The increasing connectivity and openness of today's information systems often gives cyber-attackers many different paths into a system. Data from the 2016/2017 Global Fraud and Risk Report by Kroll shows that more than 85% of executives experienced a cyber incident over the past year. Note that an "incident" is not necessarily synonymous with a breach. The report summed up the type of incidents this way:
One of the hallmarks of targeted cyber attacks is that the attacker, starting from an execution toehold on a host, seeks to raise the privileges of that execution in order to gain greater control of the system. Once the attacker has attained this position, they may become tremendously difficult to detect, especially if they act and persist through a kernel rootkit. Fortunately, the privilege elevation process tends to be noisy, and it can be detected before it succeeds if one looks for the proper clues. This article presents detection heuristics for privilege elevation on Linux systems.
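To make the premise concrete before the heuristics themselves are presented, here is an added example that is not part of the original article: a small detector that scans Linux audit-style SYSCALL records for two clues of the kind described above. The first is a failed privilege-changing syscall issued by an unprivileged login identity (the "noisy before it succeeds" case); the second is a process that ends up with effective uid 0 through an executable other than an expected setuid program. The sample records, the allowlist of setuid programs and the two syscall numbers (x86_64 `setuid`=105 and `setresuid`=117) are assumptions made for the example, and the field names (`auid`, `uid`, `euid`, `exe`, `success`) follow auditd's SYSCALL record format.

```python
"""Detect privilege-elevation clues in Linux audit-style SYSCALL records.

Added example, not code from the original article. The sample lines below
are constructed; the allowlist and syscall numbers are assumptions.
"""
import re
from dataclasses import dataclass

# Programs expected to legitimately raise privileges (assumption for the
# example; a real deployment would build this from the host's setuid inventory).
EXPECTED_SETUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd"}

# auditd reports an unset login uid as 4294967295 (i.e. -1 as unsigned).
UNSET_AUID = 4294967295

# Privilege-changing syscalls worth watching even when they fail.
# Numbers are x86_64 values (assumption: other architectures differ).
PRIV_SYSCALLS = {"105": "setuid", "117": "setresuid"}

# Constructed sample records modelled on auditd SYSCALL lines.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1700000000.001:101): syscall=59 success=yes auid=1000 uid=1000 euid=0 exe="/usr/bin/sudo"',
    'type=SYSCALL msg=audit(1700000000.002:102): syscall=59 success=yes auid=1000 uid=1000 euid=1000 exe="/usr/bin/vim"',
    'type=SYSCALL msg=audit(1700000000.003:103): syscall=59 success=yes auid=1000 uid=1000 euid=0 exe="/tmp/.x/payload"',
    'type=SYSCALL msg=audit(1700000000.004:104): syscall=59 success=yes auid=0 uid=0 euid=0 exe="/usr/sbin/cron"',
    'type=SYSCALL msg=audit(1700000000.005:105): syscall=105 success=no auid=1000 uid=1000 euid=1000 exe="/home/bob/escalate"',
]

# key=value pairs; values may be quoted strings containing spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    event_id: str   # audit serial number from the msg=audit(ts:serial) field
    kind: str       # "attempt" (failed priv syscall) or "elevation" (euid 0)
    auid: int       # login uid of the session that produced the event
    exe: str        # executable involved


def parse_record(line):
    """Split one audit line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def event_id(fields):
    """Extract the serial number from msg=audit(<timestamp>:<serial>):."""
    m = re.search(r":(\d+)\)", fields.get("msg", ""))
    return m.group(1) if m else ""


def find_suspicious_elevations(lines, allowlist=EXPECTED_SETUID):
    """Return Findings for records that look like privilege elevation clues."""
    findings = []
    for line in lines:
        f = parse_record(line)
        if f.get("type") != "SYSCALL":
            continue
        try:
            auid, euid = int(f["auid"]), int(f["euid"])
        except (KeyError, ValueError):
            continue  # malformed record; skip rather than guess
        if auid in (0, UNSET_AUID):
            continue  # already root, or a daemon with no login session
        exe = f.get("exe", "")
        succeeded = f.get("success") == "yes"
        if not succeeded and f.get("syscall") in PRIV_SYSCALLS:
            # Noisy failure: an unprivileged session tried to change its uid.
            findings.append(Finding(event_id(f), "attempt", auid, exe))
        elif succeeded and euid == 0 and exe not in allowlist:
            # Unprivileged login now running as root via an unexpected binary.
            findings.append(Finding(event_id(f), "elevation", auid, exe))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_elevations(SAMPLE_AUDIT_LINES):
        print(f"event {hit.event_id}: {hit.kind} by auid={hit.auid} via {hit.exe}")
```

Run against the constructed sample, the detector reports event 103 as an elevation (a non-allowlisted binary running with euid 0 under login uid 1000) and event 105 as an attempt (a failed `setuid` from the same session), while ignoring the legitimate `sudo` invocation and the root-owned daemon. The allowlist is the obvious tuning point: anything that legitimately raises privileges on a given host belongs in it, and anything that appears there unexpectedly deserves its own review.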