Privilege escalation is a method that threat actors use to increase their access to systems and data that they aren’t authorized to see. Often, they start their journey by stealing an initial set of credentials or somehow spoofing the application or network so they don’t have to use a password at all. Then they move forward or upward, elevating their privileges so they can access more sensitive information.
At times, a threat actor can be a malicious individual within the organization, which makes it easier for them to escalate their already existing privileges. This guide to privilege escalation attacks covers the two main types, the avenues attackers use, and detection and prevention methods.
Table of Contents
Featured Partners: Cybersecurity Software
How the Two Types of Privilege Escalation Work
The main two forms of privilege escalation are vertical and horizontal. Both require threat actors to steal credentials or perform some other kind of attack to gain access to the privileged account.
Vertical Privilege Escalation
Vertical privilege escalation involves a threat actor traveling from a lower-level account to a higher-level account. For example, the threat actor might escalate from a junior sales account with view permissions to the administrator account for the customer relationship management (CRM) platform.
Horizontal Privilege Escalation
Horizontal privilege escalation involves traveling between similar permission levels to log into a different or unauthorized account. While the threat actor may have gained access to an account with the same permission level, they may move to another account for which they aren’t authorized.
For example, an employee at a company may be a malicious insider, with plans to steal company information. If they have access to a project management admin account but not the IT admin account, they may steal their colleague’s credentials to log into the IT account and steal the data.
7 Ways Threat Actors Gain Access
The following attack vectors vary in their ease of exploitation, but all of them reveal weaknesses in enterprise IT systems and the talent of advanced threat actors.
Stealing Credentials
Whether they’re openly available, such as exposed through plaintext, or not, threat actors often rely on stealing credentials to escalate their privileges. This can be done through a variety of attacks, such as spear phishing, and may require the attacker to steal multiple sets of credentials before they reach the information they need.
Vulnerabilities in Software
Unpatched vulnerabilities, especially zero-days that threat actors know about, are a way they can access your company’s networks, computer systems, and potentially privileged accounts. Known backdoors are a threat; some allow attackers to enter the system without an obviously intrusive threat signature.
Process Injection
When threat actors inject malicious code into a standard computing process while it runs, they disguise the malware. It’s harder to detect malicious code from legitimate code when it’s obscured by a legitimate process. This makes it easier for malware to go undetected for longer.
Sticky Key Attacks
Windows programs have accessibility features that don’t require a complete login, but rather a set of keystrokes. If an attacker uses the keystrokes to bypass the login, they may be able to access the computer system without knowing the actual login credentials. This is often called a sticky key attack.
Credential Stuffing
In a credential stuffing attack, a threat actor will attempt multiple commonly-used and known passwords, usernames, or both to see if they work. Computer systems and networks that use default or factory credentials for servers and applications are more susceptible to this kind of attack.
Phishing
Phishing attacks often involve sending emails, disguised as legitimate messages, to company employees in the hope that the employee will click a malicious link or file in the email. These files can download malware onto a device or take the employee to a spoofed login page, where they may enter their credentials and have them stolen. The attackers can then use these credentials to begin the privilege escalation process, depending on the credentials’ permissions levels.
Lateral Movement
Threat actors can use lateral movement to accomplish many attacks. Lateral movement is the progression of a threat actor through a network or computer system, as they try to steal permissions and navigate to sensitive information.
Real Privilege Escalation Examples
Aside from lone attackers, multiple known threat actor groups have been identified using the following privilege escalation attacks: Turla, Whitefly, LAPSUS$, and Carberp.
Turla
According to MITRE, Russian threat actor group Turla used vulnerabilities in the VBoxDrv.sys driver to gain privileges in the kernel mode.
Whitefly
Cyberattack group Whitefly used open-source software to exploit an already-known privilege escalation weakness within Windows machines. The machines’ systems hadn’t been patched when Whitefly attacked them.
LAPSUS$
LAPSUS$ used unpatched vulnerabilities on servers to escalate privileges. The affected servers included JIRA, GitLab, and Confluence, which were all internally acceptable.
Carberp
Carberp, a Trojan designed for stealing credentials, has exploited multiple Windows vulnerabilities, including CVE-2010-3338 and CVE-2008-1084, to escalate privileges. It also used a .NET Runtime Optimization vulnerability to escalate privileges.
4 Best Practices to Prevent Privilege Escalation Attacks
Segmenting your business’s network, granting team members dynamic access to applications, updating passwords, and consistently training employees will reduce the impact of tactics like privilege escalation.
Implement Network Segmentation and Microsegmentation
Instead of granting full access to everyone who makes it through the network perimeter, segment your networks and computer systems to halt lateral movement and make it more challenging to hack accounts.
- Network segmentation requires authorization to enter each subnetwork.
- Microsegmentation requires authorization to enter each application on the network or within the computer system.
Both are helpful tools to mitigate the effects of lateral movement. There’s only so far an attacker can move unless they steal credentials, but even if they do obtain some credentials, their ability to move between all applications will be reduced.
Implement Dynamic Application Access
Also known as just-in-time access, dynamic access only allows users to enter their accounts during certain timeframes. IT or security admins give or remove access to the account on a need-to-access basis. This automatically reduces the window of time in which a threat actor could access a privileged account even if they’ve already stolen the credentials.
Update Passwords Regularly
While changing passwords takes time, it’s a long-term investment that will reduce your business’s overall attack surface. Some passwords, especially on hardware like servers, have default or factory passwords that never get changed when they’re installed; these are some of the easiest for threat actors to guess. But stronger passwords should be cycled out, too. Some applications, like Google Workspace, can be configured to require a new password after a certain period of time.
Train Your Employees
This might be the most important protective method at all. All the security strategies in the world are still weakened by employees who click vulnerable links in emails or don’t catch spoofed websites. These weaknesses aren’t automatically their fault — but they must be trained to be experts at catching malicious attempts. Creating a company culture that prioritizes open discussion about cybersecurity is important here.
What to Do During an Attack
If you’re actively being affected by a privilege escalation attack, or suspect that you might be, take the following steps, including notifying your team, changing key credentials, disabling accounts, and checking for malware. Even if it’s a false alarm, practicing this process is still a good procedure to ensure your team is prepared for a real attack.
Notify All Relevant Team Members
All IT and security administrators should immediately be alerted about the attack, even if it’s just a suspected breach or a notification from your company networking monitoring or endpoint detection platform. Even a suspicion should be reported — privilege escalation can result in major damage to the company.
Change Any Compromised Credentials
If you’re able to identify which account has been compromised, immediately change the credentials to that account. This might just be the password, or it could be both the password and username.
Shut Down Accounts
You may need to go farther than changing credentials and actually disable the affected application instance. While this may not mean shutting down the entire application, it could require shutting down an administrator account for a period of time. The threat actor is then unable to perform administrative actions.
Scan for Malware
A threat actor may have downloaded malware in multiple locations within the computer system. It may still be running in certain programs, giving them continued access to the system even if the account they’ve compromised is now shut down. You’ll want to look for any further traces of the attacker in your network.
Bottom Line: Privilege Escalation Attacks
Fending off privilege escalation attempts requires IT teams to be very clever and very aware of their networks, systems, and applications. All backdoors should be accounted for and patched; all passwords should be strengthened and regularly updated.
While these measures aren’t always enough to prevent attacks, they’ll go a long way in reducing the easy inroads that threat actors currently have. Making attackers’ jobs more difficult doesn’t eliminate privilege escalation attacks, but it sets a baseline for IT and security teams and prepares them to take more advanced strides to preventing breaches. Don’t forget to communicate heavily with not only your direct teams, but also the entire company — they should know the risks they face, and should assist IT and security departments by recognizing and avoiding phishing attempts.
Is your business working to protect privileged accounts and sensitive data? Read about privileged access management software next.
