Trusted Relationship

00:00

hello and welcome to another application of the minor attack framework discussion Today. We're looking at trusted relationship, and so this is going to be a little different than supply chain compromise, and we'll get into that shortly. Now let's go ahead and touch on the objectives for today's discussion.

00:20

So we're going to look at trusted Relationship, which is the topic of our discussion today versus

00:26

supply chain compromise. So those are going to be two totally different things, and we're gonna touch on this shortly

00:33

Now. We're also going to review an example of managed service providers. We're going to discuss that and a high level. We're going to talk about mitigation techniques and detection techniques as well. And there's probably starting to see a trend in those last two there but definitely worthwhile. So

00:50

trusted relationship versus supply chain compromise. A trusted relationship

00:57

leverages the access 1/3 party has to the potential victims systems where a supply chain compromise involves the manipulation of trusted tools or code that is then delivered to the victims environment. So the shortened that trusted relationship is direct access to systems or data

01:15

supply chain compromises access after the victim installs a malicious update or uses infected hardware.

01:23

So

01:23

that is the key difference. If

01:26

you get a piece of hardware that is infected and you install that piece of hardware, that is a supply chain compromise. If you have that vendor of the hardware, they have remote access to your systems to provide support and things of that nature. And that account that they use is then used to

01:46

access data

01:47

or to damage your systems. That is a trusted relationship. Okay, so those were the primary differences there. One is kind of direct access, and then one is kind of trusted relationship where you install malicious updates. Poor use, infected hardware.

02:04

So a great example of this that we've heard a lot about. There were even some releases

02:09

from several agencies on managed service providers needing to shore up security practices and things of that nature. So hackers working for China broken two networks of eight major M. S, P's and technology service providers based on a routers report, So these attacks led to damages in the given areas.

02:30

So banking, Taliqan, medical packaging, manufacturing, consulting

02:35

in the way. I like to think of

02:37

trusted attacks

02:39

or trusted relationship as far as the Spectres concern.

02:45

If I have a medical record,

02:47

that medical record has a certain value. Well, I do have a medical record, by the way, but that medical record has a certain value on

02:54

the black market, right? So that record can be sold for us some of X dollars, and that's it.

03:04

But

03:06

if a health care provider

03:08

were compromised instead of myself cause, imagine a threat actor would have to figure out my email address, they'd have to know how I received my medical records. Maybe they compromised my password manager. Whatever the case may be, they go through all that work. They get into a new account, they're able to get my medical information,

03:28

and that's it. That's a one for one transaction that takes a lot of effort and energy.

03:32

But if they're able to compromise my health care provider,

03:38

they now have access not just to my medical records but the medical records of any individual that is serviced by that health care provider.

03:46

Likewise, if it's ah medical equipment and they've got a relationship with a number of hospitals, there's account numbers, payment, court information, whatever the case may be, anything you know, compromise banks than that bank has numerous accounts that they service etcetera.

04:02

Now you want up that game, and it's like

04:05

a pyramid. Essentially. So if I if I'm getting into banks and things of that nature

04:12

and they're here in the middle,

04:14

okay, and that bank represents a set of data that then gives me access. And I'm sorry this pyramid stinks. It gives me access to all the climb information, right? So I could do a one for one transaction here,

04:28

right? Or I could do a one to many here by compromising a bank, right? But

04:33

if there is a managed service provider

04:38

and I'm putting them at the top of the pyramid because their level of access is one too many

04:44

banks, one too many health care providers, one too many manufacturers, one too many, uh, banking, you know, medical packaging, whatever the case may be. And so now, if I focus my effort and attention on this trusted relationship,

05:00

the reward is so much deeper

05:03

then just going after a bank individually or a manufacturing firm or individual persons. So this is definitely something that as we continue into 2021 22 23. We want to remember that

05:19

the individuals that we give access to our systems and that we allow to manager systems need to hold themselves to the same or higher standards than ourselves. Because if they are compromised, it's not just about our businesses data, which is the most important, of course,

05:33

but the business data of any entity

05:36

they serve the client information of any entity, day servants. So that's why I trusted relationships are definitely dangerous as far as the ability of a threat actor to take advantage of that

05:50

and get into those systems. So let's talk about mitigation techniques, and we're going to use the The MSP example is one of those

06:00

so we could look to implement proper network segmentation. And so what we mean by that is that if an entity or person needs remote access

06:11

that Ramon access is limited to a network segment, therefore they won't be able to easily, you know if they're compromised, spread to other systems,

06:19

okay, but most of the times with managed service providers, they have agents on every system

06:26

so they can get to any segment or any networker or any of those things and a lot of times

06:31

server infrastructure and things that nature

06:35

is able to reach any segment of the network like a domain control or something of that nature because it has to service all systems in the infrastructure. But if we've got a software vendor or something of that nature, who Onley needs access to a single system that's on,

06:53

you know, a designated network segment and they don't need administrative privilege to do what they need to do,

06:59

then we would definitely want to look to keep those systems, segment it

07:02

and to ensure that we do what we can to in the event that that relationship

07:09

was compromised in the Threat Actor got into a system we could minimize impact hopefully,

07:14

and then it would definitely be beneficial to keep the time frame and permission sets that third parties use limited. Now that's tough a lot of times with managed service providers because they're updating systems, they're implementing service accounts, things of that nature. But what I've seen is the use of

07:32

domain administrative accounts as service accounts

07:35

when in all reality they should be using service accounts in a fashion that limits permissions. But allows them to achieve the goals

07:46

and then with domain administrative accounts.

07:49

We should definitely be looking to limit when the service provider can access systems, especially if you've got a software vendor. And that software vendor only uses that account. Let's say once 1/4 to do updates

08:03

That account can be disabled or can be turned off

08:07

if they need administrative privilege or any privilege until they need access, and that can be coordinated and planned. Same thing here. It's not convenient per se for managed service provider to, you know, have a limited time frame in which they could do work.

08:22

But

08:24

if you say hey, I only want changes made to my network between the hours of UM 4 p.m. and 7 p.m. Eastern standard time

08:33

because we're busy

08:35

from 6 a.m. to, you know, 3 59 PM Eastern Standard. Tom. So your account, as far as being able to get into our system, should only work. Then, unless we

08:48

enable that account, allow access,

08:52

then that could be understandable. You could limit the time frame in which that account can function, and then it limits the ability of a threat. Actor to act outside of those parameters,

09:01

and it runs nicely into some of our detection techniques.

09:07

Now, as far as detection techniques for these types of activities, you could monitor activity of designated third party accounts, not using third party controls, and this becomes important

09:18

for a number of things. You want to have a system in place

09:22

that longs or pools when the third party account is used and its designated to a separate system that maybe even the third party doesn't have access to. And the reason for this is not a lack of trust of the third party.

09:39

But then, if something happens

09:41

and that account becomes suspect for some reason, the Threat actor would not be able to access

09:48

those longs and that information and therefore would not be able to tamper with that information. And you could then use that to better understand what happened and what's going on.

09:58

If you rely on third party controls

10:01

in the third party becomes compromised,

10:03

how are you then able to actually figure out what happened? Answer is, you know they, like with it, is that you wouldn't

10:11

and then implement network and endpoint monitoring tools that can report on anomalous activity. Again, this is kind of a trend in what we're talking about in detection techniques, but it's going to re occur because

10:24

these tools are becoming more and more prominent in

10:28

how we combat threat actors, how we become aware of anomalous activity.

10:31

And so if we designate ah range of town in which an account should not be used

10:39

and someone attempts to access the account and we get an alert

10:43

that allows us to act much quicker, that makes us aware of the activity much quicker and so weaken jump up, see what's going on. Call the third party, see if there was a new person, maybe that trying to get in the system or no, In fact, no one is

10:56

or should be using that account at this time. And now we need to investigate and figure out what is going on.

11:03

So let's do a quick check on learning. True or false. A trusted relationship and a supply chain attack compromise are two different initial access vectors, according to Minor.

11:18

All right, well, if you need additional time, please Wyoming's pause the video and take a moment.

11:22

So a trusted relationship

11:26

and a supply chain compromise are, in fact, two different initial access vectors, according to Minor. So this statement is a true statement there, not one in the same remember supply chain compromise has to do

11:45

with hardware or software being manipulated and then installed My

11:50

the end user or the client trusted relationship is when 1/3 party has direct access to data or systems that could be compromise. A used to them access their systems as though they were the vendor.

12:03

Therefore, trusted relationship is a separate vector in itself.

12:07

So let's go ahead and look at our summary. So in summary today, we reviewed the differences between trusted relationship versus supply chain, and we just talked about that.

12:16

We reviewed the example of the managed service provider. Remember thinking about that pyramid of access. Managed service providers manage security providers. Global software providers probably have access to numerous

12:31

environments, whereas if a threat actor were to compromise a single entity like a bank or a health care provider, our hospital, they will still have a high payout.

12:41

But they will not have access to all of the different types of systems that those entities could bring, and then targeting individuals is much less rewarding and former cumbersome than attacking these bigger entities. That doesn't mean that you're off the hook.

12:58

It just means that

13:00

more sophisticated threat actors of going after targets that will provide them a higher payout.

13:05

We reviewed the mitigation techniques, such as limiting third party account access times, a swell as network segmentation. And then we reviewed detection techniques such as in point detection in point and intrusion detection, Softwares and services using those two

13:22

alert on third party account activity, as well as potentially keeping