

Despite billions of dollars in annual cybersecurity investments, federal agencies still struggle with persistent and damaging breaches. According to Michael Saintcross, Senior Director for Defense and Intelligence Community Business at Optiv + ClearShark, a key culprit is the overlooked threat of privilege escalation. In a recent sponsored podcast produced by Scoop News Group for Optiv + ClearShark, Saintcross emphasized that the primary objective of attackers is to gain elevated access, a critical step often missed by traditional identity, credential and access management (ICAM) strategies.
“As a malicious insider…, I’ve got to escalate privilege to accomplish my mission,” says Saintcross. “You can’t accomplish any of those goals without becoming an administrator or becoming a user that has admin rights.”
Although federal agencies are making significant strides in ICAM, particularly with the push toward zero-trust architectures, Saintcross argues that the focus often remains on managing who gets onto the network, rather than precisely controlling what they can do once inside.
Attackers typically gain an initial foothold by exploiting vulnerabilities at the network perimeter, then escalate privilege on the compromised endpoint. According to Saintcross, they move laterally from there, seeking out servers, data repositories and executive systems. He also noted a shift in attacker tactics: “Endpoint detection response has gotten so mature, the attackers are going after the servers, and they’re looking for service accounts for machine-to-machine, API services that have embedded credentials, embedded passwords, key API certificates. They’re compromising those, because that’s the direct path into the crown jewels.”
When it comes to combating these efforts, a significant challenge lies in the organizational silos between IT and security: identity management traditionally falls under the Chief Information Officer (CIO), while information security is the responsibility of the Chief Information Security Officer (CISO). This separation, Saintcross suggests, creates a gap that adversaries readily exploit. “Identity security is really the thing that needs to be happening,” he says, stressing the need for a unified approach to how identities are managed and secured from an information security perspective.
Further intensifying the problem is the widespread “privilege sprawl” evident across modern IT environments, which now span cloud infrastructure, Software-as-a-Service applications and many IoT and OT devices. Centralized visibility is part of the answer, but Saintcross highlighted that existing ICAM solutions may not be sufficient to address the dynamic nature of privilege in these distributed environments.
“Getting to this concept of zero standing privilege is really where we need to go,” says Saintcross. This involves implementing solutions that eliminate local administrator rights on endpoints, detect and remove “shadow admin” accounts and transition to a model of “privilege entitlement on demand.”
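The two controls named above, finding “shadow admin” accounts and replacing standing admin rights with time-boxed entitlements, can be illustrated with a small model. The block below is an added example written for this page; it is not code from the podcast, Optiv + ClearShark or any product, and its group names, accounts, ACL entries and the `JitBroker` class are constructed for illustration. It flattens nested group membership and ACL takeover rights (the two common ways an account ends up with admin-equivalent power that nobody documented), then shows an on-demand grant that expires instead of persisting.

```python
"""Added example (not from the podcast or Optiv + ClearShark): shadow-admin
detection over a constructed directory snapshot, plus a minimal model of
privilege entitlement on demand. All names and rights are hypothetical."""
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed snapshot: direct members of each group. A member that is itself a
# key in this dict is a nested group.
GROUP_MEMBERS = {
    "Domain Admins": {"alice", "Infra-Leads"},
    "Infra-Leads": {"erin"},
    "Helpdesk": {"bob", "Tier2"},
    "Tier2": {"carol"},
    "Backup Operators": {"svc-backup"},
}

# Constructed ACL entries: (trustee, right, target). Some rights let a trustee
# take over the target outright; those are admin-equivalent if the target is
# an admin group or an admin account.
ACL = [
    ("Helpdesk", "GenericAll", "Domain Admins"),
    ("svc-backup", "GenericRead", "Domain Admins"),
    ("dave", "WriteDACL", "alice"),
]

ADMIN_GROUPS = {"Domain Admins"}
TAKEOVER_RIGHTS = {"GenericAll", "WriteDACL", "WriteOwner", "ForceChangePassword"}


def effective_members(group):
    """Transitive membership: every user who ends up in `group` via nesting."""
    seen, queue, users = {group}, deque([group]), set()
    while queue:
        for m in GROUP_MEMBERS.get(queue.popleft(), ()):
            if m in GROUP_MEMBERS:          # nested group: walk into it once
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
            else:
                users.add(m)
    return users


def shadow_admins(admin_groups=ADMIN_GROUPS):
    """Principals with admin-equivalent power who are not directly listed in an
    admin group. Returns {principal: reason}."""
    documented = set().union(*(GROUP_MEMBERS.get(g, set()) for g in admin_groups))
    admins = set().union(*(effective_members(g) for g in admin_groups))
    findings = {}
    # Path 1: admin rights inherited through a nested group.
    for user in admins - documented:
        findings[user] = "nested member of admin group"
    # Path 2: an ACL right that lets the trustee take over an admin target.
    for trustee, right, target in ACL:
        if right not in TAKEOVER_RIGHTS:
            continue
        if target in admin_groups or target in admins:
            holders = effective_members(trustee) if trustee in GROUP_MEMBERS else {trustee}
            for user in holders - documented:
                via = f" via {trustee}" if trustee != user else ""
                findings[user] = f"{right} on {target}{via}"
    return findings


class JitBroker:
    """Privilege entitlement on demand: nobody holds a role permanently; a role
    exists only for a ticketed, time-boxed grant and is revoked when it lapses."""

    def __init__(self):
        self._grants = {}   # (user, role) -> (ticket, expires_at)

    def grant(self, user, role, ticket, minutes, now):
        self._grants[(user, role)] = (ticket, now + timedelta(minutes=minutes))

    def is_active(self, user, role, now):
        g = self._grants.get((user, role))
        if g is None:
            return False
        if now >= g[1]:                      # window closed: revoke on check
            del self._grants[(user, role)]
            return False
        return True


def jit_demo():
    """Constructed timeline: 30-minute grant checked at +10, +31 and +10 again."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    broker = JitBroker()
    broker.grant("bob", "Domain Admins", "CHG-1234", 30, t0)
    during = broker.is_active("bob", "Domain Admins", t0 + timedelta(minutes=10))
    after = broker.is_active("bob", "Domain Admins", t0 + timedelta(minutes=31))
    again = broker.is_active("bob", "Domain Admins", t0 + timedelta(minutes=10))
    return during, after, again   # the expired check revokes, so the last is False


if __name__ == "__main__":
    for user, why in sorted(shadow_admins().items()):
        print(f"shadow admin: {user:<6} {why}")
    print("JIT grant active during/after/again:", jit_demo())
```

On the constructed data the report flags erin (inherited through Infra-Leads), bob and carol (Helpdesk holds GenericAll over Domain Admins, and carol reaches Helpdesk through Tier2) and dave (WriteDACL on an admin account), while svc-backup is not flagged because GenericRead is not a takeover right. In a real directory the same two walks run over exported group membership and ACLs; the point is that direct membership alone never shows these accounts.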
As agencies continue their journey toward zero trust, Saintcross says a granular and proactive approach to managing and securing privileged access is paramount. “Focus on that privilege escalation, elimination and visibility,” he says. “It will not stop being the top control, the highest impact, highest risk reduction effect you can deploy in your mission.”
This podcast was produced by Scoop News Group for CyberScoop and underwritten by Optiv + ClearShark.