Trusted Relationship

Information

• Name: Trusted Relationship

• ID: T1199

• Tactics:

Introduction

Trusted Relationship (MITRE ATT&CK ID: T1199) is a technique where adversaries exploit established, legitimate trust relationships between organizations or systems to gain unauthorized access or escalate privileges. Attackers leverage existing trust channels, such as third-party partnerships, service providers, or trusted network connections, to circumvent security measures and detection mechanisms. This method allows attackers to appear legitimate, thus complicating detection and response efforts.

Deep Dive Into Technique

Trusted Relationship attacks exploit the implicit trust between two or more entities, typically organizations, to bypass security controls. Technical execution methods and mechanisms include:

• Third-party Access Abuse:

  • Attackers compromise a third-party vendor or service provider's network or credentials.

  • Leveraging legitimate credentials, attackers then access the primary organization's network through authorized channels such as VPNs, remote desktop services, or cloud infrastructure.

• Federated Identity and Single Sign-On (SSO) Abuse:

  • Exploiting identity federation mechanisms (such as SAML, OAuth) to gain unauthorized access.

  • Attackers compromise identity providers or manipulate federation tokens to impersonate legitimate users or services.

• Supply Chain Compromise:

  • Attackers infect legitimate software or hardware provided by trusted vendors.

  • Malicious payloads are delivered via trusted update channels or software distribution mechanisms, bypassing traditional security controls.

• Trusted Network Connections:

  • Utilizing existing trusted network tunnels, VPN connections, or inter-organization network links.

  • Attackers pivot directly from compromised trusted networks into target environments without triggering alarms.

Real-world procedures involve initial reconnaissance to identify potential trusted partners, followed by targeted phishing, credential theft, or social engineering attacks on these partners. Once initial access is gained, attackers pivot through the trusted relationship to infiltrate the primary target organization.

When this Technique is Usually Used

Trusted Relationship exploitation can appear at multiple attack stages and scenarios, including:

• Initial Access Stage:

  • Attackers utilize compromised third-party credentials or infrastructure to establish initial footholds within the primary target organization.

• Privilege Escalation and Lateral Movement Stages:

  • Attackers leverage existing trust relationships to escalate privileges or move laterally without triggering security alerts or suspicion.

• Persistence and Exfiltration:

  • Attackers may maintain persistent access through trusted relationships, allowing continuous data exfiltration or long-term espionage activities.

Common attack scenarios include:

• Supply chain attacks targeting software providers.

• Compromise of Managed Service Providers (MSPs) to infiltrate multiple customer environments simultaneously.

• Exploitation of federated identity systems to impersonate legitimate users or services.

How this Technique is Usually Detected

Detection of Trusted Relationship abuse involves multiple approaches, including:

• Behavioral Analytics and Anomaly Detection:

  • Monitoring for unusual access patterns, such as access from unusual locations, times, or devices.

  • Detecting abnormal spikes in data transfers or access attempts originating from trusted third-party connections.

• Monitoring and Auditing of Third-party Connections:

  • Regular auditing and logging of third-party remote access sessions, VPN connections, and remote desktop usage.

  • Implementation of strict monitoring policies for third-party vendors and service providers.

• Identity and Access Management (IAM) Controls:

  • Monitoring for abnormal usage of federated identity tokens, SAML assertions, or OAuth tokens.

  • Detecting unusual authentication events or unauthorized access attempts through trusted identity providers.

• Endpoint Detection and Response (EDR) and Network Detection and Response (NDR):

  • Utilizing EDR/NDR tools to detect suspicious activities originating from trusted networks or third-party endpoints.

  • Identifying indicators of compromise (IoCs) such as unusual process executions, unauthorized software deployments, or suspicious network traffic patterns.

Specific Indicators of Compromise (IoCs) include:

• Unusual or unauthorized remote access sessions from third-party vendors.

• Unexpected VPN connections from unfamiliar IP addresses or geographic locations.

• Suspicious federated identity token usage or abnormal SAML assertions.

• Anomalous network traffic or data transfers through trusted network connections.

Why it is Important to Detect This Technique

Early detection of Trusted Relationship exploitation is crucial due to significant potential impacts:

• Severe Data Breaches:

  • Attackers can gain direct, privileged access to sensitive corporate data, intellectual property, or personally identifiable information (PII).

• Operational Disruption:

  • Compromise of critical systems, services, or infrastructure can lead to operational downtime, financial losses, and reputational damage.

• Escalation of Privileges and Lateral Movement:

  • Abuse of trusted relationships allows attackers to move laterally undetected, escalating privileges to gain administrative control over critical systems.

• Supply Chain Attacks:

  • Exploiting trusted relationships in supply chains can result in widespread compromise, affecting multiple organizations simultaneously.

• Regulatory and Compliance Risks:

  • Failure to detect and respond promptly can result in regulatory penalties, legal consequences, and loss of customer trust.

Early detection and response minimize damage, reduce dwell time, and prevent attackers from achieving their objectives.

Examples

Real-world examples of Trusted Relationship exploitation include:

• SolarWinds Supply Chain Attack (2020):

  • Attackers compromised SolarWinds' Orion software update mechanism to distribute malicious updates to numerous organizations, including US government agencies and Fortune 500 companies.

  • Tools used: SUNBURST malware, TEARDROP loader.

  • Impacts: Widespread espionage, data exfiltration, and severe breach of sensitive government and corporate systems.

• Target Data Breach (2013):

  • Attackers compromised an HVAC vendor with trusted access credentials to Target's network.

  • Leveraged legitimate vendor credentials to access Target’s internal network and install malware on point-of-sale (POS) systems.

  • Tools used: BlackPOS malware.

  • Impacts: Theft of credit card information for approximately 40 million customers, significant financial and reputational damage.

• Operation Cloud Hopper (2016-2017):

  • State-sponsored attackers compromised Managed Service Providers (MSPs) to infiltrate multiple customer networks simultaneously.

  • Leveraged legitimate MSP credentials and trusted access to move laterally and exfiltrate data.

  • Tools used: Custom malware, credential theft tools.

  • Impacts: Large-scale data theft, espionage activities, and prolonged undetected access to sensitive corporate networks.

• Mimecast Certificate Compromise (2021):

  • Attackers compromised a Mimecast-issued certificate used for authenticating certain Microsoft 365 Exchange Web Services.

  • Leveraged trusted certificate to intercept and potentially access sensitive email communications.

  • Tools used: Compromised digital certificates.

  • Impacts: Potential exposure of sensitive corporate email data, loss of trust in digital certificate infrastructure.