Table of Contents
Share this entry
Public clouds are changing the way businesses do, well, everything. There is a paradigm shift for how we secure public cloud environments; it is widely accepted that the perimeter has changed from the network to identities. This means the value of securing the identities in your cloud has grown dramatically. Adding to this shift in the paradigm is the need to secure not only your person identities (users) but also your non-person identities (machines). This includes things like AWS Roles, Azure Service Principles, GCP Service Accounts, VM, serverless functions, etc.
Bad actors are looking to exploit misconfigurations in the cloud, with privilege escalation and the manipulation of identity entitlements and permissions to get them what they want. More than 50% of enterprises have identities with privilege escalation ability to elevate to the super admin role, giving them keys to the kingdom. In this blog, we’ll review what a privilege escalation attack is, how they are used to create excessive permissions on your identities, and what common techniques are used to gain entry into your cloud.
What Is Privilege Escalation?
As defined, “Privilege escalation is the act of modifying the permissions of an identity to give it increased rights that it was designed for. This can either be done directly or indirectly and involve modifying the rights of a resource, or configuration setting, and then using it on your behalf.” The result is that a person — or a non-person identity with more privileges than intended — can perform unintended actions on resources in your cloud with permissions that they were not authorized to perform, oftentimes with determination ends to data.
These excessive privileges can be used to maliciously create chaos in your cloud environment. This can range from minor inconveniences, to significant data breaches and even deleting your entire cloud environment, Forrester estimates that 80% of security breaches involve privileged credentials – the pot of gold at the end of a privilege escalation attack.
Finding excessive permissions is a tough task, but with the right tools, you can significantly improve the security of your data in the public cloud environment.
There are two types of privilege escalations types used in an attack: horizontal privilege escalation to access the functionality and data of different identities and vertical privilege escalation to obtain elevated privileges, typically of an admin.
Why Is It Important to Prevent Privilege Escalation Attacks?
By obtaining identity entitlements, a bad actor can perform a series of actions that can negatively affect the cloud environment.These actions can trigger business disruption, expose sensitive data or resources, or even result in a complete takeover of your cloud. The potential for business harm is endless. Preventing privilege escalation attacks by securing your identities and data should be a top priority.
Identities, person and non-person, are the new perimeter, which makes them easy to exploit if you are still securing data through old security methods. There are third-party tools created to help manage the overwhelming responsibility of securing your environment from every angle.
Organizations need to understand and monitor cloud IAM configurations, to eliminate weak or accidental configurations that if left unchecked, will inevitably lead to a disaster. Security teams need to quickly find potential risks, like excess privileges that can lead to privilege escalation, and ultimately to critical data stored in a public cloud. Any organization needs to have full visibility into the identities in the cloud and understand their true end-to-end permissions.
The org also needs continuous monitoring to ensure that those permissions stay as intended (at least-privilege) and are alerted if permissions drift from the security baseline. That said, this is much harder than it sounds, so you also need the right processes and third-party tools to achieve this state of security. Let’s learn some more about what privilege escalation looks like.
How Does Privilege Escalation Happen?
Bad actors often start with a low-level identity, and then exploit permissions to move laterally until they gain a level of privilege where they’re poised to cause irreparable damage.
If you believe privilege escalation is an old threat, think again. With the move to cloud, it’s gaining attention because of inherent risks and the fact that many organizations have adopted cloud with such enthusiasm that they’ve failed to cover the fundamentals in security—leaving many gaps for bad actors to exploit without a lot of effort.
Privilege escalation regularly goes unnoticed, especially in a complex cloud environment where companies already have difficulty gaining visibility into their internal users, identities, and actions. A bad actor could spend days, if not weeks, inside your environment and you may not even know it. They could even expose sensitive data and, in 50% of cases, you might be completely unaware of the breach until a third party informs you of it.
Bad actors seem to always find new ways to infiltrate your cloud environment, but there’s a serious lack of information when it comes to the specifics they’re already using. To help you set up your cloud environment more securely and close vulnerable gaps, consult the following extensive list of common and primary methods:
- Self-Assigning Privileges Using a New IAM Policy
- Escalating Privileges Using Inactive IAM Policies
- Using an Existing Profile to Create a New EC2 Instance
- Creating Access Keys for A Privileged User
- Creating a Login Profile for an Inactive User
- Updating the Login Profile for an Active User
- Attaching a New Policy to a User
- Attaching a New Policy to a Group
- Attaching a New Policy to a Role
- Creating or Updating Inline User Policy
- Creating or Updating Inline Group Policy
- Creating or Updating Inline Role Policy
- Adding Themselves to a Privileged Group
- Updating Role Policy to Assume a New Role
- Passing a Role to a Function and Invoking It
- Passing a Role to a Function and Triggering It
- Updating The Code of an Existing Function
- Passing a Role to a Glue Development Endpoint
- Updating an Existing Glue Development Endpoint
- Passing a Role to Cloud Formation
- Passing a Role to Data Pipeline
- Creating Users and Assigning Permissions
Pathways of Privilege Escalation Attacks
More reminiscent of traditional on-prem security are methods like vertical and horizontal privilege escalation, but the cloud is a new environment facing new techniques. In our research, we’ve identified 5 major pathways for privilege escalation in the public cloud:
Direct Self Escalation
This is when an Identity can modify its own rights. It has all the permissions it needs to move throughout your environment or, e.g. make itself an administrator.
Indirect Escalation
This is where one identity can modify another identity’s credentials to impersonate it. For example, an identity has the permission to modify roles in AWS. While this identity is unable to read sensitive data itself, it can modify other roles so that they can read that data, and then jump into this new role and reach their goal ultimately.
Unintended Inheritance
This is often the result of the complexity in your cloud, including a web of rules, policies, trust relationships and permissions that give access at an unintended level. For example in Azure, a security team using a VM may have that identity at least privilege, but then higher up in the RBAC model, at the management group level, it was set that all devs in the application group have permission to read across the tenant. The result is a VM having unintended inheritance to read data across the environment.
Confused Deputy
A low-level identity of permission gets access to a resource or a service with a higher level of permission and then uses that to perform actions on its behalf. For example, an EC2 instance is publicly accessible, but it also happens to have an exploitable vulnerability. On this workload was an AWS role with access to read sensitive data. Suddenly, a low-level identity is exploited and used to perform a malicious act on behalf of a bad actor.
Resource Permissions Escalations
An identity has the permissions to change the configuration settings on a resource to allow the identity to perform unintended actions on that resource. For example, this identity, be it a VM, is at least privilege itself, but it somehow has the permissions to change the configurations of a datastore that normally it only has read access to, but now they want the ability to delete it all.
To summarize, privilege escalation is a very real and pressing threat, especially for both companies that are still in their infancy, and well down the road of their cloud journey. Whether you’ve been using the cloud for years or you just recently considered adopting it, understanding the risks of privilege escalation and other common methods is the first step to protecting your organization.
Manage Privileges With Sonrai Security
The easy answer to preventing privilege escalation attacks is getting your environment to least privilege, but we know it’s not that simple. When it comes to least privilege in the cloud, the goal is not just getting there but maintaining that position. You need to not only create identities at least privilege, but continually reevaluate each level and type of permissions that are required for your Identities.
The maintenance is possible with continuous monitoring, which requires setting a baseline and then looking for deviations from that baseline. When a deviation is found, you need to, either manually or with the help of automation react as quickly as possible to minimize the risk and get back to the least privilege to ensure the identity cannot be exploited.
All of this is possible with Sonrai Dig. Dig is built around the principles and best practices of managing identities securely in the cloud, and it helps take the load off your security team’s back by getting you to least privilege and then providing continuous monitoring to keep you there. You cannot protect what you cannot see, so reveal all the privilege escalation risks in your cloud by signing up for a demo of Dig.
THE ARCHITECT
The Newsletter for Cloud Security Leaders. 1x a month.
Get a Comprehensive Cloud Identity Audit
Request Your AuditRead the latest news and insights
Sonrai cloud security platform, products and services are covered by U.S. Patent Nos. 10,728,307 and 11,134,085, together with other domestic and international patents pending. All rights reserved.