TechTarget.com/searchsecurity

https://www.techtarget.com/searchsecurity/tip/6-ways-to-prevent-privilege-escalation-attacks

6 ways to prevent privilege escalation attacks

By Michael Cobb

Software and OSes rely on privileges to limit user and device access to configuration settings, functions and data. Access privileges are, therefore, a vitally important security feature. They control the extent to which a user can interact with a system or application and its associated resources. They can range from simple privileges that allow only basic actions -- such as access to office applications -- to more wide-ranging administrator or root privileges that have potentially complete system control.

It should be no surprise, then, that privileges are a target for attackers. The goal of a privilege escalation attack is to obtain additional privileges for systems and applications within a network or online service.

Types of privilege escalation attacks

Privilege escalation attacks fall into two broad categories:

1. Horizontal privilege escalation. The attacker, after successfully gaining access to an existing user or device account, uses that passage to hack into another account. While this tactic doesn't necessarily result in the hacker obtaining additional privileges, it can cause harm to the new victim if the hacker harvests the target's personal data and other resources. Vulnerabilities in websites can enable cross-site scripting, cross-site request forgery and other types of attacks to capture another user's login credentials or authentication data and gain access to the account.
2. Vertical privilege escalation. This is usually the second phase of a multistage cyber attack. Attackers look to exploit system misconfigurations, vulnerabilities, weak passwords and inadequate access controls to gain administrative permissions through which they can continue to access other resources on the network. Once armed with more powerful privileges, attackers can install malware and ransomware, change system settings and steal data. They can even delete logs so their presence on the network goes unnoticed. This is the more dangerous category of escalation attack as the attacker may be able to take control of the entire network.

How privilege escalation attacks work

The following are common methods malicious hackers use to carry out privilege escalation attacks -- the first two methods are used in horizontal privilege escalation attacks, but depending on the ultimate goal of the attacker, the compromised accounts may be used to try and elevate privileges vertically.

• Social engineering. Social engineering attacks -- including phishing, watering hole and pharming -- are commonly used to trick users into divulging their account credentials. With these types of attacks, there is no need to mount a complex campaign to bypass a system's security defenses.
• Weak credentials. Weak, reused or shared passwords represent an easy way for an attacker to gain unauthorized access to an account. If the account has administrative privileges, the network is in immediate danger of being seriously compromised.
• System misconfigurations. Network resources where security settings have not been locked down can provide opportunities for attackers to obtain greater privileges than intended; for example, consider cloud storage buckets with public access. Incorrectly configured network defenses, such as firewalls and open and unprotected ports, as well as default passwords on important accounts and insecure defaults on newly installed applications -- both particularly common occurrences on IoT devices -- all open a path for an attacker to obtain additional privileges.
• Malware. Malware, such as keyloggers, memory scrapers and network sniffers, can steal passwords. Once introduced into the network and depending upon the privileges of the compromised account, the malware can trigger far more dangerous attacks.
• System vulnerabilities. Any publicly accessible vulnerability in the design, implementation or configuration of a system may give attackers the ability to obtain account privileges by executing malicious code to gain shell access.

6 ways to prevent a privilege escalation attack

Like any cyber attack, privilege escalation exploits vulnerabilities in services and applications running on a network, particularly those with weak access controls. Privilege escalation is a key phase in a comprehensive cyber attack. Security controls aimed at preventing these types of attacks have to be strong and maintained on a regular basis.

Here are six best practices to help ensure your network is protected.

1. Keep accounts up to date with comprehensive privilege account management

Enforcing the principle of least privilege to limit users' and services' access rights to the bare minimum reduces an attacker's chances of obtaining administrative-level privileges.

The security team and HR must work together to guard against unnecessary privilege creep and ensure the user account inventory accurately records who, what, where and why an account exists and the privileges it has been granted. Minimizing the number and scope of privileged accounts, while monitoring and logging their activities, also helps flag any potential misuse.

2. Patch and update software

Reducing the chances an attacker can find an exploitable vulnerability is the single best way to stop any type of cyber attack. A comprehensive patch management policy makes it harder for any attacker to take advantage of system and application vulnerabilities; in particular, keep browsers and antivirus software updated.

3. Perform vulnerability scans

Regularly scanning all the components in the IT infrastructure for vulnerabilities makes it tougher for an attacker to gain a foothold in the network. Vulnerability scans find misconfigurations, undocumented system changes, unpatched or insecure OSes and applications, and other flaws before potential attackers can exploit them.

4. Monitor network traffic and behavior

If an attacker does succeed in obtaining a network user's credentials, the intruder's presence can go undetected unless the network is constantly monitored for unusual traffic or user behavior. User and entity behavior analytics software can create a baseline of legitimate behavior and flag activities that deviate from the norm and indicate a potential compromise.

5. Institute a strong password policy

A password policy is the most effective way to prevent a horizontal privilege escalation attack, particularly if it's combined with multifactor authentication (MFA). Password management tools can help users generate and safely store unique and complex passwords that meet security policy rules. All accounts with administrative privileges should require MFA. Digital credentials used in machine authentication should be rotated on a regular basis.

6. Conduct security awareness training

People are usually the weakest link in any organization's security. They can unwittingly aid an escalation attack by using weak passwords, clicking malicious links or attachments, and ignoring warnings regarding dangerous websites. Regular security awareness trainings ensure new threats can be explained, as well as keep security policies fresh in employees' minds. Emphasize the dangers and risks of sharing accounts and credentials.

Privilege escalation attacks are among the most serious. A well-rehearsed incident plan is critical. If a privilege escalation incident is discovered, the compromised account must be quickly isolated, have its password changed and then disabled. The security team must then conduct an in-depth investigation to discover the extent of the intrusion and identify the resources compromised.