T1199 · Initial Access · Hard difficulty

Trusted Relationship

Trusted Relationship (T1199) is a MITRE ATT&CK technique in the Initial Access tactic. SOC analysts detect it by monitoring SIEM and firewall events for behavioral anomalies and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.

Data sources: SIEM, Firewall

What is Trusted Relationship?

Adversaries may breach or otherwise leverage organizations that have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may be unprotected, or that receives less scrutiny than standard employee accounts. Organizations frequently grant elevated network access to managed service providers, IT contractors, auditors, vendors, and business partners to perform legitimate business functions. These trusted relationships create an indirect attack surface because each third-party organization with network access represents a potential compromise path into the victim environment. Attackers who compromise a managed service provider can simultaneously access all of that provider's clients, as demonstrated by multiple high-profile supply chain attacks against MSPs. The challenge for defenders is that connections from trusted partners often use legitimate credentials, arrive from known IP ranges, and perform activities consistent with their business purpose, which makes malicious access hard to distinguish from authorized support activity.

Trusted Relationship is documented as technique T1199 in the MITRE ATT&CK knowledge base under the Initial Access tactic. Detection requires visibility into SIEM and firewall telemetry.

Detection Strategies

The following detection strategies help SOC analysts identify Trusted Relationship activity. These methods apply across SIEM and firewall environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.

1. Maintain an inventory of all third-party accounts and connections with their associated business justifications, and periodically audit these accounts to confirm they are still required and have not been over-provisioned with unnecessary permissions.

2. Monitor authentication events from third-party accounts and alert on logins occurring outside scheduled maintenance windows, logins from IP addresses not associated with the partner organization, and access to systems beyond the partner's scope of support.

3. Implement just-in-time access for vendor and partner accounts so that credentials are only activated for the duration of authorized work sessions, reducing the window of opportunity if a partner account is compromised.

4. Alert on lateral movement originating from systems or accounts associated with managed service providers or other trusted partners, as legitimate support activities rarely require moving between systems in patterns consistent with reconnaissance.

5. Review network segmentation controls that apply to trusted third-party connections to ensure partners only have network-level access to the specific systems they support, limiting the blast radius if a partner account is used maliciously.

Example Alerts

These realistic alert examples show what Trusted Relationship looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.

Severity: High · Source: SIEM

MSP Account Accessing Systems Outside Support Scope

Managed service provider account msp_operations_user accessed the finance application server and HR directory systems over the past 3 hours. This account is authorized only for IT infrastructure management across server and networking equipment. The access to business application systems falls outside the contracted support scope and the MSP has not submitted any change requests for these systems.

Severity: Critical · Source: SIEM

Vendor VPN Connection at Unusual Time with Lateral Movement

Third-party auditing firm account audit_connector authenticated to the vendor VPN at 02:38 AM on a Saturday and subsequently accessed 14 internal servers including two domain controllers. The vendor normally connects during business hours on weekdays for scheduled audit activities. No audit work was scheduled this weekend, and the access pattern to domain controllers is inconsistent with legitimate auditing workflows.

Severity: High · Source: Firewall

Contractor Account Used from Unexpected Geographic Location

Contractor account contractor_dev_team authenticated from an IP address geolocating to Eastern Europe. The contracting firm is based in Canada and has never previously authenticated from this region. The account immediately began accessing source code repositories and development infrastructure. This access pattern suggests the contractor account has been compromised and is being used by a threat actor.
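The detection strategies above (an account inventory with scope and maintenance windows, alerting on logins outside the window or from unapproved ranges or to out-of-scope systems, and flagging partner accounts that fan out across many hosts) and the three example alerts can be expressed as one small correlation routine. The following Python is an added example written for this page; it is not SOCSimulator code and not a product rule. The account inventory, network ranges, host names and log lines are all constructed for the example, and the "unexpected geographic location" case is approximated by a source-range check because the script has no geolocation data. The lateral-movement threshold of five distinct hosts per day is an assumed tuning value.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Strategy 1: a constructed inventory of third-party accounts. Each entry records the
# partner, the source networks the partner connects from, the hosts in its support
# scope and its agreed maintenance window. All values are made up for this example.
THIRD_PARTY_ACCOUNTS = {
    "msp_operations_user": {
        "partner": "MSP (infrastructure support)",
        "allowed_networks": [ip_network("203.0.113.0/24")],
        "allowed_hosts": {"srv-core-01", "srv-core-02", "sw-dist-01"},
        "window": (time(8, 0), time(18, 0)),   # local business hours
        "weekdays_only": True,
    },
    "audit_connector": {
        "partner": "External auditor",
        "allowed_networks": [ip_network("198.51.100.0/24")],
        "allowed_hosts": {"srv-erp-01"},
        "window": (time(9, 0), time(17, 0)),
        "weekdays_only": True,
    },
    "contractor_dev_team": {
        "partner": "Development contractor",
        "allowed_networks": [ip_network("192.0.2.0/24")],
        "allowed_hosts": {"git-01", "ci-01"},
        "window": (time(8, 0), time(18, 0)),
        "weekdays_only": True,
    },
}

LATERAL_MOVEMENT_THRESHOLD = 5  # assumed: distinct hosts per account per day


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    host: str


def parse_logs(text):
    """Parse constructed 'timestamp key=value ...' authentication lines into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append(Event(datetime.fromisoformat(ts), fields["user"], fields["src"], fields["host"]))
    return events


def check_event(ev, inventory=THIRD_PARTY_ACCOUNTS):
    """Strategy 2: return (severity, reason) findings for a single third-party login."""
    profile = inventory.get(ev.user)
    if profile is None:
        return []  # not a third-party account; this rule does not apply
    findings = []
    start, end = profile["window"]
    weekend = profile["weekdays_only"] and ev.ts.weekday() >= 5
    if not (start <= ev.ts.time() <= end) or weekend:
        findings.append(("High", f"login outside maintenance window at {ev.ts:%Y-%m-%d %H:%M}"))
    if not any(ip_address(ev.src_ip) in net for net in profile["allowed_networks"]):
        findings.append(("High", f"source {ev.src_ip} not in {profile['partner']} ranges"))
    if ev.host not in profile["allowed_hosts"]:
        findings.append(("High", f"access to {ev.host} outside support scope"))
    return findings


def analyse(events, inventory=THIRD_PARTY_ACCOUNTS, threshold=LATERAL_MOVEMENT_THRESHOLD):
    """Run per-event checks, then strategy 4: count distinct hosts per partner account per day."""
    alerts = []
    hosts_seen = defaultdict(set)
    for ev in events:
        for severity, reason in check_event(ev, inventory):
            alerts.append((severity, ev.user, reason))
        if ev.user in inventory:
            hosts_seen[(ev.user, ev.ts.date())].add(ev.host)
    for (user, day), hosts in hosts_seen.items():
        if len(hosts) >= threshold:
            alerts.append(("Critical", user, f"{len(hosts)} distinct hosts on {day} (possible lateral movement)"))
    return alerts


# Constructed sample log lines. 2024-03-16 is a Saturday; 2024-03-18 is a Monday.
SAMPLE_LOGS = """\
2024-03-16T02:38:00 user=audit_connector src=198.51.100.7 host=srv-erp-01
2024-03-16T02:41:00 user=audit_connector src=198.51.100.7 host=dc-01
2024-03-16T02:45:00 user=audit_connector src=198.51.100.7 host=dc-02
2024-03-16T02:50:00 user=audit_connector src=198.51.100.7 host=srv-file-03
2024-03-16T02:55:00 user=audit_connector src=198.51.100.7 host=srv-file-04
2024-03-18T10:15:00 user=msp_operations_user src=203.0.113.20 host=srv-core-01
2024-03-18T10:40:00 user=msp_operations_user src=203.0.113.20 host=srv-fin-app-01
2024-03-18T11:05:00 user=contractor_dev_team src=203.0.113.99 host=git-01
2024-03-18T11:30:00 user=alice src=10.0.0.5 host=srv-core-01
"""

if __name__ == "__main__":
    for severity, user, reason in analyse(parse_logs(SAMPLE_LOGS)):
        print(f"[{severity}] {user}: {reason}")
```

Run as-is, the script raises the weekend-and-out-of-scope findings for audit_connector plus one Critical fan-out alert for its five hosts, one out-of-scope alert for msp_operations_user touching the finance application server, and one unapproved-source alert for contractor_dev_team, while the internal user alice produces nothing. In a real deployment the inventory would be fed from the access-review process in strategy 1 rather than hard-coded, and the per-day host count would be replaced by the SIEM's own windowed aggregation.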

Practice Detecting Trusted Relationship

SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Trusted Relationship. Build detection skills with zero consequences — free forever.


Frequently Asked Questions

How do SOC analysts detect Trusted Relationship?
SOC analysts detect Trusted Relationship (T1199) by monitoring SIEM and firewall telemetry for behavioral anomalies and specific indicators. Key detection methods include maintaining an inventory of all third-party accounts and connections with their associated business justifications, and periodically auditing those accounts. SOCSimulator provides hands-on practice detecting this technique with realistic alerts.
What security tools are used to detect Trusted Relationship?
Trusted Relationship can be detected using SIEM and firewall platforms. SIEM tools are particularly effective for this technique because they provide visibility into the initial access phase of the attack chain. SOCSimulator simulates all three tool types for hands-on training.
How common is Trusted Relationship in real-world attacks?
Trusted Relationship is a well-documented MITRE ATT&CK technique in the Initial Access tactic. It appears in threat intelligence reports from multiple security vendors and has been observed in campaigns by various threat actor groups. SOCSimulator includes realistic Trusted Relationship scenarios based on documented attack patterns, helping analysts build detection intuition.
Can I practice detecting Trusted Relationship for free?
Yes. SOCSimulator offers free forever access to training scenarios, including Initial Access techniques like Trusted Relationship. You can investigate realistic alerts in guided Operations rooms, build detection skills with SIEM, XDR, and Firewall interfaces, and test yourself under pressure in Shift Mode. No credit card required.