T1548 Abuse Elevation Control Mechanism

This control requires both CSP and CSC to independently enforce formal approval processes for user access, implement dynamic and explicit authorization mechanisms. The guidance focuses on implementing technical measures to verify authorization and prevent unauthorized access and execution.

This control requires both CSP and CSC to independently manage privileged access by enforcing time-bound approvals, formal request and justification processes, automated revocation, session restrictions, credential vaulting and rotation, continuous monitoring, and periodic reviews, ensuring privileged access is tightly controlled, monitored, and limited to only what is necessary for specific roles and timeframes. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through account permissions and roles, PAM solutions, or just-In-Time access.

This control describes the periodic, risk-based, and reviews of privileged accounts and high-risk access configurations, ensuring these are accounts are managed and scrutinized to prevent unauthorized access or excessive privileges. Privileged Account Management focuses on implementing policies, controls, and tools to securely manage privileged accounts (e.g., SYSTEM, root, or administrative accounts). This includes restricting access, limiting the scope of permissions, monitoring privileged account usage, and ensuring accountability through logging and auditing.This mitigation can be implemented through account permissions and roles, PAM solutions, or just-In-Time access.

This control describes the implementation of a secure and controlled user access provisioning process. Proper user account management reduces the attack surface by limiting unauthorized access to data, assets, and systems. Managing account access authorizations can reduce the risk of privilege escalation by ensuring accounts cannot perform unauthorized actions.

This control implements secure configuration best practices for hardening cloud platforms to mitigate adversary exploitation and abuse of system functionality. Secure system settings can help prevent adversaries from circumventing mechanisms designed to control elevate privileges and gain higher-level permissions. Performing regular software updates also mitigates exploitation risk.

This control provides for the implementation of best practices for endpoint management. Adjusting system settings and hardening default configurations can mitigate adversary exploitation of elevation control mechanisms and prevent abuse of system functionality.

This control describes separation of duties (SoD) must be implemented by assigning and managing distinct roles for users, applications, and services, minimizing overlapping responsibilities and restricting access to critical functions through centralized role management, multi-level approvals, and automated provisioning tools. Adversaries may abuse permission configurations that allow them to gain temporarily elevated access to cloud resources. Many cloud environments allow administrators to grant user or service accounts permission to request just-in-time access to roles, impersonate other accounts, or pass roles onto resources and services. In terms of mitigations, limit the privileges of cloud accounts to assume, create, or impersonate additional roles, policies, and permissions to only those required. Where just-in-time access is enabled, consider requiring manual approval for temporary elevation of privileges.

This control provides for the implementation of best practices for third-party endpoint management. Adjusting system settings and hardening default configurations can mitigate adversary exploitation of elevation control mechanisms and prevent abuse of system functionality.

The control outlines several testing approaches, including the use of automated tools, to identify vulnerabilities throughout the software development lifecycle from development to production. It emphasizes testing for risks such as injection attacks and session hijacking, and recommends alignment with industry standards like the OWASP Top 10 to enhance application security. Adversaries may attempt to bypass access controls and elevate privileges to gain unauthorized access. Therefore, testing for improper privilege escalation, such as scenarios where a user bypasses access control checks by modifying the URL, can help mitigate these risks.