Privilege escalation is a fundamental step in all cyber-attacks. It is required to gain access and to move laterally within the organisation to exploit information assets. Attempts to escalate privilege often generates “noise” and becomes the ideal place to spend efforts on controls and associated monitoring to both detect and prevent an attack from escalating. Here are a couple of easy steps to reduce the risk of privilege escalation and to make the detection of attempts to escalate privilege, more difficult.
Workstation local admin rights:
The reality is that most end users do not need local administrative rights to perform their day-to-day duties, although they will claim otherwise. Removal of local administrative rights to end users is probably one of the best defences on endpoints. It ensures that it is difficult to install malware, prevents installation of unauthorised software and risks associated with shadow IT, preventing the malicious stopping of services and security software.
All access should be reviewed regularly, and the principal of least privilege should be applied. Access is often accumulated by staff as their roles change within the organisation and access accumulation leads to staff having access to an excessive number of systems and data. The access accumulation makes staff who typically not seen as a major risk to a business, good candidates for a threat actor whose motives are data theft.
Administrator accounts and access should be limited as much as possible too. It makes sense to provide administrators and other staff who require privileged access with separate user accounts to perform their normal functions. For example, reading email and only using the administrative accounts when required to perform functions specifically requiring the access. This provides the ability to monitor and manage administrative accounts on a far more granular level and allow for the early detection of any malicious activity.
Although multi-factor authentication (MFA) is not infallible to bypass, it does create an additional complexity for a threat actor to navigate without being detected. Credentials are often sold on the dark web markets, however, when these are protected by MFA it slows down or completely mitigates when lower skilled threat actors purchase these credentials. Consideration should also be given to how often staff are 2FA’ed. Staff can become conditioned to just approving 2FA prompts.
Security awareness training:
Legendary cryptographer and security expert Bruce Schneier once stated: “Amateurs hack systems, professionals hack people”. People remain the weakest link in the security chain and the increase of phishing and other social engineering attacks are proof that social engineering is a very effective attack vector. Technology used to block malicious content from entering the organisation does not block all malicious content and attackers. They are evolving attacks to bypass these technologies. A robust security awareness training program will assist in developing the skills to identify malicious content, web sites and prepare users for other social engineering attacks, making them less likely to authenticate random 2FA prompts.
There are numerous other capabilities and technologies that can be deployed against privilege theft and escalation, the above provides a solid start for inclusion in a security program.