Tuesday, September 29, 2015

Security+ and Privilege Escalation

Can you define privilege escalation?

More, can you correctly answer this sample CompTIA Security+ question?

Privilege Escalation Sample Question

Your organization was recently attacked and forensic analysts are investigating the attack. They have created the following forensic diagram of the network.

[Network diagram]
Analysts are focused on several specific entries in the database server security log.

Entry #  Keywords        Source                               Event ID  Task Category
1        Audit Success   Microsoft Windows security auditing  4624      Logon
2        Audit Success   Microsoft Windows security auditing  4672      Special Logon
3        Audit Success   Microsoft Windows security auditing  4624      Logon
4        Audit Success   Microsoft Windows security auditing  4624      Logon
5        Audit Success   Microsoft Windows security auditing  4648      Logon
6        Audit Failure   Microsoft Windows security auditing  4673      Sensitive Privilege Use
7        Audit Success   Microsoft Windows security auditing  4673      Sensitive Privilege Use

Assuming the analysts are correct, what is the MOST likely description of this attack?

A. Password attack
B. Pharming attack
C. Privilege escalation attack
D. Phishing attack

Based on the title of the post, I'm betting you know the correct answer is privilege escalation.

However, the actual questions on the Security+ exam aren't labeled so obviously. In order to answer them, you need to know why the correct answer is correct, and why the incorrect answers are incorrect.

More, if you know how to eliminate incorrect answers, you can discover the correct answer even if it's not very familiar to you.

Full answer and explanation available here.

Understanding Privilege Escalation

Privilege escalation occurs when a user or process accesses elevated rights and permissions. When attackers first compromise a system, they often have minimal privileges. However, privilege escalation tactics allow them to get more and more privileges.

For example, imagine hacker Harry is attacking a web server over the Internet. He might only have guest or anonymous access to the system initially, and he can’t do much with this access. He uses different techniques during the attack to gain more and more privileges. If he can escalate his privileges high enough, he will have full administrative or root access to the system.

Malware frequently tries to gain access to elevated privileges through the logged-on user. For example, if a user logs on with administrative privileges, the malware can elevate its privileges through the user account.

Many organizations require administrators to have two accounts. They use one account for regular use and one for administrative use. The only time they would log on with the administrator account is when they are performing administrative work. This reduces the time the administrative account is in use, and reduces the potential for privilege escalation if the user’s system is infected with malware.
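As an added example (not from the original post), the following Python walks a constructed copy of the seven log entries in the sample question above and flags the logon-then-sensitive-privilege-use pattern an analyst would look for. The event IDs are real Windows Security log IDs; the Event class, the function names and the sample entries are my own.

```python
# Added example (not from the original post): flag the event sequence from the
# sample question in a Windows Security log. Event IDs are real Windows IDs;
# the entries themselves are constructed to mirror the question's table.
from dataclasses import dataclass

@dataclass
class Event:
    entry: int
    keywords: str   # "Audit Success" or "Audit Failure"
    event_id: int   # 4624 logon, 4648 explicit-credential logon,
                    # 4672 special privileges assigned, 4673 privileged service called
    category: str

# Constructed copy of the seven entries in the sample question.
SAMPLE_LOG = [
    Event(1, "Audit Success", 4624, "Logon"),
    Event(2, "Audit Success", 4672, "Special Logon"),
    Event(3, "Audit Success", 4624, "Logon"),
    Event(4, "Audit Success", 4624, "Logon"),
    Event(5, "Audit Success", 4648, "Logon"),
    Event(6, "Audit Failure", 4673, "Sensitive Privilege Use"),
    Event(7, "Audit Success", 4673, "Sensitive Privilege Use"),
]

def escalation_indicators(events):
    """Walk the log in order and return (entry, reason) for each entry that
    contributes to a logon-then-elevated-privilege pattern."""
    findings = []
    seen_logon = False
    seen_priv_failure = False
    for ev in events:
        if ev.event_id == 4624:
            seen_logon = True
        elif ev.event_id == 4672:
            findings.append((ev.entry, "special privileges assigned at logon"))
        elif ev.event_id == 4648 and seen_logon:
            findings.append((ev.entry, "logon with explicit credentials after an existing logon"))
        elif ev.event_id == 4673 and ev.keywords == "Audit Failure":
            seen_priv_failure = True
            findings.append((ev.entry, "failed attempt to use a sensitive privilege"))
        elif ev.event_id == 4673 and seen_priv_failure:
            findings.append((ev.entry, "sensitive privilege used successfully after a failure"))
    return findings

def looks_like_privilege_escalation(events):
    """True when a logon is followed by a failed, then a successful, sensitive
    privilege use: the account kept trying until an elevated right worked."""
    reasons = [r for _, r in escalation_indicators(events)]
    return any(r.startswith("failed") for r in reasons) and any("after a failure" in r for r in reasons)
```

By contrast, a password attack would leave a run of failed logon events (ID 4625, not shown in the question's table), which is one way to rule out answer A.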

Privilege Escalation and APTs

An advanced persistent threat (APT) is a group that has both the capability and intent to launch sophisticated and targeted attacks. There is a lot of evidence that they exist and are active, and privilege escalation is a core method of establishing a foothold within a network.

A lot of documentation indicates that many APTs start with a phishing attack. They try to lure unsuspecting users into opening an attachment or clicking a malicious link. The attachment installs malware onto the user's system. Similarly, the malicious link attempts a drive-by download to install malware.

If the phishing attack is successful, the malware establishes a backdoor on the user's system. The attacker then uses this backdoor to perform reconnaissance on the user's system and network by embedding commands in what look like harmless web pages.

Attackers systematically look for and exploit vulnerabilities, gaining more and more privileges on the network. Of course, if a user is logged on as an administrator, this makes it much easier to gain elevated privileges.
