Why should you even bother with privilege escalation? There are so many other things to worry about when running an enterprise infrastructure, right?
ANY serious attack on your network will take advantage of privilege escalation at some point to meet its main objective, whether that is deployment of ransomware, data theft, or disruption of services and business operations. Therefore, the harder you make it to perform privilege escalation, the harder it will be for attackers to reach their final goal.
Penetrating your first line of defense is only the beginning of the attack. The first system that is compromised rarely provides the credentials needed to launch the real attack. It serves merely as a platform for further escalation of privileges. The attacker needs a high level of access to perform a successful deployment of ransomware, to steal or destroy data for the competition or whatever the agenda might be.
And keep in mind: The potential attacker may already be on the inside of your network in the form of a disgruntled employee or a corrupt external consultant. You always need to pay attention to privilege escalation.
Consider the following scenario:
- The attacker compromises a flawed web server and gains (local) System credentials.
- The web server is running a process with rights on the database server. The attacker performs privilege escalation using the System credentials to gain access to the database server.
- The attacker eventually finds a process running as a database manager (this may be days after step 1 was performed). The attacker once again performs privilege escalation and uses the database manager credentials to connect to a shared management server.
- From here it is just a matter of waiting until an admin starts a process with full access to the domain/Active Directory. This is the final escalation needed.
- Once full access to Active Directory is obtained, it's open season. The attacker can create whatever credentials are needed and access all resources of the company, be it files, email or applications.
The above example illustrates how a simple DMZ web server compromise is used merely as a starting point to launch an enterprise-wide attack that may very well end up costing millions of dollars in direct and indirect costs.
Of course you need to secure your systems from the initial attack. But you definitely also need to consider the privilege escalation paths inherent in your infrastructure design and try to minimize your attack surface. No matter where the attack starts, a path of privilege escalation is always needed by the attacker.
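Every step in the scenario above depends on the same design flaw: a credential of a more privileged layer being exposed on a host of a less privileged layer (a database account on the web server, a domain admin logging on to the shared management server). The following is an added example, not code from the original post, that checks constructed logon records against a hypothetical admin-tiering model (Tier 0 = domain controllers and AD admins, Tier 1 = member servers and their accounts, Tier 2 = DMZ/web hosts) and flags each logon that would hand an attacker the next rung of the ladder. The host names, account names, tier assignments and log lines are all constructed; the logon type numbers follow Windows conventions, where network logons (type 3) do not leave reusable credential material on the target by default, while interactive, batch, service and remote interactive logons do.

```python
"""Admin-tiering exposure check (added example; hosts, accounts and log lines are constructed)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Hypothetical tier model. Lower number = more privileged.
# Tier 0: domain controllers and AD admins; Tier 1: member servers and the
# accounts that administer them; Tier 2: DMZ/web hosts and workstations.
HOST_TIER = {"dc01": 0, "mgmt01": 1, "db01": 1, "web01": 2}
ACCOUNT_TIER = {"domain-admin": 0, "db-manager": 1, "db-reader": 1, "websvc": 2}

# Windows logon types that leave reusable credential material on the target:
# 2 interactive, 4 batch, 5 service, 10 remote interactive (RDP).
# Type 3 (network) does not by default, so it is not counted as exposure.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 10}


@dataclass(frozen=True)
class LogonRecord:
    host: str
    account: str
    logon_type: int


@dataclass(frozen=True)
class Finding:
    host: str
    account: str
    account_tier: int
    host_tier: int


def parse_record(line: str) -> Optional[LogonRecord]:
    """Parse a constructed 'host=<h> account=<a> type=<n>' line; None if malformed."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, _, value = token.partition("=")
        fields[key] = value
    try:
        return LogonRecord(fields["host"], fields["account"], int(fields["type"]))
    except (KeyError, ValueError):
        return None


def check_record(rec: LogonRecord) -> Optional[Finding]:
    """Flag a logon that exposes a higher-tier credential on a lower-tier host."""
    if rec.logon_type not in CREDENTIAL_EXPOSING_LOGON_TYPES:
        return None
    host_tier = HOST_TIER.get(rec.host)
    account_tier = ACCOUNT_TIER.get(rec.account)
    if host_tier is None or account_tier is None:
        # Unknown host or account: no verdict. A stricter policy could flag these too.
        return None
    if account_tier < host_tier:
        return Finding(rec.host, rec.account, account_tier, host_tier)
    return None


def find_exposures(lines: Iterable[str]) -> list[Finding]:
    """Run the tiering check over log lines, skipping lines that do not parse."""
    findings: list[Finding] = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        finding = check_record(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log mirroring the scenario: a DB account running as a
# service on the web server, and a domain admin using RDP on the management server.
SAMPLE_LOG = """\
host=web01 account=websvc type=5
host=web01 account=db-reader type=5
host=db01 account=db-manager type=2
host=mgmt01 account=db-manager type=10
host=mgmt01 account=domain-admin type=3
host=mgmt01 account=domain-admin type=10
this line is garbage
""".splitlines()

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_LOG):
        print(f"tier-{f.account_tier} account {f.account} exposed on tier-{f.host_tier} host {f.host}")
```

On the sample log the check reports two exposures: `db-reader` (Tier 1) running as a service on `web01` (Tier 2), which is what lets the compromised web server reach the database, and `domain-admin` (Tier 0) logged on via RDP to `mgmt01` (Tier 1), which is the final rung in the scenario. The same admin's network logon to `mgmt01` is not flagged, and `db-manager` on the same-tier `mgmt01` is not a tier violation. Wiring real logon events (for example Windows event 4624 fields) into `parse_record` and reviewing the resulting findings gives a concrete list of escalation paths to remove from the design.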
It’s not a matter of “if” but “when” your business will come under attack from hackers. Make sure the impact stays minimal and don’t privilege escalate into an APESHIT catastrophe putting you out of a job and your company out of business.