Insider Threats are Increasingly Using Privilege Escalation Exploits

Product Minting

A report published in late 2023 described how insiders were increasingly using privilege escalation exploits in order to carry out unauthorized actions on their organizations’ networks.

According to the report from CrowdStrike, 55% of identified insider threats used or attempted to use privilege escalation exploits. In cases where the insider was malicious, they were observed using their elevated privileges to deploy additional toolkits like Metasploit, Cobalt Strike, and other tools meant for exploiting systems.

It is worth noting that the research was focused on on-prem systems and probably did not include data collected from abuse of cloud applications.

Perusing their report, the vast majority of the hits are on Windows and Linux systems. That said, within the given parameters, these are still some significant findings that security teams should pay attention to as we navigate 2024. They may indicate that insider threats are finding new, innovative ways to attack core systems while circumventing important controls.

Why Does Privilege Escalation Matter?

If we do our jobs right, then we put controls in place defining what our people are able to do in terms of which systems or assets they can access. Diving a step deeper, we can control not only what can be accessed, but what someone can do with that asset.

Can they read, write, edit, or delete an asset? Can they change privileges for themselves or others? The rabbit hole of privileges can spiral pretty far, but it can be really important for your data security.

In the ideal world, every user has exactly the minimal level of access and privilege that they need to do their job. This is known as the Principle of Least Privilege. It is almost impossible to be perfect at getting this exactly right, but it is the goal to aim for.

Where it gets tricky is when a user finds ways to escalate their privileges from what they have been provisioned.

If they are successful, then they have broken out of the defined borders of what they are supposed to be able to do with our systems. We lose a level of control, and in the case of the insider threat actor, we face a difficult opponent who has deep knowledge of our assets and how to find them.
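The privilege boundary described above can be made concrete with a small authorization model. The following is an added example written for this article, not code from the report or from any product; the users, resources and actions are constructed, and a real system would back this with an IAM/RBAC service and an audit log sink. It shows the two checks that keep a user inside the border they were provisioned with: only someone allowed to administer a resource may change privileges on it, and nobody may grant a right they do not hold themselves. Every attempt, denied or not, lands in an audit trail so that self-escalation attempts are visible afterwards.

```python
"""Added example (not from the article): a toy least-privilege authorization model.

Names of users, resources and actions below are constructed for illustration;
a production system would back this with an IAM/RBAC service and an audit log sink.
"""
from dataclasses import dataclass, field

# "admin" is the right to change privileges on a resource; the others are data rights.
ACTIONS = {"read", "write", "edit", "delete", "admin"}


@dataclass
class Policy:
    # grants[user][resource] -> set of actions that user may perform on that resource
    grants: dict = field(default_factory=dict)
    # audit trail of every grant attempt, denied or not
    audit: list = field(default_factory=list)

    def allowed(self, user, action, resource):
        """True if the user currently holds `action` on `resource`."""
        return action in self.grants.get(user, {}).get(resource, set())

    def grant(self, grantor, grantee, action, resource):
        """Add a right for grantee, but only within what grantor already holds.

        Two checks keep a user inside their provisioned border:
        1. the grantor must hold "admin" on the resource (may change privileges);
        2. the grantor must hold the right being granted (cannot hand out more than they have).
        """
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if not self.allowed(grantor, "admin", resource):
            self.audit.append(("DENY", grantor, grantee, action, resource,
                               "grantor cannot administer resource"))
            return False
        if not self.allowed(grantor, action, resource):
            self.audit.append(("DENY", grantor, grantee, action, resource,
                               "grantor does not hold right"))
            return False
        self.grants.setdefault(grantee, {}).setdefault(resource, set()).add(action)
        self.audit.append(("GRANT", grantor, grantee, action, resource, "ok"))
        return True


def escalation_attempts(policy):
    """Denied grants where the grantor tried to raise their own privileges."""
    return [e for e in policy.audit if e[0] == "DENY" and e[1] == e[2]]


def build_demo():
    """Constructed scenario: an analyst with read access and a DBA who cannot delete."""
    p = Policy()
    p.grants["analyst"] = {"hr-db": {"read"}}
    p.grants["dba"] = {"hr-db": {"read", "write", "admin"}}
    p.grant("analyst", "analyst", "delete", "hr-db")   # self-escalation: denied, no admin right
    p.grant("dba", "analyst", "delete", "hr-db")       # denied: dba does not hold delete
    p.grant("dba", "analyst", "write", "hr-db")        # allowed: within dba's own rights
    return p


if __name__ == "__main__":
    demo = build_demo()
    for entry in demo.audit:
        print(entry)
    print("self-escalation attempts:", escalation_attempts(demo))
```

The second check is the one most often missing in home-grown permission code: an administrator role is frequently allowed to grant anything, which means compromising one administrative account yields every right in the system rather than only the rights that account legitimately holds.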

Challenges Posed By Insider Threats

Insider incidents have been steadily increasing over the past several years, and this trend is not expected to change in 2024. This is exceedingly concerning because insider threats in many ways pose far more difficulties than an external attacker.

Beyond their negative impacts on an organization, undermining trust from customers, partners, and internal stakeholders, they can be downright difficult to detect.

One of the challenges with an insider threat is that this user starts the game off with a set of privileges that allow them a foothold within the organization. On the face of it, this makes sense. If the person is an employee, then you need to give them the ability to do their job. This means accessing the appropriate systems and data to be an effective employee.

The second challenge is that the employee’s movement within the organization’s systems will be viewed as normal and is unlikely to set off any warning bells unless they stray too far off the reservation. In practical terms, the chances are pretty low that the insider will touch one of your honeypots because they already know exactly what they want to access and where it is located.

So given some of these challenges, we have here below a couple of tips for countering the privilege escalation threat from your insiders.

3 Strategies for Reducing Your Risk from Insider Threats Escalating Privileges

  1. Patch, Patch, and Be Sure to Patch Early and Often

One of the longest standing pieces of advice when it comes to cyber security, even predating implementing multi-factor authentication (MFA), is the criticality of patching your software systems.

While zero day vulnerabilities like those used to damage Iranian nuclear facilities or hack iPhones may get all of the press, most hackers use known vulnerabilities that are released to the public for carrying out their attacks successfully.

Hackers come across these vulnerabilities usually in one of two ways. First is that they are able to look at the publicly available vulnerabilities (CVEs) that are published by the MITRE Corporation for the benefit of the public. Second, and more annoyingly, they can look at software updates and try to figure out what has been fixed, and then see how to exploit it. For these reasons and more, be sure to patch soon after the new versions become available.

As part of the vulnerability reporting and publishing process, companies who own the software, or in the case of open source software the project managers, are usually given a period of 90 days to fix the problems in their products before the information becomes public. This balances between the need to push these software owners to action with the space they need to develop a fix for the bug.

However, all of their hard work goes to naught if we do not use the patches that they issue. This means implementing the patches for CVEs, going through the necessities of Patch Tuesday, and generally making sure that our systems are up to date with the latest versions.

Patching can be a huge pain, and no organization is really where it should be on it; most are always a few steps behind, hoping that they have at least patched their most critical systems.

The hope is that the move to the cloud will remove the responsibility for patching from the end users and push more of it over to the vendors providing the SaaS solutions. Note however that this is not the case when it comes to cloud infrastructure (IaaS) like AWS, Azure, and GCP, so your IT and Security teams will still need to be up and running to stay current on these systems for some time to come.
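One practical way to keep the "patch early and often" advice honest is to measure patch lag against an internal deadline. The script below is an added example for this article, not the report's or any vendor's tooling; the package names, versions, advisory dates and the 30-day SLA are all constructed, and a real check would read the inventory from a CMDB or endpoint agent and the fixed versions from the vendor's or distribution's advisory feed. It also shows a pitfall that bites many quick scripts: versions must be compared numerically, because as strings "1.9" sorts after "1.10".

```python
"""Added example (not from the article): a patch-lag check over a constructed inventory.

Package names, versions, advisory dates and the 30-day SLA below are all made up;
real checks would read from a CMDB/agent inventory and the vendor's or distro's advisory feed.
"""
from datetime import date

PATCH_SLA_DAYS = 30  # hypothetical internal policy: fixes applied within 30 days of release

# Constructed advisories: package -> (first fixed version, date the fix was published)
ADVISORIES = {
    "example-agent": ("1.10.0", date(2023, 12, 1)),
    "example-web": ("4.2.3", date(2024, 1, 5)),
}

# Constructed host inventory: host -> {package: installed version}
INVENTORY = {
    "hr-db": {"example-agent": "1.9.2", "example-web": "4.2.3"},
    "build-srv": {"example-agent": "1.10.0", "example-web": "4.1.0"},
    "laptop-07": {"example-agent": "1.8.0"},
}


def parse_version(v):
    """Split a dotted version into integers so that 1.9 < 1.10 (string comparison gets this wrong)."""
    return tuple(int(part) for part in v.split("."))


def needs_patch(installed, fixed):
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed)


def overdue_hosts(inventory, advisories, today, sla_days=PATCH_SLA_DAYS):
    """Return (host, package, installed, fixed, days_overdue) for every missing fix.

    days_overdue is negative while the host is still inside the SLA window;
    results are sorted with the most overdue first.
    """
    findings = []
    for host, packages in inventory.items():
        for pkg, installed in packages.items():
            if pkg not in advisories:
                continue
            fixed, published = advisories[pkg]
            if needs_patch(installed, fixed):
                days_overdue = (today - published).days - sla_days
                findings.append((host, pkg, installed, fixed, days_overdue))
    return sorted(findings, key=lambda f: f[4], reverse=True)


if __name__ == "__main__":
    for host, pkg, installed, fixed, overdue in overdue_hosts(INVENTORY, ADVISORIES, date(2024, 1, 15)):
        state = f"{overdue} days past SLA" if overdue > 0 else f"{-overdue} days left"
        print(f"{host}: {pkg} {installed} -> {fixed} ({state})")
```

Run against a real inventory, the sorted output is the work queue: the hosts at the top are the ones an insider with a foothold would find easiest to escalate on, so they are also the ones to patch first.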

  2. Monitor for Anomalous Behavior

If an insider, or someone pretending to be one, manages to escalate their privileges to access different systems than they normally would, this should set off major flags, provided, of course, that you have the monitoring in place to catch it.

Capturing a baseline of normal activity with User Behavior Analytics tools is a must for figuring out when suspicious behavior is afoot.

The advantage here is that your monitoring of behavior runs in the background and is not going to be impacted by illicit changes to the insider's privileges. The systems they touch or other actions that they take are going to be picked up, logged, and alerted upon if they stray from the confines of what you have defined as normal for them.

Beyond the alerting feature, the other benefit of monitoring your environments is for use in investigations after an incident. One of the biggest challenges in incident response is understanding which systems were impacted and might need remediation. Having session recording of activity in sensitive systems tied to a specific user can cut the time spent on investigations significantly.
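The baseline-and-alert idea above, plus the investigation use case, can be sketched in a few dozen lines. This is an added example written for this article, not code from the report or from any UBA product; the access log lines, host names and the one-week baseline window are constructed, and a real deployment would learn the baseline over weeks from an access log or session-recording system. The baseline records which hosts each user touches and which actions they perform; an event after the cutoff raises an alert if it hits a host or a privileged action that user has never used before, which is exactly what a freshly escalated account looks like. A second function answers the incident-response question of which hosts a given user touched after a point in time.

```python
"""Added example (not from the article): a minimal user-behaviour baseline and anomaly check.

The log lines are constructed for illustration; real deployments would pull them from
an access log or session-recording system, and the baseline window would be weeks, not days.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed access log. Format: timestamp user host action
SAMPLE_LOG = """\
2024-01-02T09:01:00Z alice hr-db read
2024-01-02T09:05:00Z alice hr-db read
2024-01-03T10:11:00Z alice hr-db write
2024-01-03T11:00:00Z bob build-srv read
2024-01-04T08:30:00Z bob build-srv write
2024-01-09T14:02:00Z alice hr-db read
2024-01-09T14:20:00Z alice hr-db sudo
2024-01-09T14:25:00Z alice payroll-db read
2024-01-10T09:00:00Z bob build-srv read
"""

# Events before this point form the baseline; events after it are evaluated against it.
CUTOFF = datetime(2024, 1, 8, tzinfo=timezone.utc)

# Actions that change privileges rather than data; always worth a look when new for a user.
PRIVILEGED_ACTIONS = {"sudo", "grant", "admin"}


def parse_log(text):
    """Turn the constructed log into (timestamp, user, host, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host, action = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, host, action))
    return events


def build_baseline(events, cutoff):
    """Per user: the hosts touched and the actions performed before `cutoff`."""
    hosts = defaultdict(set)
    actions = defaultdict(set)
    for ts, user, host, action in events:
        if ts < cutoff:
            hosts[user].add(host)
            actions[user].add(action)
    return hosts, actions


def detect(events, cutoff):
    """Alert on events at or after `cutoff` that fall outside the user's own baseline."""
    hosts, actions = build_baseline(events, cutoff)
    alerts = []
    for ts, user, host, action in events:
        if ts < cutoff:
            continue
        if host not in hosts[user]:
            alerts.append((ts, user, f"new host {host}"))
        if action in PRIVILEGED_ACTIONS and action not in actions[user]:
            alerts.append((ts, user, f"new privileged action {action} on {host}"))
    return alerts


def hosts_touched(events, user, since):
    """Incident-response scoping: which hosts did `user` touch from `since` onward?"""
    return sorted({host for ts, u, host, _ in events if u == user and ts >= since})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ts, user, reason in detect(events, CUTOFF):
        print(f"ALERT {ts.isoformat()} {user}: {reason}")
    print("alice touched since cutoff:", hosts_touched(events, "alice", CUTOFF))
```

Note that the detection never needs to know what privileges the user currently holds: it keys off what they do, so a privilege change that bypassed the provisioning process still surfaces as a new host or a new privileged action.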

  3. Educate Your Workforce About Following the Rules

Facebook’s Mark Zuckerberg popularized the idea of “Move fast and break things” as part of the startup ethos that drove companies to success. While breaking out of a stodgy corporate mindset can do a lot of good when it comes to innovation, there are some benefits to staying within at least some of the guidelines.

Company policies about what kinds of software can be downloaded to the business’ machines and the processes for approval are there for a reason, even if a given policy seems like more of a hindrance than something that makes a whole lot of sense.

The best way to get your people to follow your rules is less about sticks and more about getting them on board by explaining to them what the potential impact of rule breaking can lead to.

Ideally, avoid death by PowerPoint and make the sessions a little more interactive. One method that has proven to be more effective is to assign different cases of policies being broken to small groups and have each group present to the others how it played out.

This is also the same methodology used in the military for teaching life-and-death safety material, and it really sticks in your memory.

Unintentionally Reckless But Not Malicious

Reading through the report, the news here is and is not as bad as it may seem.

The authors note that 45% of the incidents do not appear to be caused by malicious insiders who intend to be threats. Some of the incidents involve insiders breaking the rules so that they can download software onto the organization’s machines that they are not supposed to, but for reasons other than harming their employer.

Think about employees skirting around controls so that they can download torrents or other illicit software onto their work machines.

Perhaps one of the greatest stories like this is the oldie and always goodie about the workers at a Ukrainian nuclear power plant who connected their intentionally offline systems to the internet for the purpose of mining cryptocurrency. This was before the outbreak of the war, but well into the campaign by Russian hackers targeting Ukrainian critical infrastructure, so it was still an exceptionally bad idea.

On the other hand, just because someone does not intend to cause harm does not mean that there is no foul. According to the Verizon Data Breach Investigations Report for 2023, Miscellaneous Errors continue to comprise a significant chunk of the annual data breach statistics. And when it comes to regulators investigating companies for exposing controlled data like customer PII, they do not much care if the action was malicious or not. Just that it happened.

Hopefully by following best practices and educating your team, you can avoid having to explain a bad incident off as a moment of bad judgment versus an act of bad faith altogether.
