Thwarting Privilege Escalation Attacks

MJ Kaufmann


Security Specialist

3 Ways to Stop Privilege Escalation Attacks

In September, federal agencies scrambled to patch the notorious Zerologon vulnerability, which allowed users to escalate their permissions to Windows Domain Administrator. The exploit earned a rare 10 out of 10 CVSS score. While it isn’t a new attack, Zerologon gained recent notoriety after Microsoft released a patch, because vulnerability patching tends to fall by the wayside in the hustle and bustle of daily work.

The most significant risk of the Zerologon vulnerability comes from previously compromised systems. Once a bad actor hijacks a system, they are usually constrained to the current account’s access level. Unfortunately, executing Zerologon lets the bad actor break out of that permission box and reach the top administrative access level, which grants them the proverbial “keys to the kingdom” to all other Windows-based devices.

So what does that mean to you? You’ve patched, but what more can your organization do to stop privilege escalation attacks? What preventative measures will prepare you for the future? In this post, we explore proven methods that reduce the risk of privilege escalation. We’ll also look at why organizations may want to consider a move to a Zero Trust environment in light of recent breaches.

Defending Privileged Access

The key to defending against — and preventing — privilege escalation attacks is to avoid permanent superuser roles and access. If you’re wondering how all of the administrative tasks that keep the ecosystem running day-to-day will get done, two words: time limits. 

Just because you grant privileged access doesn’t mean you can’t take it back. You should, and as quickly as possible. The best way to accomplish this is a risk-based Privileged Access Management (PAM) solution that natively integrates with your cloud platforms and SaaS applications. By combining this with reliable user behavior analytics and AI or machine learning for log analysis, organizations get in-depth information on how privileged access is used, which allows the system to flag access misuse well before it takes root and leads to a breach.

1. Remove Standing Access

Implementation of Zero Standing Privilege eliminates the risk posed by having standing administrator accounts with vast amounts of power and access. When needed, users can request these rights, and a review of that request automatically evaluates appropriateness. If the user meets the criteria, time-bound access gets granted to the resource on a just-in-time basis. The PAM solution monitors and evaluates access requests. Requests exceeding typical roles and job responsibilities trigger an alert that escalates the request to humans for review. Ensuring oversight, reducing excess access through automatic de-provisioning, and limiting elevated access periods narrow the potential for a privilege escalation attack.

2. Increase Depth of Visibility

Knowledge of what assets an organization has on the network — and across the cloud — is of paramount importance when implementing Zero Standing Privilege. These assets must be discovered and inventoried to determine whether access to them is privileged and, if so, to what degree. Rather than granting access in bulk to resources, fine-grained entitlements and just-in-time provisioning help maintain least privilege. This also allows the system to track explicitly which entities are using which assets.

The PAM software needs the in-depth visibility provided by automated discovery to make intelligent decisions when access is requested. The PAM solution utilizes governance and compliance rules set by the organization in its decision making. These rules get reviewed every time someone requests access to ensure access is appropriate and consistent. Without this visibility, it would be impossible to identify toxic combinations of permissions where compliance issues such as Segregation of Duties (SoD) violations might occur when granting access.
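The request flow described in sections 1 and 2 (eligibility against the user’s roles, a Segregation of Duties check against entitlements already held, time-bound grants that expire on their own, and escalation to human review for out-of-role requests) as a small added simulation. This is example code written for this post, not any vendor’s PAM product; the roles, entitlements, SoD conflict set and two-hour cap are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy data for the example (hypothetical roles and entitlements).
ROLE_ENTITLEMENTS = {
    "dba": {"prod-db:admin", "prod-db:read"},
    "payments-ops": {"payments:approve", "payments:read"},
    "payments-analyst": {"payments:create", "payments:read"},
}
# Toxic combinations: holding every entitlement in a set is an SoD violation.
SOD_CONFLICTS = [{"payments:create", "payments:approve"}]
MAX_GRANT = timedelta(hours=2)   # hard cap on any elevated-access window


@dataclass
class Grant:
    user: str
    entitlement: str
    expires: datetime


@dataclass
class Broker:
    user_roles: dict                       # user -> set of role names
    grants: list = field(default_factory=list)
    review_queue: list = field(default_factory=list)

    def active(self, user, now):
        """Entitlements the user currently holds; expired grants are dropped
        here, which is the automatic de-provisioning step."""
        self.grants = [g for g in self.grants if g.expires > now]
        return {g.entitlement for g in self.grants if g.user == user}

    def request(self, user, entitlement, duration, now):
        roles = self.user_roles.get(user, set())
        eligible = set().union(*(ROLE_ENTITLEMENTS.get(r, set()) for r in roles))
        if entitlement not in eligible:
            # Outside the user's roles: no automatic grant, a human reviews it.
            self.review_queue.append((user, entitlement))
            return "escalated"
        held = self.active(user, now) | {entitlement}
        if any(conflict <= held for conflict in SOD_CONFLICTS):
            return "denied-sod"
        # Just-in-time, time-bound grant; the requested duration is capped.
        self.grants.append(Grant(user, entitlement, now + min(duration, MAX_GRANT)))
        return "granted"
```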

3. Put Intelligent Analytics to Work

Zero Trust systems generate a substantial amount of user logs and behavioral information over time. This data can help organizations identify risk in advance of an attack. 

To identify risky behaviors and locate potential breaches, organizations need an identity platform that leverages machine learning — it can derive intelligent analytics from the data far faster than human analysts. All of the analytics tie behavior back to a given user, no matter which identity they are using. This helps identify situations that might indicate a breach, such as spikes in access requests, requests for data that would typically not be allowed for the user’s roles, or systematic access to data, all of which are indicators of possible bad actors at work.
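Two of the indicators just listed, a spike in a user’s request volume and a request for a resource the user has never touched before, as an added detection example run over a constructed access-request log. This is illustrative code written for this post, not the analytics of any identity platform; the log lines, users, resources and the 3x spike threshold are all constructed.

```python
from collections import Counter, defaultdict

# Constructed access-request log: "timestamp user resource" (not real data).
LOG = """\
2024-03-01T09:02 alice prod-db
2024-03-01T09:40 alice prod-db
2024-03-02T10:15 alice prod-db
2024-03-03T11:00 alice prod-db
2024-03-04T08:30 alice prod-db
2024-03-05T09:10 alice prod-db
2024-03-05T09:11 alice hr-payroll
2024-03-05T09:12 alice prod-db
2024-03-05T09:13 alice finance-ledger
2024-03-05T09:14 alice prod-db
2024-03-05T09:15 alice prod-db
2024-03-01T09:00 bob payments
2024-03-05T09:00 bob payments
"""


def parse(log):
    """Yield (day, user, resource) for each log line."""
    for line in log.splitlines():
        ts, user, resource = line.split()
        yield ts[:10], user, resource


def analyze(log, spike_factor=3.0):
    """Return findings: ('spike', day) when a user's busiest day exceeds
    spike_factor times their own per-day baseline, and ('new-resource', r)
    for a resource first requested after the user's first observed day."""
    per_day = defaultdict(Counter)          # user -> Counter(day -> requests)
    first_day, seen, findings = {}, defaultdict(set), []
    for day, user, resource in sorted(parse(log)):   # chronological order
        per_day[user][day] += 1
        first_day.setdefault(user, day)
        if resource not in seen[user] and day != first_day[user]:
            findings.append((user, "new-resource", resource))
        seen[user].add(resource)
    for user, days in per_day.items():
        if len(days) < 2:                   # no baseline to compare against
            continue
        peak_day, peak = days.most_common(1)[0]
        baseline = (sum(days.values()) - peak) / (len(days) - 1)
        if peak > spike_factor * baseline:
            findings.append((user, "spike", peak_day))
    return findings
```

Both checks are per-user, so a steady high-volume account is not flagged merely for being busy; only a departure from that account's own history is.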

Zero Trust is the Future

The days of taking a set-and-forget approach to privileged access are gone. To meet the challenges of an increasingly remote workforce and more advanced threats, organizations need to make the move to Zero Trust. With Zero Trust, organizations can finally understand where data resides and how people use it at any point in time. This approach maintains a persistent state of compliance with regulations and governance, and establishes a secure posture in which every data access gets measured and monitored.
