Hacker Lifecycle Phase 3: Gaining Access and Privilege Escalation - IncMan SOAR’s Defense Mechanisms

Back to all articles

privilege escalation

In recent weeks we have discussed the first and second phases of the hacker lifecycle. Phase 1: Reconnaissance and How IncMan SOAR Playbooks Enable Protection and Phase 2: Scanning Penetration Testing and IncMan SOAR’s Protective Mechanisms. In this blog we will discuss Phase 3.

Gaining Access and Privilege Escalation

Let's now explore one of the most exciting phases of the hacker lifecycle which is ‘Gaining Access’ into the system. Now that the hacker has completed the second phase of ‘Scanning and Enumeration’, plus all of the “Reconnaissance” work from phase one, gaining access into the system or asset begins. This is only possible if a vulnerability has been discovered and can be exploited to grant access into the system. Once access into the system has been achieved, it will be possible to accomplish any task one so desires, although, certain security solutions like IncMan SOAR support integrations with other third-party tools and automate processes that make it extremely difficult on the hacker to obtain their goal.


Gaining Access

Gaining access is considered to be one of the most detrimental phases within the hacker lifecycle. It is during this stage that the threat actor has the capacity to perform the most amount of damage possible. Any number of attack types could occur at this point such as ransomware attacks, deploying viruses and worms, installing spyware and keystroke loggers, and installing rootkits. There are numerous ways in which the threat actor could have gained access into the system. A few of the methods that may have been used might include exploiting a vulnerability found in an application or network asset, some form of social engineering, or even through the means of an insider threat.


Additionally, once inside the network, they will carry out lateral movements and traverse in-between different systems to determine where the most valuable intelligence is located. However, depending on the privileges of the hackers user profile specific capabilities may be restricted preventing the hacker from achieving there end game goal. This is why privilege escalation plays such a vital role in this distinct phase.

Privilege Escalation

Escalation from a normal user account to an administrative account will authorize the hacker to gain access into systems and areas un-obtainable through standard user profiles. Therefore, the actor will try to find a user within the system that has administrative capabilities and replicate their profile. The hacker can now traverse anywhere within the network and deploy certain types of malware like rootkits which can only be successfully implemented through administrative rights. Additionally, if there are certain applications that have been found to have vulnerabilities that can be exploited it will be possible to manipulate these applications to perform functions outside of their normal intentions.

IncMan’s SOAR Technology Defending Against Gaining Access & Privilege Escalation

IncMan’s SOAR automated Playbooks are designed to provide a step by step linear approach to assist in the Incident Response lifecycle. In the case of ‘Gaining Access and Privilege Escalation’, there are a number of actions that can be defined within each phase of the Incident Response process. Each one of these tasks can be tailored to accommodate the needs of the organization. For example, a few of the tasks or actions that could be included in this explicit scenario might include:

  • Formal validation of firewall rules to include updated black/white listings of IP, Domain Name, and URL Reputation

  • Periodic auditing of user accounts verification of privileges and administrative capabilities

  • Continuous scanning to ensure that all network systems, applications, and assets are hardened and patched with no available vulnerabilities to exploit

  • Assuring that all network assets are devoid of any default login credentials

  • Ensuring that the alerts provided by the security tools network environment are regularly monitored and validated for false positives or potential compromises

These are just a few examples that should be included in the specially crafted IncMan Playbook that will be needed to aid in the prevention of a hacker being able to gain access and escalate privileges.

In Summary

This summarizes the third phase of the hacker lifecycle known as ‘Gaining Access & Privilege Escalation’. We illustrated how IncMan’s proprietary Playbook workflows provide its users and their organization with a step-by-step process to combat against this attack. This proprietary Playbook will not only prevent the probability of gaining access but if access has already been gained will supply the necessary actions for breach remediation. Stay tuned for our next blog that will cover the second to the last phase of the hacker lifecycle known as ‘Maintaining Access.’

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo