Adversaries may breach or otherwise leverage organizations that have access to intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected or may receive less scrutiny than standard mechanisms of gaining access to a network.
Organizations often grant elevated access to second- or third-party external providers to allow them to manage internal systems as well as cloud-based environments. Examples of these relationships include IT services contractors, managed security providers, and infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider's access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, Valid Accounts used by the other party for access to internal network systems may be compromised and used.
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-3 | Access Enforcement | Protects | T1199 | Trusted Relationship | |
AC-4 | Information Flow Enforcement | Protects | T1199 | Trusted Relationship | |
AC-6 | Least Privilege | Protects | T1199 | Trusted Relationship | |
AC-8 | System Use Notification | Protects | T1199 | Trusted Relationship | |
CM-6 | Configuration Settings | Protects | T1199 | Trusted Relationship | |
CM-7 | Least Functionality | Protects | T1199 | Trusted Relationship | |
SC-46 | Cross Domain Policy Enforcement | Protects | T1199 | Trusted Relationship | |
SC-7 | Boundary Protection | Protects | T1199 | Trusted Relationship | |
network_security_groups | Network Security Groups | technique_scores | T1199 | Trusted Relationship | This control can isolate portions of the network that do not require network-wide access, limiting some attackers that leverage trusted relationships such as remote access for vendor maintenance. Coverage partial, Temporal Immediate. |
azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1199 | Trusted Relationship | This control can be used to gain insight into normal traffic from trusted third parties, which can then be used to detect anomalous traffic that may be indicative of a threat. |