As organizations rely more on remote work capabilities and larger cloud systems, their vulnerability to cyberattacks increases. Privilege escalation attacks are a prevalent and complex threat, and any network can become a target.
What Is Privilege Escalation?

A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access to a system. Attackers exploit human behaviors, design flaws or oversights in operating systems or web applications. This is closely related to lateral movement — tactics by which a cyberattacker moves deeper into a network in search of high-value assets. The result is an internal or external user with unauthorized system privileges. Depending on the extent of the breach, bad actors can do minor or major damage, from a single unauthorized email to a ransomware attack on vast amounts of data. Left undetected, attacks can result in advanced persistent threats (APTs) to operating systems.

Expert Tip: You might wonder who should know about privilege escalation. The answer is: everyone! Any user with a login, no matter how basic, may become the initial victim. Catastrophic attacks can start with gaining valid credentials of any kind, so any compromised account is a problem for the whole network.

How Privilege Escalation Works

Adversaries usually begin privilege escalation with a social engineering technique that relies on manipulating human behavior. The most basic is phishing — electronic communications that contain harmful links. Once an attacker compromises an individual’s account, the entire network is exposed. Attackers search for weak spots in organizational defenses that allow initial entry or basic privileges through credential theft. As explained in more detail below, exploiting such vulnerabilities enables further privilege elevation. An effective strategy must therefore combine techniques for prevention, detection and swift action.

Privilege Escalation Techniques

A privilege escalation technique can be executed locally or remotely. Local privilege escalation begins onsite, often by someone inside the organization. Remote escalation can begin from almost anywhere.
For a determined attacker, either approach can be effective.

What Are the Main Types of Privilege Escalation?

Attacks are grouped into two primary types. With horizontal privilege escalation (or account takeover), an attacker gains privileged access to a standard user account with lower-level privileges. The intruder might steal an employee’s username and password, gaining access to email, files and any web applications or subnetworks to which that employee belongs. Having obtained this foothold, the attacker can move horizontally through the network, expanding their sphere of privileged access among similarly privileged accounts. Vertical privilege escalation (or privilege elevation) begins similarly, with an attacker using a foothold to try to escalate vertically, gaining access to accounts with higher privilege. For example, they might target accounts with administrator privileges or root access permissions, such as those of an IT helpdesk worker or a system administrator. A privileged account can then be used to invade other accounts.

Differences Between Vertical and Horizontal Privilege Escalation

In short, horizontal privilege escalation involves gaining access to accounts with privileges similar to the original account’s. By contrast, vertical privilege escalation involves gaining access to accounts with more privileges and permissions. An attacker might begin with a standard user account and use it to compromise higher-level accounts with admin privilege. The more privileges an account has, the more immediate damage a malicious actor can do. An IT helpdesk account can harm standard user accounts and can itself become a point of vertical escalation. Horizontal attacks are nevertheless also dangerous because the risk to a network escalates with the number of compromised accounts. Every point of vulnerability is an opening for attackers to delve deeper into the system, so both horizontal and vertical attacks must be addressed with speed.
More Types of Privilege Escalation Techniques

Cyberattackers are constantly developing new ways to break into accounts and compromise systems, but phishing remains predominant. Attackers design these deceptive messages, whether broad and scattershot or carefully targeted, to trick users into sharing credentials, downloading malware or exposing networks to unauthorized use. Other kinds of social engineering attacks include the following:
Adversaries may also use techniques that rely on technical means rather than on deception alone. Brute force attacks and credential dumping are the most common, but many others exist:
Both Windows servers and Linux operating systems are vulnerable to attacks. Windows privilege escalation often employs token manipulation, user account control (UAC) bypass or DLL (dynamic link library) hijacking. Common Linux privilege escalation attacks include enumeration, kernel exploits and abuse of sudo access to gain root privileges. The access provided by stolen credentials is so powerful that attackers are highly motivated to find new ways to escalate Linux privileges.

Privilege Escalation Prevention Strategies

Prevention requires constant, proactive vigilance. Any business with a network can fall victim, since every user presents some degree of vulnerability. This means your prevention strategy must be comprehensive and inclusive, enlisting every user in the system to help secure their shared cyberspace. Where prevention fails, detection measures must also be in place, along with ready plans of action that can be executed quickly to prevent the worst consequences.

2022 CrowdStrike Global Threat Report: Download the 2022 Global Threat Report to find out how security teams can better protect the people, processes, and technologies of a modern enterprise in an increasingly ominous threat landscape.

How to Detect a Privilege Escalation Attack

Detection of privilege elevation generally relies on pattern recognition, searching for outliers and identifying abnormal events. Unfortunately, detecting privilege escalation can be extremely difficult because it is so unpredictable. If a threat actor successfully enters the network at any point, they can maintain ongoing access. Once they have gained credentials of any kind, the system sees them as legitimate users. The average time to detect an attack is difficult to estimate because privilege escalation attacks may take weeks or even months.
The time between when an intruder initially steals a credential and when they achieve their goal is called “dwell time.” With a long dwell time, intruders can gather information, obtain credentials and further escalate privileges. By the time attackers are ready to achieve their goal, they have usually covered their tracks (e.g., deleting logs, masking IP addresses and so on). Luckily for their targets, cybercriminals do sometimes make mistakes, rendering themselves traceable or even falling into traps. But very few — not even half of one percent, according to a report from Third Way — are ever arrested. Organizations must be prepared not only to detect but to neutralize threats, and acting with all possible speed is paramount.

Examples of Privilege Escalation Attacks

Privilege escalation attacks commonly involve infecting a network or application with malware, a broad category that includes the following:
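The detection approach described above (pattern recognition and flagging abnormal events) and the dwell-time idea can be made concrete with a small log scanner. The following is an added example, not code from the article or from CrowdStrike: it reads constructed Linux auth-log lines, flags three of the indicators the article names (sudo to root by an account outside an assumed administrator allowlist, an account being added to a privileged group, and a brute-force pattern of repeated failed logins followed by a success), and then reports, per account, the span between its first and latest flagged event as a lower bound on dwell time. The allowlist, thresholds, log year and every log line are assumptions made for the example.

```python
"""Flag privilege-escalation indicators in syslog-style auth logs and estimate dwell time.

Added example with constructed data; the allowlist, thresholds and log lines are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of accounts expected to run sudo on this host (not from the article).
ADMIN_USERS = {"ops", "sysadmin"}
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin"}
BRUTE_FORCE_THRESHOLD = 3                  # failed logins from one source for one account ...
BRUTE_FORCE_WINDOW = timedelta(minutes=5)  # ... within this window, followed by a success
LOG_YEAR = 2024                            # syslog timestamps carry no year; assumed here

# Constructed sample log (hosts, users and addresses are fictitious).
SAMPLE_LOG = """\
Mar 03 08:02:11 web01 sshd[1201]: Accepted password for jdoe from 10.0.5.23 port 51022 ssh2
Mar 03 08:05:40 web01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash
Mar 03 08:06:02 web01 usermod[1310]: add 'jdoe' to group 'sudo'
Mar 03 08:30:15 web01 sudo:      ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/apt update
Mar 03 09:14:30 web01 sshd[1401]: Failed password for backup from 198.51.100.7 port 40010 ssh2
Mar 03 09:14:41 web01 sshd[1403]: Failed password for backup from 198.51.100.7 port 40011 ssh2
Mar 03 09:14:52 web01 sshd[1405]: Failed password for backup from 198.51.100.7 port 40012 ssh2
Mar 03 09:15:09 web01 sshd[1410]: Accepted password for backup from 198.51.100.7 port 40022 ssh2
Mar 05 17:30:00 web01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/db.tgz /var/lib/db
"""

TS_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
GROUP_RE = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
OK_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line):
    """Split one syslog-style line into timestamp, host and message; None if it does not parse."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "msg": m["rest"]}


def detect_escalation(lines):
    """Return findings as dicts with keys kind, user, ts, detail, in log order."""
    findings = []
    failures = defaultdict(list)  # (source address, account) -> timestamps of failed logins
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        msg, ts = ev["msg"], ev["ts"]
        if (m := SUDO_RE.search(msg)):
            # Root via sudo is normal for the allowlist; anyone else is an outlier worth a look.
            if m["target"] == "root" and m["user"] not in ADMIN_USERS:
                findings.append({"kind": "sudo_root_by_non_admin", "user": m["user"],
                                 "ts": ts, "detail": m["cmd"]})
        elif (m := GROUP_RE.search(msg)):
            # Membership in sudo/wheel/admin is a vertical escalation path.
            if m["group"] in PRIVILEGED_GROUPS:
                findings.append({"kind": "privileged_group_change", "user": m["user"],
                                 "ts": ts, "detail": m["group"]})
        elif (m := FAIL_RE.search(msg)):
            failures[(m["src"], m["user"])].append(ts)
        elif (m := OK_RE.search(msg)):
            key = (m["src"], m["user"])
            recent = [t for t in failures[key] if ts - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                findings.append({"kind": "brute_force_then_success", "user": m["user"],
                                 "ts": ts, "detail": f"{len(recent)} failures from {m['src']}"})
            failures[key].clear()
    return findings


def dwell_time(findings):
    """Per account, the span from its first to its latest flagged event (a lower bound on dwell time)."""
    first, last = {}, {}
    for f in findings:
        u = f["user"]
        first[u] = min(first.get(u, f["ts"]), f["ts"])
        last[u] = max(last.get(u, f["ts"]), f["ts"])
    return {u: last[u] - first[u] for u in first}


if __name__ == "__main__":
    found = detect_escalation(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['ts']:%b %d %H:%M:%S}  {f['kind']:<26} {f['user']:<8} {f['detail']}")
    for user, span in dwell_time(found).items():
        print(f"dwell lower bound for {user}: {span}")
```

On the sample, the scanner flags jdoe's first sudo to root, the addition of jdoe to the sudo group, the brute-forced login of backup, and jdoe's later archiving of a database directory, and reports a dwell lower bound of just over two days for jdoe. In production the allowlist would come from the directory or a configuration-management source rather than a constant, and the first flagged event is only a floor: the real dwell time starts at the credential theft, which these logs never record.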
Learn More: In November 2021, a privilege escalation vulnerability was discovered in Polkit, a Linux system component. CrowdStrike’s Falcon platform hunted for exploitation of the Polkit vulnerability to detect and prevent future attacks.

Importance of Preventing Privilege Escalation

Privilege escalation can be a step in virtually any cyberattack. Preventing it where it begins must be a top priority.

How Preventing Privilege Escalation Affects Application Security

Employees routinely need permission to access hundreds of applications, so organizations need secure identity management tools that reduce the need for multiple authentications. Single sign-on (SSO) services, such as Active Directory Federation Services (ADFS), allow people to use a single set of credentials across multiple internal and external systems. This saves time and stress, improving both efficiency and user experience by allowing seamless movement between applications. The downside is that attackers with a single set of credentials can also move seamlessly around a network. And the consequences of privilege escalation can be grave for users, customers and businesses — and even cloud security. First and foremost, attacks can be expensive, but beyond that, losing control of confidential information or critical systems can also affect a firm’s integrity and reputation. According to a 2021 study by IBM, the average cyberattack in the U.S. cost companies $9.05 million USD (roughly double the global average of $4.24 million USD). In 2017 Target agreed to pay $18.5 million USD following a high-profile cybersecurity breach. Attackers had exploited weaknesses in Target’s system by using credentials stolen from a third-party vendor. After gaining access to a customer service database, they installed malware to capture contact information, credit card numbers and other private data. Privilege escalation can also affect small organizations with insufficient budgets and cybersecurity measures. Educational institutions are frequent targets.
Illinois’s Lincoln College was forced to close in 2022 after a ransomware attack that halted critical operations when the college was already struggling. No one is immune to victimization by cyberattacks, not even national governments, so everyone must be on guard.

How to Protect Your Systems from Privilege Escalation

Cyberattacks are a global phenomenon. According to the World Economic Forum, “These risks cannot be addressed by organizations acting alone. Policy interventions are required that encourage collaboration and accountability on the part of both businesses and governments.” Nevertheless, everyone has a role to play in the cybersecurity ecosystem. A successful prevention strategy requires understanding common escalation techniques and having appropriate controls in place to thwart them.

Controls to Put in Place to Prevent Privilege Escalation Attacks

Mitigating the risks of credential theft requires layers of safeguards. Technical controls, such as encryption, firewalls, monitoring, antivirus and antimalware programs, address vulnerabilities in hardware and software. They also include security information and event management (SIEM) solutions to collect and analyze security events, plus intrusion detection and prevention systems that monitor and respond to suspicious events. Administrative controls, such as policies, procedures, training and best practices, focus on people and address social engineering techniques. Physical controls deter or prevent unauthorized physical access to sensitive material. These range from surveillance cameras and security guards to biometric IDs. Even a locked door can help guard against credential theft.

Techniques to Use to Protect against Privilege Escalation

Because so many breaches begin with phishing, social and cultural prevention techniques are essential. Network members are often the first point of attack and therefore also the first line of defense. Fear, however, is ineffective motivation.
Organizations must instead empower employees with training, reminders and a sense of shared responsibility. Good individual IT hygiene includes the following elements:
Systemwide hygiene is also crucial. Many institutions continue to rely on traditional security measures that today’s sophisticated attackers easily bypass. Solutions include the following:
Organizational vigilance must go further to minimize exposure — predicting, investigating, proactively hunting and quickly responding to threats:
Tools and Software to Protect Your Systems from Privilege Escalation

Protecting systems from privilege escalation requires tools and software with capabilities such as these:
Key features of these tools should include easy setup and configuration, scalability and inexpensive cloud storage. Because so many privilege escalation attacks are cloud-based, organizations need a cloud-native and cloud-scale system to stay ahead of cybercriminals. In addition to artificial intelligence and high-speed, smart-filtering technology, expert human analysts can proactively monitor environments and alert users to unusual activity. Internal security teams may need this supplementary assistance to fully protect their organizations from threats posed by privilege escalation attacks.

Stop Breaches and Drive Business

No organization wants to fall victim to privilege escalation, but most need help to stay ahead of today’s — and tomorrow’s — sophisticated adversaries. CrowdStrike has the experience, expertise and tools you need to strengthen organizational defenses and help keep your networks safe from would-be exploiters. Learn more about how CrowdStrike can help you win the race against cyberattacks so you can focus on what you do best.

Q: Which type of security attack occurs when the hacker finds a vulnerability within a particular software application and takes advantage of it?

A: An exploit is any attack that takes advantage of vulnerabilities in applications, networks, operating systems, or hardware. Exploits usually take the form of software or code that aims to take control of computers or steal network data.
Q: Which type of attack can be used to intercept and alter data that is sent between hosts?

A: A man-in-the-middle (MiTM) attack is a type of cyber attack in which the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other. The attack is a type of eavesdropping in which the attacker intercepts and then controls the entire conversation.

Q: What type of attack occurs when the threat actor snoops and intercepts digital data transmitted by the computer?

A: Network eavesdropping attacks, also known as network sniffing or network snooping attacks, occur when malicious actors take advantage of insecure network connections to exfiltrate data as it is being communicated.

Q: What are the compromised systems used to launch a DDoS attack called? (Choose all that apply.)

A: DDoS attacks use an army of zombie devices called a botnet. These botnets generally consist of compromised IoT devices, websites, and computers.