Time: 8 hours 28 minutes
Difficulty: Beginner
CEU/CPE: 10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're looking at trusted relationship, and so this is going to be a little different than supply chain compromise, and we'll get into that shortly. Now let's go ahead and touch on the objectives for today's discussion.
00:20
So we're going to look at trusted relationship, which is the topic of our discussion today, versus
00:26
supply chain compromise. So those are going to be two totally different things, and we're gonna touch on this shortly.
00:33
Now, we're also going to review an example of managed service providers. We're going to discuss that at a high level. We're going to talk about mitigation techniques and detection techniques as well. And you're probably starting to see a trend in those last two there, but they're definitely worthwhile. So
00:50
trusted relationship versus supply chain compromise. A trusted relationship
00:57
leverages the access a third party has to the potential victim's systems, whereas a supply chain compromise involves the manipulation of trusted tools or code that is then delivered to the victim's environment. So, to shorten that, trusted relationship is direct access to systems or data;
01:15
supply chain compromise is access after the victim installs a malicious update or uses infected hardware.
01:23
So
01:23
that is the key difference. If
01:26
you get a piece of hardware that is infected and you install that piece of hardware, that is a supply chain compromise. If the vendor of that hardware has remote access to your systems to provide support and things of that nature, and the account that they use is then used to
01:46
access data
01:47
or to damage your systems, that is a trusted relationship. Okay, so those were the primary differences there. One is kind of direct access, and then one is kind of trusted relationship where you install malicious updates or use infected hardware.
02:04
So a great example of this that we've heard a lot about. There were even some releases
02:09
from several agencies on managed service providers needing to shore up security practices and things of that nature. So hackers working for China broke into the networks of eight major MSPs and technology service providers, based on a Reuters report. So these attacks led to damages in the given areas:
02:30
banking, telecom, medical, packaging, manufacturing, consulting,
02:35
and the way I like to think of
02:37
trusted attacks
02:39
or trusted relationship, as far as the spectrum is concerned:
02:45
If I have a medical record,
02:47
that medical record has a certain value. Well, I do have a medical record, by the way, but that medical record has a certain value on
02:54
the black market, right? So that record can be sold for a sum of X dollars, and that's it.
03:04
But
03:06
if a health care provider
03:08
were compromised instead of myself. Because, imagine, a threat actor would have to figure out my email address, they'd have to know how I receive my medical records. Maybe they compromise my password manager. Whatever the case may be, they go through all that work, they get into an account, they're able to get my medical information,
03:28
and that's it. That's a one for one transaction that takes a lot of effort and energy.
03:32
But if they're able to compromise my health care provider,
03:38
they now have access not just to my medical records but the medical records of any individual that is serviced by that health care provider.
03:46
Likewise, if it's a medical equipment vendor and they've got a relationship with a number of hospitals, there's account numbers, payment card information, whatever the case may be. Anything, you know: compromise a bank, then that bank has numerous accounts that they service, etcetera.
04:02
Now, you want to up that game, and it's like
04:05
a pyramid, essentially. So if I'm getting into banks and things of that nature
04:12
and they're here in the middle,
04:14
okay, and that bank represents a set of data that then gives me access. And I'm sorry, this pyramid stinks. It gives me access to all the client information, right? So I could do a one-for-one transaction here,
04:28
right? Or I could do a one-to-many here by compromising a bank, right? But
04:33
if there is a managed service provider
04:38
and I'm putting them at the top of the pyramid because their level of access is one-to-many
04:44
banks, one-to-many health care providers, one-to-many manufacturers, one-to-many, uh, banking, you know, medical packaging, whatever the case may be. And so now, if I focus my effort and attention on this trusted relationship,
05:00
the reward is so much deeper
05:03
than just going after a bank individually, or a manufacturing firm, or individual persons. So this is definitely something that, as we continue into 2021, '22, '23, we want to remember:
05:19
the individuals that we give access to our systems and that we allow to manage our systems need to hold themselves to the same or higher standards than ourselves. Because if they are compromised, it's not just about our business's data, which is the most important, of course,
05:33
but the business data of any entity
05:36
they serve, the client information of any entity they service. So that's why trusted relationships are definitely dangerous as far as the ability of a threat actor to take advantage of that
05:50
and get into those systems. So let's talk about mitigation techniques, and we're going to use the MSP example as one of those.
06:00
So we could look to implement proper network segmentation. And so what we mean by that is that if an entity or person needs remote access,
06:11
that remote access is limited to a network segment; therefore they won't be able to easily, you know, if they're compromised, spread to other systems.
06:19
Okay, but most of the time with managed service providers, they have agents on every system,
06:26
so they can get to any segment or any network or any of those things, and a lot of times
06:31
server infrastructure and things of that nature
06:35
is able to reach any segment of the network, like a domain controller or something of that nature, because it has to service all systems in the infrastructure. But if we've got a software vendor or something of that nature who only needs access to a single system that's on,
06:53
you know, a designated network segment and they don't need administrative privilege to do what they need to do,
06:59
then we would definitely want to look to keep those systems segmented
07:02
and to ensure that we do what we can so that, in the event that that relationship
07:09
was compromised and the threat actor got into a system, we could minimize impact, hopefully,
07:14
and then it would definitely be beneficial to keep the time frame and permission sets that third parties use limited. Now, that's tough a lot of times with managed service providers, because they're updating systems, they're implementing service accounts, things of that nature. But what I've seen is the use of
07:32
domain administrative accounts as service accounts
07:35
when in all reality they should be using service accounts in a fashion that limits permissions but allows them to achieve their goals,
07:46
and then with domain administrative accounts,
07:49
we should definitely be looking to limit when the service provider can access systems, especially if you've got a software vendor, and that software vendor only uses that account, let's say, once a quarter to do updates.
08:03
That account can be disabled or can be turned off
08:07
if they need administrative privilege, or any privilege, until they need access, and that can be coordinated and planned. Same thing here. It's not convenient per se for a managed service provider to, you know, have a limited time frame in which they could do work.
08:22
But
08:24
if you say, hey, I only want changes made to my network between the hours of, um, 4 p.m. and 7 p.m. Eastern Standard Time
08:33
because we're busy
08:35
from 6 a.m. to, you know, 3:59 p.m. Eastern Standard Time. So your account, as far as being able to get into our system, should only work then, unless we
08:48
enable that account, allow access,
08:52
then that could be understandable. You could limit the time frame in which that account can function, and then it limits the ability of a threat actor to act outside of those parameters,
09:01
and it runs nicely into some of our detection techniques.
09:07
Now, as far as detection techniques for these types of activities, you could monitor activity of designated third party accounts, not using third party controls, and this becomes important
09:18
for a number of things. You want to have a system in place
09:22
that logs or polls when the third party account is used, and it's designated to a separate system that maybe even the third party doesn't have access to. And the reason for this is not a lack of trust of the third party.
09:39
But then, if something happens
09:41
and that account becomes suspect for some reason, the threat actor would not be able to access
09:48
those logs and that information, and therefore would not be able to tamper with that information. And you could then use that to better understand what happened and what's going on.
09:58
If you rely on third party controls
10:01
and the third party becomes compromised,
10:03
how are you then able to actually figure out what happened? The answer is, you know, likely, that you wouldn't.
10:11
And then implement network and endpoint monitoring tools that can report on anomalous activity. Again, this is kind of a trend in what we're talking about in detection techniques, but it's going to recur because
10:24
these tools are becoming more and more prominent in
10:28
how we combat threat actors, how we become aware of anomalous activity.
10:31
And so if we designate a range of time in which an account should not be used
10:39
and someone attempts to access the account and we get an alert
10:43
that allows us to act much quicker, that makes us aware of the activity much quicker, and so we can jump up, see what's going on, call the third party, see if there was a new person, maybe, that was trying to get in the system, or, no, in fact, no one is
10:56
or should be using that account at this time. And now we need to investigate and figure out what is going on.
11:03
So let's do a quick check on learning. True or false: a trusted relationship and a supply chain compromise are two different initial access vectors, according to MITRE.
11:18
All right, well, if you need additional time, please pause the video and take a moment.
11:22
So a trusted relationship
11:26
and a supply chain compromise are, in fact, two different initial access vectors, according to MITRE. So this statement is a true statement; they're not one and the same. Remember, supply chain compromise has to do
11:45
with hardware or software being manipulated and then installed by
11:50
the end user or the client. Trusted relationship is when a third party has direct access to data or systems that could be compromised and used to then access their systems as though they were the vendor.
12:03
Therefore, trusted relationship is a separate vector in itself.
12:07
So let's go ahead and look at our summary. So in summary today, we reviewed the differences between trusted relationship versus supply chain, and we just talked about that.
12:16
We reviewed the example of the managed service provider. Remember, thinking about that pyramid of access: managed service providers, managed security providers, global software providers probably have access to numerous
12:31
environments, whereas if a threat actor were to compromise a single entity like a bank or a health care provider or hospital, they will still have a high payout,
12:41
but they will not have access to all of the different types of systems that those entities could bring, and then targeting individuals is much less rewarding and far more cumbersome than attacking these bigger entities. That doesn't mean that you're off the hook.
12:58
It just means that
13:00
more sophisticated threat actors are going after targets that will provide them a higher payout.
13:05
We reviewed the mitigation techniques, such as limiting third party account access times, as well as network segmentation. And then we reviewed detection techniques, such as endpoint detection and intrusion detection software and services, using those to
13:22
alert on third party account activity, as well as potentially keeping
13:28
separate log files in a location that is not accessible by the third party, to ensure that if something happens, we're able to trace back steps and see what actually occurred. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor