T1597: Search Closed Sources
Adversaries may search and gather information about victims from closed (e.g., paid, private, or otherwise not freely available) sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.[1]
Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services or Valid Accounts).
Analyst context for executives and security teams
Search Closed Sources matters because adversaries can prepare targeting using information the organization may not see them collect: paid intelligence portals, private databases, scan-data services, or cybercrime marketplaces. For leaders, the key risk is that attackers may already know which exposed services, leaked records, industries, or accounts are useful before any activity touches corporate telemetry.
Executive priority
Treat this as a pre-compromise reconnaissance risk. It should influence decisions around external attack-surface management, breach-data monitoring, identity exposure reduction, and incident response readiness. Because MITRE provides no native detection text for this technique, executives should ask whether the organization has evidence of what sensitive technical or identity data is available in closed sources and whether that evidence is used to prioritize remediation before initial access occurs.
Technical view
This is an enterprise ATT&CK reconnaissance technique on the PRE platform. SOC and detection teams should not expect normal endpoint or network controls to directly observe the search itself. Instead, validate coverage through exposure intelligence: paid threat-intelligence reporting, scan-database exposure findings, dark web or cybercrime-marketplace monitoring, and breach-data alerts. The related sub-techniques point to threat intelligence vendors and purchased technical data, so defenders should connect external exposure findings to downstream risks such as phishing for information, external remote services, valid accounts, developing capabilities, or obtaining capabilities.
Likely telemetry
- Threat intelligence vendor portal/feed results that mention the organization, sector, infrastructure, or exposed technologies
- Dark web or cybercrime marketplace monitoring reports for leaked user records or technical data
- External attack-surface and scan-database findings for internet-facing assets and services
- Credential or account exposure alerts derived from closed or paid breach-data sources
- Incident response intake records showing whether externally sourced reconnaissance indicators were available before initial access
Detection direction
- Validate whether DET0822 or an equivalent detection strategy is operationalized as exposure detection rather than endpoint detection, since ATT&CK provides no official detection text for T1597.
- Tune monitoring to distinguish general sector reporting from organization-specific exposure that can enable targeting.
- Correlate closed-source exposure findings with known internet-facing services, identity systems, and accounts to identify actionable risk.
- Review false positives from data brokers, stale breach records, duplicated leaks, and generic threat intelligence reporting before escalating as incident evidence.
- Use relationship context from T1597.001 and T1597.002 to ensure coverage includes both paid threat-intelligence sources and purchased technical-data sources.
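The triage logic the detection direction above describes (deduplicate resold leaks, drop stale records, separate organization-specific exposure from general sector reporting, correlate with known assets and accounts) as an added example in Python; this is not MITRE's or Glexia's code, and the inventory, finding format and field names are constructed assumptions:

```python
from datetime import date

# Constructed inventory of what the organization exposes externally (assumed shape).
INVENTORY = {
    "domains": {"example.com"},
    "hosts": {"vpn.example.com", "mail.example.com"},
    "identities": {"admin@example.com", "jdoe@example.com"},
}

# Constructed findings in the shape a closed-source feed might deliver (assumed fields).
FINDINGS = [
    {"source": "breach-feed", "kind": "credential", "subject": "JDoe@Example.com", "seen": "2024-02-10", "hash": "h1"},
    {"source": "breach-feed", "kind": "credential", "subject": "jdoe@example.com", "seen": "2024-02-10", "hash": "h1"},  # same leak, resold
    {"source": "breach-feed", "kind": "credential", "subject": "old@example.com", "seen": "2019-01-01", "hash": "h2"},  # stale record
    {"source": "scan-db", "kind": "service", "subject": "vpn.example.com", "seen": "2024-03-01", "hash": "h3"},
    {"source": "ti-portal", "kind": "report", "subject": "healthcare sector", "seen": "2024-03-02", "hash": "h4"},  # sector-wide
    {"source": "scan-db", "kind": "service", "subject": "vpn.other.org", "seen": "2024-03-01", "hash": "h5"},  # not ours
]

def is_org_specific(subject, inventory):
    """True when the subject names one of our hosts, identities, or domains (or an e-mail at our domain)."""
    s = subject.strip().lower()
    if s in inventory["identities"] or s in inventory["hosts"]:
        return True
    target = s.split("@", 1)[1] if "@" in s else s
    return any(target == d or target.endswith("." + d) for d in inventory["domains"])

def triage(findings, inventory, today, max_age_days=365):
    """Return only deduplicated, current, organization-specific findings with a priority."""
    seen_hashes, actionable = set(), []
    for f in findings:
        if f["hash"] in seen_hashes:  # duplicated leak listed under several offerings
            continue
        seen_hashes.add(f["hash"])
        if (today - date.fromisoformat(f["seen"])).days > max_age_days:  # stale breach data
            continue
        if not is_org_specific(f["subject"], inventory):  # general sector reporting, not targeting
            continue
        # Credentials and exposed services map directly to Valid Accounts / External Remote Services risk.
        priority = "high" if f["kind"] in ("credential", "service") else "medium"
        actionable.append({"subject": f["subject"].strip().lower(), "kind": f["kind"],
                           "source": f["source"], "priority": priority})
    return actionable

DEMO_TODAY = date(2024, 4, 1)  # fixed reference date for the constructed sample

def run_demo():
    return triage(FINDINGS, INVENTORY, DEMO_TODAY)

if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```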
Mitigation priorities
- Prioritize pre-compromise controls under M1056: reduce the amount and usefulness of information adversaries can obtain before an attack.
- Continuously identify and remediate exposed external services, weak identity exposure, and sensitive technical details that appear in private or paid sources.
- Use exposure findings to drive vulnerability management and external remote service hardening before they become initial-access paths.
- Incorporate closed-source exposure checks into incident response scoping and executive reporting so leadership understands whether an event was preceded by known external exposure.
- Maintain conservative expectations: these measures reduce attacker advantage but cannot prevent all third-party resale or discovery of information.
Analyst notes and limits
MITRE links this technique to EXOTIC LILY usage and to sub-techniques for threat intelligence vendors and purchased technical data. That context supports prioritizing external exposure intelligence and identity/remote-access risk review, but it does not by itself indicate current targeting of any specific organization.
Official ATT&CK detection guidance is not provided for this object, and the behavior occurs before compromise on sources outside the victim environment. Local conclusions require organization-specific exposure data, subscribed intelligence coverage, and validation of whether reported records or technical details are current and relevant.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1597.001 | Threat Intel Vendors | Sub-technique of this object. |
| Enterprise | T1597.002 | Purchase Technical Data | Sub-technique of this object. |
Groups, software, and campaigns
G1011: EXOTIC LILY
EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the deployment of ransomware including Conti and Diavol. EXOTIC LILY may be acting as an initial access broker for other malicious actors, and has targeted a wide range of industries including IT, cybersecurity, and healthcare since at least September 2021.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 433e5443ddf3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cimpanu, C. (2020, May 9). A hacker group is selling more than 73 million user records on the dark web. ZDNet. Retrieved October 20, 2020.
- [2] MITRE ATT&CK. T1597: Search Closed Sources.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.