In the realm of cybersecurity, understanding how unauthorized access can compromise sensitive systems is critical—this is where the concept of privilege escalation comes into play.
In this article, we will look at what privilege escalation is, how it exploits vulnerabilities and best practices for protecting your organization against privilege escalation.
Privilege escalation refers to the exploit designed to elevate the access privileges of a user account. These accounts operate at different hierarchical levels and are authorized to access business resources, data and systems in accordance with their job requirements. Privileged access is granted to a user or system to perform critical job functions such as:
This practice follows the Principle of Least Privilege, which states that a user should only be granted access for the bare minimum resources they need to fulfill their job tasks. This is important because a user with elevated access rights can potentially access sensitive data or modify the behavior of a system against the policy of their organization. For example, a rogue employee with elevated access rights can leak sensitive business information to a competitor.
Privilege escalation exploits vulnerabilities within a system or takes advantage of the human element to elevate access rights. Organizations often use simple login credentials for low-level accounts that are easy to guess or crack. In fact, the most common passwords are ‘123456’, ‘qwerty’, ‘password’. These accounts are also not adequately monitored and managed.
In other cases, malicious actors may rely on social engineering and spear phishing to compromise the accounts of unsuspecting users. Threat actors rely on these practices to trick users into installing malware into their systems. According to research, over 50 percent of insider attacks rely on privilege escalation. The malware executes on the network and exploits a network or system level vulnerability to elevate the access rights of a compromised user. A compromised user account may gain elevated access rights to the admin level, root level or even the OS kernel level.
(Related reading: vulnerability types)
A privilege escalation attack may elevate the access rights of a user account vertically, to gain higher access privileges, or horizontally, to gain access rights like other accounts at the same hierarchical level.
Assigns higher access privileges to a user account. In other words, the compromised account moves up in the permissions ladder.
Common techniques used for vertical privilege escalation include:
Acquires access rights across other user accounts in the same hierarchical level. These accounts have similar access rights and allow threat actors to move laterally within the organization with more compromised accounts to execute on their malicious intent.
Common techniques used for horizontal privilege escalation include:
So how can you protect your organization against privilege escalation? The following best practices can help reduce the risk of privilege escalation attacks:
Avoid using simple passwords. Use multi-factor authentication for all user accounts. Review configuration updates and how they change access rights and interactions for user accounts.
(Related reading: configuration management)
Provide the bare minimum access rights for every user necessary to complete their job tasks. Establish measures that identify and track how user privileges change over time.
A parameterless security model that assumes risk for all computing processes and design choices. The concept is simple: never trust, always verify. The notion of a security perimeter with a VPN connection does not apply and all user accounts are continuously monitored for unauthorized or malicious activities. Extend the Zero Trust model to your IT architecture, network and applications deployed within your IT environment.
Understand how your systems and applications behave. How does this behavior deviate from a known reference? Discover how IT assets communicate with sensitive data workloads. Take a comprehensive view of your IT network and use the available contextual knowledge to identify anomalous behavior. Use network log analysis for anomaly detection in real-time.
(Related reading: monitoring vs observability)
Considering the scale and complexity of enterprise IT networks, rely on data-driven strategies for intrusion and anomaly detection. Identify user and access patterns and identify changes in these patterns for proactive intrusion detection.
Encourage users to act vigilant against social engineering and spear phishing attempts. Control how users can download software to their systems.
From the developer perspective, technology vendors can adopt security-oriented paradigms for their development practices that are designed specifically to reduce the risk of privilege escalation. Privilege Separation is a programming paradigm used to implement the Principle of Least Privilege access from the ground up.
The design philosophy encourages developers to write limited sections of the code sections with high access privileges, without affecting the overall functionality of the program itself. The result of this programming practice is that a compromised user account can only control a path of code with limited access privileges.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.