What is an attack vector? Examples of cybersecurity threat vectors

Attack vectors are the means or paths by which hackers gain access to computers remotely with malicious intentions, such as delivering payloads or carrying out other harmful activities. Some common ones are malware, social engineering, phishing and remote exploits.

Cybercrime is a booming business with no signs of slowing down. It’s not just about stealing sensitive data and information anymore; it has evolved into document theft or identity fraud which can have dire consequences for the victim. For example, ransomware often presents as an email attachment that, when clicked, will cause systems files to be encrypted to gain access to ransom money from you!

A cybersecurity measure is put in place when the security team starts to understand an organisations’ security vulnerabilities. Knowledge about these potential vulnerabilities or weaknesses helps identify where security breaches are most likely to occur, and protective measures are implemented around cyber activities.

Attack vector vs attack surface

You might be wondering, How are attack vectors and attack surfaces related? An attack vector is the sum of all attack surface points put together. For example, phishing, vishing are common attack vectors of social engineering attacks. 

• What is an Attack vector? An attack vector is a point of entry into a system that the attacker may exploit vulnerabilities. There are two types: direct and indirect. Direct attack vectors are those which affect the target directly, such as malware or phishing emails. Indirect attack vectors are those where the attacker indirectly exploits vulnerabilities in other systems, such as via an Internet browser vulnerability in Windows operating systems.
• Attack surface: An attack surface is the sum of the various security risk exposure points of a system, website or network. An attack surface is also the aggregate of the known, unknown (potential) vulnerabilities across all system software, hardware, and network components. Hackers can leverage a system’s different layers/components (including software/hardware) to mount an attack. 

A data breach is any incident in which sensitive, protected or confidential information is unintentionally disclosed to unauthorised individuals. Data breaches can occur when a business’s systems are hacked by an unauthorised party, internal or external.

Threat vector vs vulnerability

• Vulnerability: A vulnerability is a weakness in the system, which an attacker can use to break into information systems. Diagnosing the weak points in a system or network is seen as the first protective step in the right direction against security breaches by a malicious third party. The understanding of vulnerability is key information on taking measures to beef up security.
• Threat Vector: A threat vector (or attack vector) is defined as different pathways that cybercriminals follow to gain unauthorised access into a computer, network or system.

What are common attack vectors?

Attack vectors exist in different forms relevant to the target assets’ position and exposure. These could be from website attack vectors targeting online businesses or specific websites, endpoint security attack vectors, network to malware attack vectors. 

The most common examples of attack vectors include compromised credentials, weak and stolen credentials, malicious insiders, missing or poor encryption, misconfiguration, ransomware, phishing, trust relationships, zero-day vulnerabilities, brute force attack, and distributed denial of service (DDoS).

Examples of cybersecurity threat vectors and prevention measures

Here is the list of common cyber threat vectors, with explanation of attacks followed by prevention tips to ensure your attack surface is minimised. 

Compromised credentials

Access credentials most often comprise a username and password. The most common attack vector, compromised credentials, is when an attacker gains access to a user’s account and steals their login information. This is commonly used by phishing schemes or other forms of social engineering techniques.

The degree of access that a user’s credential gives is related to the level of risk associated with a compromised credential in addition to the underlying data in that account. One method for avoiding this type of attack would be using two-factor authentication on anything that has sensitive data.

Access credentials of an enterprise that grant administrative or back end access to systems are associated with a higher level of risk than clients’ credentials. Security tools, network devices and servers also hold credentials that enable device intercommunication. Intruders can exploit this to gain free access to the system of an enterprise.

How to avoid it?

• Have detection measures in place by ensuring your threat intel teams have the right tool-sets. You can also subscribe to credential leakage detection services that help you with leakage detection and risk analysis. Not all leaked credentials present critical risk; this must be analysed without adding fear to the event.
• Enterprises can employ good password policies to utilise multi-factor mechanisms along with good password strength for all users, or even passwordless sign-ins where possible. This will prevent weak and common credentials from being compromised. A large number of passwords attacks will be reduced in case of passwordless usage.
• Avoid accessing different systems and applications with similar passwords. A breach in the security of an application can pose a threat to other applications where access is gained using the same credential.
• Security incidents that can occur through leaked credentials can be reduced by using biometric and MFA.

Weak Credentials

Reusing passwords and using weak passwords expose associated accounts to unnecessary risks. It implies that a single account breach may help attackers infiltrate further, leading to full compromise of the internal network in certain scenarios.

How to avoid it?

• Password hygiene and usage should be monitored regularly to identify high-risk users and devices.
• Employees in the organisation should be educated on creating secure passwords, secure password practices and digital risks associated with authentication attacks.

Insider attacks

As the name says, it is about attacks originating from within an organisation. Malicious insiders are a common attack vector that is often costing businesses dearly due to the trust placed on the verification of users. However, not all insider threats are malicious. There have been cases where naive employees unintentionally expose internal data. Whereas others may be disgruntled employees who divulge sensitive information about the vulnerabilities in the company. These malicious insiders can cause untold harm to an organisation by taking advantage of access to sensitive data. A detailed article on insider attacks, detection indicators is a recommended read.

How to detect and avoid insider attacks?

There are many ways in which insider threats can be detected through the help of direct and indirect indicators. Direct Indicators would include exporting large amounts of files to another medium such as external storage or abnormal activities on a corporate network. Indirect indicators could potentially come from working outside work hours, misbehaviour or erratic moods regarding a specific individual; they may also show up when you observe someone acting suspiciously while at their desk for an extended period of time.

Insecure encryption practices

Encrypting data involves the conversion of data from plaintext into an unintelligible text called a ciphertext using algorithms. On reaching its intended recipient, this ciphertext is then decrypted back to intelligible text with the help of corresponding keys transmitted along.

The primary aim of encrypting digital data is to ensure it stays confidential and secure, whether stored or transferred across networks over internet channels for processing purposes. It’s important to note that encryption has relevance not only when storing but also transferring information and while undergoing various processes such as the transmission process itself, which substantially requires a certain level of confidentiality protection against any possible threats like eavesdropping attacks within network environments often consisting of highly vulnerable unencrypted traffic flows during relay between endpoints.

Examples of missing or poor encryption implementation or where efforts were made to do it from scratch include:

• Writing your own random number generators that are not cryptographically secure (remember the Sony PS3 hack and bitcoin crypto hacks?)
• Encryption doesn’t provide message integrity. Sometimes this assumption leads to security risks.
• Hardcoded keys
• Reusing initialization vectors that nullify the entire encryption process.
• Use of ECB mode of operation. ECB mode does not utilise IV. It’s also insecure because it discloses duplicate blocks information in cleartext.

When data is missing, or poor encryption controls are implemented, sensitive data stored or transmitted in its plaintext is in danger of getting into the wrong hands.  A malicious third party can access such stored data or intercept data in transit and manipulate it for self-gain. The hacker can also apply brute-force methods to decrypt weakly encrypted data.

How to avoid it?

• Regularly review your encryption practices to identify gaps and ensure internal crypto baselines are adhered to at all times.
• Make sure that keys are never shared or stored on a device. Storing keys under the mat are easy to find.
• Consider utilising strong encryption practices rather than reinventing the wheel. Do not assume your developers are security experts, especially in cryptography.
• Do not rely on cloud providers to secure your sensitive data. It is your responsibility to ensure data is secure in transit, during processing and at rest.

Misconfiguration attack vector

A misconfiguration attack vector is the failure to configure a computer or network device properly. A user with root privileges could, for example, disable logging on company servers and then enable it again after the desired data has been stolen. The attacker would also have permission to change settings to prevent access logs from being recorded (disabling all settings).

Applications and devices that are misconfigured present third parties with an easy point of entry. For instance, the use of default passwords and usernames to launch a system without changing them is an open letter to security breaches.

How to avoid misconfiguration attacks?

• Establish baselines for secure hardening processes and ensure they are implemented before release.
• Monitor device and application setting change and using the best-recommended practices as standards for comparison can help expose risks for misconfigured devices.

Ransomware

Ransomware is a type of malware that encrypts the data on your machine until you pay for it to be released. Ransomware is an attack vector increasing in popularity and sophistication, with different versions that can hijack webcam feeds or block network access altogether. Common ransomware attack vectors are RDP (Remote Desktop Protocol), Phishing and exploitation of unpatched vulnerabilities. Unpatched vulnerabilities have been taken advantage of by threat actors in the past.

It is no more about infection these days; it is assumed that one way or another, malware can make it into your perimeter. What matters is how an organisation follows a holistic approach to contain such threats quickly. It is equally important to be ready to contain the infection, limit its spread and infection rate as soon as possible and ensure the minimum impact.

Stopping the malware in different stages would help against malware and ransomware attacks. It will help to reduce:

• the likelihood of infections
• the lateral movement of malware throughout the organisation
• the impact of the infection

How to avoid ransomware attacks?

To avoid ransomware, organisations must act on this five-step process.

1. Using multi-factor authentication, web & email filtering, and ensuring secure remote access are highly recommended to reduce malware delivery.
2. To prevent malware infection, ensure secure OS configurations, tactical patch management and restrictions such as Office macros should be in place.
3. To limit the impact of an attack, implement the principle of least privilege, regularly review permissions and segregate obsolete systems.
4. User education and training should cover everyone without exceptions, regular training including supply chain contacts.
5. Ensure regular backups and utilise cloud services where possible. Keep one copy offline where possible. Remember, always test backups.

Phishing

A type of threat vector involves hackers impersonating as a genuine institution to lure individuals into divulging sensitive information. This vector is the single most dangerous attack vector aiming at the human element resulting in high success for criminals.

This sensitive data includes passwords, details of credit cards and other personal information. The target can be contacted via telephone, text message or email by the person impersonating as a genuine organisation or colleague. Phishing has a reputation as one of the most patronised social engineering vectors, among other vectors. Phishing schemes can appear innocent, and they can also be very complex. Phishing schemes can bypass levels of measures of traditional security, including endpoint controls and email gateways.

How to prevent Phishing attacks?

• It is not OK to blame users. It doesn’t help.
• Make it difficult for attackers. Learn about spoofing attacks and use anti-spoofing measures: DMARC, DKIM, SPF and ask your contacts to do the same.
• Don’t rely on training courses. Help your staff to spot phishing emails. Encourage active reporting of such incidents.
• A defence-in-depth approach should be followed. Include 2-factor authentication and effective authorisation processes, web and email filtering and endpoint protection measures.
• Ensure logging and monitoring controls are in place. Prepare, implement and TEST incident response plan.

Trust relationships

A common attack vector is a trust relationship in which one system trusts another system. There are two domains – an authenticating domain and a trusting domain. The authenticating domain looks at the trusting domain and gives it access to all its resources without being fooled by fake websites, emails, or anything like that. A breach can occur when the credentials of a trusted user are cached.

How to avoid it?

• Trust relationships can be managed to reduce the damage that a hacker can cause. An example of zero-trust security practice is Google’s BeyondCorp.

Zero-day vulnerabilities

A vulnerability that everyone is ignorant of until a breach occurs is called a zero-day vulnerability. An attack is a zero-day attack when an exploit is available before a patch is out by a vendor. This exploitation provides attackers with an extra window of opportunity due to the non-availability of the patch. Preventing it can prove difficult as an organisation must rely on its current measures and controls with a multi-layered approach.

Brute force attacks

A brute force attack is a form of password guessing that uses an automated process to check for passwords one-by-one. Brute force attacks can be performed manually or in the background by malware on your computer system without you being aware.

Such attacks are often aimed at finding and gaining access into accounts where weak or default passwords are used.

How to avoid brute force attacks?

There are ways to protect yourself from brute force attacks by using strong passwords, turning on two-factor authentication if possible and making sure you use different passwords for every account.

Additionally, secure coding practices must be used early in your applications, logging and monitoring controls are in place and alerting mechanisms to inform you in case.

Distributed Denial of Service (DDoS) 

A distributed denial of service attack takes down a website by sending too many requests to the site’s servers. This is called a Denial-of-Service or DOS attack for short. The objective is usually making an online service unavailable for users (known as downtime) by overloading its hosting capacity or forcing the target offline completely.

DDoS attacks leverage the power of multiple computers that have been infected by malware to target a single system. Infrastructure layer attacks, application-layer attacks and volumetric attacks are the major classifications of DDoS attacks.

How to avoid DDoS attacks?

• Reduce attack surfaces by regularly reviewing your network footprint and internet presence.
• One mitigation is by placing resources behind Content Delivery Networks (CDN) and proxies. Multiple cloud providers are offering such facilities without much complexity of implementation these days.
• Firewalls and load balancers can also be used to restrict direct traffic to web servers and other assets.
• Keep a response plan handy in case an attack is successful.

SQL Injection attack and application attack vectors

A SQL injection attack is a code injection technique that can utilize an end-user’s input to penetrate and alter data in an underlying database. The attacker sends specially formatted queries via different entry points, such as a web form where users must enter their login credentials or special privileges are required for access.

Multiple other attack vectors exist that can affect web applications and the underlying components. These range from Cross-site Scripting to XXE (External XML entity) attacks. OWASP is the go-to standard for checking the most common web application security risks. These are:

1. Injection
2. Broken authentication
3. Sensitive data exposure
4. XML External Entities (XXE)
5. Broken access controls
6. Security misconfigurations
7. Cross-site scripting (XSS)
8. Insecure deserialization
9. Using components with known vulnerabilities
10. Insufficient logging and monitoring

How to avoid SQL Injection and other web application attacks?

• Swear by secure SDLC practices that include secure coding practices for developers and associated checkpoints to help you identify your weaknesses early.
• Commission regular web application penetration tests, source code reviews and database hardening checks to identify and mitigate risks.

If you wish to read detailed prevention steps for each of the OWASP 10 issues, read OWASP Top 10 for web applications and API Top 10.

The above list is by no means complete; it is aimed at common attack vectors that are utilised to gain unauthorised access into the organisations. There are endless more attack vectors based on the target asset category, exposed services and the associated weaknesses. Constant evaluation of attack surface, implementation of basics such as the least privilege principle, secure architectural practices based around defence-in-depth approach are some of the pointers as a good start.

Other frequently asked questions around attack vectors.

Which two attack vectors are protected by malware protection software?

• Malware protection software will protect against attack vectors such as infected email attachments.
• A robust password policy and two-factor authentication can help prevent passwords from being compromised, an attack vector that relies on attackers gaining access to your account using a user name and password combination they obtained by guessing it or stealing it to gain access into user accounts.

Which two attack vectors are protected by cloud security?

• Protecting against website attack vectors by monitoring the network and downloading updates
• Protecting email attack vectors with SPF, DKIM, DMARC.

Protect your business from various attack vectors by discussing your concerns with Cyphere. Our truly third-party opinion ensures that we provide advice that works best for your environment without worrying about product/vendor commercial inclinations. Get in touch for a call today.