Since the earliest days of technology, hackers and cybersecurity professionals have been locked in a cat-and-mouse game, each inventing more innovative ways of outsmarting the other. In 2024, that resulted in an increasingly complex landscape of privileged threat vectors for organizations to defend against.
This creates a key challenge for security teams. How do you stay safe against these ever-growing threats? To answer that question, we need to first understand exactly what malicious actors are trying to achieve – and what techniques they’re using to do so.
What Are Hackers Trying to Achieve?
On the surface, this might seem like a fairly obvious question. Hackers, one way or another, are trying to gain access to your system. But what’s the big plan? What does success look like?
It’s helpful to take a moment to understand these end goals – because they’re not always the same. Generally, the tactics a hacker uses to enter and pass through your environment will be influenced by the ultimate goal they’re trying to achieve.
Let’s take a look at the main culprits:
- Financial theft or extortion
The majority of hackers are independent actors or groups looking to make financial gain. Some theft in this category also comes from groups linked to hostile nation states, many of which have a track record of cyber-enabled financial theft from Western organizations.
One of the most popular techniques here is extortion, generally through ransomware or denial of service (DoS) attacks. In these situations, the business is compelled to transfer funds to the hacker in the hope of resuming business or regaining access to critical systems.
Hackers can also access funds directly by stealing payment information through tactics like Banking Trojan attacks.
Key tactics: Ransomware, denial of service (DoS), Banking Trojans, credential mining
- Steal sensitive information, data, or intellectual property
This is another common target for hackers. One way or another, they’re trying to get hold of sensitive information. Usually, that involves financial details or personal information of employees and customers. These can then be used to aid a fraud attack or be sold to other hackers on the dark web.
Here, the danger is twofold: beyond the loss of the data itself, if these hackers are successful you will likely incur a significant fine – since organizations have a legal obligation to keep this information secure.
Other less common types of information theft attacks could include hackers trying to get access to trade secrets or other intellectual property. These might be competitors, political activists, or other hackers looking to sell the information.
Key tactics: Phishing, malware, social engineering, SQL injection
- Reconnaissance
This one is slightly different as it’s not an ‘end goal’ in itself. Instead, the objective is to gain the information or access needed to successfully pull off an attack.
Common examples here could include testing defenses, identifying privileged accounts, lateral movement, and much more. Hackers might also use memory scraping tactics here to identify passwords, hashes, and other credentials being stored in active memory.
Hackers often rely on a combination of tactics to elevate their own privileges or evade detection. They might also test the boundaries of your IT environment to find weaknesses before commencing an attack. In this case, tactics like denial of service (DoS) might also be used as a distraction for more sophisticated and lucrative attacks.
Key tactics: Phishing, malware, elevation of privilege, memory scanning, supply chain attacks, denial of service
- Denial of service and other malicious tactics
You can consider this the ‘other’ category. Generally, this is any attack with the goal of disrupting normal business operations. This could include competitors, political activists, hostile nation states, or anyone who just has a grudge.
Generally, they’ll achieve this goal by disrupting normal service and reducing your ability to make money by selling products or delivering services.
Perhaps the most important example here is a denial of service attack, since this generally results in an outage of websites or other critical systems. Malware and ransomware can also be popular strategies here.
Key tactics: Denial of service, malware, ransomware
Elevation of Privilege: What You Need to Know
Before we dive into the most common privilege escalation attack vectors, there’s one other concept it’s helpful to get our heads around: elevation of privilege and its related term, lateral movement. These refer to actions a hacker might take after infiltrating an environment, rather than at the point of access.
- Elevation of privilege – when hackers attempt to gain extra privileges in order to more successfully pull off an attack.
- Lateral movement – Any attempt a hacker makes to explore and move deeper within an IT environment.
Elevation of privilege, therefore, is a type of lateral movement. Within this category, there are two main tactics used:
- Vertical escalation – The most dangerous type of privilege elevation. Here, hackers will attempt to move from one account with limited privileges to another with higher ones. In extreme cases, hackers will attempt to get root or administrator permissions, giving them unlimited access and authority over your IT environment.
- Horizontal escalation – When an attacker moves between multiple accounts with similar privileges. Since organizations often split permissions between different accounts, this can still be a useful way for hackers to accumulate greater access.
These tactics are popular because privileged accounts often have increased protections and monitoring, making them more difficult to target outright. That means it’s often more effective for hackers to access the IT environment through low-security, non-privileged accounts – and then work to elevate their own permissions once that has been achieved.
Privileged Threat Vectors
In order to keep your organization safe from malicious privileged attacks, it’s important to understand what tactics hackers are using to access your IT environment in the first place. This can be more difficult than it might seem on the surface – since hackers often combine different techniques to evade detection and move laterally through the environment. It’s important, therefore, to understand the techniques as well as how they can be combined.
Here are the ten most important privileged threat vectors, and how you can keep your organization safe.
- Malware
If I have malicious intent, one of my biggest goals will be to install malware and make malicious changes to the operating system. That means, from a security perspective, you need to be really careful about who you want to have the right to make these changes. If you can’t make changes, you can’t install malware.
Mikkel Pederson, Head of Global Sales Enablement, Heimdal®
Malware is an umbrella term for a range of infections and viruses that an attacker might try to install on your system. This includes spyware, adware, viruses, ransomware, and more. In almost all situations, elevated privileges are required to install these – which is why privileged accounts are such a risk.
By far the most dangerous example of this is ransomware. If deployed successfully, it can lock down access to critical systems and servers until a ransom payment is made. Even if the organization pays up, there’s no guarantee they’ll regain access.
If ransomware is used, it’s generally the ultimate goal of an attack. But attackers might use any number of other tactics and methods on this list to lay the groundwork and gain the privileges they require to successfully install the ransomware.
Other examples of malware might include surveillance or reconnaissance software. This helps hackers identify weaknesses like unpatched vulnerabilities or passwords stored in active memory.
How to stay safe against malware:
- Install antivirus software and apply software updates regularly.
- Implement least privilege to reduce your attack surface.
- Use continuous monitoring tools to detect suspicious activity.
- Software Vulnerabilities
Exploiting vulnerabilities is one of the most widely used tactics for attackers. Vulnerabilities are coding mistakes that attackers can exploit to gain access, elevate privileges, or perform an attack. Often, this is the foothold they use to gain entry in the first place.
Vulnerabilities are variously described as patched or unpatched, and as zero-day or known. This simply refers to whether or not the vulnerability has been identified by the software vendor, and whether it has been patched by the organization. Zero-day vulnerabilities are not yet known to the software manufacturer and therefore cannot be patched, whereas known vulnerabilities can be.
A full list of known vulnerabilities is published by the Forum of Incident Response and Security Teams. Each also has an associated ‘risk score’ via the Common Vulnerability Scoring System (CVSS).
Vulnerabilities can take numerous forms, including misconfigurations, insecure code, poor APIs, or a range of other issues. To take advantage of them, hackers must use an exploit. If successful, this can allow them to achieve SQL injection, elevation of privilege, remote code execution, denial of service, information disclosure, and more.
How to stay safe against vulnerabilities:
- Use a vulnerability scanner to identify unpatched vulnerabilities.
- Classify vulnerabilities by severity using CVSS scores and your own qualitative data.
- Patch the highest criticality vulnerabilities as soon as possible. You will generally not have the resources to patch everything, so it’s important to target your resources carefully.
- Denial of Service
Denial of service (DoS) attacks aim to shut down a system, service, or network. Often, the target is a website, server, customer application, or other mission-critical system. Generally, hackers achieve this by flooding the target with internet traffic so that it can’t manage the load – and subsequently goes offline.
Distributed denial of service (DDoS) attacks are a variation of this. The goal is the same, but in this case, the hackers will co-ordinate attacks from different machines or locations in order to mask the attack and maximize the potential damage.
How to stay safe against DoS and DDoS
- DoS attacks from a single source can be mitigated by limiting traffic from any one endpoint, device, or IP address.
- DDoS attacks are trickier to avoid, but can generally be protected against with rate limiting – where servers automatically reject traffic they can’t handle.
- Segment your network and install firewalls to limit the spread of any successful attack.
- Use modern technology with realtime anomaly detection to identify and dynamically prevent suspicious activity.
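A per-client token bucket, the kind of rate limit the first two points describe, as an added example in Python (not code from the original post or from Heimdal); the client keys, capacity and refill rate are constructed values:

```python
"""Per-client token-bucket rate limiter (added example, not Heimdal's code).

Each client key (an IP address, device id or endpoint name; the values below
are constructed) gets a bucket that refills at `rate` tokens per second up to
`capacity`. A request that finds an empty bucket is rejected, which is the
"limit traffic from any one endpoint, device, or IP address" control above.
"""


class TokenBucket:
    def __init__(self, capacity: float, rate: float, now: float):
        self.capacity = capacity   # burst size allowed before rejection starts
        self.rate = rate           # sustained requests per second
        self.tokens = capacity     # a new client starts with a full bucket
        self.last = now            # timestamp of the last refill

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """One bucket per client key; unknown clients get a fresh, full bucket."""

    def __init__(self, capacity: float, rate: float):
        self.capacity = capacity
        self.rate = rate
        self.buckets = {}

    def allow(self, client: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.rate, now)
            self.buckets[client] = bucket
        return bucket.allow(now)


def simulate(requests, capacity: float = 5, rate: float = 1.0) -> dict:
    """Replay (timestamp, client) pairs; return {client: (allowed, rejected)}."""
    limiter = RateLimiter(capacity, rate)
    stats = {}
    for ts, client in sorted(requests):
        allowed, rejected = stats.get(client, (0, 0))
        if limiter.allow(client, ts):
            allowed += 1
        else:
            rejected += 1
        stats[client] = (allowed, rejected)
    return stats


# Constructed traffic: one client fires 50 requests inside a second, while a
# normal client sends one request every two seconds.
SAMPLE_REQUESTS = [(i * 0.02, "203.0.113.9") for i in range(50)] + \
                  [(i * 2.0, "198.51.100.4") for i in range(5)]

if __name__ == "__main__":
    for client, (ok, dropped) in simulate(SAMPLE_REQUESTS).items():
        print(f"{client}: allowed={ok} rejected={dropped}")
```

With a burst of 5 and a refill of one request per second, the noisy client gets its first five requests through and the remaining 45 rejected, while the normal client is never throttled.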
- Phishing and Social Engineering
Phishing refers to a range of tactics used to trick end users into revealing sensitive information – usually login credentials.
Here’s a common example: The hacker sets up a fake login page that looks exactly like the login screen for Slack, email, or some other service the user uses all the time. On it are an email box and a password box, tricking the user into thinking they’re signing in as normal. From there, the user enters their login details, clicks ‘enter’, and… sends their password right to the hackers.
There are many variations of this. Generally, attackers will already have access to email addresses or phone numbers (which is why these details are so lucrative on the dark web). They’ll then send legitimate-looking messages to the target to trick them into clicking on a link or filling in their details.
Phishing is often used as the first point of entry into an IT environment. A successful phishing attack can often go undetected by both the end user and their organization, laying the perfect groundwork for hackers to survey and move laterally through your systems.
In other situations, more sophisticated phishing scams might be the goal of the attack itself, particularly if the hacker is attempting to steal sensitive information, personal details, or intellectual property.
How to stay safe against phishing:
- Invest in user training so employees can spot the warning signs.
- Use up-to-date cybersecurity tools such as a security information and event management (SIEM) platform to detect anomalous behavior like suspicious emails and links.
- Keep security patches up-to-date, since hackers may exploit unpatched vulnerabilities to make a phishing attack succeed.
- Enable multi-factor authentication to create an extra layer of defense.
- SQL Injection
An SQL injection attack occurs when a hacker injects malicious SQL code into a database query through an application’s input, giving them the ability to view, modify, or delete information within the database or, in some cases, to execute commands on the server.
There are several potential uses of this attack:
- View (and therefore steal) sensitive employee or customer information directly, which can then be sold or used to aid a further attack.
- Find financial information and account details of the organization, employees, or customers, with which funds can be transferred directly.
- Identify potential privileged accounts to target as part of lateral movement.
- Install exploits or malware on the organization’s server.
- Delete digital records and log files to remove evidence of the attack and evade detection.
SQL injections, therefore, can be both the end goal of the attack and a method used to aid a wider strategy. Generally, hackers achieve SQL injection via a vulnerability in a web page or application.
How to stay safe against SQL injection
- Apply least privilege to reduce attack surface.
- Use firewalls that are capable of blocking SQL injection in realtime.
- Use database encryption so information is harder to access and steal.
- Replace dynamically built SQL queries with parameterized queries and prepared statements.
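The last point, shown as an added Python example rather than anything from the original post or from Heimdal: the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table so the difference is visible (the table and the lookup functions are assumptions):

```python
"""String-built SQL beside its parameterized fix (added example, not the
page's or Heimdal's own code). Uses an in-memory SQLite database with a
constructed users table; both lookup functions are hypothetical."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"),
         ("bob", "bob@example.com", "user")],   # constructed sample rows
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # BAD: the user-supplied value is pasted into the statement, so any quote
    # or operator in it becomes part of the SQL grammar instead of data.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # GOOD: the driver sends the statement and the value separately; the
    # value can only ever be compared as a string, whatever it contains.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed input that closes the quoted literal and appends a tautology.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, TAUTOLOGY))  # every row leaks
    print("safe:      ", find_user_safe(db, TAUTOLOGY))        # no such user
```

The parameterized version returns nothing for the tautology input because the whole string is compared as a username; the concatenated version returns every row.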
- Supply Chain Attacks
Supply chain attacks are becoming an increasingly common strategy for hackers. They’ll generally target organizations via third-party suppliers, partners, or vendors, all of whom might require privileged access in some form or another. Often, the target organization has less visibility and control over the security of their third parties, making this an attractive weak link for hackers to exploit.
One of the most well-known examples of this is the 2013 Target attack, where hackers successfully gained access to a third-party contractor via phishing. This gave the attackers the access they needed to install malware on Target’s systems and steal sensitive customer information.
Increasingly, hackers are also gaining access via commercial software products. This was the case in one of the most prolific attacks in modern history: The 2020 SolarWinds breach. Here, attackers inserted malicious code into SolarWinds’ Orion system – an IT monitoring system that required privileged access to the IT systems of its customers.
Hackers then had access to the IT environments of these customers, which included the US government and several multinational organizations.
How to stay safe against supply chain attacks
- Apply least privilege to third-party and service accounts as well as internal employees.
- Create robust contractual security requirements for all third-party vendors, partners, and suppliers.
- Misconfigurations
Misconfigurations can be tricky to define, since they cover a range of different issues and challenges. Essentially, a misconfiguration is any instance of poor IT policy or a lapse from best practice that makes it easier for hackers to target and access your IT environment. There are several examples of this, and each generally has its own solution:
- Hard-coded credentials being available in the code of software, servers, IoT devices, and more.
Solution: Use modern PAM software to identify hard-coded credentials. Then, replace them with credentials that can be encrypted, vaulted, rotated, or some combination of the three.
- Blank or default passwords being used, making them easier to guess through brute-force tactics.
Solution: Implement strict policies that require passwords to be unique, complex, and regularly rotated.
- Overprivileged user and service accounts creating a wide attack surface for hackers to target and move laterally through.
Solution: Implement least privilege and remove all excessive permissions across both user and service accounts.
- A lack of password rotation or just-in-time access makes passwords easier to guess and removes any barriers to the hacker once they’ve successfully signed in.
Solution: Implement password rotation and just-in-time access so stolen passwords become useless (once rotated) and infiltrated accounts can still be locked down.
- Account sharing makes it easier for hackers to gain access, since passwords are often shared in messages, emails, or other insecure media. It also makes it easier for hackers to evade detection, since the account is already associated with multiple people, identities, and behaviors.
Solution: Avoid account sharing wherever possible. If shared accounts are used, access should be granted via secure digital tokens or password vaults. Ideally, shared account passwords should not be visible to the end user.
- Lack of multi-factor authentication on privileged accounts can also make life easier for hackers, since there are fewer barriers for them to overcome before gaining access.
Solution: Implement MFA on all privileged accounts as standard and, ideally, all other accounts as well. This ensures an extra layer of defense should the password be compromised.
- Lax or weak access controls on files, folders, and local devices will also increase your attack surface. This is because poor access policies leave more accounts through which sensitive information can be accessed.
Solution: Implement robust identity and access management (IAM) policies so sensitive information can only be viewed by the smallest possible number of people.
- Insecure protocols such as HTTP instead of HTTPS, or SSL instead of the newer TLS, can also make you vulnerable. Hackers can exploit these weaknesses to capture, analyze, modify, or steal data – often as it’s transmitted from client to server. This can sometimes include unencrypted login details.
Solution: Always use up-to-date protocols and avoid working with third-party software vendors or suppliers who don’t.
- Lack of realtime monitoring can also make it easier for the hacker to evade capture once they’ve already infiltrated an environment. This technology can help organizations detect suspicious activity through anomaly analysis – since hackers’ activity is often quite idiosyncratic.
Solution: Implement realtime monitoring so suspicious behavior can be detected and locked down before damage is done.
- No PAM controls on service accounts can create further access points for hackers. Machine identities such as RPA workflows, IoT devices, and applications often need access to perform an automated function. Like with the SolarWinds attack, hackers can exploit these accounts to gain access. Organizations often forget to secure service accounts like they would with user accounts, creating an open door for hackers.
Solution: Apply least privilege to both user and service accounts.
With so many misconfigurations to remember, it’s vital that you have access to the most recent privileged access management solutions. Without the functionality these tools offer, it’s impossible to identify and remediate the issues we’ve listed in this section.
- Credential exploitation
Credential exploitation is another umbrella term that refers to a range of tactics and strategies that hackers use to gain access to login credentials. This could include plain text passwords, password hashes, digital tokens, API keys, SSH keys, and more.
- Brute force guessing: As you’d expect, this simply involves hackers guessing until they get it right. In these cases, passwords are generally simple to guess, like “Password1”, “1234”, or the user’s date of birth. Poor policies around password rotation and strength can make it much easier for hackers to do this successfully.
- Password spraying: Similar to brute force guessing, but with a broader attack surface. Attackers may try to gain access by trying a few commonly used passwords across several accounts. Many will use bots to do this quickly and automatically.
- Phishing: As discussed, phishing attacks are a popular way to get hold of login details. Often the hacker needs to have access to phone numbers or email addresses in order to target a particular person with a phishing scam.
- Pass the hash: A ‘hash’ is a scrambled string derived from a password that can authenticate users in place of the actual password. Often, hackers can scrape these hashes from active memory and gain access without needing to know the plain text password it substitutes for.
- Password scraping: Similar to pass-the-hash, this involves the attacker scanning the IT environment for plain text passwords. These can be stored in active memory or available in an application’s source code.
- Keylogging: Attackers might also use keylogging software to record the keystrokes of users, including passwords, as they’re typed in. This is a type of malware that attackers can install as part of lateral movement.
- Data breaches: Sometimes, plaintext passwords can be bought on the dark web, giving hackers direct access to accounts.
- Man-in-the-middle: This generally involves the hacker taking advantage of an insecure connection to access data as it moves between, e.g., a server and a client device. Insecure protocols are a common example of this.
In almost all of these cases, the hacker is trying either to access the environment in the first place or to move laterally after having gained access. These techniques can be used to infiltrate both privileged and non-privileged accounts.
How to Stay Safe Against Credential Exploitation
- Create robust policies to ensure passwords are unique, strong, and regularly changed.
- Implement MFA so hackers have another level of protection to overcome in order to gain access.
- Use password-less technologies wherever possible, including single sign-on, password vaulting, and encryption. These ensure the end user doesn’t need to see the plain text password and can instead be authenticated via MFA, single sign-on, a digital token, or the password vault itself.
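Detecting the brute-force and password-spraying patterns described in the list above from failed-login records, as an added Python example (not Heimdal’s code); the log format, the sample lines and the thresholds are constructed assumptions:

```python
"""Flags brute-force and password-spraying patterns in authentication logs
(added example, not Heimdal's code). The log format and thresholds are
constructed assumptions; real sources (Windows 4625, sshd, IdP logs) differ."""
import re
from collections import defaultdict

# Constructed log format: "<ISO time> auth_fail user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) auth_fail user=(\S+) src=(\S+)$")

# Constructed sample: one source hammering a single account (brute force),
# another trying one guess each against many accounts (spraying), and a
# user who simply mistyped twice.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth_fail user=bob src=203.0.113.9
2024-05-01T08:00:02Z auth_fail user=bob src=203.0.113.9
2024-05-01T08:00:03Z auth_fail user=bob src=203.0.113.9
2024-05-01T08:00:04Z auth_fail user=bob src=203.0.113.9
2024-05-01T08:00:05Z auth_fail user=bob src=203.0.113.9
2024-05-01T08:00:06Z auth_fail user=bob src=203.0.113.9
2024-05-01T08:01:00Z auth_fail user=alice src=198.51.100.7
2024-05-01T08:01:01Z auth_fail user=carol src=198.51.100.7
2024-05-01T08:01:02Z auth_fail user=dave src=198.51.100.7
2024-05-01T08:01:03Z auth_fail user=erin src=198.51.100.7
2024-05-01T08:01:04Z auth_fail user=frank src=198.51.100.7
2024-05-01T08:02:00Z auth_fail user=grace src=192.0.2.44
2024-05-01T08:02:30Z auth_fail user=grace src=192.0.2.44
"""


def parse(log_text: str):
    """Yield (user, src) for each well-formed failure line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3)


def classify(log_text: str, brute_min: int = 5, spray_min_users: int = 4) -> dict:
    """Return {src: "brute_force" | "password_spraying"} for suspicious sources.

    brute_force: at least brute_min failures against one account from one source.
    password_spraying: one source failing against at least spray_min_users
    distinct accounts, the "few passwords across several accounts" pattern.
    """
    per_src_user = defaultdict(lambda: defaultdict(int))
    for user, src in parse(log_text):
        per_src_user[src][user] += 1

    verdicts = {}
    for src, users in per_src_user.items():
        if len(users) >= spray_min_users:
            verdicts[src] = "password_spraying"
        elif max(users.values()) >= brute_min:
            verdicts[src] = "brute_force"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The two thresholds are the tuning knobs: a lockout-aware sprayer keeps each account well under the brute-force count, which is why the detector keys on distinct accounts per source rather than on failures per account.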
Privileged Threat Vectors: How Heimdal Keeps You Safe
When it comes to privileged access management, one of the biggest dangers is highly manual processes. If the process is manual, there’s a high chance of error – and that’s where you see the biggest breaches. In the highest profile cases, you constantly see the targets being users with privileges they shouldn’t have.
Mikkel Pederson, Head of Global Sales Enablement, Heimdal®
If you’ve made it this far, you’ll understand that the privileged threat landscape is incredibly complex. Staying safe requires a clear understanding of the dangers you’re trying to protect yourself against. But perhaps, more importantly, it also requires the right technology.
That’s where Heimdal® with its Privileged Access Management solution comes in, giving you the tools you need to:
- Manage access permissions on endpoints and desktops
- Execute zero-trust policies across all systems
- Create customizable realtime access-blocking policies
- Enable just-in-time access
- Manage role-based access controls and delegation policies from one central window
Request a free trial to find out more.
Heimdal® Privileged Access Management
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
Privileged Threat Vectors: FAQs
What are privileged threat vectors?
Privileged threat vectors refer to avenues exploited by attackers to gain unauthorized access to high-level system privileges. The goal of these attacks is to enter an IT environment undetected and elevate the attacker’s own privileges. Often, they’re seeking to get access to admin rights so they can install malicious software or access sensitive data.
How do privileged threat vectors differ from other cyber threats?
Unlike typical cyber threats, privileged threat vectors aim to exploit the elevated permissions of administrative or privileged accounts. These vectors pose a more significant risk as they provide attackers with broad control over system resources, potentially leading to severe security breaches and data compromises. Crucially, however, attackers may still target non-privileged accounts as they pass through the IT environment and attempt to remain undetected.
What measures can organizations take to mitigate privileged threat vectors?
Organizations can implement several strategies to mitigate privileged threat vectors effectively. These include enforcing the principle of least privilege, regularly reviewing and updating access controls, implementing multi-factor authentication for privileged accounts, monitoring and logging privileged access activities, and conducting regular security assessments and audits.