Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)
In Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.(Citation: Office 365 Delegated Administration)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement protects against Trusted Relationship through the use of privileged account management and the use of multi-factor authentication.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement protects against Trusted Relationship through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes for trusted entities, limitations to specific accounts along with access control mechanisms provides protection against adversaries attempting to abuse trusted relationships.
References
|
| PR.AA-05.04 | Third-party access management | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement includes implementation of controls for third-party access to an organization’s systems. Manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party or if the party is compromised by an adversary.
References
|
| PR.IR-01.01 | Network segmentation | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement is for the implementation of network segmentation which helps prevent access to critical systems and sensitive information. Employing network segmentation to isolate infrastructure and limit access through trusted third party relationships.
References
|
| PR.IR-01.06 | Production environment segregation | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement provides protections for production environments. Measures such as network segmentation and access control reduce the attack surface, restrict movement by adversaries, and protect critical assets and data from compromise.
References
|
| EX.MM-01.01 | Third-party monitoring and management resources | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement provides for the implementation of procedures for management of third party products. Managing accounts and permissions used by parties in trusted relationships helps minimize potential abuse by the party or if the party is compromised by an adversary.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1199 | Trusted Relationship |
Comments
This diagnostic statement protects against Trusted Relationship through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1199 | Trusted Relationship | |
| SC-46 | Cross Domain Policy Enforcement | mitigates | T1199 | Trusted Relationship | |
| CM-07 | Least Functionality | mitigates | T1199 | Trusted Relationship | |
| AC-03 | Access Enforcement | mitigates | T1199 | Trusted Relationship | |
| AC-04 | Information Flow Enforcement | mitigates | T1199 | Trusted Relationship | |
| AC-06 | Least Privilege | mitigates | T1199 | Trusted Relationship | |
| AC-08 | System Use Notification | mitigates | T1199 | Trusted Relationship | |
| SC-07 | Boundary Protection | mitigates | T1199 | Trusted Relationship |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1199 | Trusted Relationship | |
| action.malware.variety.Adware | Adware | related-to | T1199 | Trusted Relationship | |
| action.malware.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1199 | Trusted Relationship | |
| action.social.vector.Partner | Partner connection or credential. (Indicates supply chain breach.) | related-to | T1199 | Trusted Relationship |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1199 | Trusted Relationship |
Comments
This control can isolate portions of network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate.
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1199 | Trusted Relationship |
Comments
This control can be used to gain insight into normal traffic from trusted third parties which can then be used to detect anomalous traffic that may be indicative of a threat.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| mandiant_digital_threatmon | Mandiant Digital Threat Monitoring | technique_scores | T1199 | Trusted Relationship |
Comments
Mandiant Digital Threat Monitoring continually monitors for compromised credentials and data leaks on both the open and dark web. This control may protect against credential abuse by alerting on leaked credentials. Since this control must depend on accessible sources for dumps, it does not protect against credentials that have been collected for a campaign but never posted, so the score is partial.
References
|
| access_transparency | Access Transparency | technique_scores | T1199 | Trusted Relationship |
Comments
Access Transparency provides visibility into Google's access to customer data in the form of audit logs which may expose and detect malicious access of customer data and resources by compromised Google personnel accounts. The trusted relationship between Google personnel who administer and allow customers to host their workloads on the cloud may be abused by insider threats or compromise of Google.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1199 | Trusted Relationship |
Comments
VPC network access control lists (NACLs) can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate.
References
|