What is Privilege Escalation?
Privilege escalation is the exploitation of a programming error, vulnerability, design flaw, configuration oversight or access control in an operating system or application to gain unauthorized access to resources that are usually restricted from the application or user.
This results in the application or user having more privileges than intended by the developer or system administrator, allowing attackers to gain access to sensitive data, install malware and launch other cyber attacks.
Table of contents
- How does privilege escalation work?
- Why is it important to prevent privilege escalation?
- What are the two types of privilege escalation?
- What are examples of privilege escalation?
- How to prevent privilege escalation attacks
- How UpGuard can help prevent privilege escalation attacks
1. How does privilege escalation work?
Most computer systems are designed for use with multiple user accounts, each of which has abilities known as privileges. Common privileges include the ability to view, edit or modify files.
Privilege escalation means an attacker gains access to privileges they are not entitled to by exploiting a privilege escalation vulnerability in a target system or application, which lets them override the limitations of the current user account.
Privilege escalation is a common way for malicious users to gain initial access to a system. Attackers start by finding a weak point in an organization’s cybersecurity to gain initial penetration to a system.
In many cases, the first point of penetration will not give attackers the level of access or access to the file system they need. They will then attempt privilege escalation to gain more permissions or to obtain access to additional, more sensitive systems.
In some situations, attackers attempting privilege escalation find the doors are wide open. Inadequate information security, failure to follow the principle of least privilege and a lack of defense in depth leaves regular users with more privileges than they need.
In other cases, attackers exploit poor patching cadence, zero-day vulnerabilities or use specific techniques to overcome an operating system’s permissions mechanism.
2. Why is it important to prevent privilege escalation?
While privilege escalation is generally not the end goal of an attacker, it is frequently used in preparation for a more specific cyber attack, allowing intruders to deploy a malicious payload, adjust security settings and open up additional attack vectors in the targeted system.
Whenever you detect or suspect privilege escalation, use digital forensics to find signs of other malicious activities like computer worms, malware, corporate espionage, data breaches, data leaks, man-in-the-middle attacks and stolen personally identifiable information (PII), protected health information (PHI), psychographic data or biometrics.
Even without evidence of further attacks, privilege escalation incidents represent significant cybersecurity risk because it means someone has gained unauthorized access to a privileged account and confidential or sensitive information.
In many industries, these incidents need to be reported internally and to relevant authorities to ensure regulatory compliance.
3. What are the two types of privilege escalation?
There are two main privilege escalation techniques:
- Vertical privilege escalation (privilege elevation):An attacker attempts to gain higher privileges or access with an existing account they have compromised. For example, an attacker takes over a regular user account on a network and attempts to gain administrative privileges. Typically the administrator or system user on Microsoft Windows, or root on Unix and Linux systems. Once they gain elevated privileges, attackers can steal sensitive data about a specific user, install ransomware, spyware or other types of malware, execute malicious code and damage the security posture of your organization.
- Horizontal privilege escalation:An attacker expands their privileges by taking over a privileged account and misusing the legitimate privileges granted to the user. For local privilege escalation attacks this might mean hijacking an account with administrator privileges or root privileges, for web applications might mean gaining access to a user’s bank account or the admin account of a SaaS app.
4. What are examples of privilege escalation?
Three common privilege escalation techniques are:
- Access token manipulation: Takes advantage of the way Microsoft Windows manages administrator privileges. Normally, Windows uses access tokens to determine the owners of running processes. With token manipulation, the attacker fools the system into believing the running processes belong to a different user than the one that actually started the process. When this happens, the process takes on the security context associated with the attacker’s access token. This is a form of privilege elevation or vertical privilege escalation.
- Bypassing user account control: Windows has a structured mechanism for controlling user privileges called user account control (UAC) that serves as a barrier between normal users and administrators, limiting standard user permissions until an administrator authorizes increased privileges. However, if the UAC protection level on a computer is not properly configured, some Windows programs will be allowed to elevate privileges or execute Component Object Model (COM) objects without asking for administrator permission first. For example, the rundll32.exe can load a Dynamic Link Library (DLL) which loads a COM object that has elevated privileges, allowing attackers to bypass UAC and gain access to protected directories.
- Using valid accounts: Attackers gain unauthorized access to an administrator or user with elevated privileges and use it to log in to a sensitive system or create their own logon credentials.
5. How to prevent privilege escalation attacks
Attackers use many privilege escalation techniques to achieve their goals. The good news is if you can quickly detect successful or attempted privilege escalations attacks, you have a good chance of stopping intruders before they can launch their main attack.
To attempt privilege escalation in the first place, attackers usually need to gain access to a less privileged account. This means that regular user accounts are your first line of defense, make sure to invest in strong access control:
For application security, it’s vital to:
Not all privilege escalation relies on user accounts, administrator privileges can be obtained be exploiting vulnerabilities in applications operating systems and configuration management, minimize your attack surface by:
- Keeping systems and applications updated:Many attacks exploit known vulnerabilities listed on CVE. By keeping a consistent patching cadence you are minimizing this cybersecurity risk.
- Ensuring correct permissions for files, directories and web servers:Follow the principle of least privilege, check S3 security settings and ensure that only those who need access have access.
- Closing unnecessary ports and removing unused accounts: Default system configurations often include unnecessary services and arbitrary code running on open ports, each one is a potential attack vector. Remove default and unused accounts to avoid attackers and former employees gaining access to sensitive systems.
- Avoiding default login credentials: This might seem obvious but many organizations fail to change the default login credentials on their devices such as printers, routers and IoT devices. No matter how secure your network security is, one router is using the default admin/password login credentials could be enough for an attacker to intrude.
- Removing or restricting file transfer functionality:FTP, TFPT, wget, curl and other file transfer functions are a common way to download and execute malicious code or malicious writable. Consider removing these tools or restricting their use to specific directories, users and applications.
If you want to get an idea of your organization’s external security posture, use our free security scanner to see your external attack surface.
6. How UpGuard can help prevent privilege escalation attacks
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors’ security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We’ll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer’s trust through cyber security ratings and continuous exposure detection.
If you’d like to see how your organization stacks up, get your free Cyber Security Rating.
Originally published at https://www.upguard.com.