According to BeyondTrust’s Microsoft Vulnerabilities Report 2024, Elevation of Privilege was the #1 vulnerability category for the fourth year in a row for Microsoft vulnerabilities in 2023.
It’s not the identities themselves that attackers target, but the privileged access they unlock. Compromised accounts, whether through cloud hijacking or endpoint vulnerabilities, become dangerous due to their permissions. The less privilege a user has, the lower the risk.
The Microsoft Vulnerabilities Report 2024 predicts a surge in sophisticated identity-based attacks. How should organizations build comprehensive defenses against such attacks, from both external threat actors – such as through ransomware and phishing – and insiders?
CybersecAsia sought out some answers from James Maude, Director of Research, BeyondTrust.
What can you tell us about the most common vulnerability organizations face today?
James Maude (JM): We have been producing the Microsoft Vulnerabilities Report for eleven years now. The idea is to not only provide insights into the most significant trends and vulnerabilities affecting the Microsoft ecosystem but also assess how these vulnerabilities are being leveraged in identity-based attacks.
What has been consistent over the past four years is that Elevation of Privilege has become the number one vulnerability category. Elevation of Privilege refers to the ability for attackers to gain capabilities without proper authorization, and it accounted for 40% of the total vulnerabilities in 2023. As organizations have improved their security posture by removing local administrator rights, this has caused an increased focus on exploiting vulnerabilities to elevate privilege.
The good news this year is that we have seen a reduction in Elevation of Privilege vulnerabilities of 31% compared with the previous year. While the numbers still remain high, the reduction of Elevation of Privilege vulnerabilities is a positive sign, as it reduces a threat actor’s options, for example, when deploying malware that exploits elevated privileges to disable other security controls.
Given the importance to threat actors of being able to access privileges, organizations need to adopt a robust Privileged Access Management strategy to remove and secure privileges to prevent them from being taken advantage of by cyber attackers.
What are some challenges faced by organizations when protecting themselves against external and insider threats?
JM: The approach of many security teams is heavily oriented towards threat detection, which is an important part of security strategy. But this needs to be built on a solid foundation of proactive attack surface reduction, uncovering and protecting the paths to privilege before they are exploited by an attacker. This both helps prevent attacks and limits the “blast radius” of attacks that succeed, greatly reducing risk.
This foundational, proactive approach means putting defenses in place that limit the effectiveness of malware and deny attackers the privileges to wreak greater damage when they do get into systems. It also gives defenders time to catch up and remediate the threat.
We are expecting a rise in the volume and sophistication of identity-based attacks as threat actors, having greater success on this front, harness AI tools to craft better phishing campaigns, conduct social engineering, and launch attacks at scale.
When thinking about securing identities, it is important to remember that it isn’t the identities themselves that have value; it’s the paths to privilege that the identities offer that have value to threat actors. Those paths could be privileges directly assigned to the identity, like Domain Admin, but they could equally be hidden misconfigurations in the identity infrastructure. For example, complex nested group memberships may allow a path to elevate the privileges of an unprivileged account to Domain Admin, providing a back door for attackers.
Organizations need to identify and reduce the number of unnecessary privileges and access that identities in their organization have – both human and machine – in order to reduce the risks around cyber-attacks.
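As an added illustration of the nested-group "paths to privilege" described in the answer above (example code written for this article, not BeyondTrust's; the group and account names are constructed), a defender-side audit that resolves the transitive membership of a privileged group and reports the members that only a nested chain grants:

```python
from collections import deque

# Constructed sample directory (hypothetical names, not from the article):
# each group maps to its direct members, which may be users or nested groups.
SAMPLE_GROUPS = {
    "Domain Admins": {"alice", "Tier0-Ops"},
    "Tier0-Ops": {"Server-Maint"},
    "Server-Maint": {"Helpdesk", "bob"},
    "Helpdesk": {"carol", "Server-Maint"},   # nesting loop: Server-Maint <-> Helpdesk
    "Printer-Users": {"dave", "Helpdesk"},   # not a path to Domain Admins
}


def membership_paths(groups, target):
    """Map every principal that is effectively a member of `target` to the
    chain of groups that grants it, e.g. ["Domain Admins", "Tier0-Ops"].
    Breadth-first, so the chain recorded is the shortest one; `seen`
    stops nesting loops from recursing forever."""
    paths = {}
    queue = deque([(target, [target])])
    seen = {target}
    while queue:
        group, chain = queue.popleft()
        for member in sorted(groups.get(group, ())):
            if member in groups:                  # nested group: keep walking
                if member not in seen:
                    seen.add(member)
                    queue.append((member, chain + [member]))
            else:                                 # leaf principal (user/computer)
                paths.setdefault(member, chain)
    return paths


def hidden_paths(groups, target):
    """Effective members of `target` that are NOT direct members: these are
    the nested-group paths a review of the group's own member list misses."""
    direct = groups.get(target, set())
    return {p: chain for p, chain in membership_paths(groups, target).items()
            if p not in direct}


def describe(principal, chain):
    """Render the chain from the principal up to the privileged group."""
    return " -> ".join([principal] + list(reversed(chain)))


if __name__ == "__main__":
    for principal, chain in sorted(hidden_paths(SAMPLE_GROUPS, "Domain Admins").items()):
        print(describe(principal, chain))
```

Against real directory data the same walk applies once `groups` is filled from the directory's group objects; reviewing `hidden_paths` output for each Tier 0 group is the check the answer above calls for.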
What does ‘least privilege’ mean in the context of security, and why is it important?