The scope of permissions associated with a user depends on how privileged the user's role is. Privileged roles in an organization include system administrators, payroll administrators, IT help desk technicians, and network and database administrators. These employees use privileged accounts to gain access to their respective target endpoints. Since privileged accounts enable elevated access to critical systems, enforcing fine-grained permissions at the user or group level helps secure access to privileged endpoints. However, if these privileged accounts are exposed to malicious insiders or external attackers, it can spell doom for the overall security of the enterprise.
Privilege escalation can be carried out against a role at any permission level. There are two types of privilege escalation:
Horizontal privilege escalation allows a user to gain the permissions of a fellow user with the same level of privilege, typically to access that user's personal information. The challenge for the attacker is that this is often a standard user account with basic privileges, so they will still need to elevate their privileges to perform higher-level actions.
For example, an employee who uses a fellow user's credentials to access critical information is impersonating a user with the same privileges. Despite the two accounts having similar access permissions, impersonating the fellow employee gives the attacker access to that employee's PII. This type of escalation is usually carried out using social engineering techniques.
Vertical privilege escalation is when a user with non-administrative permissions gains administrative permissions that are otherwise unavailable to them. Vertical privilege escalation provides direct access to critical enterprise resources without the user having to request elevated account privileges.
For example, a user with standard privileges gaining access to a user account with relatively higher privileges can view and modify confidential data about every employee. This is a privileged action that is usually not under the purview of the standard user.
Privileged accounts are the gateways to critical information, and inadequate security around them takes a toll on both the revenue and the reputation of the enterprise. During a privilege escalation attack, hackers initially target standard user accounts to acquire a bare minimum of privileges. However, these accounts don't suffice when it comes to carrying out activities that require higher privileges. So, how does a bad actor navigate further into the sensitive areas of the organization?
Let's consider the following example: When a non-admin user is granted temporary privileges to perform high-level actions like adding or deleting users, executing privileged commands, or running customer reports, it is important that the access permissions are revoked once the intended task is completed. These standing permissions are susceptible to phishing or social engineering attacks and, if one of these attacks succeeds, an unauthorized user gains that access. Additionally, a higher number of privileged accounts raises the chance that one of them will be targeted to perform nefarious activities over the enterprise network.
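The revocation requirement above is easiest to enforce when a temporary grant cannot exist without an expiry. The following added example (not code from the original article or from PAM360) is a minimal just-in-time privilege store: a grant carries a hard expiry, access checks default to deny once the window has passed or the grant has been revoked early, and every change lands in an audit trail. The class, user and privilege names, and the in-memory store are illustrative assumptions.

```python
"""Added example, not code from the original article: a minimal just-in-time
(JIT) privilege store. A standard user receives a named privilege for a fixed
window; access checks deny automatically once the window ends or the grant is
revoked, and every change is written to an audit trail. The class and
privilege names are illustrative assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    privilege: str
    expires_at: datetime
    revoked: bool = False


@dataclass
class JitPrivilegeStore:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def grant(self, user, privilege, minutes, now):
        # Every grant carries a hard expiry; this interface offers no way to
        # create an open-ended one.
        g = Grant(user, privilege, now + timedelta(minutes=minutes))
        self.grants.append(g)
        self.audit.append((now, "GRANT", user, privilege))
        return g

    def revoke(self, user, privilege, now):
        # Called when the task is finished, before the window would expire.
        for g in self.grants:
            if g.user == user and g.privilege == privilege and not g.revoked:
                g.revoked = True
                self.audit.append((now, "REVOKE", user, privilege))

    def is_allowed(self, user, privilege, now):
        # Default deny: allowed only while an unexpired, unrevoked grant exists.
        return any(
            g.user == user and g.privilege == privilege
            and not g.revoked and now < g.expires_at
            for g in self.grants
        )

    def expire_stale(self, now):
        # Housekeeping pass: close out grants whose window has passed so the
        # count of standing privileged grants reflects reality.
        closed = 0
        for g in self.grants:
            if not g.revoked and now >= g.expires_at:
                g.revoked = True
                self.audit.append((now, "EXPIRE", g.user, g.privilege))
                closed += 1
        return closed

    def standing_grants(self, now):
        # What an auditor would want to see: grants that are live right now.
        return [(g.user, g.privilege) for g in self.grants
                if not g.revoked and now < g.expires_at]


def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    store = JitPrivilegeStore()
    store.grant("alice", "manage_users", minutes=30, now=t0)
    store.grant("bob", "run_reports", minutes=15, now=t0)
    store.revoke("bob", "run_reports", now=t0 + timedelta(minutes=5))  # task done early
    results = {
        "alice_in_window": store.is_allowed("alice", "manage_users", t0 + timedelta(minutes=10)),
        "alice_after_window": store.is_allowed("alice", "manage_users", t0 + timedelta(minutes=30)),
        "alice_other_privilege": store.is_allowed("alice", "delete_users", t0 + timedelta(minutes=10)),
        "bob_after_revoke": store.is_allowed("bob", "run_reports", t0 + timedelta(minutes=6)),
        "expired_by_housekeeping": store.expire_stale(t0 + timedelta(minutes=31)),
        "standing_after": store.standing_grants(t0 + timedelta(minutes=31)),
    }
    return results, store.audit


if __name__ == "__main__":
    results, audit = demo()
    for key, value in results.items():
        print(f"{key}: {value}")
    for entry in audit:
        print(entry)
```

The design choice worth noting is that the check is time-bound rather than relying on someone remembering to revoke: a grant that nobody closes out still stops working, and the housekeeping pass turns that silent expiry into an audit record.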
Windows domain accounts host all critical information and are considered "super admin accounts." When an attacker gains access to one of these accounts, they have direct control at the highest access level. This gives them the leeway to deploy malware in Active Directory and establish control over all critical assets of the enterprise.
For example, active sessions in Windows machines use access tokens that provide information on the owner's role and privileges. The majority of the Windows privilege escalation attacks involve exploiting these access tokens to impersonate a logged-in user and carry out high-level actions.
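Because token abuse shows up as an account receiving privileges it does not normally hold, one defensive check is to watch which logons are assigned sensitive token privileges. The added example below (not code from the original article or from PAM360) runs that check over a constructed, simplified text export of Windows Security events: it keys on event ID 4672 ("Special privileges assigned to new logon"), which is a real event, and flags accounts outside a known-admin baseline that receive privileges associated with impersonation or process access. The export format, the account names and the baseline are constructed assumptions, not a real EVTX layout.

```python
"""Added example, not code from the original article: detection logic over a
constructed Windows Security log export. Event ID 4672 records the sensitive
privileges a new logon token received; the check flags accounts outside an
expected-holder baseline that receive token-level privileges. The line format,
accounts and baseline are constructed for illustration."""
from collections import defaultdict

# Real Windows privilege names; which ones to treat as sensitive is a policy
# choice. These let a holder act under another identity or open any process.
TOKEN_SENSITIVE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
}

# Constructed baseline of accounts expected to receive such privileges.
EXPECTED_HOLDERS = {"SYSTEM", "Administrator", "DA-backup"}

# Constructed, simplified export: one event per line as key=value pairs.
SAMPLE_EXPORT = """\
EventID=4672 Account=SYSTEM Domain=NT_AUTHORITY Privileges=SeTcbPrivilege,SeDebugPrivilege
EventID=4624 Account=jdoe Domain=CORP LogonType=2
EventID=4672 Account=jdoe Domain=CORP Privileges=SeDebugPrivilege,SeImpersonatePrivilege
EventID=4672 Account=DA-backup Domain=CORP Privileges=SeBackupPrivilege,SeRestorePrivilege
EventID=4672 Account=helpdesk1 Domain=CORP Privileges=SeChangeNotifyPrivilege
EventID=4672 Account=jdoe Domain=CORP Privileges=SeDebugPrivilege
"""


def parse_record(line):
    # Split "key=value" tokens; values in this constructed format have no spaces.
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def find_unexpected_token_privileges(export_text, expected=EXPECTED_HOLDERS):
    """Return {account: sorted sensitive privileges} for accounts outside the
    baseline whose logon token was assigned a sensitive privilege."""
    hits = defaultdict(set)
    for line in export_text.splitlines():
        rec = parse_record(line)
        if rec.get("EventID") != "4672":
            continue  # only the "special privileges assigned" event matters here
        account = rec.get("Account", "")
        if account in expected:
            continue
        privileges = set(rec.get("Privileges", "").split(",")) & TOKEN_SENSITIVE
        if privileges:
            hits[account] |= privileges
    return {account: sorted(p) for account, p in hits.items()}


if __name__ == "__main__":
    for account, privileges in find_unexpected_token_privileges(SAMPLE_EXPORT).items():
        print(f"review {account}: token assigned {', '.join(privileges)}")
```

In the sample, the help desk account only receives SeChangeNotifyPrivilege, which nearly every logon gets, so it is not reported; the standard user who is repeatedly assigned SeDebugPrivilege and SeImpersonatePrivilege is the one worth a look. The value of the check depends on the baseline being kept accurate, so it belongs next to whatever process approves new administrative accounts.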
An attacker aiming at Linux privilege escalation will first try to obtain the credentials of the root user, since it holds the highest privilege to access data. Alternatively, hackers prefer to target accounts with sudo privileges (the highest privilege to access resources) to move laterally across the enterprise network. Accomplishing this makes taking control of confidential information child's play.
For example, attackers initially target the Linux shell to perform a privilege escalation. Once there, they employ enumeration techniques, running basic operations on the system to discover paths to sudo privileges, so that they can impersonate the root user and carry out nefarious activities.
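The enumeration described above succeeds when sudo rules hand out more than a task needs, so the same configuration is what a defender should audit. The following added example (not code from the original article or from PAM360) parses a constructed sudoers fragment and flags three patterns: password-less rules that grant all commands, individual accounts (rather than groups) granted all commands, and command specifications containing wildcards. The parser handles only the common "user HOST=(runas) [TAG:] command, command" shape; aliases, include directives and per-command tags are deliberately out of scope, and the finding codes are this example's own naming.

```python
"""Added example, not code from the original article: a defender-side audit of
sudoers rules. It parses a constructed sudoers fragment and flags entries that
grant more than a task needs. Only the "user HOST=(runas) [TAG:] cmd, cmd"
shape is handled (assumption); aliases, @include/#include lines and
per-command tags are out of scope."""
import re

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG_RE = re.compile(r"^[A-Z]+:$")
SKIP_KEYWORDS = {"Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias"}

# Constructed sample, not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed sample
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
deploy   ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
ops      ALL=(ALL) ALL
svc      ALL=(root) /usr/local/bin/restart-*
"""

FINDING_TEXT = {
    "NOPASSWD_ALL": "all commands without authentication; scope to specific commands",
    "USER_ALL_COMMANDS": "individual account granted all commands; prefer a reviewed group",
    "WILDCARD_COMMAND": "wildcard in command spec widens what may be run",
}


def parse_sudoers(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") in SKIP_KEYWORDS:
            continue
        tokens = m.group("rest").split()
        tags = []
        while tokens and TAG_RE.match(tokens[0]):  # leading tags only (assumption)
            tags.append(tokens.pop(0).rstrip(":"))
        commands = [c.strip() for c in " ".join(tokens).split(",") if c.strip()]
        rules.append({
            "who": m.group("who"),
            "host": m.group("host"),
            "runas": m.group("runas") or "root",  # sudo's default target user
            "tags": tags,
            "commands": commands,
        })
    return rules


def audit_sudoers(text):
    """Return (who, finding_code) pairs for rules that grant more than needed."""
    findings = []
    for rule in parse_sudoers(text):
        all_commands = "ALL" in rule["commands"]
        is_group = rule["who"].startswith("%")
        if all_commands and "NOPASSWD" in rule["tags"]:
            findings.append((rule["who"], "NOPASSWD_ALL"))
        elif all_commands and rule["who"] != "root" and not is_group:
            findings.append((rule["who"], "USER_ALL_COMMANDS"))
        for cmd in rule["commands"]:
            if "*" in cmd:
                findings.append((rule["who"], "WILDCARD_COMMAND"))
    return findings


if __name__ == "__main__":
    for who, code in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {code}: {FINDING_TEXT[code]}")
```

The rule for backup passes because it is scoped to a single binary, which is the shape least-privilege sudo rules should take; the three flagged entries are the ones that turn a compromised standard account into root with no further work. On a real host the same audit would also need to follow include directives and expand aliases, which is why those are called out as unsupported here.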
Privileged accounts are the keys to the kingdom; when privileged accounts are shared between multiple users and there's no monitoring of their use, they're more at risk of being used by a malicious actor. These threat actors attempting privilege escalation will try to:
These backdoors, when successfully deployed, allow hackers to bypass the default authorization channels and elevate permissions without any hassle.
Mitigating privilege escalation attacks calls for deploying efficient access management tools. Here are some access management best practices to prevent privilege escalation:
Exhibiting a strong security posture requires continuous effort. Ensuring a reduced attack surface helps enterprises further reduce the risk of a data breach.
ManageEngine PAM360 helps organizations combat privilege escalation attacks with granular least privilege access controls, such as role-based access, policy-based access, dynamic trust scoring, just-in-time privilege elevation, and application and command control. PAM360's comprehensive Zero Trust controls help enterprises ensure zero standing privileges and secure their privileged access routines against emerging threats.