Technology
May 5, 2026
The United Arab Emirates (UAE) has long been a preferred target of cybercriminals and other digital adversaries around the world. According to government sources, the country fends off almost 150,000 attacks daily. The success of legitimate organizations in the face of this onslaught depends on a deep understanding of the threat they face. To prevail, they must examine what attackers do and how they do it, which means breaking down all their paths to privilege.
by Theshan Mudaly, Senior Solutions Engineer at BeyondTrust
When attackers gain a foothold in an environment, their route to a lucrative payday is limited only by access. Their first goal will be to equip themselves with the highest possible permission level. They do this through privilege escalation, a process of promotion from the rights of their stolen credentials to increasingly broader rights. When a threat actor compromises a low-level account (or an insider chooses to act with ill intent) within a well-managed IT estate, that account will not have access to monetizable resources and data.
The attacker must set out on a chain of steps that exploit vulnerabilities in privilege management (bugs, misconfigurations, or insufficient controls) if they are to go any further.
As cybersecurity professionals will tell you, the traditional image of hackers writing code in real time to burrow through defenses is outdated. Modern threat actors compromise accounts so they can move about digital environments like they belong. They escalate their privileges in one of two ways – horizontal (compromising another account, human or non-human, with more rights than the captured one) or vertical (broadening the access of the captured account).
Attackers use five main methods to gain an initial foothold and then go from their shore-landing position to the point at which they possess admin or root privileges. The exploitation of credentials involves taking advantage of a hijacked account to log in normally and leverage the privileges of that account to move laterally. A second method is to leverage unpatched applications or services that allow tunnelling into further areas. A third is to go after systems where settings have been improperly configured, and a fourth is to drop malware that executes a lay-of-the-land attack – surveilling systems and mapping networks prior to infiltration.
Finally, the attacker can tap into the weakest link in any security apparatus – us. Social engineering techniques become more sophisticated every year and this escalation has accelerated with the arrival of readily available generative AI tools. We humans can be duped into helping attackers gain the initial foothold.
Because assailants have so many options with which to escalate privileges, CISOs across the UAE find themselves wondering where to start in blocking paths to privilege. Confronted monthly with figures on the likelihood of an incident and its potential financial impact, security leaders must focus on maximizing their own impact. By tackling the problem of privilege escalation, the SOC indirectly overcomes the problem of the large number of starting points and advancement opportunities observed in modern attacks.
And by tackling privilege escalation through an identity-centric approach, the security function can simplify what previously seemed like an insurmountable challenge. Privileged access management (PAM) has become the de facto standard for protecting organizations against multiple types of incursions in a global ecosystem where digital identity is not as secure as we would like.
Instead of the revolving doors currently enjoyed by attackers, let us imagine blocking entry points by deploying identity management best practices at scale. We must take control of the full identity lifecycle.
This includes the provisioning and de-provisioning of all identities to eliminate the vulnerability of orphaned accounts. The organization’s audit of accounts must capture all human and non-human accounts, and surveyors must remember to include the accounts set aside for agentic AI.
Similarly, we must take control of our secrets. If possible, implement a password and secrets management solution as these traditionally enforce credential management policies like the requirement for strong passwords; additionally, they look after discovery, vaulting, central management, check-in, and check-out across human, machine, and AI agent accounts.
Every active account must be reviewed for the privileges it holds and amended to hold only the privileges it needs. This principle of least privilege ensures that low-level accounts hijacked by attackers do not grant them the keys to the organization’s crown jewels. Admin rights should reside where they are functionally necessary – with those identities that could not otherwise perform their assigned tasks. Just-in-time access goes hand in hand with least privilege. Persistent and standing privileges remain a common vulnerability. If we make sure that each privileged account is only granted access for a strictly enforced time window, we drastically narrow the opportunities the account offers our adversaries.
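The controls described above (check-out of privileged access, a strictly enforced time window, and the audit of accounts that still hold standing privilege) can be modelled in a few lines. This is an added illustration, not BeyondTrust code; the grant records, the `svc-backup` and `alice` principals and the 60-minute ceiling are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Grant:
    """One privilege assignment. expires_at=None means a standing privilege."""
    principal: str
    role: str
    granted_at: datetime
    expires_at: Optional[datetime]


def is_active(grant: Grant, now: datetime) -> bool:
    """A grant is usable only inside its window; standing grants never expire."""
    if now < grant.granted_at:
        return False
    return grant.expires_at is None or now < grant.expires_at


def request_jit(principal: str, role: str, now: datetime,
                ttl_minutes: int, max_ttl_minutes: int = 60) -> Grant:
    """Check out a role just-in-time. The TTL is clamped to a policy ceiling
    (60 minutes here, a constructed value) so a caller cannot ask for
    an effectively standing grant by passing a huge window."""
    ttl = max(1, min(ttl_minutes, max_ttl_minutes))
    return Grant(principal, role, now, now + timedelta(minutes=ttl))


def authorize(grants: List[Grant], principal: str, role: str, now: datetime) -> bool:
    """Least privilege: the exact role must be held by an active grant."""
    return any(g.principal == principal and g.role == role and is_active(g, now)
               for g in grants)


def standing_grants(grants: List[Grant]) -> List[Grant]:
    """Audit helper: every grant with no expiry is a standing privilege to review."""
    return [g for g in grants if g.expires_at is None]


# Constructed sample ledger: one legacy standing admin grant and one JIT grant.
T0 = datetime(2026, 5, 5, 9, 0, tzinfo=timezone.utc)
LEDGER = [
    Grant("svc-backup", "domain-admin", T0 - timedelta(days=400), None),
    request_jit("alice", "db-admin", T0, ttl_minutes=30),
]
```

`authorize(LEDGER, "alice", "db-admin", T0 + timedelta(minutes=31))` is False once the window closes, while `standing_grants(LEDGER)` surfaces the `svc-backup` entry as the one to remediate.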
Extend the identity management posture to granular control over application access and connectivity. This is another way to block elevation attempts, as is the monitoring of privileged sessions to detect and address suspicious activity in real time. We can also harden our systems and applications by using configuration options to, for example, close software ports. Many backdoor options for attackers originate from failures to review software configuration.
Part of the configuration review should be an overhaul of vulnerability management. The enterprise must prioritize the continuous identification of vulnerabilities and manage their mitigation. They must look at each flaw through the lens of risk, prioritizing those that would allow privilege escalation regardless of how easy they would be to exploit.
Finally, the business must enact ways of securing remote access in the era of distributed teams. These methods must also reflect the risk posed by the overprovisioning of privileges, as some remote access attacks can be used for horizontal and vertical escalations.
“Privilege” implies an exclusivity that protects sensitive material from unauthorized eyes. Paths to privilege must be watched and protected through strong privileged access management because attackers have found a range of ways to capture and escalate permissions to the point that they can go anywhere and see anything. The best practices laid out here will ensure your organization does not fall prey to their methods.