1

I am studying the MITRE ATT&CK framework and I am confused with the following tactics: Reconnaissance, Discovery, and Resource Development.

What are the differences between these 3 tactics? According to the study material:

  • Reconnaissance is the adversary trying to gather information they can use to plan future operations.
  • Discovery consists of techniques an adversary may use to gain knowledge about the system and internal network.
  • Resource Development is the adversary trying to establish resources they can use to support future operations.

Aren't these 3 similar? I mean in reconnaissance you are gathering information to perform future operations, but in discovery you are also gathering information to be used, while on resource development is the adversary trying to establish what resources he/she can use in future operations (isn't this like also gathering information about a target system/network?)

schroeder
  • 123,438
  • 55
  • 284
  • 319
Jask_Skull
  • 11
  • 1
  • Have you read the actual framework to see how these are different? Have you read the ***full*** descriptions for each tactic? https://attack.mitre.org/tactics/TA0007/ – schroeder Apr 30 '22 at 14:04
  • No sorry, I enrolled in their course and started to learn about MITRE from the study material. I've followed your recommendation to read the full description and now I understand the difference between Resource Development and the other two. But I still don't fully understand reconnaissance and discovery. For example: An attacker that wants to infiltrate a system will gather information before performing the infiltration, that would be reconnaissance. And for Discovery is that after the attacker infiltrated a system, he/she gather information about the system he/she arrived? Is it correct? – Jask_Skull May 01 '22 at 14:24
  • If you look at the specific tactics, and see how they fit in the full end-to-end process, you will see that Discovery happens after initial compromise. – schroeder May 01 '22 at 17:04

0 Answers0