In the world of cyber security, we’re often distracted by new innovations and great products that promise to keep our systems and data safe. But the reality is that there’s no catch-all answer to staying secure.
Instead, we all need to take some time to really understand the challenges that we’re facing – both the broad spectrum of attacks and the specific techniques that hackers employ.
The idea of an attacker accessing an account and then increasing that account’s level of privilege is well known. But how exactly do attackers circumvent your security and existing control mechanisms?
Getting around your privileged security controls
Attackers are always looking for ways to abuse your privileged security by escalating the level of privilege that their stolen or breached credentials allow.
But as more businesses adopt least privilege in various ways, this often means circumventing the mechanisms you have in place to keep privileged access low.
Attackers get around these mechanisms in four key ways:
- Running code in a new context (using setuid or setgid)
After performing a shell escape or exploiting application vulnerabilities, attackers run malicious code with a different user’s level of privilege.
- Bypassing UAC
User Account Control (UAC) mechanisms let users elevate their privileges to perform specific tasks, like installing software. Attackers can bypass these controls without prompting the user.
- Sudo and sudo caching
On Linux and macOS, attackers can take advantage of sudo caching (which allows repeated commands with no request to re-enter a password) or add users to the permitted list in the sudoers file.
- API abuse on macOS
The AuthorizationExecuteWithPrivileges API on macOS is designed to help developers execute commands with root privileges. While this prompts the user to enter the relevant credentials, attackers may combine this vector with social engineering to make users comply.
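For the sudo item above, a defender can check how long sudo caches credentials and which rules skip the password prompt. The audit below is an added example, not code from the original post; the function name `audit_sudoers` and the sample sudoers content are constructed for illustration.

```python
import re

# Constructed sample sudoers content for illustration (not from a real host).
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=30
root    ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
Defaults:backup !authenticate
#includedir /etc/sudoers.d
"""

TIMEOUT_RE = re.compile(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")

def audit_sudoers(text):
    """Return (line, finding) pairs for settings that weaken sudo re-authentication."""
    findings = []
    timeout_set = False
    # Join backslash-continued lines so each rule is inspected as one entry.
    for raw in text.replace("\\\n", " ").splitlines():
        stripped = raw.strip()
        if re.match(r"[#@]include(dir)?\s", stripped):
            findings.append((stripped, "included path must be audited separately"))
            continue
        # '#' starts a comment unless digits follow it (sudoers uid syntax, e.g. #1000).
        line = re.split(r"#(?!\d)", stripped, maxsplit=1)[0].strip()
        if not line:
            continue
        m = TIMEOUT_RE.search(line)
        if line.startswith("Defaults") and m:
            timeout_set = True
            minutes = float(m.group(1))
            if minutes < 0:
                findings.append((line, "cached credentials never expire"))
            elif minutes > 0:
                findings.append((line, f"credentials cached for {minutes:g} min"))
        if line.startswith("Defaults") and "!authenticate" in line:
            findings.append((line, "authentication disabled"))
        if re.search(r"\bNOPASSWD\s*:", line):
            findings.append((line, "rule runs without a password"))
    if not timeout_set:
        findings.append(("(no timestamp_timeout)", "build default cache window applies"))
    return findings

if __name__ == "__main__":
    for line, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{finding}: {line}")
```

Setting `timestamp_timeout=0` makes sudo prompt for a password on every invocation, which is why that value produces no finding.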
Protecting against the techniques your attackers use
Each of these four techniques can be mitigated with the right approach to your privileged security and the right technology.
But it only takes a single oversight to leave your data and your business exposed.
In our next blog, we’ll look at what you can do to reduce your risk – and what’s wrong with your existing approach.