Privilege Escalation
Privilege escalation is a type of cyberattack where an attacker gains elevated access to resources or functionality that are typically off-limits to them. It involves exploiting vulnerabilities or misconfigurations in a system to obtain higher-level permissions than they are authorized to have.
There are two main types of privilege escalation:
Horizontal privilege escalation: An attacker accesses another user's resources with similar privileges.
Vertical privilege escalation: An attacker gains access to the resources of a privileged user, such as an administrator.
Attackers might use various techniques to achieve privilege escalation, including:
Exploiting software vulnerabilities
Bypassing authentication mechanisms
Manipulating file permissions
Injecting malicious code
ThreatNG helps prevent privilege escalation by offering an attacker's view of an organization's external attack surface and digital risks. It detects and evaluates vulnerabilities and exposures that an attacker could exploit to gain initial access and escalate privileges. The features outlined directly support stopping the initial access and persistence stages of a cyberattack, which often lead to privilege escalation.
External Discovery and Assessment
ThreatNG performs unauthenticated, external discovery to map an organization's attack surface without needing any internal connectors. This includes identifying various assets and potential entry points that an attacker might target. The platform then performs several external assessments to uncover risks that could lead to unauthorized access and, subsequently, privilege escalation.
Cyber Risk Exposure: ThreatNG's Domain Intelligence module assesses cyber risk exposure by examining factors like certificates, subdomain headers, vulnerabilities, and sensitive ports. It also factors in Code Secret Exposure, which discovers code repositories and investigates their contents for sensitive data. Furthermore, it considers Cloud and SaaS Exposure and compromised credentials on the dark web, which increase the risk of successful attacks. For example, if ThreatNG finds a leaked AWS access key in a public code repository, an attacker could use it to gain initial access to an AWS account. An attacker could then use this initial access to explore the environment and attempt to escalate their privileges within the cloud infrastructure.
Breach & Ransomware Susceptibility: This assessment helps identify vulnerabilities that could lead to a breach, which is often a first step before privilege escalation. It uses domain intelligence to find exposed sensitive ports, private IPs, and known vulnerabilities. It also leverages dark web intelligence to track compromised credentials and ransomware gang activity. For example, the discovery of a publicly exposed RDP port with a known vulnerability, combined with compromised credentials on the dark web, would be a significant finding that could allow an attacker to gain initial access and potentially escalate privileges.
Subdomain Takeover Susceptibility: ThreatNG evaluates this by analyzing subdomains, DNS records, and SSL certificate statuses. An attacker could exploit a susceptible subdomain to create a malicious site for phishing, stealing credentials, or spreading malware, which are all methods to gain initial access to a user's account with the intent to escalate privileges.
Investigation Modules
ThreatNG's investigation modules provide detailed insights into the identified risks, allowing for targeted remediation efforts.
Sensitive Code Exposure: This module identifies public code repositories and mobile apps that contain exposed secrets and credentials. For example, it can find a Stripe API Key in a public repository or an SSH Private Key in a mobile app, which an attacker could use for initial access and subsequent privilege escalation.
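The secret types named above (a Stripe key, an SSH private key, and the AWS access key from the earlier example) can be caught before they reach a public repository with a pattern-based scan. The following is an added example and not ThreatNG's own code; the regexes use the publicly documented key prefixes, and the sample file content and key values are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Patterns for the secret types the page mentions. Stripe and AWS prefixes are
# the documented formats; the SSH pattern matches the PEM header. Treat this
# as a starting point, not an exhaustive secret catalogue.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "ssh_private_key": re.compile(
        r"-----BEGIN (?:RSA |OPENSSH |EC |DSA )?PRIVATE KEY-----"
    ),
}


def redact(value: str) -> str:
    """Keep only a short prefix so a finding can be reported without re-leaking the secret."""
    return value[:8] + "..." if len(value) > 8 else value


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, secret_type, redacted_match) for every hit in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((lineno, name, redact(m.group(0))))
    return hits


# Constructed sample file content; the key values are fake and not valid credentials.
SAMPLE_CONFIG = """\
STRIPE_KEY = "sk_live_0000000000000000EXAMPLE"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
# nothing sensitive on this line
-----BEGIN OPENSSH PRIVATE KEY-----
(constructed key body omitted)
-----END OPENSSH PRIVATE KEY-----
"""

if __name__ == "__main__":
    for lineno, kind, snippet in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} ({snippet})")
```

Running the same scan as a pre-commit hook or CI step catches the leak before the push that would expose it.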
Dark Web Presence: This module identifies an organization's mentions on the dark web, including compromised credentials and ransomware events. A company email and password found here could be used by an attacker for horizontal privilege escalation, gaining access to another user's account with similar permissions.
Intelligence Repositories
ThreatNG uses intelligence repositories, branded as DarCache, to enrich its findings and prioritize threats.
DarCache Vulnerability: This repository combines information from NVD, EPSS, and KEV to provide a holistic view of vulnerabilities. It also includes Verified Proof-of-Concept (PoC) Exploits. This allows an organization to prioritize vulnerabilities that are not only severe but also likely to be weaponized or are actively being exploited. For instance, if ThreatNG identifies a vulnerability on a web server, it can reference DarCache KEV to confirm it's a known exploited vulnerability and provide a link to a PoC exploit from DarCache eXploit. This allows security teams to understand exactly how an attacker could exploit the vulnerability to gain initial access.
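The prioritization described above (severity from NVD, exploitation likelihood from EPSS, KEV membership, and whether a PoC exists) can be expressed as a ranking rule. This is an added illustration, not ThreatNG's scoring logic; the CVE identifiers, asset names and scores below are constructed placeholders, and the thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    cve: str          # placeholder identifier, not a real CVE
    asset: str
    cvss: float       # NVD base score, 0.0-10.0
    epss: float       # EPSS probability of exploitation, 0.0-1.0
    in_kev: bool      # listed in the CISA KEV catalogue
    has_poc: bool     # a public proof-of-concept exploit is known


def priority(f: Finding) -> str:
    """Bucket a finding as High/Medium/Low from severity plus exploit likelihood.
    KEV membership overrides everything else: the flaw is already being exploited."""
    if f.in_kev:
        return "High"
    if f.cvss >= 7.0 and (f.epss >= 0.1 or f.has_poc):
        return "High"
    if f.cvss >= 7.0 or f.epss >= 0.1 or f.has_poc:
        return "Medium"
    return "Low"


def rank(findings: List[Finding]) -> List[Finding]:
    """Order findings by bucket, then by exploit probability, then by severity."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(findings, key=lambda f: (order[priority(f)], -f.epss, -f.cvss))


# Constructed sample: note the top CVSS score is not the top priority.
SAMPLE = [
    Finding("CVE-0000-0001", "web-01", 9.8, 0.02, False, False),  # critical but unlikely to be exploited
    Finding("CVE-0000-0002", "web-02", 7.5, 0.91, True, True),    # in KEV with a PoC
    Finding("CVE-0000-0003", "vpn-01", 5.3, 0.40, False, True),   # moderate CVSS, real PoC
    Finding("CVE-0000-0004", "mail-01", 4.0, 0.01, False, False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):6} {f.cve} on {f.asset} (cvss={f.cvss}, epss={f.epss})")
```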
Continuous Monitoring and Reporting
ThreatNG continuously monitors the external attack surface, digital risks, and security ratings of all organizations. This continuous, attacker-centric approach allows for the discovery of new "unknown-unknowns" as they emerge. For example, if a developer mistakenly exposes a new API key in a public code repository, ThreatNG's continuous monitoring would detect it and notify the organization before an attacker could exploit it.
ThreatNG's reporting capabilities translate these findings into actionable intelligence. The Prioritized Report categorizes risks as High, Medium, Low, or Informational, helping an organization focus on the most critical issues first. It also provides Reasoning, Recommendations, and Reference links in its Knowledgebase to offer practical advice on risk mitigation. This helps an organization take proactive measures to close potential entry points that could lead to privilege escalation.
Synergy with Complementary Solutions
ThreatNG's capabilities can be a force multiplier when used alongside other cybersecurity solutions.
Vulnerability Scanners: ThreatNG's continuous external discovery can identify a full list of a client's internet-facing assets, including shadow IT and forgotten subdomains. This refined asset list can then be fed into a traditional vulnerability scanner, ensuring that the scanner covers the organization's true, evolving attack surface instead of relying on a potentially incomplete list. For example, if ThreatNG finds an unlisted staging server, it can be added to the scanner's scope, preventing a potential blind spot.
Security Information and Event Management (SIEM) Systems: ThreatNG's findings from its investigation modules, such as compromised credentials from the dark web or leaked API keys from public repositories, can be sent to a SIEM. The SIEM can then correlate this external threat intelligence with internal log data, allowing for the detection of suspicious login attempts or unauthorized access using the newly discovered credentials or keys. For example, if ThreatNG identifies a leaked password for a specific user, the SIEM can be configured to alert security teams of any subsequent login attempts using that account.
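The SIEM correlation described above, and the horizontal-escalation risk from a leaked email and password noted under Dark Web Presence, come down to a watchlist check over authentication logs. The following is an added example rather than a ThreatNG or SIEM vendor rule; the account name, leak timestamp and sshd-style log lines are constructed, and the severity mapping is an assumption.

```python
import re
from datetime import datetime
from typing import Dict, List

# Watchlist produced by an external finding: account -> when the leak was discovered.
# Constructed value; in practice this is populated from the credential-exposure feed.
LEAKED_ACCOUNTS: Dict[str, datetime] = {
    "jdoe": datetime(2024, 5, 1, 9, 0),
}

# Matches sshd password-auth lines with an ISO timestamp prefix (constructed format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def correlate(log_lines: List[str]) -> List[dict]:
    """Return one alert per login attempt by a watchlisted account after its leak was found.
    A successful login is rated higher than a failed one, but both are reported."""
    alerts = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        user = m["user"]
        leaked_at = LEAKED_ACCOUNTS.get(user)
        if leaked_at is None or datetime.fromisoformat(m["ts"]) < leaked_at:
            continue  # not watchlisted, or the attempt predates the leak
        alerts.append({
            "user": user,
            "src_ip": m["ip"],
            "result": m["result"],
            "ts": m["ts"],
            "severity": "high" if m["result"] == "Accepted" else "medium",
        })
    return alerts


# Constructed log sample; 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = [
    "2024-04-30T22:15:01 host1 sshd[1201]: Accepted password for jdoe from 10.0.0.5 port 52110 ssh2",
    "2024-05-01T10:02:44 host1 sshd[1332]: Failed password for jdoe from 203.0.113.7 port 41022 ssh2",
    "2024-05-01T10:03:02 host1 sshd[1333]: Accepted password for jdoe from 203.0.113.7 port 41023 ssh2",
    "2024-05-01T10:05:00 host1 sshd[1340]: Accepted password for asmith from 10.0.0.9 port 51000 ssh2",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The pre-leak login on the first line is deliberately excluded so the rule does not flood analysts with the user's own historical activity.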
Endpoint Detection and Response (EDR) Tools: ThreatNG can identify external threats and vulnerabilities that could be used to compromise an endpoint. This information can be used to strengthen EDR policies. For example, if ThreatNG discovers a publicly exposed server with a known vulnerability, the EDR could be configured to monitor for unusual process execution or file modifications originating from that server, thus catching an attacker's initial foothold before they can escalate privileges.