Tactics, Techniques and Procedures: How Legally Purchased Personal Information Fuels Cyber and Physical Threats

What TTP Means in Cybersecurity

In cybersecurity, TTP stands for Tactics, Techniques, and Procedures. The framework describes how attackers operate throughout an attack.

  • Tactics are the attacker's objectives, such as reconnaissance or initial access.

  • Techniques are the methods used to achieve those objectives.

  • Procedures are the specific steps used to carry out a technique.

TTPs form the foundation of the MITRE ATT&CK framework, which documents real-world attacker behavior. One key point is often overlooked: most attacks begin long before malware is deployed. They begin with reconnaissance.

Reconnaissance: Where Personal Data Becomes a Security Risk

Reconnaissance is the first stage of most targeted attacks. During this phase, attackers gather information about individuals and organizations before attempting access.

Several MITRE ATT&CK techniques align directly with the information sold by data brokers and people-search websites:

Gather Victim Identity Information (T1589)

Attackers collect employee names, email addresses, phone numbers, credentials, and other personal details. This information supports phishing, account compromise, and impersonation attacks.

Gather Victim Organization Information (T1591)

Threat actors identify company locations, organizational structures, and key personnel. Executive names, job titles, and physical office locations help attackers select high-value targets.

Search Open Websites and Domains (T1593)

Attackers search publicly available sources to collect intelligence that can support phishing and other forms of initial access.

Search Closed Sources (T1597)

This technique is especially relevant to the data broker industry. MITRE specifically notes that attackers may purchase information from private commercial databases. In many cases, a threat actor does not need to breach a system to obtain personal information. They can simply buy it.

This makes commercially available personal data part of the attack chain itself rather than a separate privacy concern.

How Threat Actors Use Broker Data

Spear Phishing and Business Email Compromise

Generic phishing relies on volume. Data broker records make attacks more targeted.

When attackers know a person's employer, role, location, reporting structure, and communication patterns, they can create messages that appear legitimate. This dramatically increases the likelihood of success.

Business Email Compromise attacks often rely on this type of intelligence. Attackers impersonate executives and instruct employees in finance, HR, or accounts payable to transfer funds or disclose sensitive information.

Data Enrichment After Breaches

Broker data also increases the value of stolen information.

A leaked email address or username becomes much more useful when combined with:

  • Home addresses

  • Phone numbers

  • Family relationships

  • Employment history

  • Property records

Attackers routinely combine data from multiple sources to create complete identity profiles that can be used for fraud, extortion, and account takeover.

AI-Powered Reconnaissance

Large language models are making reconnaissance faster and cheaper.

Attackers can now aggregate, analyze, and summarize large amounts of publicly available information in minutes. When personal information is widely available through data brokers, AI can turn that information into highly convincing social engineering campaigns at scale.

What Incident Responders Are Seeing

Some of the strongest evidence comes from organizations that investigate breaches every day.

Security leaders at Mandiant and Unit 42 consistently report that identity-based attacks are becoming more common than malware-driven attacks.

Mandiant: Identity Is the New Attack Surface

Mandiant has documented groups such as Scattered Spider and related threat actors that focus heavily on social engineering.

These groups often:

  • Impersonate employees

  • Contact help desks

  • Request password resets

  • Manipulate MFA enrollment

  • Conduct SIM-swapping attacks

The success of these attacks depends on having accurate personal information about the employee being impersonated.

Help desk staff are more likely to trust a caller who already knows employee IDs, phone numbers, department names, managers, and other details.
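One way to turn that observation into a help-desk control (an added example, not code from the article or from Mandiant): any attribute a data broker sells is discounted as evidence of identity, and a password or MFA change may proceed only on factors the caller cannot buy. The factor names and the two-factor rule for MFA changes are assumptions of this example.

```python
"""Help-desk verification check: added example, not code from the article.
Attributes that data brokers sell count for nothing; only factors an
impostor cannot purchase may authorize a password or MFA change."""
from dataclasses import dataclass, field

# Attributes obtainable through reconnaissance (T1589, T1597 in the article).
PURCHASABLE = {
    "employee_id", "phone_number", "department", "manager_name",
    "home_address", "date_of_birth", "job_title", "email_address",
}
# Factors that require control of something only the real employee holds.
# Factor names are assumptions for this example, not an industry standard.
NON_PUBLIC = {
    "callback_to_hr_registered_number",  # help desk dials the number on file
    "push_to_enrolled_authenticator",    # approval on the existing MFA device
    "manager_confirmation_ticket",       # manager confirms from their own session
    "in_person_badge_check",
}
SENSITIVE_REQUESTS = {"password_reset", "mfa_reset", "mfa_enroll_new_device"}


@dataclass
class VerificationResult:
    allowed: bool
    reason: str
    ignored_factors: list = field(default_factory=list)


def verify_caller(request_type: str, offered_factors: set) -> VerificationResult:
    """Decide whether the request may proceed; report which factors were discounted."""
    ignored = sorted(offered_factors & PURCHASABLE)
    strong = offered_factors & NON_PUBLIC
    if request_type not in SENSITIVE_REQUESTS:
        return VerificationResult(True, "not a sensitive request", ignored)
    if not strong:
        return VerificationResult(False, "only purchasable attributes offered", ignored)
    # MFA changes are the path abused in enrollment-manipulation and SIM-swap
    # cases, so they need two independent non-public factors.
    if request_type.startswith("mfa") and len(strong) < 2:
        return VerificationResult(False, "mfa change needs two non-public factors", ignored)
    return VerificationResult(True, "verified: " + ", ".join(sorted(strong)), ignored)


if __name__ == "__main__":
    # Constructed sample: the caller recites a complete broker profile.
    print(verify_caller("password_reset", {"employee_id", "phone_number", "manager_name"}))
```

The `ignored_factors` field is worth logging: a caller who offers a full broker profile and nothing else is itself a signal worth routing to the security team.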

Unit 42: Identity Appears in Nearly Every Major Incident

Unit 42 reports a similar pattern.

Attackers increasingly build profiles of employees using publicly available information before attempting access. Social engineering campaigns often rely on information gathered from LinkedIn, company websites, public records, and commercial databases.

Recent incident response data shows:

  • More than one-third of incidents begin with social engineering.

  • Phishing remains one of the most common attack methods.

  • Impersonation is frequently used to build trust.

  • Attackers can escalate privileges rapidly without deploying malware.

The common factor is identity information.

Case Study: BlackFile

The threat actor known as BlackFile demonstrates how modern attacks often depend more on reconnaissance than technical exploits.

According to public reporting, the group uses large-scale voice phishing campaigns to impersonate IT staff and trick employees into providing credentials and MFA codes.

The campaign highlights several realities:

  • Attackers often contact employees directly on personal devices.

  • Credibility depends on knowing who to call and what information to reference.

  • Social engineering can succeed without exploiting software vulnerabilities.

The group reportedly escalated access by targeting executives and using detailed identity information gathered from multiple sources.

More concerning, the campaign extended beyond digital attacks.

Researchers documented cases where threat actors used swatting tactics against company personnel. Swatting requires accurate residential information, demonstrating how the same personal data used for phishing can also enable physical threats.

The Executive Threat Surface

Executives are especially attractive targets because their personal information is often widely exposed.

Research has found that many executives have publicly accessible:

  • Home addresses

  • Phone numbers

  • Family information

  • Property records

  • Professional histories

This exposure creates risks that extend beyond cybersecurity.

Examples include:

  • Targeted harassment

  • Doxxing

  • Extortion

  • Stalking

  • Physical security threats

The same information that helps attackers craft a convincing phishing email can also help them locate a target's residence.

Why This Is More Than a Privacy Issue

Data broker exposure is often viewed as a consumer privacy concern.

In reality, it is also a security issue.

Every employee profile sold by a data broker creates another potential reconnaissance point for attackers.

The risk affects:

  • Individuals

  • Executives

  • Organizations

  • Government agencies

  • Military personnel

As more data becomes commercially available, attackers gain easier access to information that previously required significant effort to obtain.

Why the "Legally Purchased" Part Matters

One of the most important aspects of this issue is that much of the data is acquired legally.

Data brokers collect information from:

  • Public records

  • Commercial sources

  • Mobile applications

  • Advertising networks

  • Online tracking technologies

  • Previously exposed datasets

As a result, attackers may not need to steal information at all.

They can purchase it.

The legality of the transaction does not reduce the security risk. In many cases, it increases accessibility by making personal information available through legitimate commercial channels.

Conclusion

The MITRE ATT&CK framework makes one thing clear: reconnaissance is the starting point for many targeted attacks.

Data brokers and people-search sites provide exactly the kind of information attackers seek during that phase:

  • Names

  • Addresses

  • Phone numbers

  • Employment details

  • Family relationships

  • Location data

This information supports phishing, business email compromise, identity theft, social engineering, extortion, and even physical threats.

Reducing publicly available personal information is not simply a privacy preference. It is a security control.

Removing data from broker and people-search databases reduces the amount of intelligence available to attackers before they ever launch an attack.

Organizations spend heavily on detecting threats after an intrusion begins. Data removal works earlier in the attack chain by limiting the reconnaissance information that makes targeted attacks possible in the first place.

Ready to try Priwall by mePrism yourself?

If you are an individual executive evaluating personal coverage outside an employer-funded program, you can start with a free exposure scan.

Sign up for Priwall by mePrism coverage.