Organizations need to prevent privilege escalation attacks to protect their sensitive data from unauthorized access. To prevent privilege escalation attacks, organizations should implement least privilege access, follow password security best practices, enforce Multi-Factor Authentication (MFA), keep software up to date, monitor network traffic and regularly run penetration tests.
Continue reading to learn more about privilege escalation, how it works, the types of privilege escalation attacks and how organizations can prevent them.
What is privilege escalation and how does it work?
Privilege escalation is a type of cyber attack in which threat actors try to expand their levels of privileges within an organization’s systems, applications and network. With privilege escalation, cybercriminals can access an organization’s sensitive data and systems, allowing them to manipulate data, steal confidential information, disrupt operations, commit fraud, extort the organization and leak the data to the public or dark web.
Privilege escalation occurs due to poor Privileged Access Management (PAM). After gaining initial access, cybercriminals will identify and exploit mismanaged privileges, security vulnerabilities, misconfigurations, human error and flaws within an organization’s systems to expand their privileges and gain further unauthorized access. They will either try to broaden their sphere of access to accounts with similar privileges or elevate their privileges by obtaining higher-level access to administrator accounts.
How to prevent privilege escalation attacks
Privilege escalation can be difficult to detect and can allow cybercriminals to steal sensitive data and disrupt an organization’s operations. To prevent privilege escalation attacks, organizations should practice the following.
1. Implement least privilege access
The Principle of Least Privilege (PoLP) is a cybersecurity concept that gives users just enough network access to the information and systems needed to do their jobs and no more. It prevents users from accessing resources they do not need and limits what they can do with the resources they can access. Least privilege access helps mitigate the effects of data breaches by reducing an organization’s attack surface, minimizing insider threats and preventing lateral movement by threat actors.
The best way to implement least privilege access is by using a privileged access manager. A privileged access manager is a centralized platform that enables organizations to secure and manage privileged accounts. With a privileged access manager, organizations have full visibility into their entire data infrastructure. They can see who is accessing sensitive resources and how the resources are being used. A privileged access manager allows organizations to monitor privileged sessions, determine the privileges for accounts, enforce just-in-time access and regularly audit privileges.
2. Follow password security best practices
To protect privileged accounts from unauthorized access by cybercriminals, organizations need to follow password security best practices. Cybercriminals will try to escalate their privileges by executing password attacks to guess weak and reused passwords. Organizations need to use strong and unique passwords to secure privileged accounts. Strong and unique passwords are both long and complex, making it difficult for cybercriminals to crack them and compromise privileged accounts.
To ensure privileged accounts are protected with strong and unique passwords, organizations should invest in a password manager. An enterprise password manager is a tool that securely stores and manages employee passwords in an encrypted digital vault. The vault is protected by multiple layers of encryption and can only be accessed with a strong master password. A password manager allows administrators to view employee password practices and enforce the use of strong passwords. Many privileged access managers also include password management capabilities that allow organizations to easily manage the security of privileged accounts.
3. Enforce the use of MFA
Multi-Factor Authentication (MFA) is an authentication method that requires users to provide additional forms of verification to gain access to an organization’s network. When MFA is enabled, users must provide at least two different forms of authentication.
Organizations need to enforce MFA to add an extra layer of security for privileged accounts by ensuring access is authorized. Even if the login credentials for a privileged account were compromised, cybercriminals still could not access the account because they could not provide the additional authentication required.
4. Keep your organization’s software up to date
Cybercriminals will often exploit the security vulnerabilities of outdated software. Organizations need to regularly keep their software up to date to patch any bugs and flaws, and add security features that provide better protection. Regularly updating your software will help prevent cybercriminals from exploiting security vulnerabilities, gaining initial access to an organization’s network and then elevating their privileges.
5. Monitor network traffic
To help identify privilege escalation attacks, organizations need to monitor their network traffic for unusual activity and suspicious user behavior. By monitoring network traffic, organizations can quickly identify privilege escalation and take action to remedy it. Privileged access managers allow organizations to view who is accessing their network and monitor privileged sessions. To further improve network security, organizations should segment their networks so that traffic is easier to monitor and manage.
6. Regularly run penetration tests
A penetration test, or pen test, is a security exercise that simulates a cyber attack on an organization’s systems. It helps evaluate the strength of an organization’s security and identify any security vulnerabilities that cybercriminals could exploit. Organizations should regularly run penetration tests to help improve their security by identifying vulnerabilities and developing solutions to remedy them. This will help find and remove potential pathways for privilege escalation.
Techniques used in privilege escalation attacks
Privilege escalation is separated into two categories: horizontal and vertical privilege escalation. Both techniques try to gain unauthorized access to an organization’s resources but differ in the level of privileges they try to obtain and how they go about doing so.
Horizontal privilege escalation
Horizontal privilege escalation occurs when a cybercriminal tries to obtain access to resources and capabilities with similar privileges to the account they initially compromised. The goal of horizontal privilege escalation is to access another user’s data, resources and functionalities without elevating their privilege levels. Cybercriminals can use horizontal privilege escalation to steal data from a targeted user or access other areas of the network.
Common attack vectors used in horizontal privilege escalation include:
- Password attack: A category of cyber attack that tries to gain access to an account by guessing its password. Cybercriminals often use different types of password attacks such as brute force, keyloggers, password spraying and dictionary attacks.
- Session hijacking: A type of Man-in-the-Middle (MITM) attack in which cybercriminals steal browser cookies to take over the victim’s session. When a session is hijacked, cybercriminals can use the session to access the victim’s resources.
- Pass-the-hash: A type of cyber attack in which cybercriminals steal a hashed password and use the hash itself to authenticate, bypassing the need to know the plaintext password. This allows cybercriminals to move laterally across a network to gain access to other privileged accounts.
Vertical privilege escalation
In vertical privilege escalation, cybercriminals try to increase their privileges beyond what the compromised user, application or system already has, elevating from low-level access to high-level access, such as moving from a standard user account to a privileged administrator account. The goal of vertical privilege escalation is to gain high-level control over the network. Once cybercriminals have control over the network, they can access restricted resources and perform administrative actions such as modifying configurations, installing malicious software and creating new user accounts.
Common attack vectors used in vertical privilege escalation include:
- Social engineering: A type of psychological manipulation used by threat actors to get people to reveal private information. A common form of social engineering includes phishing. Phishing happens when cybercriminals trick people into revealing information by impersonating someone the victim knows.
- Misconfigurations: Errors and gaps in the configuration of networks and systems. Systems that require manual configuration often end up with vulnerable settings and inconsistent security controls if they are not configured properly. Cybercriminals look for these misconfigurations to exploit and elevate their privileges.
- Outdated software: Vulnerabilities in outdated software that cybercriminals exploit to gain unauthorized access. Most software regularly receives updates that patch the bugs and flaws cybercriminals exploit; running outdated software leaves those flaws open, allowing cybercriminals to gain unauthorized access and elevate their privileges.
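Pulling together the monitoring recommendation in section 5 and the two categories above, here is a small added example (not code from the original post or from Keeper) that scans constructed Linux auth-log events for both kinds of indicator: vertical (an account outside a hypothetical admin allow-list running sudo, or being added to an administrative group) and horizontal (one account authenticating to several hosts within the window, the lateral-movement pattern noted under pass-the-hash). The log lines, the APPROVED_ADMINS allow-list and the host threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events in Linux auth.log style (not captured from a real system).
SAMPLE_LOG = """\
Mar 10 09:01:12 web01 sshd[2201]: Accepted publickey for jdoe from 10.0.5.21 port 50122 ssh2
Mar 10 09:02:40 web01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 10 09:03:05 web01 usermod[2290]: add 'jdoe' to group 'sudo'
Mar 10 09:05:11 db01 sshd[3110]: Accepted password for svc_backup from 10.0.5.21 port 50130 ssh2
Mar 10 09:05:12 db02 sshd[3111]: Accepted password for svc_backup from 10.0.5.21 port 50131 ssh2
Mar 10 09:05:13 app01 sshd[3112]: Accepted password for svc_backup from 10.0.5.21 port 50132 ssh2
Mar 10 09:05:14 app02 sshd[3113]: Accepted password for svc_backup from 10.0.5.21 port 50133 ssh2
Mar 10 09:10:00 web01 sudo:     alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

APPROVED_ADMINS = {"alice"}            # hypothetical allow-list of approved privileged users
ADMIN_GROUPS = {"sudo", "wheel", "admin"}
LATERAL_HOST_THRESHOLD = 3             # distinct hosts per account before we alert

SYSLOG_PREFIX = r"^\S+ \d+ \S+ (?P<host>\S+) "   # matches "Mar 10 09:01:12 web01 "
SUDO_RE = re.compile(SYSLOG_PREFIX + r"sudo:\s+(?P<user>\S+) :.*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
GROUP_RE = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")
LOGIN_RE = re.compile(SYSLOG_PREFIX + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

def detect_escalation(log_text):
    """Return (category, user, detail) findings; category is 'vertical' or 'horizontal'."""
    findings = []
    hosts_by_user = defaultdict(set)
    for line in log_text.splitlines():
        if m := SUDO_RE.match(line):
            # Vertical: an account outside the allow-list is running commands as root.
            if m["user"] not in APPROVED_ADMINS:
                findings.append(("vertical", m["user"], f"sudo to {m['target']} on {m['host']}: {m['cmd']}"))
        elif m := GROUP_RE.search(line):
            # Vertical: an account gains membership in an administrative group.
            if m["group"] in ADMIN_GROUPS:
                findings.append(("vertical", m["user"], f"added to admin group {m['group']}"))
        elif m := LOGIN_RE.match(line):
            hosts_by_user[m["user"]].add(m["host"])
    # Horizontal: one account authenticating to many hosts in the window suggests lateral movement.
    for user, hosts in hosts_by_user.items():
        if len(hosts) >= LATERAL_HOST_THRESHOLD:
            findings.append(("horizontal", user, f"logins to {len(hosts)} hosts: {', '.join(sorted(hosts))}"))
    return findings

if __name__ == "__main__":
    for category, user, detail in detect_escalation(SAMPLE_LOG):
        print(f"[{category}] {user}: {detail}")
```

On the sample above the approved admin alice produces no finding, while jdoe triggers two vertical findings and svc_backup one horizontal finding; in practice the allow-list and thresholds would come from the organization's PAM or identity source rather than constants.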
Use Keeper® to prevent privilege escalation attacks
The best way to prevent privilege escalation attacks is with a privileged access manager. A privileged access manager helps organizations implement least privilege access, enable full visibility into their entire data infrastructure and control access to their network.
KeeperPAM™ is a zero-trust and zero-knowledge privileged access management solution that combines Keeper Enterprise Password Manager (EPM), Keeper Secrets Manager® (KSM) and Keeper Connection Manager® (KCM). With KeeperPAM, organizations can secure passwords, credentials, secrets, privileges and remote access – all in one platform. KeeperPAM enables organizations to have complete visibility, security and control over every privileged user and device on their network.