A privileged account attack is a cyberattack in which an adversary gains unauthorized control of an account with elevated rights and then uses it to move past perimeter defences and reach critical systems and data. Escalating privileges inside a protected network is hard to pull off, but when it succeeds the consequences for the organization are severe.
Deploying Privileged Access Management (PAM) goes a long way towards protecting an organization's systems against such attacks. However, PAM by itself is not always enough for a large organization. The following overview explains the problem and how to defend against it effectively.
Privileged Account Attacks – An Overview
An attacker begins privilege escalation by probing the environment for weaknesses: misconfigurations, unpatched software, weak credentials or over-privileged accounts. They rarely obtain the level of access they want on the first attempt and typically chain several techniques to get there.
Privilege escalation takes one of two forms:
- Horizontal Privilege Escalation: The attacker takes over another account at the same privilege level, for example by stealing or guessing that user's credentials, and then abuses the permissions that were legitimately granted to that user. Horizontal escalation is the basis of lateral movement: each compromised account gives the attacker a foothold on further systems.
- Vertical Privilege Escalation: Unlike the horizontal method, vertical escalation is about obtaining more permissions than the current account has. For instance, an attacker who controls a standard user account on a workstation exploits a flaw or misconfiguration to obtain local administrator or SYSTEM rights, and from there works towards domain-level privileges.
To foil these attempts, you need to keep a close watch on the state of your network environment: who holds which privileges, and how those privileges are granted and used.
Privileged Account Attacks – Techniques and Mitigation Procedures
Several privilege escalation techniques target Windows specifically. The two below are common; each comes with countermeasures.
- Access Token Manipulation
Windows uses access tokens to represent the security context of a process or thread: which user it runs as, which groups that user belongs to and which privileges it holds. When a process tries to perform an operation that requires a privilege, the system checks the token attached to that process, not the person sitting at the keyboard.
Access token manipulation tricks the system into running an attacker's code under someone else's security context. Common variants are duplicating the token of an existing process that runs as a more privileged user (token theft), starting a new process with such a stolen token, and creating a fresh token by logging on with a captured username and password. An attacker who already holds rights such as SeDebugPrivilege or SeImpersonatePrivilege can perform these steps with documented Windows APIs (DuplicateTokenEx, ImpersonateLoggedOnUser, CreateProcessWithTokenW, LogonUser).
What to do?
Access tokens cannot be turned off; they are how Windows authorizes every operation. The mitigation is therefore to limit who can create, duplicate and assign tokens: restrict the SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeImpersonatePrivilege and SeDebugPrivilege user rights to the built-in service identities and the accounts that genuinely need them, keep the number of administrative accounts small, review those accounts regularly and remove the ones that are no longer required.
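A way to carry out that review on a single host, as an added example that is not part of the original article: the script exports the effective local security policy with `secedit`, resolves the SIDs that hold the token-related user rights, and lists the members of the local Administrators group. The user right names and the `*SID` format of the export are standard Windows; which rights to flag is this example's own choice.

```powershell
# Added example (not from the original article): enumerate which principals hold the
# user rights that make access-token theft and impersonation possible, and list the
# members of the local Administrators group. Run from an elevated PowerShell prompt.
$tokenRights = @(
    'SeImpersonatePrivilege',        # impersonate a client after authentication
    'SeAssignPrimaryTokenPrivilege', # replace a process-level token
    'SeCreateTokenPrivilege',        # create a token object
    'SeDebugPrivilege',              # open any process, and therefore its token
    'SeTcbPrivilege'                 # act as part of the operating system
)

# Export the effective local security policy. Its [Privilege Rights] section lists
# each right as "SeXxxPrivilege = *S-1-5-...,*S-1-5-..." (SIDs prefixed with '*').
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfg /quiet | Out-Null
$lines = Get-Content -Path $cfg
Remove-Item -Path $cfg -Force

function Resolve-Sid {
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid   # unresolvable (deleted account, unreachable domain): keep the raw SID
    }
}

$report = foreach ($right in $tokenRights) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Trim() -split ',' |
            ForEach-Object { Resolve-Sid ($_.Trim().TrimStart('*')) }
    }
    [pscustomobject]@{ Right = $right; Holders = ($holders -join '; ') }
}
$report | Format-Table -AutoSize -Wrap

# Accounts that hold every one of these rights indirectly through local Administrators.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# Review outcome: anything beyond the built-in service identities (LOCAL SERVICE,
# NETWORK SERVICE, the Administrators group and, on web servers, IIS_IUSRS) holding
# SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege needs a justification.
# Removal is done through Group Policy or "secedit /configure", not shown here.
```

Run it on a domain-joined server and compare the output against the Group Policy baseline; a service account that was granted SeImpersonatePrivilege "temporarily" during an installation is the typical finding.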
- Bypass User Access Control
User Account Control (UAC) in Windows separates administrators from standard users. Even when an administrator is logged on, applications run with standard user permissions unless the administrator explicitly approves an elevation. However, if UAC is set below its highest level, certain signed Microsoft binaries are allowed to auto-elevate without a prompt, and malware running as the logged-on user can abuse those binaries to obtain administrative rights silently.
What to do?
To mitigate this, set UAC to its highest level ("Always notify"), review the system regularly, and remove administrative rights from users who no longer need them, including accounts belonging to people who have left the organization.
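The check and the clean-up described above, as an added example that is not part of the original article: the script reads the UAC policy values from the registry, maps them onto the four slider levels, and lists local administrators with their last logon so stale admin rights can be removed. The registry values and their meanings are the documented Windows settings; the 90-day staleness threshold and the placeholder account name are this example's assumptions.

```powershell
# Added example (not from the original article): report the effective UAC level and
# flag local Administrators members that look stale. Run from an elevated prompt.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $uacKey

function Get-UacLevel {
    param([int]$EnableLua, [int]$ConsentAdmin, [int]$SecureDesktop)
    if ($EnableLua -ne 1) { return 'UAC disabled (EnableLUA=0)' }
    # ConsentPromptBehaviorAdmin / PromptOnSecureDesktop pairs behind the UAC slider
    switch ("$ConsentAdmin/$SecureDesktop") {
        '2/1'   { 'Always notify (highest)' }
        '5/1'   { 'Notify only when programs try to make changes (default)' }
        '5/0'   { 'Notify, but do not dim the desktop' }
        '0/0'   { 'Never notify' }
        default { "Custom (ConsentPromptBehaviorAdmin=$ConsentAdmin, PromptOnSecureDesktop=$SecureDesktop)" }
    }
}

$level = Get-UacLevel -EnableLua $p.EnableLUA `
                      -ConsentAdmin $p.ConsentPromptBehaviorAdmin `
                      -SecureDesktop $p.PromptOnSecureDesktop
"UAC level: $level"

# Raise UAC to the highest level (takes effect at the next logon). Uncomment to apply.
# Set-ItemProperty -Path $uacKey -Name EnableLUA -Value 1
# Set-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorAdmin -Value 2
# Set-ItemProperty -Path $uacKey -Name PromptOnSecureDesktop -Value 1

# Review admin rights: disabled local accounts, or accounts with no logon in 90 days
# (threshold assumed for this example), are candidates for removal.
$stale = (Get-Date).AddDays(-90)
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $m = $_
    $u = $null
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
        $u = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
    }
    $enabled   = if ($u) { $u.Enabled }   else { 'n/a' }   # domain members: check in AD
    $lastLogon = if ($u) { $u.LastLogon } else { 'n/a' }
    $flag = ''
    if ($u -and (-not $u.Enabled -or -not $u.LastLogon -or $u.LastLogon -lt $stale)) {
        $flag = 'REVIEW'
    }
    [pscustomobject]@{
        Member = $m.Name; Source = $m.PrincipalSource
        Enabled = $enabled; LastLogon = $lastLogon; Flag = $flag
    }
} | Format-Table -AutoSize

# After review, drop a member (placeholder name, not a real account):
# Remove-LocalGroupMember -Group 'Administrators' -Member 'DOMAIN\former.employee'
```

Domain accounts show `n/a` for the enabled and last-logon columns because `Get-LocalUser` only knows local accounts; for those, run the same review against Active Directory.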
Why Should You Use PAM?
If used properly, PAM could be the ideal solution for privileged account attacks. Here’s why.
- PAM stores all privileged credentials in an encrypted vault. Instead of knowing a password, users check it out from the vault, and the vault can rotate the password automatically after each use or on a schedule. A password that changes every day, or after every session, is of little use to an attacker who captured it earlier.
- PAM lets you define the rotation policy: passwords can be changed manually, on a fixed schedule or automatically at the end of every session. In practice this means a user receives a fresh credential each time they check one out, and that credential is invalidated when the session ends.
- A PAM system records every credential request and privileged session and produces reports on daily activity, compliance, managed assets and assigned privileges, which simplifies auditing of the IT system.
- If third parties maintain parts of your infrastructure, PAM brokers their access: vendors connect through the PAM system and never learn the underlying domain credentials, and their sessions are monitored and recorded.
- PAM can detect several users trying to use the same privileged account at once, alert you, and isolate or terminate the sessions involved. This makes it easier to identify who is behind a session before it ends.
Privileged account attacks have gained prominence in recent years. Organizations should invest in a PAM system and integrate it into their environment. For those that cannot yet fund PAM, the mitigation steps above help protect data assets until a more comprehensive solution has been adopted.