INVITATION TO CYBERSECURITY 84

4.1.3.2 Escalating Privileges

When hackers gain their initial access to a victim machine, they inherit the privileges of the victim user or process that was exploited. For hackers, the deeper the access the better. It is preferable for hackers to exploit administrator users and processes so they have root access from the beginning. However, hackers will take whatever initial access they can get, and this sometimes means a lower level of permissions that might not be enough for them to accomplish their actions on objectives. For example, a cyber attacker may want to copy certain files that his initial victim does not have access to. In this case, the hacker must escalate privileges. The goal is to work their way up to administrator access so they can gain root. A hacker can escalate privileges by exploiting vulnerabilities in the OS or in a higher-level process.

4.1.3.3 Pivoting

Escalating privileges allows a hacker deeper access into one computer; pivoting gives the hacker broader access to the victim organization. Victim computers are often part of a network of computers. The initial foothold provides the hacker the opportunity to gain access to other systems. The initially compromised computer is seen as a jumping-off point to explore further. Hackers perform network scanning to determine what other computers are accessible from the victim machine. In physical space this is similar to getting the lay of the land in an unfamiliar setting by looking for landmarks and referencing a map. Nmap is a popular command-line tool used for scanning networks and computers (see Figure 4.5). From his new vantage point on the victim machine, the hacker is likely to uncover new targets that he could not have accessed from his original attack position. In other words, the attack surface has expanded, and hackers have further territory to explore.

Once they pivot to a new victim machine, the process can be repeated, because they have yet another new vantage point. Hacking into additional machines on the network may not be that difficult because of the trust relationships that exist on networks. It is convenient for computers on the same network to have easy access to one another, and hackers can take advantage of this trust. One famous attack called passing the hash exploits a trust-relationship vulnerability by allowing a hacker to authenticate to other machines without knowing the login credentials. Beyond this, shared drives may be accessible, as well as internal servers. Because these devices are not Internet-facing and are only accessible from inside the network, there may be few or no security controls in place. Some actions on objectives can only be accomplished by navigating through the network.

One of the most famous and sophisticated attacks on record is known as Stuxnet. The victim was an Iranian nuclear enrichment facility in Natanz, and the attackers are alleged to have been Israel and the United States working in a joint operation. Because the victim network was not Internet-connected, the attackers had no C2 access. Therefore, the malware was programmed to pivot autonomously from its initial access point, and it succeeded in its
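The network scanning that precedes pivoting leaves a distinctive trace: one internal host suddenly touching far more internal machines than any workstation normally does. The following Python script is an added example (not from the textbook) of a simple fan-out heuristic a defender could run over connection logs; the 10.0.0.0/8 LAN range, the 60-second window, the threshold of 20 hosts, and the flow records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the victim organization's LAN
WINDOW = timedelta(seconds=60)         # sliding window in which fan-out is counted
FANOUT_THRESHOLD = 20                  # distinct internal hosts per window to flag

def parse_flow(line):
    """Parse one 'timestamp src dst dst_port' record into a tuple."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak distinct internal destinations} for every source
    that reached at least `threshold` distinct internal hosts within `window`."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, _ = parse_flow(line)
        if ip_address(dst) in INTERNAL:      # only east-west (internal) traffic matters here
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()                        # chronological order for the sliding window
        peak, start = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1                   # drop events that fell out of the window
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

# Constructed sample data: one workstation with ordinary traffic, and one
# compromised host sweeping port 445 across the /24 within about 1.5 seconds.
BASE = datetime(2024, 5, 1, 9, 0, 0)
NORMAL = [f"{(BASE + timedelta(seconds=10 * i)).isoformat()} 10.0.5.40 10.0.5.{d} 443"
          for i, d in enumerate((1, 2, 1, 3))]
SWEEP = [f"{(BASE + timedelta(milliseconds=50 * i)).isoformat()} 10.0.5.23 10.0.5.{i} 445"
         for i in range(1, 31)]
SAMPLE_FLOWS = NORMAL + SWEEP

if __name__ == "__main__":
    for src, peak in find_scanners(SAMPLE_FLOWS).items():
        print(f"possible internal scan from {src}: {peak} hosts within {WINDOW}")
```

Real deployments would tune the window and threshold to the baseline of each network segment and correlate hits with authentication logs from the touched hosts.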