Getting in via The Chain

Large organizations spend a lot of money creating a secure perimeter, both digital and physical. They spend a lot of money on the latest security products, detection software, monitoring and a number of other things. They are tight, secure.

However, what they sometimes forget to check is what we call The Chain.

The Chain refers to the small companies that supply the organization with services such as office supplies, resellers, small partners in places where there is no official company presence, transportation of goods, etc, etc. The Chain is what keeps the big company moving so they can develop and sell their products. It's the logistics.
One of the things we do during the recon phase is try to get as much information as we can about this. These, sometimes small, companies might not invest as much in security as the main organization contracting them. And a lot of times they are the weak link to an otherwise secure organization.

Checking The Chain is vital to a proper Red Team assessment. Bad guys will use these smaller organizations to find the initial way in. It is not difficult to get this information.

Imagine a contractor hired to help develop a crucial application for your customer. He brings his company-issued laptop and plugs it into the network. Has that laptop been checked for any malicious code? What would happen if the network of the consultant's company, a small 20-person services company, was compromised a few months prior because the bad guys knew that its consultants work for their main target? Now the attackers have a possible way in, and they didn't even have to deal with the better security of their main target.
Or, the main organization outsources their CRM needs to a small company that provides cheap cloud services that not only can be accessed from within the company, but that sales representatives on the road can also log in to from anywhere in the world. What would happen if this small CRM company was hacked by an adversary? They will have access to confidential data and possibly a way to piggyback into the main organization's servers, either directly or indirectly (by compromising a sales representative's computer).

Don't forget to ask the right questions about The Chain. Bad things happen this way.
