As organizations rely more on remote work capabilities and larger cloud systems, their vulnerability to cyberattacks increases. Privilege escalation attacks are a prevalent and complex threat, and any network can become a target.

Organizations need multiple defense strategies when any asset can become an entry point for intruders. Understanding the privilege escalation process is an important first step toward prevention and defense against extensive network attacks.

What Is Privilege Escalation?

A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system. Attackers exploit human behaviors, design flaws or oversights in operating systems or web applications. This is closely related to lateral movement — tactics by which a cyberattacker moves deeper into a network in search of high-value assets.

The result is an internal or external user with unauthorized system privileges. Depending on the extent of the breach, bad actors can do minor or major damage. This might be a simple unauthorized email or a ransomware attack on vast amounts of data. Left undetected, attacks can result in advanced persistent threats (APTs) to operating systems.

Expert Tip

You might wonder who should know about privilege escalation. The answer is: everyone! Any user with a login, no matter how basic, may become the initial victim. Catastrophic attacks can start with gaining valid credentials of any kind, so any compromised account is a problem for the whole network.

How Privilege Escalation Works

Adversaries usually perform privilege escalation starting with a social engineering technique that relies on manipulation of human behavior. The most basic is phishing — electronic communications that contain harmful links. Once an attacker compromises an individual’s account, the entire network is exposed.

Attackers search for weak spots in organizational defenses that allow initial entry or basic privileges through credential theft. As explained in more detail below, exploiting such vulnerabilities enables further elevated privilege. Effective strategy must therefore combine techniques for prevention, detection and swift action.

Privilege Escalation Techniques

A privilege escalation technique can be executed locally or remotely. Local privilege escalation begins onsite, often by someone inside the organization. Remote escalation can begin from almost anywhere. For a determined attacker, either approach can be effective.

What Are the Main Types of Privilege Escalation?

Attacks are grouped into two primary types:

With horizontal privilege escalation (or account takeover), an attacker gains privileged access to a standard user account with lower-level privileges. The intruder might steal an employee’s username and password, gaining access to email, files and any web applications or subnetworks to which they belong. Having obtained this foothold, the attacker can move horizontally through the network, expanding their sphere of privileged access among similarly privileged accounts.

Vertical privilege escalation (or privilege elevation) begins similarly, with an attacker using a foothold to try to escalate vertically, gaining access to accounts with higher privilege. For example, they might target accounts with administrator privileges or root access permissions, such as an IT helpdesk worker or a system administrator. A privileged account can be used to invade other accounts.

Differences Between Vertical and Horizontal Privilege Escalation

In short, horizontal privilege escalation involves gaining access to accounts with privileges similar to the original account’s. By contrast, vertical privilege escalation involves gaining access to accounts with more privileges and permissions. An attacker might begin with a standard user account and use it to compromise higher-level accounts with admin privileges.

The more privileges an account has, the more immediate damage a malicious actor can do. An IT helpdesk account can harm standard user accounts and can itself become a point of vertical escalation. Horizontal attacks are nevertheless also dangerous because the risk to a network escalates with the number of compromised accounts. Every point of vulnerability is an opening for attackers to delve deeper into the system, so both horizontal and vertical attacks must be addressed with speed.

More Types of Privilege Escalation Techniques

Cyberattackers are constantly developing new ways to break into accounts and compromise systems, but phishing remains predominant. Attackers design these deceptive messages, whether broad and scattershot or carefully targeted, to trick users into sharing credentials, downloading malware or exposing networks to unauthorized use.

Other kinds of social engineering attacks include the following:

  • Cybersquatting or typosquatting: Hijacking a URL or creating a false URL to entice clicks. Attackers might employ a false top-level domain (e.g., Sample.co, .cm or .org instead of .com) or subtly misspell a name (e.g., Sampe.com, Sarnple.com or Samp1e.com).
  • Password exposure: Sometimes users expose their passwords voluntarily, sharing them with friends or coworkers. More often they do so unwittingly. They might keep passwords written down somewhere obvious in their workspaces or have passwords that are easy to guess.
  • Security question exposure: It’s not unusual for users to forget passwords. When they do, they often must answer security questions to create new passwords. Thanks to social media, the answers to security questions are easier than ever to discover. (Beware the viral quizzes or posts asking for the “Top 5 Things No One Knows about You.”)
  • Vishing, or “voice phishing”: Attackers might call an employee and impersonate an authority figure, tricking the employee into providing privileged information or installing malware.

Adversaries may also use techniques that rely on technological help. Brute force attacks and credential dumping are most common, but many others exist:

  • Brute force attacks: These involve systematic automated guessing of passwords and can be especially effective in systems with insufficient password requirements.
  • Credential dumping: In these attacks, attackers gain illegal access to a network and steal multiple credentials all at once.
  • Shoulder surfing: This involves stealing an individual’s credentials through an insecure network or by hacking into an individual’s devices.
  • Dictionary attacks: In this type of attack, bad actors combine common words into possible passwords based on a network’s password length and requirements.
  • Password spraying: This type of attack utilizes automated attempts to gain access to many accounts at once using a few common passwords (e.g., “password,” “qwerty,” “123456” and the like).
  • Credential stuffing: Here, attackers try to use credentials from one system on a different system. This works because so many people reuse passwords across multiple networks.
  • Pass the hash or rainbow table attacks: This attack type targets the hashed (scrambled) form in which passwords are stored rather than the plaintext password itself.
  • Password changes and resets: Sophisticated attackers can find ways to exploit the process of setting new passwords. They can even request new passwords themselves if they know answers to security questions.
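As an added example (not code from the original article), the following Python detector separates the brute force and password spraying patterns described above by counting failed logons per source and per account. The log format and the sample lines are constructed for the example; thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Constructed sample of logon records (not real data), one event per line in an
# assumed simplified "timestamp RESULT user=... src=..." format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice src=10.0.0.5
2024-05-01T10:00:02Z FAIL user=alice src=10.0.0.5
2024-05-01T10:00:03Z FAIL user=alice src=10.0.0.5
2024-05-01T10:00:04Z FAIL user=alice src=10.0.0.5
2024-05-01T10:00:05Z FAIL user=alice src=10.0.0.5
2024-05-01T10:00:06Z FAIL user=alice src=10.0.0.5
2024-05-01T10:05:00Z FAIL user=alice src=198.51.100.7
2024-05-01T10:05:01Z FAIL user=bob src=198.51.100.7
2024-05-01T10:05:02Z FAIL user=carol src=198.51.100.7
2024-05-01T10:05:03Z FAIL user=dave src=198.51.100.7
2024-05-01T10:05:04Z FAIL user=erin src=198.51.100.7
2024-05-01T10:09:00Z FAIL user=frank src=192.0.2.9
2024-05-01T10:09:30Z OK user=frank src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify_sources(events, brute_threshold=5, spray_threshold=5):
    """Label each source as 'brute_force' (many failures against one account),
    'password_spraying' (few failures each across many accounts) or 'normal'."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
    verdicts = {}
    for src, per_user in fails.items():
        total, distinct = sum(per_user.values()), len(per_user)
        if max(per_user.values()) >= brute_threshold:
            verdicts[src] = "brute_force"
        elif distinct >= spray_threshold and total / distinct <= 2:
            verdicts[src] = "password_spraying"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    for src, label in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src:>14}  {label}")
```

A production version would bucket events into time windows and key on more than the source address, since sprays are often spread across many sources to stay under per-IP thresholds.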

Both Windows servers and Linux operating systems are vulnerable to these attacks. Windows privilege escalation often employs token manipulation, user account control (UAC) bypass or DLL (dynamic link library) hijacking. Common Linux privilege escalation attacks include enumeration, kernel exploits and abusing sudo access to gain root privileges. The access provided by stolen credentials is so powerful that attackers are highly motivated to find new ways to escalate Linux privileges.

Privilege Escalation Prevention Strategies

Prevention requires constant, proactive vigilance. Any business with a network can fall victim, since every user presents some degree of vulnerability. This means your prevention strategy must be comprehensive and inclusive, enlisting every user in the system to help secure their shared cyberspace. Where prevention fails, detection measures must also be in place, along with ready plans of action that can be executed quickly to prevent the worst consequences.

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds more than 20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management and product marketing roles.