Elevation of Privilege

Establish and maintain the capability to detect, prevent, and respond to privilege escalation incidents. Ensure Privileged Access Management tools, monitoring baselines, and response procedures are in place before an incident occurs.

Identify and confirm privilege escalation activity through monitoring, alerting, and initial triage. Determine the method and scope of privilege abuse and establish the incident timeline.

Perform deep analysis of the privilege escalation incident to understand the full attack chain, identify root causes, and gather forensic evidence to support containment and eradication decisions.

Limit the impact of the privilege escalation by revoking unauthorized access, isolating compromised accounts, and preventing further lateral movement while maintaining business operations where possible.

Remove the root causes of the privilege escalation by eliminating vulnerabilities, misconfigurations, and attacker persistence mechanisms. Harden access controls and enforce least privilege across the environment.

Restore normal operations by re-enabling cleaned accounts, validating access controls, and confirming that privilege baselines are restored. Monitor closely for any signs of re-escalation or attacker return.

Conduct a thorough post-incident review to document lessons learned, update detection capabilities, improve access control policies, and strengthen the organization's resilience against future privilege escalation attacks.