T1199 Trusted Relationship

Adversaries may breach or otherwise leverage organizations that have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may not be protected, or that receives less scrutiny than the standard mechanisms for gaining access to a network.

Organizations often grant elevated access to second- or third-party external providers so that they can manage internal systems as well as cloud-based environments. Examples of these relationships include IT services contractors, managed security providers, and infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but it may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party to access internal network systems may be compromised and used. (Citation: CISA IT Service Providers)

In Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships, or send new delegated administrator offers to clients, in order to gain administrative control over the victim tenant. (Citation: Office 365 Delegated Administration)


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
PR.IR-01.05 | Remote access protection | Mitigates | T1199 | Trusted Relationship
    Comments: This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
PR.AA-05.02 | Privileged system access | Mitigates | T1199 | Trusted Relationship
    Comments: This diagnostic statement protects against Trusted Relationship through the use of privileged account management and multi-factor authentication.
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1199 | Trusted Relationship
    Comments: This diagnostic statement protects against Trusted Relationship through key revocation and key management. Protecting the key material used in identity management and authentication for trusted entities, limiting it to specific accounts, and enforcing access control mechanisms provide protection against adversaries attempting to abuse trusted relationships.
PR.AA-05.04 | Third-party access management | Mitigates | T1199 | Trusted Relationship
    Comments: This diagnostic statement includes implementation of controls for third-party access to an organization's systems. Managing the accounts and permissions used by parties in trusted relationships minimizes potential abuse by the party, or by an adversary who has compromised the party.
PR.IR-01.01 | Network segmentation | Mitigates | T1199 | Trusted Relationship
    Comments: This diagnostic statement is for the implementation of network segmentation, which helps prevent access to critical systems and sensitive information. Network segmentation isolates infrastructure and limits the access obtainable through trusted third-party relationships.
PR.IR-01.06 | Production environment segregation | Mitigates | T1199 | Trusted Relationship
    Comments: This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1199 | Trusted Relationship
    Comments: This diagnostic statement provides for the implementation of procedures for the management of third-party products. Managing the accounts and permissions used by parties in trusted relationships helps minimize potential abuse by the party, or by an adversary who has compromised the party.
PR.AA-01.01 | Identity and credential management | Mitigates | T1199 | Trusted Relationship
    Comments: This diagnostic statement protects against Trusted Relationship through hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
CM-06 | Configuration Settings | mitigates | T1199 | Trusted Relationship
SC-46 | Cross Domain Policy Enforcement | mitigates | T1199 | Trusted Relationship
CM-07 | Least Functionality | mitigates | T1199 | Trusted Relationship
AC-03 | Access Enforcement | mitigates | T1199 | Trusted Relationship
AC-04 | Information Flow Enforcement | mitigates | T1199 | Trusted Relationship
AC-06 | Least Privilege | mitigates | T1199 | Trusted Relationship
AC-08 | System Use Notification | mitigates | T1199 | Trusted Relationship
SC-07 | Boundary Protection | mitigates | T1199 | Trusted Relationship

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
action.hacking.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1199 | Trusted Relationship
action.malware.variety.Adware | Adware | related-to | T1199 | Trusted Relationship
action.malware.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1199 | Trusted Relationship
action.social.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1199 | Trusted Relationship

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
azure_network_security_groups | Azure Network Security Groups | technique_scores | T1199 | Trusted Relationship
    Comments: This control can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage: Partial. Temporal: Immediate.
azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1199 | Trusted Relationship
    Comments: This control can be used to gain insight into normal traffic from trusted third parties, which can then be used to detect anomalous traffic that may be indicative of a threat.

GCP Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
mandiant_digital_threatmon | Mandiant Digital Threat Monitoring | technique_scores | T1199 | Trusted Relationship
    Comments: Mandiant Digital Threat Monitoring continually monitors for compromised credentials and data leaks on both the open and dark web. This control may protect against credential abuse by alerting on leaked credentials. Since this control depends on accessible sources for dumps, it does not protect against credentials that have been collected for a campaign but never posted, so the score is Partial.
access_transparency | Access Transparency | technique_scores | T1199 | Trusted Relationship
    Comments: Access Transparency provides visibility into Google's access to customer data in the form of audit logs, which may expose and detect malicious access to customer data and resources by compromised Google personnel accounts. The trusted relationship with the Google personnel who administer the cloud and allow customers to host their workloads on it may be abused by insider threats or by a compromise of Google.

AWS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1199 | Trusted Relationship
    Comments: VPC network access control lists (NACLs) can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage: Partial. Temporal: Immediate.

M365 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name
EID-RBAC-E3 | Role Based Access Control | Technique Scores | T1199 | Trusted Relationship
    Comments: The RBAC control can be used to implement the principle of least privilege to properly manage the accounts and permissions of parties in trusted relationships. This scores Partial for its ability to minimize potential abuse by the party, or by an adversary who has compromised it. License Requirements: ME-ID Built-in Roles (Free)
DEF-ATH-E5 | Advanced Threat Hunting | Technique Scores | T1199 | Trusted Relationship
    Comments: Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across devices managed by Microsoft Defender for Endpoint, emails processed by Microsoft 365, cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced; users choose advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch. Advanced Threat Hunting detects Trusted Relationship attacks through the IdentityLogonEvents table in the advanced hunting schema, which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps, and which can be monitored for newly constructed logon behavior. License Requirements: Microsoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 Plan 2
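The detection idea in the Advanced Threat Hunting entry is "newly constructed logon behavior" for accounts that belong to trusted third parties. The following script, added here as an illustration and not code from the mappings page or from Microsoft Defender, shows that logic over constructed sample sign-in events: it builds a baseline of which applications and which ISPs each partner account normally signs in from, then flags sign-ins in the detection window that use an application or ISP the account has never used. The record layout, the account names and the ISP labels are all assumptions made for the example; they are only loosely modelled on the IdentityLogonEvents table named above and are not that table's schema.

```python
"""Flag first-seen sign-in behaviour for partner / delegated-admin accounts.

Added example, not part of the mappings page and not Microsoft Defender code.
The tuple layout below is an ASSUMPTION made for this example; it is modelled
loosely on the IdentityLogonEvents table but is not its real schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry). Each tuple is:
# (timestamp, account_upn, application, source_ip, isp, action_type)
EVENTS = [
    # --- baseline period: normal activity for two partner accounts ---
    ("2024-05-01T09:00:00Z", "svc-msp@partner.example", "Office 365", "203.0.113.10", "PartnerNet", "LogonSuccess"),
    ("2024-05-03T10:15:00Z", "svc-msp@partner.example", "Office 365", "203.0.113.11", "PartnerNet", "LogonSuccess"),
    ("2024-05-05T14:30:00Z", "hvac-maint@vendor.example", "Azure Portal", "198.51.100.5", "VendorISP", "LogonSuccess"),
    ("2024-05-07T08:05:00Z", "alice@victim.example", "Office 365", "192.0.2.20", "CorpISP", "LogonSuccess"),
    # --- detection window ---
    ("2024-05-16T09:02:00Z", "svc-msp@partner.example", "Office 365", "203.0.113.12", "PartnerNet", "LogonSuccess"),
    ("2024-05-16T23:41:00Z", "svc-msp@partner.example", "Exchange Online", "198.51.100.77", "ResidentialISP", "LogonSuccess"),
    ("2024-05-17T11:00:00Z", "hvac-maint@vendor.example", "Azure Portal", "198.51.100.5", "VendorISP", "LogonFailed"),
    ("2024-05-17T11:03:00Z", "hvac-maint@vendor.example", "Office 365", "198.51.100.5", "VendorISP", "LogonSuccess"),
    ("2024-05-18T08:00:00Z", "alice@victim.example", "Office 365", "192.0.2.21", "CorpISP", "LogonSuccess"),
]

# Accounts the organisation knows belong to trusted third parties (assumed list).
PARTNER_ACCOUNTS = {"svc-msp@partner.example", "hvac-maint@vendor.example"}

# Everything before this instant is baseline; everything at/after it is hunted.
CUTOFF = datetime.strptime("2024-05-15T00:00:00Z", "%Y-%m-%dT%H:%M:%SZ")


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def build_baseline(events, cutoff):
    """Return per-account sets of applications and ISPs seen in successful
    sign-ins before the cutoff. Failed sign-ins are not baseline behaviour."""
    apps = defaultdict(set)
    isps = defaultdict(set)
    for ts, upn, app, _ip, isp, action in events:
        if action == "LogonSuccess" and parse_ts(ts) < cutoff:
            apps[upn].add(app)
            isps[upn].add(isp)
    return apps, isps


def find_new_logon_behaviour(events, cutoff, partner_accounts):
    """Return successful partner-account sign-ins at/after the cutoff that use
    an application or ISP the account never used during the baseline.

    An account with no baseline at all (e.g. a newly created partner account)
    will have every sign-in flagged, which is the desired behaviour: a brand
    new trusted-party identity deserves a look. ISP rather than raw IP is used
    so that ordinary address churn inside the same provider is not an alert."""
    apps, isps = build_baseline(events, cutoff)
    findings = []
    for ts, upn, app, ip, isp, action in events:
        if upn not in partner_accounts or action != "LogonSuccess" or parse_ts(ts) < cutoff:
            continue
        reasons = []
        if app not in apps[upn]:
            reasons.append(f"first logon to {app}")
        if isp not in isps[upn]:
            reasons.append(f"first logon via ISP {isp}")
        if reasons:
            findings.append({"timestamp": ts, "account": upn, "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_new_logon_behaviour(EVENTS, CUTOFF, PARTNER_ACCOUNTS):
        print(f"{finding['timestamp']} {finding['account']} from {finding['ip']}: "
              + "; ".join(finding["reasons"]))
```

Run as written, the script flags two sign-ins: the MSP service account reaching a new application from a residential ISP late at night, and the HVAC maintenance account signing in to an application it had never used. In a real hunt the same shape of query (baseline window, then "never seen for this account" comparison) is what a KQL author would express against the actual table, with the partner account list supplied from the organisation's third-party access inventory.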
DEF-APGV-E5 | App Governance | Technique Scores | T1199 | Trusted Relationship
    Comments: App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms, through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions about blocking or restricting apps that present significant risk to your organization. App Governance detects Trusted Relationship attacks because it monitors aggregated sign-in activity for each app and tracks all risky sign-ins. License Requirements: Microsoft Defender for Cloud Apps