Privilege escalation is the process of gaining higher levels of permissions within a system, network, or application. This can be achieved by exploiting vulnerabilities to bypass security measures that prevent the user from accessing certain types of information.
Privilege escalation does not always need to be unauthorized, and in some cases, it can be used to help carry out official tasks within the company. An example of authorized privilege escalation would be when an administrator grants temporary elevated access to a user account so that they can perform a specific task outside of their normal role.
This article covers why privilege escalation matters, the vulnerabilities that enable it, and how to detect and prevent it using the principle of least privilege.
Why do Attackers choose Privilege Escalation?
Privilege escalation is an effective method for gaining higher control of access within systems. Without privilege escalation, attackers would likely be considered common users who have limited access and a limited range of capabilities to carry out their attacks. To be successful, attackers would likely need to elevate their role to gain more control over the system.
Horizontal vs. Vertical Privilege Escalation
Escalating privileges is not necessarily a linear path, as the attacker may have to take on multiple personas before they can gain enough access to sensitive data and continue their attack. This non-linear path signifies different types of escalations which we’ll cover below.
Horizontal privilege escalation is where the attacker is moving laterally from one user to another with the same (or a similar) role, meaning there is no “net gain” in their escalation.
You may be wondering why anyone would even bother with horizontal escalations if there is no net gain. Well, this is useful for several reasons:
- You can think of it as the attacker probing the system to see what’s available (which in essence widens their options for exploitation).
- Lateral movements may be required to eventually find the right user with the right role to execute the planned attack.
On the other hand, vertical privilege escalation is where the attacker gains access to an elevated role (such as root). If an attacker gains root access to your systems, this is called being “pwned,” which is slang for someone taking ownership of your systems. Once this occurs, it’s assumed that your data has been compromised and you no longer have exclusive control of what can be secured.
How Privilege Escalation works
Privilege escalation is one of many techniques which can be used to launch an attack against computer systems to escalate access and carry out malicious activities. This method of attack can be carried out in several ways, such as exploiting vulnerabilities in software or tricking users with authorized access. Once a low-level user gains elevated access, they can access sensitive data or install software to help advance their overall attack.
Tools and techniques used in Privilege Escalation
To gain visibility, your company needs a good logging platform to ingest data from your systems and log user actions. Once user actions are visible, it’s then possible to create rules to help understand normal user activity and alert on anomalous behavior that may be deemed a threat.
However, tools can’t do it all on their own. That’s why it’s important to have an experienced security team who can define the rules used by those tools and separate the noise from the real threats. Other techniques include analyzing network traffic, using an intrusion detection system, conducting vulnerability scans, and continuously reviewing access control policies.
Vulnerabilities that can lead to Privilege Escalation
What Is a Privilege Escalation vulnerability?
A privilege escalation vulnerability is a security flaw that allows an attacker to exploit and gain unauthorized access to a system. These vulnerabilities come in many forms, but the most common lie within the operating system or the application.
Operating System vulnerabilities
Running an outdated operating system is risky because the release notes of newer versions list the vulnerabilities they fix as known issues. This practice makes the vulnerabilities publicly known, which means that attackers can leverage this information to access your systems if they’re not updated in time.
Application vulnerabilities are slightly different. In this case, the attacker must first have knowledge of the types of applications that your company is running to see if there are any vulnerabilities they can exploit. In addition, an application vulnerability should only affect the specific application that contains the flaw, whereas an OS vulnerability can affect the entire operating system (and therefore compromise all of the applications and data running on it).
Misconfigurations in policies are commonly used in privilege escalation. This includes inadvertently granting too much access to a particular role, which allows users with that role to do more than what was intended.
Detecting and Preventing Privilege Escalation
While it’s not possible to completely eliminate cyber attackers who try to use privilege escalation to exploit your systems, it’s possible to slow them down or limit the blast radius of their damage.
Identifying the Signs of an Attempted Escalation
Logging and monitoring access would be the best way to detect escalation attacks. It may be difficult to do this at scale, however, as more users may have legitimate reasons to escalate their role. Still, having a good logging system to monitor user activity and creating rules to identify anomalies that could point to threats will help catch this quickly. In addition, identifying unusual network traffic or an unusually high number of access attempts to or from certain accounts are more red flags.
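The two passages above (the logging platform with rules that alert on anomalous behaviour, and the red flags of unusual escalation activity and repeated access attempts against an account) describe detection in the abstract. The script below is an added example, not part of the original article: it runs simple rules over a handful of constructed Linux auth-log lines and flags sudo use by an account outside an assumed admin allow-list, denied sudo attempts, and accounts that accumulate failed escalation or login attempts above an assumed threshold. The log lines, the admin list and the threshold are all assumptions for the example.

```python
"""Flag privilege-escalation indicators in Linux auth-log lines.

Added example: the log lines below are constructed in the style of
/var/log/auth.log, and ADMIN_ACCOUNTS / FAILED_ATTEMPT_THRESHOLD are
assumptions chosen for illustration.
"""
import re
from collections import Counter

# Accounts expected to use sudo/su for their job (assumption for the example).
ADMIN_ACCOUNTS = {"alice"}
# Failed escalation/login attempts per account that trigger an alert (assumption).
FAILED_ATTEMPT_THRESHOLD = 3

# Constructed sample lines; not taken from any real system.
SAMPLE_LOG = """\
Mar  4 10:01:12 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  4 10:02:45 web01 su: FAILED SU (to root) bob on pts/1
Mar  4 10:02:50 web01 su: FAILED SU (to root) bob on pts/1
Mar  4 10:02:58 web01 su: FAILED SU (to root) bob on pts/1
Mar  4 10:03:10 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  4 10:05:30 web01 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
Mar  4 10:06:00 web01 sshd[2311]: Failed password for bob from 10.0.0.7 port 50122 ssh2
"""

# Patterns for the event types this example understands.
SUDO_DENIED = re.compile(r"sudo:\s+(?P<user>\S+) : user NOT in sudoers")
SUDO_OK = re.compile(r"sudo:\s+(?P<user>\S+) : TTY=.*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SU_FAILED = re.compile(r"FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+) on")
SSH_FAILED = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from")


def analyze(log_text, admins=ADMIN_ACCOUNTS, threshold=FAILED_ATTEMPT_THRESHOLD):
    """Return a list of alert dicts describing escalation indicators in log_text."""
    alerts = []
    failures = Counter()  # failed escalation/login attempts per account

    for line in log_text.splitlines():
        # Check the denial first: a denied sudo line also contains "TTY=" and
        # "USER=" and must not be mistaken for a successful sudo.
        if (m := SUDO_DENIED.search(line)):
            failures[m["user"]] += 1
            alerts.append({"kind": "sudo_denied", "user": m["user"], "line": line})
        elif (m := SUDO_OK.search(line)):
            # Successful sudo by an account that is not expected to elevate.
            if m["user"] not in admins:
                alerts.append({
                    "kind": "unauthorized_sudo",
                    "user": m["user"],
                    "target": m["target"],
                    "command": m["cmd"],
                    "line": line,
                })
        elif (m := SU_FAILED.search(line)):
            failures[m["user"]] += 1
        elif (m := SSH_FAILED.search(line)):
            failures[m["user"]] += 1

    # Accounts with an unusually high number of failed attempts.
    for user, count in failures.items():
        if count >= threshold:
            alerts.append({"kind": "repeated_failures", "user": user, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["kind"], alert["user"], alert.get("command", alert.get("count", "")))
```

In a real deployment the allow-list would come from the identity system rather than a constant, and the rules would be expressed in the logging platform's own query language; the point here is that each rule encodes an expectation about normal activity (who may elevate, how often attempts fail) so that deviations surface as alerts for the security team to triage.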
Implementing Least Privilege
The principle of least privilege is a security best practice that gives users the minimum amount of privileges necessary for them to perform their work. This is effective because there’s a limited amount of damage they can do if they decide to go rogue against the company.
Implementing least privilege is not easy, and it takes a lot of continuous effort. To implement it properly, it’s important to understand what types of work users are doing in the environment and to craft roles based on their needs, then assign roles to a subset of users. Once those roles are assigned, you’ll also need to provide a level of support or governance, as certain users may need more access to do their jobs. Continuously evolving those policies, regularly reviewing and updating user permissions, and limiting admin access are also required for this to be successful.
Best Practices for Preventing Privilege Escalation
Preventing privilege escalation can be done in several ways, including:
- Educating users about how attacks are carried out (which can reduce the frequency of attacks).
- Requiring strong password policies to prevent easy access to elevated accounts.
- Updating software regularly to limit the vulnerabilities that attackers can exploit.
- Implementing access control processes that limit user privileges to the lowest levels needed to perform their work.
Real-World Examples of Privilege Escalation
IAM security misconfigurations are a great example of how one bad decision can allow attackers to escalate their privilege and wreak havoc in your systems. As the Exploiting IAM Security Misconfigurations blog points out, the fine granularity of permissions helps implement least privilege in the exact way a user needs to perform their work, but a single misconfigured permission combined with their existing permissions can allow a user to perform an unwanted action. This is why even a little misconfiguration might be a big deal for the entire account.
For example, you might have an employee who used to work in the cyber security department and consequently had wide open permissions to all user activity within the company in order to conduct investigations. That employee decided to take on a new position working with cloud infrastructure but retained the user role they had as a member of the cyber security team. Even though the employee was once authorized to have that role, they no longer need the role (or its permissions) to perform their current job duties. This is a classic example of failing to follow the principle of least privilege.
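The "Implementing Least Privilege" section above describes crafting roles from what users actually need and then regularly reviewing assignments, and the example just given shows what goes wrong when a role from a previous job is retained. The script below is an added example, not code from the article or from any product it mentions: it models a small set of job functions, roles and users (all constructed for illustration) and reviews each user for permissions beyond what their job requires, permissions their job needs but no role grants, and stale roles that contribute nothing to their current job. Wildcard permissions such as `compute:*` are an assumed notation here and are always reported as excess, since they grant more than any exact need.

```python
"""Review role assignments against the principle of least privilege.

Added example; the job functions, roles, permissions and users below are
constructed for illustration and are not from the article.
"""
from dataclasses import dataclass

# Permissions each job function actually needs (assumption for the example).
JOB_NEEDS = {
    "security": {"audit:ReadLogs", "audit:ReadUserActivity"},
    "cloud-infra": {"compute:Start", "compute:Stop", "storage:Read"},
}

# Roles as configured, each granting a set of permissions (constructed).
ROLES = {
    "security-investigator": {"audit:ReadLogs", "audit:ReadUserActivity", "iam:ListUsers"},
    "infra-operator": {"compute:Start", "compute:Stop", "storage:Read"},
    "infra-admin": {"compute:*", "storage:*", "iam:*"},
}


@dataclass
class User:
    name: str
    job: str
    roles: list


# Constructed users. "dana" moved from security to cloud-infra but kept the old role.
USERS = [
    User("dana", "cloud-infra", ["infra-operator", "security-investigator"]),
    User("eli", "security", ["security-investigator"]),
    User("fay", "cloud-infra", ["infra-admin"]),
]


def permission_covers(granted, needed):
    """True if a granted permission satisfies a needed one.

    'compute:*' covers 'compute:Start'; exact strings cover themselves.
    """
    if granted == needed:
        return True
    if granted.endswith(":*"):
        return needed.split(":")[0] == granted[:-2]
    return False


def effective_permissions(user, roles=ROLES):
    """Union of the permissions granted by all of the user's roles."""
    perms = set()
    for role in user.roles:
        perms |= roles[role]
    return perms


def review_user(user, job_needs=JOB_NEEDS, roles=ROLES):
    """Compare what the user holds with what the job needs."""
    needed = job_needs[user.job]
    granted = effective_permissions(user, roles)

    # Excess: anything not exactly needed. Wildcards never match exactly, so
    # broad grants are always reported even when they cover a need.
    excess = granted - needed
    # Missing: needs that no granted permission (including wildcards) covers.
    missing = {n for n in needed if not any(permission_covers(g, n) for g in granted)}
    # Stale roles: roles whose permissions cover none of the job's needs.
    stale_roles = [
        r for r in user.roles
        if not any(permission_covers(g, n) for g in roles[r] for n in needed)
    ]
    return {"excess": excess, "missing": missing, "stale_roles": stale_roles}


def review_users(users=USERS, job_needs=JOB_NEEDS, roles=ROLES):
    """Run the review for every user, keyed by user name."""
    return {u.name: review_user(u, job_needs, roles) for u in users}


if __name__ == "__main__":
    for name, finding in review_users().items():
        print(name, finding)
```

Running the review periodically, rather than once at onboarding, is what turns least privilege into the continuous process the article describes: the stale-role finding is exactly the retained security role in the example above, and the excess finding on the wildcard role shows why a broad "admin" role should be replaced with one scoped to the job.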
Privilege escalation is a major security risk that can lead to significant consequences for companies. This isn’t just an attack method used by bad actors; it’s also something that can be done without bad intentions. Either way, it can have a big impact on the company. To mitigate this risk, it’s important to follow best practices such as regularly updating systems, monitoring user activity, following the principle of least privilege, and continuously assessing the capabilities of user roles and reducing the level of access needed within those roles.