Privilege Escalation Attack and Ways to Prevent It


What Is Privilege Escalation?

An organization’s IT systems are accessed by countless accounts. Yet not all accounts are created equal. Customers are allowed to access the user space. Employees are given access to internal files and user data. System administrators are granted permission to modify system configurations. The higher an account’s privilege, the greater the damage if it is compromised, which is why very few people are given administrative privileges.

Because high-privilege administrative accounts are usually held by one or very few managers, they are difficult to break into directly. This is why attackers usually start by targeting low-privilege accounts, which can be compromised relatively easily through brute force or social engineering.

After gaining initial access to a low-privilege account, attackers commonly try to escalate their privileges to reach more critical systems and files. This process is called privilege escalation: an intrusion technique in which the attacker starts from an easily compromised low-privilege account and works step by step toward greater privileges and permissions within the network.

There are two types of privilege escalation. Horizontal privilege escalation is when the attacker gains unauthorized access to other accounts with the same level of permission as their own. It is usually used to target specific end users. For instance, an attacker may use one email account to break into another user’s email account because they want specific information held in that account.

Vertical privilege escalation is when the attacker adds privileges to their initial account in order to gain access to critical systems. This is more difficult than horizontal privilege escalation because tampering with the access management system takes considerable skill. However, a successful vertical privilege escalation attack can have catastrophic impact on an entire IT network.


Why Is Privilege Escalation Dangerous?

Privilege escalation can serve a variety of purposes. The attacker may be interested in the account owner’s files, or may be looking to reach the files of other users. In more serious cases, advanced attackers hijack admin accounts to quietly change system settings that weaken the environment further, or to install malware that spreads to other parts of the network. These cases are common in vertical privilege escalation because the attacker can use their admin privileges to delete activity logs and remain hidden inside systems for months without being detected.


How to Protect Against Privilege Escalation Attacks

Use Multi-Factor Authentication (MFA)

Ranked second on the OWASP Top 10 list, broken authentication is one of the most common vulnerabilities leading to user account compromise. Attackers usually break authentication by obtaining web session information or by acquiring login credentials through brute force or social engineering.

This makes it crucial to enforce strong passwords and secure all accounts with multi-factor authentication. Though it may seem intuitive to assign different levels of security according to the level of privilege, the key to preventing privilege escalation actually lies in the security of lower-privilege user accounts. If the attacker cannot get into a low-level account, there is no entry point from which to begin privilege escalation in the first place.


Minimize Account Privileges

It is common for organizations to give their IT department permissions on all system resources. This is potentially dangerous because if one of these accounts ends up in the wrong hands, the entire IT network could be compromised in no time. To prevent this, access to crucial system resources should be limited to one or very few accounts and individuals. It is also good practice to separate privileges among multiple users, so that no single user has access to all critical systems.

Account privileges should be minimized based on needs, not on the account holder’s authority within an organization. Even the CEO should not be granted access to crucial servers if they do not need such access on a regular basis. Granting access to one additional account means one more potential entry point.
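The two rules in this section, grant only what a role needs and never let one account reach every critical system, can be checked mechanically against an account inventory. The following is an added example written for this page, not code from the original article or from any Penta Security product; the role names, permission strings and sample accounts are all constructed placeholders.

```python
"""Least-privilege audit over a constructed account inventory (added example).

Not code from the original article or from any product it mentions. It models
the two rules in the text: each account should hold only the permissions its
role needs, and no single account should be able to reach every critical
system. Role names, permission strings and the sample accounts are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Permissions whose loss would expose the whole network (constructed list).
CRITICAL_PERMISSIONS = frozenset({"prod-db:admin", "ad:domain-admin", "firewall:write"})

# What each role needs to do its job (constructed). Anything granted beyond
# this is excess, regardless of the holder's seniority.
ROLE_NEEDS: dict[str, frozenset[str]] = {
    "customer": frozenset({"app:user"}),
    "employee": frozenset({"app:user", "fileshare:read"}),
    "dba":      frozenset({"app:user", "fileshare:read", "prod-db:admin"}),
    "netops":   frozenset({"app:user", "fileshare:read", "firewall:write"}),
    "exec":     frozenset({"app:user", "fileshare:read"}),
}


@dataclass
class Account:
    name: str
    role: str
    granted: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str                 # "excess" or "separation-of-duties"
    permissions: tuple[str, ...]


def excess_permissions(acct: Account) -> set[str]:
    """Permissions granted beyond the role's needs. An unknown role has no
    approved needs, so everything it holds is reported as excess."""
    return set(acct.granted) - ROLE_NEEDS.get(acct.role, frozenset())


def holds_all_critical(acct: Account) -> bool:
    """True when one account alone could reach every critical system."""
    return CRITICAL_PERMISSIONS <= acct.granted


def audit(accounts: list[Account]) -> list[Finding]:
    """Return one Finding per violated rule, in inventory order."""
    findings: list[Finding] = []
    for acct in accounts:
        extra = excess_permissions(acct)
        if extra:
            findings.append(Finding(acct.name, "excess", tuple(sorted(extra))))
        if holds_all_critical(acct):
            findings.append(Finding(acct.name, "separation-of-duties",
                                    tuple(sorted(CRITICAL_PERMISSIONS))))
    return findings


# Constructed sample inventory: two violations for the IT admin who has been
# granted everything, one for an executive given database admin "just in case".
SAMPLE_ACCOUNTS = [
    Account("alice", "customer", {"app:user"}),
    Account("bob", "employee", {"app:user", "fileshare:read"}),
    Account("carol", "dba", {"app:user", "fileshare:read", "prod-db:admin"}),
    Account("dave", "netops", {"app:user", "fileshare:read", "firewall:write",
                               "prod-db:admin", "ad:domain-admin"}),
    Account("erin", "exec", {"app:user", "fileshare:read", "prod-db:admin"}),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f"{f.account}: {f.kind}: {', '.join(f.permissions)}")
```

Run against a real inventory, the `excess` findings are the permissions to remove and the `separation-of-duties` findings are the accounts to split; an account whose role is not in the approved table is reported in full, so a new or mistyped role cannot silently pass.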


Manage System Credentials of Network and IoT Devices

Network infrastructure such as routers, servers, load balancers, and firewalls consists of crucial systems that enable communication within a network. Once an attacker gains access to one of these systems and tampers with its configuration, malware can be installed that quickly infects large areas of the network. This is why administrators must ensure that the credentials for these systems are kept safe and must watch out for misconfigurations.

Additionally, organizations must secure their IoT equipment. All default credentials must be changed before the devices are put into use, and access to them must be strictly controlled.
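Whether default credentials have actually been changed, and whether a device’s management interface is restricted to approved sources, are both things an inventory can be checked for. The following is an added example written for this page, not code from the original article or from any vendor: the inventory stores only a salted hash of each device’s admin password, the check hashes a small table of factory-default passwords with the device’s own salt and looks for matches, and a second rule flags devices with no management-access restriction. The vendor names, models, default values and device records are constructed placeholders, not real products.

```python
"""Default-credential and exposed-management check over a constructed device
inventory (added example, not from the original article or any vendor).

The inventory holds only a salted SHA-256 of each device's admin password;
the check hashes a small constructed table of factory defaults with the
device's own salt and flags matches, and separately flags devices whose
management interface has no source-address restriction. Vendor names, models
and default values are placeholders, not real products.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed placeholder defaults keyed by (vendor, model). In practice this
# table is filled from the vendor's own documentation for the devices you own.
FACTORY_DEFAULTS: dict[tuple[str, str], list[str]] = {
    ("ExampleNet", "R100"): ["admin", "password"],
    ("ExampleCam", "C20"): ["123456"],
}


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256, hex encoded (sufficient for an inventory comparison)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    salt: bytes
    password_hash: str
    mgmt_allowlist: tuple[str, ...]   # CIDRs allowed to reach the admin UI; empty = open to all


def make_device(name, vendor, model, password, mgmt_allowlist=()) -> Device:
    """Build an inventory record; the plaintext is hashed immediately and not kept."""
    salt = os.urandom(16)
    return Device(name, vendor, model, salt, hash_password(password, salt), tuple(mgmt_allowlist))


def uses_factory_default(dev: Device) -> bool:
    """True if the stored hash matches any known default for this vendor/model."""
    for candidate in FACTORY_DEFAULTS.get((dev.vendor, dev.model), []):
        if hmac.compare_digest(hash_password(candidate, dev.salt), dev.password_hash):
            return True
    return False


def management_exposed(dev: Device) -> bool:
    """True when nothing restricts who can reach the admin interface."""
    return len(dev.mgmt_allowlist) == 0


def audit(devices: list[Device]) -> list[tuple[str, str]]:
    """Return (device name, issue) pairs for every violated rule, in inventory order."""
    issues = []
    for dev in devices:
        if uses_factory_default(dev):
            issues.append((dev.name, "factory-default-credential"))
        if management_exposed(dev):
            issues.append((dev.name, "management-interface-unrestricted"))
    return issues


# Constructed sample inventory: one router still on its factory password, a
# camera that is both on its default and reachable from anywhere, and a switch
# with a good password but an unrestricted management interface.
SAMPLE_DEVICES = [
    make_device("core-router-1", "ExampleNet", "R100", "admin", ["10.0.0.0/24"]),
    make_device("core-router-2", "ExampleNet", "R100", "Q7w!pZ2#mL9v", ["10.0.0.0/24"]),
    make_device("lobby-cam-3", "ExampleCam", "C20", "123456"),
    make_device("lab-switch-4", "ExampleNet", "S5", "Hs4$kJ8n@Rt1"),
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_DEVICES):
        print(f"{name}: {issue}")
```

Comparing hashes rather than storing plaintext means the inventory itself does not become a credential store if it leaks, and a device whose vendor or model is missing from the defaults table is simply not checked for that rule, so keeping the table current is part of the process.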


Train Staff on Mitigating Social Engineering Attacks

Social engineering is a popular attack method used to trick people into giving out their login credentials. With the growing use of social media and online services, it has become easier than ever to obtain personal information about targeted individuals. Staff should always scrutinize unsolicited emails and never enter login credentials at a URL supplied in such a message.


Keep Applications Updated and Patched

This may sound like a simple task. Yet many organizations fail to keep up with the latest security updates and fall victim to zero-day attacks. It is crucial to have a dedicated member of the IT team in charge of managing system and software updates.


iSIGN+, the All-in-One IAM Solution to Prevent Privilege Escalation

iSIGN+ is an identity and access management (IAM) solution that enables single sign-on (SSO), enhancing account security without compromising convenience. FIDO2 compliant, iSIGN+ allows for multi-factor authentication (MFA) using mobile OTP and biometrics. Most importantly, IT administrators can use its management tools to monitor per-user service time and screen logs and audit records to detect suspicious activities before they cause any harm. Download iSIGN+’s brochure to learn more.


Check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Car, Energy, Factory, City Solutions: Penta IoT Security