Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)
In Office 365 environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.(Citation: Office 365 Delegated Administration)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-06 | Segmentation and Segregation | mitigates | T1199 | Trusted Relationship |
Comments
This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to isolate infrastructure components that do not require broad network access, limiting attacks that leverage trusted relationships.
References
|
| I&S-09 | Network Defense | mitigates | T1199 | Trusted Relationship |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to isolate infrastructure components that do not require broad network access, limiting attacks that leverage trusted relationships.
References
|
| IPY-02 | Application Interface Availability | mitigates | T1199 | Trusted Relationship |
Comments
This control requires the CSP to provide secure, standards-based, interoperable APIs with up-to-date documentation and communicate changes, while the CSC must review API documentation, use open standards, test API functionality for data transfer and recovery, monitor for outages and changes, and ensure secure, portable, and interoperable cloud deployments.
References
|
| IAM-05 | Least Privilege | mitigates | T1199 | Trusted Relationship |
Comments
This control describes the enforcement of the principle of least privilege implementing controls such as regular automated reviews of access permissions, enforcing MFA for high-risk accounts, promptly revoking unused privileges, and by limiting access to sensitive data.
For this technique, properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary. In Office 365 environments, partner relationships and roles can be viewed under the "Partner Relationships" page
References
|
| IAM-02 | Strong Password Policy and Procedures | mitigates | T1199 | Trusted Relationship |
Comments
This control requires the CSP to enforce strong password management practices, implement protections against brute-force attacks, and support secure password reset processes.
For this technique, adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
In terms of mitigation, eequire MFA for all delegated administrator accounts. Properly manage accounts and password policies, including MFA requirements, used by parties in trusted relationships to minimize potential abuse by the party if the party is compromised by an adversary.
References
|
| DSP-15 | Limitation of Production Data Use | mitigates | T1199 | Trusted Relationship |
Comments
This control describes how the CSP and CSC must independently implement technical safeguards such as network segmentation, encryption (at rest and in transit), secure key management, and access controls to prevent unauthorized replication or use of production data in non-production environments. For this technique, adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
In terms of mitigation, network segmentation can be used to isolate infrastructure components that do not require broad network access from various trusted partners and properly managing accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary.
References
|