A trusted relationship attack is an attack that compromises a third-party company that has a trusted relationship with a target organization in order to gain access to the latter’s systems.
Trusted relationships exist, for example, between service providers and their clients, between organizations and their subsidiaries, and between contractors and their customers or partners. By their nature, such relationships mean that one party is granted a certain level of access to the other’s network and internal resources so that business operations can proceed.
Trusted relationship attacks are often confused with supply chain attacks. Both work by compromising a third-party organization to gain access to the infrastructure or resources of its customers or partners. The key difference is that a supply chain attack tampers with the hardware or software that a vendor supplies to the target organization, whereas a trusted relationship attack exploits the access that employees of the compromised company have to the target organization’s systems.
Trusted relationships as an attack vector
Threat actors exploit trusted relationships between organizations in both targeted and large-scale attacks. The following scenarios are possible:
- Attackers hack a poorly protected contractor to infiltrate a well-protected large company.
- Attackers gain access to a service provider and use it to attack all of its customers.
Statistics for 2023/24 show that suppliers and contractors were among the top three most common vectors for cyberattacks on organizations.
How contractors access customer systems
Contractors, partners, and other trusted counterparties typically access an organization’s systems through a combination of VPN and remote desktop (RDP). Other options include remote management utilities such as AnyDesk or AmmyyAdmin, and remote access over SSH. Contractor accounts are generally protected by a password, but in some cases have no multi-factor authentication.
Countering trusted relationship attacks
The main challenge in defending against trusted relationship attacks is that the organization granting access to a contractor or partner has no control over the security of the latter’s systems and data. For example, contractor employees may store passwords on their systems in cleartext without the customer ever knowing.
Organizations generally mitigate the risk of such attacks by implementing strict security requirements for contractors’ accounts and minimizing their access to the organization’s systems. Core precautions include:
- Multi-factor authentication. An organization may require contractors to use additional authentication factors (such as physical tokens) when accessing its systems.
- Principle of least privilege. Network segmentation and limiting third-party access to the absolute minimum make it harder for attackers to penetrate infrastructure through a trusted channel.
- Monitoring. Tracking third-party connections and their access rights helps detect malicious activity early and stop an attack in progress.
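As an added illustration of the last two precautions (this is not code from the original article), the following Python script checks constructed contractor access-log lines against a per-account least-privilege policy: the hosts the account may reach, the agreed access method, a maintenance window, and a required second factor. The account names, hosts, IP addresses and log format are all assumptions made for the example.

```python
from collections import namedtuple
# Each access event: timestamp, contractor account, source IP, method, MFA flag, target host
Event = namedtuple("Event", "ts user src_ip method mfa target")

# Constructed policy (hypothetical accounts/hosts): each contractor account is pinned
# to the hosts it maintains, the agreed access method and a maintenance window (hours).
POLICY = {
    "vendor_hvac": {"targets": {"bms-01"}, "methods": {"vpn+rdp"}, "hours": (8, 18)},
    "vendor_erp": {"targets": {"erp-app-01", "erp-db-01"}, "methods": {"ssh"}, "hours": (7, 20)},
}
def parse_line(line):
    """Parse one constructed log line: '<ts> <user> <src_ip> <method> mfa=<yes|no> <target>'."""
    ts, user, src_ip, method, mfa, target = line.split()
    return Event(ts, user, src_ip, method, mfa == "mfa=yes", target)

def check_event(ev, policy=POLICY):
    """Return the policy violations for one event (empty list if it is within scope)."""
    rule = policy.get(ev.user)
    if rule is None:
        return [f"{ev.user}: no contractor policy on file (stale or unknown account)"]
    findings = []
    if not ev.mfa:
        findings.append(f"{ev.user}: login without second factor from {ev.src_ip}")
    if ev.method not in rule["methods"]:
        findings.append(f"{ev.user}: access method {ev.method} not permitted")
    if ev.target not in rule["targets"]:
        findings.append(f"{ev.user}: reached {ev.target}, outside the allowed host set")
    hour = int(ev.ts[11:13])  # hour field of an ISO-8601 timestamp
    start, end = rule["hours"]
    if not start <= hour < end:
        findings.append(f"{ev.user}: connection at {ev.ts} outside maintenance window")
    return findings

def audit(lines, policy=POLICY):
    """Run check_event over every non-empty log line and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(check_event(parse_line(line), policy))
    return findings

# Constructed sample log (not real data): two in-scope sessions and four policy violations
SAMPLE_LOG = """
2024-05-02T09:12:01 vendor_hvac 203.0.113.7 vpn+rdp mfa=yes bms-01
2024-05-02T22:40:17 vendor_hvac 203.0.113.7 vpn+rdp mfa=no bms-01
2024-05-03T10:05:44 vendor_hvac 198.51.100.9 vpn+rdp mfa=yes fileserver-02
2024-05-03T10:00:00 vendor_erp 203.0.113.20 ssh mfa=yes erp-db-01
2024-05-03T10:02:30 ex_contractor 203.0.113.21 vpn+rdp mfa=yes erp-app-01
"""
```

Running `audit(SAMPLE_LOG.splitlines())` yields four findings: a login without a second factor outside the window, a connection to a host outside the contractor's scope, and a session from an account with no policy on file.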