MITRE ATT&CK® Technique

T1591.004: Identify Roles

Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.

Adversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: Social Media or Search Victim-Owned Websites).[1] Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Establish Accounts or Compromise Accounts), and/or initial access (ex: Phishing).

Enterprise | T1591.004 | Sub-technique | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Identify Roles is pre-compromise reconnaissance focused on learning who matters inside an organization and what access or influence those people may have. Its business significance is that role information can turn public org charts, websites, social media, leaked data, or elicited details into more believable targeting for phishing, account compromise, business email compromise, or follow-on reconnaissance.

Executive priority

Treat this as an exposure-management and readiness issue, not just a SOC alerting problem. Leaders should ask what role, responsibility, executive, administrator, finance, vendor-management, and operational-contact information is publicly available or easily elicited, and whether high-risk roles have stronger identity controls, social-engineering procedures, and incident playbooks. This technique is especially relevant to prioritizing pre-compromise controls, compliance evidence around sensitive personnel data, and resilience planning for targeted identity abuse.

Technical view

ATT&CK lists this as a PRE-platform reconnaissance sub-technique under Gather Victim Org Information, with no official detection text provided. SOC, threat intelligence, IAM, and IR teams should therefore validate coverage through exposure review and pre-compromise monitoring rather than relying on endpoint telemetry. Use the relationship context to test assumptions: DET0807 is identified as a detection strategy for this object, and M1056 Pre-compromise mitigation applies. Relationships to Operation Dream Job, FIN7, HEXANE, LAPSUS$, and Volt Typhoon show this behavior is relevant across espionage, financially motivated, social-engineering, and critical-infrastructure contexts, but they do not by themselves prove local targeting.

Likely telemetry

  • Public-facing website and directory content that names roles, departments, key personnel, or responsibilities
  • Social media and professional networking exposure for executives, administrators, finance, IT, security, operational, and vendor-facing staff
  • External data exposure findings, including leaked records or searchable datasets containing names, roles, contact details, or voicemail/message content
  • Phishing-for-information reports, suspicious inquiries, recruiter-style approaches, or elicitation attempts reported by employees
  • Identity and access management records mapping high-value roles to privileged access, sensitive data, or approval authority

Detection direction

  • Because MITRE provides no official detection guidance for this technique, validate DET0807 or any local detection strategy against observable pre-compromise signals rather than assuming standard endpoint alerts will apply.
  • Tune monitoring around unusual interest in role pages, leadership biographies, helpdesk contacts, finance contacts, vendor portals, and other personnel-heavy public content, while accounting for benign recruiting, sales, media, and customer activity.
  • Correlate suspicious inquiries or phishing-for-information reports with the targeted role’s access, approval authority, and business process influence to prioritize response.
  • Review external exposure continuously: public websites, social media, search results, and accessible datasets may disclose enough role context for adversary targeting without touching the enterprise network.
  • Use campaign and group relationships as threat-intelligence context for defensive planning, not as attribution for any observed event unless local evidence supports it.
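
The detection direction above is abstract until it is run against real access logs. The following is an added example, not code from the ATT&CK object or from Glexia: it scores web-server clients for enumeration of personnel-heavy public pages, suppresses known crawlers and allowlisted corporate ranges so recruiting and search traffic do not dominate, and ranks each finding by the sensitivity of the roles the fetched pages expose, which is the correlation step the third bullet asks for. The log lines, the page-to-role map, the role tiers, the crawler strings and the allowlisted network are all constructed assumptions.

```python
"""Added example (not from the ATT&CK object or Glexia): score web-server
clients for role reconnaissance against personnel-heavy public pages and rank
findings by the sensitivity of the roles exposed. All data below is constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed: which business roles each personnel-heavy public page exposes.
PERSONNEL_PAGES = {
    "/about/leadership": {"executive"},
    "/about/leadership/cfo": {"executive", "finance"},
    "/contact/accounts-payable": {"finance"},
    "/contact/it-helpdesk": {"it"},
    "/team/security": {"security"},
    "/vendors/portal": {"vendor-management"},
}
# Constructed assumption: how damaging it is if a role is successfully targeted.
ROLE_TIER = {"finance": 3, "it": 3, "security": 3, "executive": 2, "vendor-management": 2}

# Assumed benign sources: search crawlers by user-agent substring, corporate egress by CIDR.
KNOWN_CRAWLERS = ("Googlebot", "bingbot")
ALLOWLISTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

WINDOW = timedelta(minutes=10)  # span inside which breadth is measured
MIN_PERSONNEL_PAGES = 3         # distinct personnel pages inside one window
MIN_PERSONNEL_RATIO = 0.6       # share of a client's served requests that hit personnel pages

# Constructed access-log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:09:00:01 +0000] "GET /about/leadership HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:09:00:09 +0000] "GET /about/leadership/cfo HTTP/1.1" 200 2110 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:09:00:31 +0000] "GET /contact/accounts-payable HTTP/1.1" 200 1880 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:09:01:02 +0000] "GET /contact/it-helpdesk?ref=nav HTTP/1.1" 200 1720 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:09:01:40 +0000] "GET /team/security/ HTTP/1.1" 200 2400 "-" "Mozilla/5.0"',
    '66.249.66.1 - - [10/Mar/2025:09:02:00 +0000] "GET /about/leadership HTTP/1.1" 200 5120 "-" "Googlebot/2.1"',
    '66.249.66.1 - - [10/Mar/2025:09:02:05 +0000] "GET /about/leadership/cfo HTTP/1.1" 200 2110 "-" "Googlebot/2.1"',
    '66.249.66.1 - - [10/Mar/2025:09:02:09 +0000] "GET /team/security HTTP/1.1" 200 2400 "-" "Googlebot/2.1"',
    '198.51.100.20 - - [10/Mar/2025:09:03:00 +0000] "GET /about/leadership HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2025:09:03:10 +0000] "GET /contact/it-helpdesk HTTP/1.1" 200 1720 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2025:09:03:20 +0000] "GET /team/security HTTP/1.1" 200 2400 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Mar/2025:09:04:00 +0000] "GET /products HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Mar/2025:09:04:20 +0000] "GET /pricing HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Mar/2025:09:04:40 +0000] "GET /about/leadership HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Mar/2025:09:04:50 +0000] "GET /about/leadership/ceo HTTP/1.1" 404 300 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one CLF line; normalise the path (drop query string and trailing slash)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/") or "/"
    return rec


def is_benign_source(ip, ua):
    """Known crawlers and allowlisted corporate ranges are excluded rather than scored."""
    if any(bot in ua for bot in KNOWN_CRAWLERS):
        return True
    try:
        return any(ipaddress.ip_address(ip) in net for net in ALLOWLISTED_NETS)
    except ValueError:
        return False


def score_clients(lines):
    """Return findings for clients that enumerated personnel pages, highest priority first."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"].startswith("2"):  # only pages actually served
            per_client[(rec["ip"], rec["ua"])].append(rec)

    findings = []
    for (ip, ua), recs in per_client.items():
        if is_benign_source(ip, ua):
            continue
        hits = sorted((r["ts"], r["path"]) for r in recs if r["path"] in PERSONNEL_PAGES)
        # Breadth: the most distinct personnel pages fetched inside any WINDOW-long span.
        best, j = set(), 0
        for i in range(len(hits)):
            while hits[i][0] - hits[j][0] > WINDOW:
                j += 1
            span = {p for _, p in hits[j:i + 1]}
            if len(span) > len(best):
                best = span
        ratio = len(hits) / len(recs)
        if len(best) < MIN_PERSONNEL_PAGES or ratio < MIN_PERSONNEL_RATIO:
            continue
        roles = set().union(*(PERSONNEL_PAGES[p] for p in best))
        findings.append({
            "client": ip, "pages": sorted(best), "ratio": round(ratio, 2),
            "roles": sorted(roles), "priority": max(ROLE_TIER.get(r, 1) for r in roles),
        })
    return sorted(findings, key=lambda f: (-f["priority"], f["client"]))


if __name__ == "__main__":
    for finding in score_clients(SAMPLE_LOG):
        print(finding)
```

Run stand-alone it reports only 203.0.113.7, which fetched five personnel pages in under two minutes and nothing else, at priority 3 because the pages expose finance, IT and security contacts. The crawler and the allowlisted corporate client fetch the same pages and are suppressed, and 192.0.2.5 is ignored because personnel pages are a minority of its traffic; the 404 for a guessed executive page is excluded because only served content counts toward exposure. The thresholds and tiers are starting points to tune against your own site's traffic, and the role tiers are where IAM data on approval authority and privileged access belongs.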

Mitigation priorities

  • Apply M1056 Pre-compromise principles by reducing unnecessary public disclosure of sensitive role, responsibility, contact, and access-related information.
  • Prioritize high-risk roles for stronger identity protections, approval safeguards, and social-engineering awareness, especially personnel with privileged access, financial authority, incident response responsibilities, executive influence, or operational technology relevance.
  • Establish a process to review public web content, social media guidance, job postings, directory information, and third-party/vendor pages for avoidable role intelligence.
  • Prepare intake and escalation paths for employees who receive unusual role-focused questions, recruiter approaches, or information requests.
  • Use exposure findings to inform IAM, phishing resilience, incident response playbooks, and compliance evidence around protection of personnel and organizational information.
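
The review process in the third mitigation bullet can be partly automated. The following is an added example, not code from the ATT&CK object or from Glexia: it parses a public team page, extracts name, title and any direct contact details for each listed person, maps titles onto high-risk role families, and rates each disclosure so a review queue can focus on the entries that matter. The HTML page, the title keywords, the role families and the list of acceptable shared mailboxes are constructed assumptions.

```python
"""Added example (not from the ATT&CK object or Glexia): review a public team
page for avoidable role intelligence and rate each high-risk disclosure.
The page, keyword lists and role families below are constructed."""
from html.parser import HTMLParser

# Constructed assumption: title keywords that place a person in a high-risk role family.
HIGH_RISK_ROLES = {
    "finance": ("chief financial", "finance", "accounts payable", "payroll", "treasury"),
    "privileged-it": ("systems administrator", "network administrator", "it director", "chief information"),
    "security": ("security", "incident response"),
    "executive": ("chief executive", "chief operating", "president"),
    "vendor-management": ("vendor", "procurement", "supplier"),
}
# Shared mailboxes are an acceptable public contact; personal ones are not.
GENERIC_MAILBOX_PREFIXES = ("press@", "info@", "media@", "sales@", "contact@")

# Constructed team page in a common "one card per person" layout.
SAMPLE_PAGE = """
<ul class="team">
  <li><span class="name">Dana Ortiz</span><span class="title">Chief Financial Officer</span>
      <a href="mailto:dana.ortiz@example.com">email</a><span class="phone">+1 555 0100</span></li>
  <li><span class="name">Lee Park</span><span class="title">Senior Systems Administrator</span>
      <a href="mailto:lee.park@example.com">email</a></li>
  <li><span class="name">Sam Rivera</span><span class="title">Marketing Coordinator</span>
      <a href="mailto:press@example.com">email</a></li>
  <li><span class="name">Jo Chen</span><span class="title">Vendor Management Lead</span></li>
</ul>
"""


class TeamPageParser(HTMLParser):
    """Collect name/title/email/phone from each <li> card on the page."""

    def __init__(self):
        super().__init__()
        self.entries, self._cur, self._field = [], None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "li":
            self._cur = {"name": "", "title": "", "email": "", "phone": ""}
        elif self._cur is None:
            return
        elif tag == "span" and a.get("class") in self._cur:
            self._field = a["class"]          # text until </span> belongs to this field
        elif tag == "a" and a.get("href", "").startswith("mailto:"):
            self._cur["email"] = a["href"][len("mailto:"):]

    def handle_data(self, data):
        if self._cur is not None and self._field:
            self._cur[self._field] += data.strip()

    def handle_endtag(self, tag):
        if tag == "span":
            self._field = None
        elif tag == "li" and self._cur is not None:
            self.entries.append(self._cur)
            self._cur = None


def classify_title(title):
    """Return the set of high-risk role families a job title falls into."""
    t = title.lower()
    return {role for role, kws in HIGH_RISK_ROLES.items() if any(k in t for k in kws)}


def review_team_page(html):
    """Return one finding per listed person whose role is high-risk."""
    parser = TeamPageParser()
    parser.feed(html)
    findings = []
    for e in parser.entries:
        roles = classify_title(e["title"])
        if not roles:
            continue
        issues = []
        if e["email"] and not e["email"].startswith(GENERIC_MAILBOX_PREFIXES):
            issues.append("personal email address published")
        if e["phone"]:
            issues.append("direct phone number published")
        findings.append({
            "name": e["name"], "title": e["title"], "roles": sorted(roles),
            "issues": issues,
            # Name plus title alone is role intelligence; direct contact makes it actionable.
            "severity": "high" if issues else "low",
        })
    return findings


if __name__ == "__main__":
    for finding in review_team_page(SAMPLE_PAGE):
        print(finding)
```

On the constructed page the CFO is rated high (personal email and direct phone for a finance approver), the systems administrator is rated high (personal email for a privileged IT role), the vendor-management lead is rated low (named and titled, no direct contact), and the marketing coordinator behind a shared press mailbox is not reported. The same parser can be pointed at vendor pages, partner directories and cached copies of former page versions; the fix for a high finding is usually a shared role mailbox and a switchboard number rather than removing the person from the page.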

Analyst notes and limits

The supplied ATT&CK object frames this behavior as reconnaissance before compromise. The most useful defensive decision is determining whether exposed role information materially improves an adversary’s ability to target identity, finance, privileged administration, executive decision-making, or sensitive operations. The cited Broadvoice leak reference supports the risk that accessible datasets can expose personal and role-relevant information.

Official detection is not provided, and the ATT&CK platform is PRE, so conventional host, network, or cloud control telemetry may not directly observe the behavior. Local exposure data, brand monitoring, employee reports, IAM context, and threat-intelligence requirements are needed to assess actual risk and coverage. Related groups and campaigns indicate known ATT&CK associations only; they should not be treated as evidence of active exploitation or attribution in a specific environment.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain | ID | Name | Relationship / procedure
Enterprise | T1591 | Gather Victim Org Information | This object is a sub-technique of Gather Victim Org Information.
Associated objects

Groups, software, and campaigns

Group Enterprise

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands-on-keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]

Group Enterprise

G1004: LAPSUS$

LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]

Group Enterprise

G0046: FIN7

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]

Group Enterprise

G1001: HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]

Campaign Enterprise

C0022: Operation Dream Job

Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 45b2fbc0a68e84df...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 45b2fbc0a68e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. ThreatPost. Retrieved October 20, 2020.
  2. [2] MITRE ATT&CK. T1591.004: Identify Roles (mitre-attack external reference).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.