Business Relationships

Information

• Name: Business Relationships

• ID: T1591.002

• Tactics: TA0043

• Technique: T1591

Introduction

The MITRE ATT&CK sub-technique "Business Relationships" (T1591.002) falls under the broader category of "Gather Victim Org Information" (T1591). This technique involves adversaries collecting information about an organization's business relationships, partnerships, vendors, contractors, or clients. By gathering this information, attackers can identify potential entry points, vulnerabilities, or trusted third-party connections that could facilitate subsequent attacks, social engineering campaigns, or supply-chain compromises.

Deep Dive Into Technique

Adversaries employing the "Business Relationships" sub-technique typically focus on gathering detailed information about the target organization's external interactions and dependencies. This can include:

• Identifying key suppliers, vendors, contractors, or strategic partners through publicly available resources such as company websites, press releases, social media accounts, online business directories, or industry reports.

• Leveraging professional networking platforms (e.g., LinkedIn) to map relationships between employees and external entities.

• Analyzing financial disclosures, annual reports, or regulatory filings for details about significant business partnerships or outsourced services.

• Utilizing open-source intelligence (OSINT) tools and techniques to aggregate and correlate information from multiple sources, building a comprehensive picture of organizational dependencies and external trust relationships.

Attackers may use this information as a foundation for:

• Spear-phishing attacks targeting employees involved in external relationships.

• Business Email Compromise (BEC) attacks impersonating trusted partners or suppliers.

• Supply-chain attacks leveraging compromised third-party vendors or service providers.

• Social engineering campaigns exploiting established trust between organizations.

When this Technique is Usually Used

This sub-technique can appear at various stages of the cyber kill chain, particularly during initial reconnaissance and attack preparation phases. Common scenarios and stages include:

• Reconnaissance Stage: Adversaries gather intelligence to identify potential entry points or vulnerabilities stemming from third-party relationships.

• Initial Access Stage: Using gathered intelligence, attackers may craft targeted phishing emails or social engineering tactics impersonating trusted business partners.

• Persistence and Lateral Movement Stages: Attackers exploit existing trust relationships between organizations to move laterally or maintain persistent access through compromised third-party accounts or services.

• Supply Chain Attacks: Adversaries leverage compromised suppliers or vendors to distribute malware or gain initial access to downstream target organizations.

• Financial Fraud and Extortion: Attackers utilize knowledge of financial relationships and business processes to execute fraudulent transactions, invoice scams, or extortion attempts.

How this Technique is Usually Detected

Detection of adversary reconnaissance activities related to business relationships can be challenging, as it often relies on publicly available information. However, organizations can employ several detection methods and tools:

• Monitoring and Alerting:

  • Monitor unusual access patterns or queries on public-facing websites or databases that list suppliers, partners, or contractors.

  • Implement web analytics and log analysis tools to detect abnormal traffic patterns indicative of automated OSINT scraping or reconnaissance activity.

• Social Media and Professional Network Monitoring:

  • Deploy monitoring solutions to detect impersonation attempts or suspicious interactions via social media or professional networking platforms.

  • Track mentions of the organization's name, products, or key personnel in external forums or platforms.

• Email Security Solutions:

  • Utilize email security gateways with advanced phishing detection capabilities to identify and block emails impersonating known suppliers or business partners.

  • Monitor email traffic patterns for unusual communications involving external partners or vendors.

• Threat Intelligence and OSINT Tools:

  • Leverage threat intelligence platforms to identify known adversarial groups targeting specific industries or supply chains.

  • Regularly perform OSINT assessments and penetration testing exercises to proactively identify exposure of sensitive business relationship information.

• Indicators of Compromise (IoCs):

  • Suspicious email domains closely resembling legitimate business partners or vendors (typosquatted domains).

  • Abnormal login attempts or account activity from external vendors or third-party service providers.

  • Unusual data access or downloads related to supplier or partner information repositories.

Why it is Important to Detect This Technique

Early detection of adversaries gathering intelligence on business relationships is critical due to the significant impacts such reconnaissance can lead to:

• Supply Chain Compromise: Attackers can exploit third-party relationships to introduce malware or malicious components into products or services, affecting multiple downstream organizations.

• Financial Losses: Business Email Compromise (BEC) attacks and invoice fraud schemes can result in substantial financial losses and reputational damage.

• Data Breaches: Exploiting trusted third-party relationships can facilitate unauthorized access to sensitive data, intellectual property, or confidential information.

• Operational Disruption: Compromise of critical suppliers or service providers can disrupt business operations, affecting productivity, revenue, and customer trust.

• Reputational Damage: Successful attacks leveraging third-party relationships can severely damage an organization's reputation, eroding customer trust and market position.

Detecting early reconnaissance activities allows organizations to proactively strengthen security controls, educate employees about potential threats, and implement effective mitigation strategies, significantly reducing the risk of successful exploitation.

Examples

Real-world examples of attacks leveraging the "Business Relationships" sub-technique include:

• Target Data Breach (2013):

  • Attack Scenario: Attackers compromised HVAC vendor credentials to gain initial access into Target's network.

  • Tools and Methods: Phishing attacks against the HVAC vendor, credential theft, lateral movement, malware deployment.

  • Impact: Exposure of approximately 40 million customer credit and debit card records, severe financial and reputational damages.

• SolarWinds Supply Chain Attack (2020):

  • Attack Scenario: Sophisticated attackers compromised SolarWinds Orion software, widely used across enterprises and government agencies.

  • Tools and Methods: Compromise of trusted software supplier, insertion of backdoor (SUNBURST malware), lateral movement, data exfiltration.

  • Impact: Extensive compromise affecting multiple high-profile organizations and U.S. government agencies, significant operational and reputational consequences.

• Business Email Compromise (BEC) Attacks:

  • Attack Scenario: Attackers impersonate trusted vendors or suppliers via email, requesting fraudulent financial transactions or sensitive data.

  • Tools and Methods: Social engineering, domain spoofing, email phishing, fake invoices.

  • Impact: Financial losses reaching billions of dollars globally, significant disruption, and reputational harm.

These examples highlight the critical importance of identifying and securing information regarding business relationships to prevent adversaries from exploiting trusted third-party connections.