Hackers get into our systems for data theft and other reasons. The Cyber Kill Chain identifies privilege escalation as a key step, right after exploitation and before lateral movement. This raises the question: who should be alerted to privilege escalation events?
Motivations for Attacks
One of the prime motivations for hackers is gaining access to information that they can profit from. They can sell the information to the highest bidder for their criminal activities, commit identity theft, or use the personal information for future phishing campaigns. Hackers view personally identifiable information as a valuable commodity to be sold or used for their benefit. But how are they able to steal this information in the first place?
What is Privilege Escalation and Who Should be Alerted of Privilege Escalation?

Image #1: Privilege escalation (or privilege creep) is a problem for enterprises that wish to follow the best practice of “Least Privilege” (NIST PR.AC-6).
Through privilege escalation, hackers find and exploit vulnerabilities to gain access to user accounts. This is most commonly done in one of three ways: cross-site scripting, improper cookie handling, or weak passwords. For the first two methods, vulnerabilities can be fixed through programming methods, while the latter requires user education of password best practices and requirements such as complexity and expiry dates.
If the hacker can gain access to an account, privilege escalation can happen in two ways. With horizontal privilege escalation, the hacker gains access to another account with the same access rights and capabilities. An example of this would be the user of one online banking account gaining access to another. In horizontal privilege escalation, subsequent accounts do not have more access privileges than the original. It can, however, be useful in the case of online banking, allowing hackers to access the account details of other users.
Vertical privilege escalation is an even more worrying form of privilege escalation. Once hackers gain access to a less privileged account, they can gain access to more privileged accounts. These accounts may include administrative or system accounts.
This kind of access is incredibly dangerous. Hackers can use it to steal sensitive information, steal other access credentials or spread malware throughout the system, making privilege escalation a common precursor to other cyberattacks.
Unfortunately, it is often difficult to pinpoint when privilege escalation is occurring, as sophisticated hackers may delete activity logs or make activity appear routine.
Who Should be Alerted of Privilege Escalation and Who is Responsible When an Event Occurs?
When a privilege escalation event takes place, senior management executives should be notified and made responsible for ensuring that the problem is taken care of. While 20% of businesses believe that IT management should be responsible for cybersecurity, it is ultimately the CEO or CISO who will be held accountable when a breach occurs. These individuals should be actively involved in understanding the cybersecurity weaknesses so they can support best practices to mitigate risks.
Mitigating Risks
Who should be alerted to privilege escalation and how to prevent it are both open questions. To prevent privilege escalation events from occurring, organizations should make sure that their systems are patched and up to date, to reduce the ways that hackers can slip in through programming errors. Users should be educated on creating strong passwords and urged to use new passwords that are not associated with other accounts. If a user uses the same password for many accounts, hackers can use that password to gain access to the other accounts.
Additionally, organizations should adhere to the Principle of Least Privilege (PoLP), which means that users are assigned only the minimum access privileges that they need to carry out their duties. They should also apply segregation of duties, which NIST defines as the “principle that no user should be given enough privileges to misuse the system on their own.” With administrative accounts, having a limited number of privileges can reduce the impact that a hacker may have if they gain access.
Access Reviews, YouAttest and Detecting Privilege Creep
Lastly, organizations should employ regular access reviews. Access reviews are essential to ensure that users only have access to the data and resources they should. When done regularly, they can help identify over-privileged accounts that need to be fixed before hackers can exploit them. For further details on who should be alerted to privilege escalation and how to mitigate it, please feel free to set up an appointment with YouAttest.
YouAttest performs access reviews both statically and dynamically, in real time. The latter detects and alerts on privilege creep via its event triggering system: triggers detect changes in key security users and groups and force an attestation of the change.

Image #2: YouAttest detects privilege creep by alerting on security events, including security group privilege changes, allowing reviewers to certify, delegate or revoke. YouAttest helps identify privilege creep and provides insight into who should be alerted to privilege escalation to mitigate risks.
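The kind of trigger-based review described above can be sketched as follows. This is an added example, not YouAttest's code or any vendor's event schema: it replays group-membership events and queues an attestation whenever a user is added to a key security group, grants the membership to themselves, or ends up holding two groups that segregation of duties should keep apart. The group names, event fields, sample events and the self-grant check are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy (assumption): key security groups, and pairs of groups
# that one user must not hold together (segregation of duties).
PRIVILEGED_GROUPS = {"Domain Admins", "Payments-Approvers"}
SOD_CONFLICTS = [("Payments-Creators", "Payments-Approvers")]

# Constructed audit events in a hypothetical format.
EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "action": "add", "user": "alice", "group": "Payments-Creators", "actor": "hr-sync"},
    {"ts": "2024-05-02T10:15:00Z", "action": "add", "user": "bob", "group": "Staff", "actor": "hr-sync"},
    {"ts": "2024-05-03T23:41:00Z", "action": "add", "user": "alice", "group": "Payments-Approvers", "actor": "alice"},
    {"ts": "2024-05-04T08:00:00Z", "action": "add", "user": "carol", "group": "Domain Admins", "actor": "it-admin"},
    {"ts": "2024-05-05T08:00:00Z", "action": "remove", "user": "carol", "group": "Domain Admins", "actor": "it-admin"},
]

@dataclass
class Attestation:
    ts: str
    user: str
    group: str
    reasons: list

def review(events, privileged=PRIVILEGED_GROUPS, conflicts=SOD_CONFLICTS):
    """Replay membership events; return (pending attestations, memberships)."""
    members = {}   # user -> set of groups currently held
    pending = []   # changes a reviewer must certify, delegate or revoke
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO 8601 sorts as text
        held = members.setdefault(ev["user"], set())
        if ev["action"] == "remove":
            held.discard(ev["group"])
            continue
        held.add(ev["group"])
        reasons = []
        if ev["group"] in privileged:
            reasons.append("added to key security group")
        if ev["actor"] == ev["user"]:
            reasons.append("self-granted")
        for a, b in conflicts:
            if ev["group"] in (a, b) and {a, b} <= held:
                reasons.append(f"SoD conflict: {a} + {b}")
        if reasons:
            pending.append(Attestation(ev["ts"], ev["user"], ev["group"], reasons))
    return pending, members

if __name__ == "__main__":
    for att in review(EVENTS)[0]:
        print(att.ts, att.user, att.group, "; ".join(att.reasons))
```

The returned memberships are the static view an access review would check against each user's role, while the pending list is the real-time queue of changes awaiting attestation.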
—
YouAttest is the only cloud-based IGA platform that deploys in minutes via application SSO to platforms like Okta. YouAttest demonstrated how it can address privilege creep in its webinar: YouAttest Cloud Governance w/ Triggers – w/ Okta’s David Barrish.