Privilege Escalation: Why is it so dangerous?
As organizations rely more on remote work capabilities and larger cloud systems, their vulnerability to cyberattacks increases. Privilege escalation attacks are a prevalent and complex threat, and any network can become a target. Organizations need multiple defense strategies when any asset can become an entry point for intruders. Understanding the privilege escalation process is an important first step toward prevention and defense against extensive network attacks.
What is Privilege Escalation?
Privilege escalation is a type of network attack used to gain unauthorized access to systems within a security perimeter.
Attackers start by finding weak points in an organization’s defenses and gaining access to a system. In many cases that first point of penetration will not grant attackers the level of access or data they need. They will then attempt privilege escalation to gain more permissions or obtain access to additional, more sensitive systems.
In some cases, attackers attempting privilege escalation find the “doors are wide open” – inadequate security controls, or failure to follow the principle of least privilege, with users having more privileges than they actually need. In other cases, attackers exploit software vulnerabilities or use specific techniques to overcome an operating system’s permissions mechanism.
How does it work?
To perform a privilege escalation attack, a threat actor should first infiltrate the targeted network. This is usually done through abusing vulnerabilities in the system or through social engineering techniques for instance. This can also go both ways: either hackers find a privileged account from the beginning and perform a privilege escalation attack, or they gain access to a standard account in the initial phase. In the second scenario, they can perform surveillance on the network until it’s time for the next move – gaining access to a privileged account – an account with special rights beyond those of a standard user, with access to critical data and infrastructure within an organization.
Why Privilege Escalation is so dangerous
Privilege escalation is often one part of a multi-stage attack, allowing intruders to deploy a malicious payload or execute malicious code in the targeted system. This means that whenever you detect or suspect privilege escalation, you also need to look for signs of other malicious activity. But even without evidence of further attacks, any privilege escalation incident is an information security issue in itself because someone could have gained unauthorized access to personal, confidential, or otherwise sensitive data. In many cases, this will have to be reported internally or to the relevant authorities to ensure compliance.
Worse still, it can be hard to distinguish between routine and malicious activity to detect privilege escalation incidents. This is especially true for rogue users who might have legitimate access yet perform malicious actions that compromise system or application security. However, if you can quickly detect successful or attempted privilege escalation, you have a good chance of stopping the intruders before they can establish a foothold to launch their main attack.
Types of Privilege Escalation Attacks
An initial attack on a computer system rarely obtains full access to that system. In most cases, a series of actions are needed to achieve the access required to accomplish the attack’s intended goal. Horizontal and vertical attacks conduct this process in distinctly different ways.
Horizontal Privilege Escalation
Horizontal privilege escalation involves the attacker gaining access to a user account and increasing the permissions on that account. This type of privilege escalation is typically more challenging, as it generally requires a greater understanding of the system’s vulnerabilities and the greater use of hacking tools like Metasploit. Attackers often use phishing campaigns to perform the first step of gaining access to an account.
Several options are available for elevating permissions in horizontal privilege escalation. Exploiting operating system (OS) vulnerabilities is one of the most popular for gain root-level access for this type of privilege escalation.
Vertical Privilege Escalation
Vertical privilege escalation occurs when attackers gain direct access to an account that already has the privileges needed to accomplish its goal. This type of privilege escalation is easier to perform since it doesn’t require any steps beyond this. In this case, the attack focuses on identifying an account with the necessary privileges and obtaining access to that account.
Attackers routinely use phishing emails to obtain direct access to a user’s financial account, including accounts from banks and e-commerce sites like Amazon. The email usually claims that the user’s account will be deleted for inactivity unless the user clicks on a link in the email and logs in to that account. This link leads to a webpage owned by the hacker that resembles the authentic website as much as possible. If the user logs in to this fake website, the attacker can then harvest the user’s login information and take money from the real account.
What are examples of Privilege Escalation?
Three common privilege escalation techniques are:
- Access token manipulation: Takes advantage of the way Microsoft Windows manages administrator privileges. Normally, Windows uses access tokens to determine the owners of running processes. With token manipulation, the attacker fools the system into believing the running processes belong to a different user than the one that actually started the process. When this happens, the process takes on the security context associated with the attacker’s access token. This is a form of privilege elevation or vertical privilege escalation.
- Bypassing user account control: Windows has a structured mechanism for controlling user privileges called user account control (UAC) that serves as a barrier between normal users and administrators, limiting standard user permissions until an administrator authorizes increased privileges. However, if the UAC protection level on a computer is not properly configured, some Windows programs will be allowed to elevate privileges or execute Component Object Model (COM) objects without asking for administrator permission first. For example, the rundll32.exe can load a Dynamic Link Library (DLL) which loads a COM object that has elevated privileges, allowing attackers to bypass UAC and gain access to protected directories.
- Using valid accounts: Attackers gain unauthorized access to an administrator or user with elevated privileges and use it to log in to a sensitive system or create their own login credentials.
Detecting and Preventing Privilege Escalation
While it’s not possible to completely eliminate cyber attackers who try to use privilege escalation to exploit your systems, it’s possible to slow them down or limit the blast radius of their damage.
Identifying the Signs of an Attempted Escalation
Logging and monitoring access would be the best way to detect escalation attacks. It may be difficult to do this at scale, however, as more users may have legitimate reasons to escalate their role. Still, having a good logging system to monitor user activity and creating rules to identify anomalies that could point to threats will help catch this quickly. In addition, identifying unusual network traffic or an unusually high number of access attempts to or from certain accounts are more red flags.
Implementing Least Privilege
The principle of least privilege is a security best practice that gives users the minimum amount of privileges necessary for them to perform their work. This is effective because there’s a limited amount of damage they can do if they decide to go rogue against the company. Implementing the least privilege is not easy, and it takes a lot of continuous effort. To implement it properly, it’s important to understand what types of work users are doing in the environment and to craft roles based on their needs, then assign roles to a subset of users. Once those roles are assigned, you’ll also need to provide a level of support or governance, as certain users may need more access to do their jobs. Continuously evolving those policies, regularly reviewing and updating user permissions, and limiting admin access are also required for this to be successful.
Conclusion
Privilege escalation is a major security risk that can lead to significant consequences for companies. This isn’t just an attack method used by bad actors; it’s also something that can be done without bad intentions. Either way, it can have a big impact on the company. To mitigate this risk, it’s important to follow best practices such as regularly updating systems, monitoring user activity, following the principle of least privilege, and continuously assessing the capabilities of user roles and reducing the level of access needed within those roles.