' full names, verified corporate email addresses, job titles, department affiliations, and direct phone numbers. Cost: approximately $12,000 in Bitcoin. The data was delivered within 48 hours through an encrypted channel, no logins, no scans, no alerts at Meridian.

Phase 2: Deep Intelligence Gathering (Week 3-4)

With the employee directory in hand, FINANCE_SPIDER cross-referenced the names against a dark web database of breached credentials. They found that 23 Meridian employees had reused passwords from a 2021 third-party SaaS breach. They also purchased credit bureau reports on 12 senior executives, revealing home addresses, mortgage details, vehicle registrations, and family member names. An additional purchase from a private investigator forum provided cell phone numbers and recent travel itineraries for the CFO and CTO. Total additional spend: approximately $8,500.

Phase 3: The Spear Phishing Campaign (Week 5-6)

Armed with deep personal intelligence, FINANCE_SPIDER crafted hyper-personalized spear phishing emails. An email to the CFO referenced her recent trip to Miami, her daughter's school fundraiser, and a specific vendor invoice, all details obtained from closed sources. The email contained a malicious attachment that appeared to be a legitimate wire transfer authorization. When the CFO opened it, a sophisticated payload deployed a reverse shell, granting the attackers persistent access to Meridian's network.

Phase 4: Data Exfiltration and Impact (Week 7-8)

Over 14 days, FINANCE_SPIDER exfiltrated 2.3 million client records including Social Security numbers, account balances, and investment portfolios. They also intercepted three wire transfers totaling $1.7 million by modifying legitimate payment instructions. The breach was finally detected when a client reported unauthorized account activity, triggering David's incident response team. By then, the damage was done: regulatory fines, client lawsuits, reputational destruction, and $3.2 million in total remediation costs.

Phase 5: Aftermath and David's New Approach

The investigation revealed that 100% of the reconnaissance was conducted through closed sources. Not a single port scan or network probe had been performed against Meridian's perimeter. David realized that traditional perimeter defenses were blind to this type of threat. He implemented a comprehensive data exposure reduction program: requesting data broker opt-outs for all employees, subscribing to dark web monitoring services, registering with haveibeenpwned.com for corporate domains, implementing strict data minimization policies, and conducting quarterly data exposure audits. Meridian also filed complaints with the FTC against unauthorized data sharing practices.

Key Takeaway

The Meridian Financial breach demonstrates a critical lesson: the most dangerous reconnaissance is the kind you never see coming. When adversaries pay for intelligence through legitimate-seeming channels (data brokers, credit bureaus, commercial databases), they bypass every technical defense. The attack surface isn't your firewall; it's the data ecosystem that already knows everything about your organization. Defending against T1597 requires a fundamental shift in mindset from "protect our network" to "minimize our data footprint across all channels."

Step-by-Step Protection Guide

Protective Framework

Defending against T1597 requires a multi-layered approach that focuses on reducing your organization's data footprint in closed-source databases. The following seven-step guide provides actionable measures to limit adversarial access to your intelligence through paid and private channels.

Step 01: Conduct a Data Exposure Audit

Systematically identify where your organization's data exists in closed-source databases and commercial platforms.

  • Search data broker opt-out portals (Datatrust, Acxiom, Epsilon, Experian) for your company name and executive names
  • Use services like haveibeenpwned.com to check if employee credentials appear in known breach databases
  • Engage a third-party data exposure assessment firm to discover unknown data sharing by vendors and partners
Step 02: Exercise Data Broker Opt-Out Rights

Remove or limit your organization's and employees' data from commercial data broker databases that sell to unknown parties.

  • File opt-out requests with major data brokers under CCPA, GDPR, and state privacy laws (see NIST Privacy Framework)
  • Create a standardized data removal request template for HR to use on behalf of all employees
  • Subscribe to automated data removal services (DeleteMe, OneRep, Incogni) for continuous monitoring
Step 03: Implement Dark Web Monitoring

Subscribe to services that actively monitor closed-source underground markets for mentions of your data, credentials, and intellectual property.

  • Deploy commercial dark web intelligence platforms (Recorded Future, Digital Shadows, Flashpoint) for continuous threat monitoring
  • Configure alerts for company domain names, executive PII, internal project codenames, and proprietary technology terms
  • Establish relationships with law enforcement cyber task forces for rapid takedown of stolen data listings
Step 04: Enforce Strict Data Minimization Policies

Reduce the amount of data your organization shares with third parties, vendors, and public-facing platforms to limit the intelligence available through threat intel vendors and data aggregators.

  • Audit all vendor contracts for data sharing clauses and eliminate unnecessary data provisions
  • Implement privacy-by-design principles in all customer-facing systems (collect only what you need)
  • Regularly review and purge stale data from CRM systems, marketing databases, and partner portals
Step 05: Deploy Proactive Identity Protection

Protect employees and executives from having their identities weaponized through identity intelligence gathering purchased from closed sources.

  • Provide corporate identity monitoring subscriptions for all employees (especially C-suite and finance staff)
  • Implement social media guidelines that limit public sharing of work details, travel plans, and organizational information
  • Use executive protection services that monitor for deepfakes, impersonation attempts, and targeted surveillance
Step 06: Assume Breach & Verify Data Integrity

Since you cannot prevent adversaries from purchasing data about your host infrastructure, assume the attacker already has partial knowledge and design defenses accordingly.

  • Implement zero-trust architecture that does not rely on network perimeter assumptions
  • Rotate credentials regularly and enforce unique, complex passwords across all systems (no reuse)
  • Deploy behavioral analytics to detect anomalous access patterns that indicate an attacker using purchased intelligence
Step 07: Engage Legal & Regulatory Frameworks

Use legal mechanisms to hold data brokers accountable and create deterrence against unauthorized data collection and resale.

  • File complaints with the FTC and state attorneys general when data brokers refuse opt-out requests or sell data without consent
  • Ensure all organizational data practices comply with CCPA, GDPR, HIPAA, and state-level privacy legislation
  • Include data protection clauses in all contracts with vendors and require breach notification within 24 hours
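The following is an added worked example, not code from the original page or from any data broker or removal service. It models steps 01, 02 and 05 of the guide as one offline audit: compare what brokers currently list about staff against the opt-out requests already filed, flag records that came back after an opt-out was honoured (opt-outs are not permanent), and rank findings so executive and finance accounts, and records exposing home addresses or phone numbers, are handled first. The broker names, employee roster, exposed fields, opt-out dates and the 30-day grace window are all constructed assumptions for the example.

```python
"""Data exposure audit helper (added example; not the page's or any vendor's code).

Every broker result, employee record and opt-out date below is constructed sample
data; the broker names are placeholders, not real query results.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Roles step 05 singles out for priority handling (C-suite and finance staff).
PRIORITY_ROLES = {"ceo", "cfo", "cto", "finance", "treasury", "accounts payable"}
# Exposed fields that feed directly into spear phishing / social engineering.
SENSITIVE_FIELDS = {"home_address", "phone", "family_members"}
# Sort order within a priority tier: re-added records prove a broker re-ingested the
# data, so they go first; pending ones are still inside the broker's window.
STATUS_ORDER = {"re-added": 0, "new": 1, "pending": 2}


@dataclass(frozen=True)
class BrokerRecord:
    broker: str
    email: str
    fields_exposed: frozenset


@dataclass(frozen=True)
class OptOut:
    broker: str
    email: str
    filed_on: date


@dataclass(frozen=True)
class Finding:
    broker: str
    email: str
    role: str
    status: str        # "new", "re-added" or "pending"
    fields_exposed: frozenset
    priority: int      # 1 = handle first


def classify(filed_on, today, grace_days):
    """Decide whether a listed record is new, re-added after an opt-out, or pending."""
    if filed_on is None:
        return "new"
    if (today - filed_on).days > grace_days:
        return "re-added"
    return "pending"


def audit(records, optouts, employees, today, grace_days=30):
    """Return findings sorted so the most urgent opt-out work comes first."""
    filed = {(o.broker, o.email.lower()): o.filed_on for o in optouts}
    findings = []
    for rec in records:
        email = rec.email.lower()
        role = employees.get(email, "unknown").lower()
        status = classify(filed.get((rec.broker, email)), today, grace_days)
        sensitive = bool(rec.fields_exposed & SENSITIVE_FIELDS)
        priority = 1 if (role in PRIORITY_ROLES or sensitive) else 2
        findings.append(Finding(rec.broker, email, role, status, rec.fields_exposed, priority))
    findings.sort(key=lambda f: (f.priority, STATUS_ORDER[f.status], f.broker, f.email))
    return findings


def summarize(findings):
    """Counts per status: the quarterly metric the guide says to track over time."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.status] += 1
    return dict(counts)


def requests_to_file(findings):
    """Per-broker list of addresses that need a fresh opt-out request."""
    out = defaultdict(set)
    for f in findings:
        if f.status in ("new", "re-added"):
            out[f.broker].add(f.email)
    return {broker: sorted(emails) for broker, emails in out.items()}


# Constructed sample data (assumed, not real broker output)
TODAY = date(2025, 3, 1)
EMPLOYEES = {
    "cfo@meridian.example": "CFO",
    "analyst@meridian.example": "Security Analyst",
    "ap.clerk@meridian.example": "Accounts Payable",
}
RECORDS = [
    BrokerRecord("BrokerA", "cfo@meridian.example", frozenset({"email", "home_address", "phone"})),
    BrokerRecord("BrokerB", "analyst@meridian.example", frozenset({"email", "job_title"})),
    BrokerRecord("BrokerA", "analyst@meridian.example", frozenset({"email"})),
    BrokerRecord("BrokerC", "ap.clerk@meridian.example", frozenset({"email", "job_title"})),
    BrokerRecord("BrokerC", "former.employee@meridian.example", frozenset({"email"})),
]
OPTOUTS = [
    OptOut("BrokerA", "cfo@meridian.example", TODAY - timedelta(days=90)),     # honoured, then data returned
    OptOut("BrokerA", "analyst@meridian.example", TODAY - timedelta(days=5)),  # still inside the grace window
]

if __name__ == "__main__":
    findings = audit(RECORDS, OPTOUTS, EMPLOYEES, TODAY)
    for f in findings:
        print(f.priority, f.status, f.broker, f.email, sorted(f.fields_exposed))
    print(summarize(findings))
    print(requests_to_file(findings))
```

Feeding real broker results into `RECORDS` is the only change needed to use this against an actual opt-out log; the "re-added" status is the one worth alerting on, because it shows which brokers re-ingest data and therefore need recurring rather than one-time requests.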

Common Mistakes & Best Practices

⚠ Common Mistakes

  • Assuming perimeter defenses block reconnaissance. Many organizations focus exclusively on firewalls and intrusion detection systems, ignoring the fact that T1597 bypasses the network entirely by purchasing data from third parties. No firewall can block a data broker from selling your employee directory.
  • Ignoring data broker opt-out rights. Most organizations never check what data brokers know about them. Under CCPA and GDPR, companies have the right to request data deletion, but fewer than 5% of businesses exercise these rights proactively.
  • Allowing excessive public employee information. LinkedIn profiles, conference speaker bios, and company "Meet the Team" pages often provide attackers with organizational charts, job titles, and direct contact info: the exact intelligence that data brokers package and sell.
  • Neglecting executive and C-suite exposure. Senior executives have the highest public data footprints (SEC filings, press releases, property records, and social media activity), making them prime targets for closed-source intelligence gathering.
  • Failing to monitor dark web marketplaces. By the time stolen data appears on a closed-source marketplace, it's already been sold multiple times. Organizations without dark web monitoring are flying blind to this entire intelligence channel.

✅ Best Practices

  • Treat data exposure as a first-class security risk. Elevate data footprint reduction to the same priority as patch management and vulnerability scanning. Conduct quarterly data exposure assessments and track metrics over time.
  • Implement automated data removal workflows. Use services like DeleteMe, OneRep, or Privacy Bee to continuously monitor and remove employee data from data broker databases. Automate opt-out requests for new hires and departing employees.
  • Deploy dark web intelligence monitoring. Subscribe to commercial platforms like Recorded Future, Flashpoint, or CrowdStrike Falcon Intelligence that continuously monitor underground markets for your data, credentials, and brand mentions.
  • Adopt zero-trust principles for all access. Since attackers may already possess valid credentials and network information from closed sources, implement continuous authentication, least-privilege access, and behavioral anomaly detection.
  • Create a data minimization culture. Train all employees to share only necessary information in public forums, limit social media exposure of work details, and understand how seemingly harmless disclosures contribute to the closed-source intelligence ecosystem.

Red Team vs Blue Team

RED TEAM

👁 Attacker Perspective

How adversaries weaponize closed sources during reconnaissance:

Objective: Acquire maximum intelligence about the target while remaining completely undetected by technical defenses.

Phase 1, Source Identification: Identify the most cost-effective closed sources for the target type. For a financial firm, prioritize employee directories from data brokers and credit bureau data on executives. For a technology company, focus on threat intel vendor feeds and technical documentation from premium sources. Budget allocation typically ranges from $5,000 to $50,000 depending on target value.

Phase 2, Intelligence Acquisition: Use cryptocurrency (Bitcoin, Monero) to purchase data through anonymized channels. Engage with initial access brokers on dark web forums to acquire pre-compromised credentials. Subscribe to trial accounts of commercial threat intelligence platforms to access vulnerability databases and IOC feeds. Use social engineering to gain access to industry-specific closed databases.

Phase 3, Cross-Referencing & Enrichment: Merge data from multiple closed sources to build comprehensive victim profiles. Cross-reference employee names from data brokers with credentials from breach databases, financial data from credit bureaus, and network information from purchased technical data. The enriched intelligence enables precision targeting.

Phase 4, Attack Planning: Use the gathered intelligence to craft hyper-personalized phishing campaigns, select the most vulnerable entry points, and time attacks based on business tempo data (working hours, travel schedules, board meetings).

BLUE TEAM

🛡 Defender Perspective

How defenders detect, prevent, and respond to closed-source intelligence gathering:

Objective: Reduce the organization's data footprint across all closed-source channels and detect when purchased intelligence is being used against them.

Prevention, Data Minimization: Proactively remove organizational data from data broker databases through opt-out requests under CCPA, GDPR, and state privacy laws. Implement strict data sharing policies with vendors and partners. Reduce public exposure of employee information on company websites, social media, and conference materials. Deploy privacy-preserving technologies that minimize data collection at the source.

Detection, Dark Web Monitoring: Subscribe to commercial dark web intelligence services that continuously scan underground marketplaces for stolen data, credential dumps, and threat actor discussions mentioning your organization. Set up automated alerts for company domains, executive names, internal project codenames, and proprietary technology fingerprints. Correlate detections with internal security events to identify active targeting.

Response, Rapid Mitigation: When intelligence gathering is detected, immediately rotate all potentially compromised credentials, notify affected employees, and escalate to law enforcement cyber task forces. File takedown requests with hosting providers and domain registrars. Conduct a thorough investigation to determine the full scope of data exposure and implement additional controls.

Resilience, Assume Compromise: Design defenses under the assumption that adversaries already possess significant intelligence about your organization. Implement zero-trust architecture, continuous authentication, behavioral analytics, and defense-in-depth strategies that remain effective even when the attacker has prior knowledge.


Threat Hunter's Eye

🔎 How Attackers Exploit Closed Source Intelligence

Understanding how adversaries abuse closed-source data requires looking at the entire intelligence supply chain. Every piece of data that leaves your organization, whether through legitimate business operations, employee social media activity, or third-party data sharing, potentially enters the closed-source intelligence market. Here's what threat hunters should look for:

Intelligence Supply Chain Weaknesses

These are the common weaknesses that allow closed-source intelligence to be weaponized. All of them can be understood without any technical expertise; they represent fundamental gaps in how organizations think about their data.

  • HIGH: Third-party data sharing without oversight. Vendors, partners, and service providers routinely share organizational data with data brokers, credit agencies, and marketing platforms. Most organizations have no visibility into where their data ends up after it leaves their control.
  • HIGH: Credential reuse across platforms. When employees use the same password for corporate systems and personal services, a breach at any third-party service provides attackers with valid credentials for your network. Data from credential breaches is a top seller on dark web markets.
  • HIGH: Supply chain data leakage. Your vendors' and suppliers' databases often contain detailed information about your organization (purchase orders, contract terms, technical specifications, and integration details) that becomes accessible when those vendors are compromised.
  • MED: Regulatory filing exposure. Public SEC filings, property records, UCC filings, and court documents contain rich organizational intelligence including financial data, executive compensation, business relationships, and legal vulnerabilities.
  • MED: Employee social media oversharing. LinkedIn profiles, Twitter/X posts, and GitHub repositories reveal job titles, project involvement, technology stacks, internal team structures, and working patterns: all aggregated and sold by data brokers.
  • MED: Outdated data removal requests. Data broker opt-outs are not permanent. Many brokers re-add data within months as they ingest new public records and commercial datasets. Organizations that filed opt-outs years ago may have data back in circulation.
  • LOW: Conference and event attendance. Speaker lists, attendee badges, and event materials provide verified organizational affiliations and roles that data brokers cross-reference to build comprehensive employee databases.
  • LOW: Job posting intelligence. Public job advertisements reveal technology stacks, team structures, project initiatives, and hiring priorities that help attackers understand an organization's current capabilities and future direction.

Hunting Queries for Detection

While T1597 itself cannot be directly detected through network monitoring (the transactions happen outside your infrastructure), threat hunters can use the following queries to identify indicators that closed-source intelligence is being used against their organization:

  • HIGH: dark_web_monitor:"yourdomain.com" AND (passwords OR credentials OR dump) AND date:[now-30d TO now]
  • HIGH: SIEM: authentication_failure_count > 10 FROM single_ip WHERE username IN (recent_breach_dump)
  • MED: email_gateway: body_matches_executive_details AND sender_not_in_contact_list AND attachment_detected
  • MED: DNS: resolution_of_newly_registered_domains_matching_brand_typosquatting_patterns
  • LOW: HR_database: new_hire_data_appearing_in_external_data_broker_results_within_7_days
  • LOW: social_media_monitor: executive_travel_patterns_correlated_with_phishing_campaign_timing
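The queries above are written in a platform-neutral pseudo-syntax. As an added example (not the page's own content, and not tied to any real SIEM schema), the block below implements the second HIGH query over constructed authentication log lines: it counts failures per source IP, keeps only usernames that appear in a constructed breach-dump list, alerts when one IP exceeds the threshold, and separately reports any dumped account that also authenticated successfully from that IP, which is the set step 06 of the guide says to rotate immediately. The log line format, the breach list and the IP addresses (all from documentation ranges) are assumptions for the example.

```python
"""Hunting query worked example (added; not the page's own detection content).

Assumed log format: "<ISO timestamp> auth <success|failure> user=<name> src=<ip>".
The breach-dump usernames and every log line below are constructed sample data.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(lines, breached_users, threshold=10):
    """Return alerts keyed by source IP for the query
    'authentication_failure_count > threshold FROM single_ip WHERE username IN (breach_dump)'.

    Each alert carries the failure count, the number of distinct dumped accounts
    tried, and which dumped accounts also logged in successfully from that IP.
    """
    breached = {u.lower() for u in breached_users}
    failures = defaultdict(list)   # ip -> [username, ...] (dumped accounts only)
    successes = defaultdict(set)   # ip -> {username, ...} (dumped accounts only)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue               # skip unrelated lines instead of aborting the hunt
        user = ev["user"].lower()
        if user not in breached:
            continue               # the query only looks at accounts present in the dump
        if ev["result"] == "failure":
            failures[ev["ip"]].append(user)
        else:
            successes[ev["ip"]].add(user)
    alerts = {}
    for ip, users in failures.items():
        if len(users) > threshold:
            alerts[ip] = {
                "failure_count": len(users),
                "distinct_users": len(set(users)),
                "successful_logins": sorted(successes.get(ip, set())),
            }
    return alerts


def accounts_to_rotate(alerts):
    """Dumped accounts that succeeded from an alerting IP: rotate these first."""
    return sorted({u for a in alerts.values() for u in a["successful_logins"]})


# Constructed sample data
BREACH_DUMP = ["j.doe", "a.smith", "cfo.office", "m.lee"]
SAMPLE_LOG = []
# 12 failures against dumped accounts from one IP, then a success for one of them
for i in range(12):
    SAMPLE_LOG.append(f"2025-03-01T02:{i:02d}:00Z auth failure user={BREACH_DUMP[i % 3]} src=203.0.113.7")
SAMPLE_LOG.append("2025-03-01T02:13:00Z auth success user=cfo.office src=203.0.113.7")
# Same volume of failures from another IP, but the account is not in the dump: no alert
for i in range(12):
    SAMPLE_LOG.append(f"2025-03-01T03:{i:02d}:00Z auth failure user=svc.backup src=198.51.100.9")
# A few failures against a dumped account from a third IP: below threshold
for i in range(3):
    SAMPLE_LOG.append(f"2025-03-01T04:{i:02d}:00Z auth failure user=m.lee src=192.0.2.44")
SAMPLE_LOG.append("unrelated line that the parser must skip")

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG, BREACH_DUMP)
    for ip, alert in found.items():
        print(ip, alert)
    print("rotate first:", accounts_to_rotate(found))
```

The filter on dumped usernames is what separates this from a generic brute-force rule: the same 12 failures against a non-dumped service account produce nothing, so the alert volume stays tied to the purchased-intelligence hypothesis the section describes.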


MITRE ATT&CK Reference: attack.mitre.org/techniques/T1597  |  Tactic: TA0043 (Reconnaissance)  |  Sub-techniques: T1597.001, T1597.002
