Cyber Security Incident Response: What is privilege escalation and why is it important?

Microsoft recently disclosed a privilege escalation vulnerability in Windows due to overly permissive Access Control Lists (ACLs) on multiple system files. Users were advised to check their own system and take the necessary precautions. In addition, Hewlett Packard Enterprise warned their customers of a vulnerability in Sudo – an open-source program used in Aruba AirWave – which could allow an unprivileged and unauthenticated local user to gain root privileges on a vulnerable host.

1. What is privilege escalation?
2. How does privilege escalation work?
3. The importance of privilege escalation
4. How to protect your systems from privilege escalation

Privilege escalation is a popular way for cyber attackers to gain unauthorized access to organizational systems within a security perimeter. Privilege escalation, if executed successfully, can severely hamper business continuity. And because privilege escalation attacks can occur in many ways, multiple defence strategies and tactics are required to protect against these attacks. In this article, we take a look at the characteristics inherent to privilege escalation attacks and how to guard against these attacks.

1. What is privilege escalation?

Privilege escalation entails an attack that involves gaining illegal or unintended access to elevated rights, or privileges, beyond what is intended or permitted for a user. This allows malicious actors – who can be external or insider – to gain access to sensitive data, install malware or launch other cyber-attacks on the network enterprise. Privilege escalation is a prime stage of the cyber-attack chain and usually involves the exploitation of a privilege escalation vulnerability, such as misconfiguration, inadequate access controls or a system bug.

2. How does privilege escalation work?

It is important to understand the two types of privilege escalation: horizontal and vertical. In the event of a horizontal privilege escalation, attackers stay on the same horizontal line/privilege level as the user who has fallen victim to the attack. In other words, the attackers will have the access and privilege levels as the victim/user. However, they use this to gain access to privileged information and other workstations at that same horizontal level by impersonating the victim/user. One example of this is when the attackers, hiding behind the victim/user’s credentials attempt to access the bank account or e-commerce platform of another user by sending the very common “your account will be deactivated due to inactivity, please click this link to keep your account activated” type email.

3. The importance of privilege escalation

The malicious actor’s motive may go beyond simply accessing the organization’s system or entering the organization’s user system. What is of importance to consider is whether the privilege escalation that took place used a platform that can ultimately weaken an organization’s defences by, for example, running malicious codes in the organization’s system. So, whenever a privilege escalation is detected or suspected, it is crucial to establish the nature of the event and if it is a once-off event.

4. How to protect your systems from privilege escalation

The good news is there are precautions you can take to guard against privilege escalations. Some of these precautions include setting strong password policies, regularly scanning and updating systems and applications, removing unused user accounts and with it, potential points of entry for attackers, and periodically changing user credentials on all devices. The great news is that the Plan4Continuity software platform is pre-loaded with all your organization’s cybersecurity incident response plans including one for each type of incident such as a privilege escalation. When activated by simply pushing a button, the system automates and streamlines the flow from selecting the type of incident (in this case, privilege escalation) to activating the correct sub-plans and workflows, while select staff and stakeholders are informed via text or email which actions to take.