Privilege Escalation and the Cyber Kill Chain

Date

29.03.21

Garret Grajek
Access Review, Attack, Audit, Governance, HIPAA, HITRUST, Identity Governance, IGA, Privilage Creep, Privilege Escalation, Privilege Escalation and the Cyber Kill Chain

Many of todays attacks can be explained from understanding privilege escalation and the cyber kill chain.

Derived from a military model, the Cyber Kill Chain was first developed by Lockheed Martin to respond to various cyber threats. Made of eight phases, the cyber kill chain is triggered by any common attack vector, such as phishing or malware. Since it was first introduced to the cybersecurity community, the cyber kill chain has evolved to better anticipate and recognize threats.

Image #1: In order to stop cyber attacks its important to understand the steps an attacker undertakes – this is call the Cyber Kill Chain.

With each step in the cyber kill chain, the goal is to understand the steps a hacker may take to execute a cyber attack.

As a threat passes down the cyber kill chain, each phase poses an opportunity to stop the threat in its tracks. The cyber kill chain begins with reconnaissance, intrusion, exploitation, privilege escalation, lateral movement, anti-forensics, denial of service, and lastly, exfiltration. The goal is to identify and eliminate threats as early as possible in the chain, preventing disastrous effects.

Reconnaissance

In this initial phase of a cyber attack, hackers are in search of information they can use to execute their plans. To prevent this, reconnaissance tools scan for vulnerabilities that hackers may use as a point of entry. However, hackers may also search for information in places such as LinkedIn or even be bold enough to call their target asking for more information. Employees should be aware and be cautious when sharing information.

Intrusion

Once the hacker has identified their route of entry, they can begin to launch their attack. Commonly, malware is used and distributed to targets via phishing campaigns, compromised websites, or unsecured wireless networks. In this step, employees can be trained to avoid downloading attachments from unknown sources, following questionable links, and using only secured internet sources.

Exploitation

If the threat can successfully breach the network, hackers can launch the next phase of an attack. Once in, hackers can install additional tools or modify certificates needed to continue with their attack.

Privilege Escalation

Typically through either brute force attacks or using password vulnerabilities, hackers can work their way into accounts with greater access privileges than when they initially got into the system. Through privilege escalation, hackers may be able to access secure data or administrative rights and inflict maximum damage. Image #2: YouAttest detects privilege creep by alerting on security events, including security group privilege changes – allowing reviewers to certify, delegate or revoke. Youattest helps with identifying privilege creeps and provides an insight into who should be alerted of privilege escalation to mitigate risks.

Lateral Movement

Hackers will also move laterally between systems, another form of privilege escalation. This gives the hacker greater access and range to move throughout the organization, again to access sensitive data and greater access rights.

Anti-Forensics

To hide their actions and avoid detection, hackers employ anti-forensic practices. This may include wiping files modifying information so it appears to have never been touched.

Denial of Service

To prevent authorized users from accessing the resources they need, hackers will launch a denial of service attack. This type of attack may crash systems and suspend access.

Exfiltration

Once the hacker is in, their goal will be to get the sensitive information back out. They may ransom it or sell it to the highest bidder. No matter what they do, once they can get it out the data will be out of the control of the organization. Preventing this is one of the prime goals of cybersecurity.

Through understanding the Cyber Kill Chain, organizations can understand how hackers carry out a cyber attack. Vulnerabilities at these points should be eliminated to stop hackers in their tracks before they can cause serious damage.

—

YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. YouAttest demonstrated how YouAttest can address privilege escalation via escalation triggers and workflow request and approvals as detail in the YouAttest next webinar: “YouAttest and Access Approval”. Or register at Oktane21 and see us there.

jrtf stopransomware guide

The JRTF #StopRansomware Guide and
The Principle of Least Privilege

Ransomware attacks have risen by 13% in the last five years, with an average cost of $1.85 million per incident. There are 1.7 million ransomware

August 20, 2023 No Comments

AWS

Why Enterprises Need YouAttest for AWS
for Identity Security and Compliance

Announcing: YouAttest for AWS. YouAttest automates the process of access discovery and access review for AWS IAM – all the roles and privileges of your

July 25, 2023 No Comments

Access Discovery

Access Discovery and User Access Reviews

A first step to secure identities is an access discovery. This is an inventory of who has access to what. For outsiders –

July 9, 2023 No Comments