Many organizations struggle to identify authentication theft incidents on their networks. They likewise have difficulty detecting “hot spots,” which are machines where authentication theft may occur. Specifically, hot spots are machines that allow attackers to extract information and escalate their privileges using the extracted information or properties of the machine, such as credentials, host IP, signature, or time of day. Hot spots either have exposed, or are currently exposing, privileged accounts to authentication theft.
To move vertically and climb to “higher” assets in terms of sensitivity or privileged access rights, an attacker can compromise an account with higher privileges, for example the account of a high-power user such as an administrator. For instance, a hot spot machine can allow connections from both medium- and highly privileged accounts. If an attacker is able to escalate privileges using an administrator's privileges, or by use of properties of the machine, the attacker may access other network resources, thus potentially expanding their freedom of movement throughout the network and compromising more of it.
If attackers are able to escalate their privileges using an administrator's privileges, they may take control of an organization's IT infrastructure, disable security controls, steal confidential information, commit financial fraud, and otherwise disrupt operations. Privilege escalation is used in many network security breaches today, in both on-premises networks and cloud environments.
Current systems attempt to avoid creation of hot spots using layered network architectures and network segmentation. Some tools allow organizations to draw attack vectors based on use of privileged credentials. Some existing approaches for collecting network information and identifying hot spots include: BloodHound, Cyberark DNA®, PowerView, and PingCastle. However, tools like BloodHound, for example, are static, one-time execution tools that do not account for the dynamic nature of organizational networks and privilege escalation. Moreover, tools like BloodHound do not allow for any action once a risk is recognized.
Similarly, the tier doctrine guides organizations to segregate network access based on sensitivity or privilege tiers. For example, an administrator account with local administrator access to Tier 1 assets should not have access to Tier 0 or Tier 2 assets. If such access is possible, privileged accounts from another tier might be able to compromise the administrator account on a hot spot to which they are both connected, and use the administrator account's privileges to take over another tier of the network. Accordingly, eliminating hot spots by creating secure workflows based on the tier doctrine may help organizations reduce future risks and contain a machine compromise to a tier compromise (i.e., not a full network compromise). Nevertheless, it can be restrictive for an organization to establish such secure workflows, and if there are exceptions to the workflows, the problem of hot spots remains significant.
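The two conditions described above, a hot spot (a machine to which accounts of more than one privilege tier connect) and a tier-doctrine violation (an account touching an asset outside its own tier), can both be checked from logon events. The following is an added example, not code from the original text or from any of the tools it names. It assumes a hypothetical account-to-tier map and host-to-tier map, and constructed sample logon events; the logon-type numbers follow the Windows convention (2 = interactive, 10 = remote interactive, 3 = network), with only the first two counted as exposing credential material on the target host.

```python
"""Hot-spot and tier-violation detection over constructed logon events.

Added example (not part of the original text). The tier maps and the
sample events below are hypothetical, constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical tier assignments: Tier 0 = identity infrastructure,
# Tier 1 = servers, Tier 2 = workstations (constructed sample data).
ACCOUNT_TIER = {
    "domain-admin": 0,
    "srv-admin": 1,
    "helpdesk": 2,
    "alice": 2,
}
HOST_TIER = {
    "DC01": 0,
    "FILESRV01": 1,
    "WKS-ALICE": 2,
}


@dataclass(frozen=True)
class LogonEvent:
    user: str
    host: str
    # Windows logon type: 2 = interactive, 10 = remote interactive (RDP),
    # 3 = network. Types 2 and 10 leave credential material on the host.
    logon_type: int


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    LogonEvent("alice", "WKS-ALICE", 2),
    LogonEvent("domain-admin", "WKS-ALICE", 10),  # Tier 0 account on a Tier 2 host
    LogonEvent("helpdesk", "FILESRV01", 10),      # Tier 2 account on a Tier 1 host
    LogonEvent("srv-admin", "FILESRV01", 10),
    LogonEvent("domain-admin", "DC01", 2),
    LogonEvent("domain-admin", "FILESRV01", 3),   # network logon: no exposure, ignored
]

# Logon types that cache reusable credential material on the target host.
EXPOSING_LOGON_TYPES = {2, 10}


def find_hot_spots(events):
    """Return {host: sorted tiers} for hosts where accounts from more than one
    tier have credential-exposing logons, i.e. the hot-spot condition: a machine
    to which both less- and more-privileged accounts connect."""
    tiers_by_host = defaultdict(set)
    for ev in events:
        if ev.logon_type not in EXPOSING_LOGON_TYPES:
            continue
        tiers_by_host[ev.host].add(ACCOUNT_TIER[ev.user])
    return {h: sorted(t) for h, t in tiers_by_host.items() if len(t) > 1}


def find_tier_violations(events):
    """Return (user, host) pairs where an account has a credential-exposing
    logon to a host in a different tier than its own. Under the tier doctrine,
    an administrative account should only touch assets of its own tier."""
    violations = []
    for ev in events:
        if ev.logon_type not in EXPOSING_LOGON_TYPES:
            continue
        if ACCOUNT_TIER[ev.user] != HOST_TIER[ev.host]:
            violations.append((ev.user, ev.host))
    return violations


if __name__ == "__main__":
    for host, tiers in find_hot_spots(SAMPLE_EVENTS).items():
        print(f"hot spot: {host} exposes accounts from tiers {tiers}")
    for user, host in find_tier_violations(SAMPLE_EVENTS):
        print(f"tier violation: {user} (tier {ACCOUNT_TIER[user]}) "
              f"logged on to {host} (tier {HOST_TIER[host]})")
```

Both functions deliberately ignore network logons (type 3), since those do not leave credentials on the target; a detection that counted every logon type would flag ordinary file-share access as a hot spot and bury the real findings. In practice the two maps would come from the directory's group membership and asset inventory rather than from literals, and the events from the domain's security log feed.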
It would be advantageous, therefore, to mitigate privilege escalation techniques by identifying possible locations in a network that are prone or exposed to attacks that use privileged or sensitive accounts to perform escalation. There is thus a need for technological solutions for actively identifying network resources that have privileged access escalation vulnerabilities.