What is Privilege Escalation

A privilege escalation attack is a technique in which a threat actor gains unauthorized access through a susceptible point and then elevates access permissions to carry out a full-blown attack. Such threat actors can be external hackers or insiders who exploit vulnerabilities such as inadequate or broken access controls or system bugs to compromise a user account. Privilege escalation attacks typically aim to gain a powerful level of permission and control the entire system.

How Does Privilege Escalation Work

Privilege escalation represents the layer of the cyberattack chain where the attacker takes advantage of a compromised system to access data that the compromised user account isn’t permitted to access. While there can be numerous susceptible points within a system, some common entry points for privilege escalation attack vectors include web application servers and Application Programming Interfaces (APIs).

To gain initial access, attackers authenticate themselves to the system by bypassing user account control or obtaining credentials. Beyond this, attackers try to find various loopholes in account authorization to gain a level of access to more sensitive data.

What are the Main Privilege Escalation Attack Types

Horizontal privilege escalation

An attack in which a threat actor tries to expand its sphere of control over a whole system by gaining access to additional user accounts that hold equivalent credentials. Horizontal privilege escalation occurs when an attacker exploits lower-level or unprivileged user accounts that lack adequate security policies.

Vertical privilege escalation

An attack in which the attacker elevates access rights above the stated account permissions is known as privilege elevation. Such attacks usually aim to acquire access to accounts with unrestricted administrator capabilities, such as a system administrator account.


What are the Best Practices to Avoid Privilege Escalation Attacks

Use these five simple steps:

  1. Regular Vulnerability Scans: It is important to secure an application by finding system vulnerabilities before attackers take advantage of them. Vulnerability scanning tools, such as Veracode Dynamic Analysis, automate the identification and confirmation of system vulnerabilities. Effective vulnerability scans can help identify misconfigurations, weak passwords, and unpatched software that make the system insecure. Vulnerability scans also reveal weaknesses in web server security, such as known exploits, injection attack entry points where malicious code could be supplied, and exposed administrator interfaces. With effective vulnerability scanning, organizations can update, patch, or deploy additional security layers to keep threat vectors at bay.
     
  2. Minimum Privileges: Developers and security teams must ensure that users and user account groups have clearly defined roles. Teams should grant only the minimum privileges each role needs, and file transfer and access to resources should be restricted per role. This limits the potential for organization-wide escalation even if an account is compromised. Additionally, each account’s access should be limited to the resources it needs to manage or access.

    This policy should apply not only to ordinary users but also to administrators and root accounts, as no single superuser should have permission to access and modify an entire system. The principle of least privilege also applies to the deletion of user accounts and should be enforced when a user stops accessing the system.

  3. Rotate Default Credentials: Strong, unique passwords must be enforced for every account. Many accounts come with default passwords that are in use before a user-defined password is set. Attackers exploit these initial passwords to gain access to user accounts and then escalate their attacks. Such default accounts should be removed completely, or their passwords rotated, as they are a common entry point for hackers seeking administrative access to web servers. Likewise, default login credentials on any hardware system should be changed as soon as the user starts accessing it.
     
  4. Constantly Monitor User Behaviour: Threat actors typically target user accounts to gain entry into the system. Once they have obtained a user’s credentials, they can log in to the system and go undetected. To check for compromised identities, it is imperative to monitor the behavior of the system’s users constantly. Deploying User and Entity Behavior Analytics (UEBA) solutions helps automate the monitoring of user activity over time. These tools model legitimate user behavior by building user profiles from various parameters and help identify suspicious account activity efficiently. In addition, UEBA tools give security teams visibility into aggregate traffic rates, enabling the detection and prevention of DDoS attacks through the API.
     
  5. Limit File Access and Block Unused Ports: All network ports should stay closed and be opened only when needed by applications and services. Certain services ship with configurations that require some ports to be open for communication through the API. It is important to keep them open only while in use and accessible only to applications with the required permissions. As a best practice, such services should be identified and, when not required, blocked. In addition, all files within a shared system should be read-only by default; write access can be enabled whenever a user or group needs to edit a file.

Why Should You Scan for Privilege Escalation Vulnerabilities 

Privilege escalation is frequently used as part of a multi-stage attack, allowing hackers to deliver a malicious payload or run malicious code on the target machine. This implies you should check for indicators of additional malicious activity whenever you notice or suspect privilege escalation.
Even if there is no proof of further attacks, every privilege escalation occurrence is a security concern in and of itself, since unauthorized access to personal, private, or otherwise sensitive data might have occurred. This will almost always have to be disclosed internally or to the appropriate authorities to guarantee compliance.

Worse yet, detecting privilege escalation incidents can be challenging due to the difficulty in distinguishing between normal and malicious behavior.
When you test for privilege escalation, you are closer to preventing these dangerous attacks that permit hackers to acquire customers’ data such as passwords, credit cards, and email information.

Detecting a Privilege Escalation Incident

One common trait of successful attackers is that they keep their activities undetected. Such stealthy privilege escalation methods are particularly hard to detect, as the malicious activity erases its traces by deleting event logs, masking IP addresses, and masquerading as normal users. To deal with this, it is important to consider every entry point that is susceptible to attack. When tracking a privilege escalation incident, here are a few factors to consider:

  • The initial point of compromise
  • The vector used to implement the initial threat
  • Permissions and elevated privileges the threat actor managed to obtain
  • Accounts the attacker aimed to obtain and the purpose
  • Damage caused by the compromise and escalation
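The following Python is an added example, not Veracode's code or tooling, that ties the UEBA idea from step 4 to the factors listed above: it builds a per-account profile of actions from a baseline window of constructed log lines, then flags later privileged actions that fall outside that profile and any event-log clearing. The log format, the action names, and the cutoff date are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample events, not from any real system. Day 1 is the
# baseline window; day 2 holds the activity the detector should flag.
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=alice action=login target=webapp
2024-03-01T08:05:40 user=alice action=read target=/srv/reports
2024-03-01T09:10:03 user=bob action=login target=webapp
2024-03-01T09:12:55 user=bob action=read target=/srv/reports
2024-03-02T08:01:09 user=alice action=login target=webapp
2024-03-02T22:14:02 user=bob action=login target=webapp
2024-03-02T22:15:18 user=bob action=sudo target=root
2024-03-02T22:16:41 user=bob action=group_add target=admin
2024-03-02T22:17:05 user=bob action=clear_log target=/var/log/auth.log
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$")
PRIVILEGED = {"sudo", "su", "group_add"}   # assumed names for actions that raise privilege
ANTI_FORENSIC = {"clear_log"}              # assumed name for an action that destroys evidence

def parse(log_text):
    """One dict per well-formed line; malformed lines are skipped, not guessed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def build_baseline(events, cutoff):
    """Per-user set of actions observed before `cutoff` (ISO-8601 prefix)."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            baseline[e["user"]].add(e["action"])
    return baseline

def detect(log_text, cutoff):
    """Flag privileged actions absent from the actor's baseline, plus log clearing."""
    events = parse(log_text)
    baseline = build_baseline(events, cutoff)
    findings = []   # each finding records who, when, which action and which target
    for e in events:
        if e["ts"] < cutoff:
            continue                                  # baseline window, not scored
        if e["action"] in PRIVILEGED and e["action"] not in baseline[e["user"]]:
            findings.append({**e, "reason": "privileged action outside baseline"})
        elif e["action"] in ANTI_FORENSIC:
            findings.append({**e, "reason": "event log cleared"})
    return findings

for f in detect(SAMPLE_LOG, "2024-03-02"):
    print(f["ts"], f["user"], f["action"], f["target"], "->", f["reason"])
```

In a real deployment the baseline would come from weeks of telemetry and the scored window from live events, but the shape of the check is the same: compare each privilege-changing action against what that account normally does.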

How Do You Run a Privilege Escalation Scanner 

With Veracode, you can set up and start a privilege escalation scan in less than 10 minutes.
You’re only a few clicks away from discovering privilege escalation vulnerabilities in your web assets. In only 3 clicks, you can scan your web application or API and produce a report detailing any vulnerabilities found.

Veracode DAST Essentials is not just a privilege escalation vulnerability scanner: with it you can test for all of the OWASP Top 10 vulnerability categories. You’ll understand precisely which types of attacks you are exposed to and their risk levels.

See how Veracode can help you detect and fix privilege escalation vulnerabilities earlier in the software development life cycle to prevent attacks. Start your 14-day free trial today.