What is an attack vector? Assess your attack surface and how to avoid cyber attacks.


Attack vectors are defined as the means or paths by which hackers gain access to computers remotely with malicious intentions such as delivering payloads or carrying out other harmful activities. Some common ones are malware, social engineering, phishing and remote exploits.

Cybercrime is a booming business with no signs of slowing down. It's not just about stealing sensitive data and information anymore; it has evolved to include document theft and identity fraud, which can have dire consequences for the victim. For example, ransomware often arrives as an email attachment that, when clicked, causes system files to be encrypted so that the attacker can demand ransom money from you!

A cybersecurity measure is put in place when the security team starts to understand an organisation's security vulnerabilities. Knowledge about these potential vulnerabilities or weaknesses helps to identify where security breaches are most likely to occur, and protective measures are then implemented around cyber activities.

Attack vector vs attack surface

  • Attack vector: An attack vector is a point of entry into a system that the attacker may use to exploit vulnerabilities. There are two types: direct and indirect. Direct attack vectors are those which affect the target directly, such as malware or phishing emails. Indirect attack vectors are those where the attacker indirectly exploits vulnerabilities in other systems, such as via an Internet browser vulnerability on Windows operating systems.
  • Attack surface: An attack surface is the sum of the various security risk exposure points of a system, website or network. An attack surface is also the aggregate of the known, unknown (potential) vulnerabilities across all software, hardware and network components of a system. Hackers can leverage different layers/components (including software/hardware) of a system to mount an attack. 

A data breach is any incident in which sensitive, protected or confidential information is unintentionally disclosed to unauthorised individuals. Data breaches can occur when a business’s systems are hacked by an unauthorised party that could be internal or external.

Threat vector vs vulnerability

  • Vulnerability: A vulnerability is a weakness in the system, which an attacker can use to break into information systems. Diagnosing the weak points in a system or network is seen as the first protective step in the right direction against security breaches by a malicious third party. The understanding of vulnerability is key information on taking measures to beef up security.
  • Threat Vector: A threat vector (or attack vector) is defined as different pathways that cybercriminals follow to gain unauthorised access into a computer, network or system.

What are common attack vectors?

Attack vectors exist in different forms relevant to the target asset's position and exposure. The most common examples of attack vectors include compromised credentials, weak and stolen credentials, malicious insiders, missing or poor encryption, misconfiguration, ransomware, phishing, trust relationships, zero-day vulnerabilities, brute force attacks and distributed denial of service (DDoS).

Compromised credentials

Access credentials most often comprise a username and password. Compromised credentials, the most common kind of attack vector, occur when an attacker gains access to a user's account and steals their login information. This is commonly achieved through phishing schemes or other social engineering techniques.

The level of risk associated with a compromised credential depends on the degree of access that the credential gives, in addition to the underlying data in that account. One method for avoiding this type of attack would be using two-factor authentication on anything that has sensitive data.

Access credentials of an enterprise that grant administrative or back end access to systems are associated with a higher level of risk than clients’ credentials. Security tools, network devices and servers also hold credentials that enable device intercommunication. Intruders can exploit this to gain free access to the system of an enterprise.

How to avoid it?

  • Have detection measures in place by ensuring your threat intel teams have the right tool-sets. You can also subscribe to credential leakage detection services that help you with leakage detection and also with risk analysis. Not all leaked credentials present critical risk; this must be analysed without adding a fear factor to the event.
  • Enterprises can employ good password policies to guarantee a positive password strength for all users. This will prevent weak and common credentials from being compromised.
  • Avoid accessing different systems and applications with similar passwords. A breach in the security of an application can pose a threat to other applications where access is gained using the same credential.
  • Security incidents that can occur through leaked credentials can be reduced by using biometrics and MFA.

Weak Credentials

Reusing passwords and using weak passwords expose the associated accounts to unnecessary risks. A single account breach may help attackers to infiltrate further, leading up to full compromise of the internal network in certain scenarios.

How to avoid it?

  • Password hygiene and usage should be monitored regularly to identify high-risk users and devices
  • Employees in the organisation should be educated on how to create secure passwords, secure password practices and digital risks associated with authentication attacks.

Insider attacks

As the name says, these are attacks originating from within an organisation. Malicious insiders are a common attack vector, often costing businesses dearly because of the trust placed in user verification. However, not all insider threats are malicious. There have been cases where naive employees unintentionally exposed internal data, whereas others may be disgruntled employees who divulge sensitive information about the vulnerabilities in the company. These malicious insiders can cause untold harm to an organisation by taking advantage of access to sensitive data. A detailed article on insider attacks and detection indicators is a recommended read.

How to detect and avoid insider attacks?

There are many ways in which insider threats can be detected with the help of direct and indirect indicators. Direct indicators would include exporting large amounts of files to another medium such as external storage, or abnormal activities on a corporate network. Indirect indicators could potentially come from working outside work hours, or from misbehaviour or erratic moods in a specific individual; they may also show up when you observe someone acting suspiciously while at their desk for an extended period of time.

Insecure encryption practices

Encrypting data involves the conversion of data from plaintext into an unintelligible text called a ciphertext using algorithms. This ciphertext, on reaching its intended recipient, is then decrypted back to intelligible text with the help of corresponding keys that have been transmitted along as well.

The primary aim of encrypting digital data is to keep it confidential and secure, whether it is being stored or transferred across networks and internet channels for processing. Encryption is relevant not only to storage but also to data in transit and in processing. Transmission in particular requires confidentiality protection against threats such as eavesdropping, because unencrypted traffic relayed between endpoints in a network is highly vulnerable.

Examples of missing or poor encryption implementation or where efforts were made to do it from scratch include:

  • Writing your own random number generators that are not cryptographically secure (remember the Sony PS3 hack and bitcoin crypto hacks?)
  • Assuming that encryption provides message integrity. It doesn't, and sometimes this assumption leads to security risks.
  • Hardcoded keys
  • Reusing initialization vectors, which nullifies the entire encryption process.
  • Use of ECB mode of operation. ECB mode does not utilise an IV. It's also insecure because identical plaintext blocks produce identical ciphertext blocks, which discloses where the cleartext repeats.

When encryption is missing or poor encryption controls are implemented, sensitive data that is stored or transmitted in plaintext is in danger of getting into the wrong hands. A malicious third party can access such stored data or intercept data in transit and manipulate it for self-gain. The hacker can also apply brute-force methods to decrypt weakly encrypted data.

How to avoid it?

  • Regularly review your encryption practices to identify gaps and ensure internal crypto baselines are adhered to at all times.
  • Make sure that keys are never shared or stored on a device. Keys stored under the mat are easy to find, right?
  • Consider utilising strong encryption practices rather than reinventing the wheel. Do not assume your developers are security experts, especially in cryptography.
  • Do not rely on cloud providers to secure your sensitive data. It is your responsibility to ensure data is secure in transit, during processing and at rest.

Misconfiguration attack vector

A misconfiguration attack vector is the failure to configure a computer or network device properly. A user with root privileges could, for example, disable logging on company servers and then enable it again after the desired data has been stolen. The attacker would also have permissions to change settings in order to prevent access logs from being recorded (disabling all settings).

Applications and devices that are misconfigured present third parties with an easy point of entry. For instance, launching a system with its default passwords and usernames unchanged is an open invitation to security breaches.

How to avoid misconfiguration attacks?

  • Establish baselines for secure hardening processes and ensure they are implemented before release.
  • Monitoring device and application setting changes, and using the best-recommended practices as standards for comparison, can help expose risks from misconfigured devices.


Ransomware

Ransomware is a type of malware that encrypts the data on your machine until you pay for it to be released. Ransomware is an attack vector that has been increasing in popularity and sophistication, with different versions able to hijack webcam feeds or block network access altogether. Common ransomware attack vectors are RDP (Remote Desktop Protocol), phishing and exploitation of unpatched vulnerabilities. Unpatched vulnerabilities have been taken advantage of by threat actors in the past.

It is no longer just about infection these days; it is assumed that, one way or another, malware can make it into your perimeter. What matters is how an organisation follows a holistic approach to contain such threats quickly. It is equally important to be ready to contain the infection and to limit its spread and infection rate as soon as possible, ensuring the minimum impact.

Stopping the malware in different stages would help against malware and ransomware attacks. It will help to reduce:

  • the likelihood of infections
  • the lateral movement of malware throughout the organisation
  • the impact of the infection

How to avoid ransomware attacks?

To avoid ransomware, organisations must act on this five-step process.

  1. To reduce malware delivery, use multi-factor authentication and web & email filtering, and ensure secure remote access.
  2. To prevent malware infection, ensure secure OS configurations and tactical patch management, and put restrictions in place, such as on Office macros.
  3. To limit the impact of an attack, implement the principle of least privilege, regularly review permissions and segregate obsolete systems.
  4. User education and training should cover everyone without exception, with regular training that includes supply chain contacts.
  5. Ensure regular backups and utilise cloud services where possible. Keep one copy offline where possible. Remember, always test backups.

Phishing

Phishing is a type of threat vector in which hackers impersonate a genuine institution to lure individuals into divulging sensitive information. This vector is the single most dangerous attack vector; it aims at the human element, resulting in high success for criminals.

This sensitive data includes passwords, credit card details and other personal information. The target can be contacted via telephone, text message or email by a person impersonating a genuine organisation or colleague. Phishing has a reputation as one of the most used social engineering vectors. Phishing schemes can appear innocent, and they can also be very complex. Phishing schemes can bypass layers of traditional security measures, including endpoint controls and email gateways.

How to prevent Phishing attacks?

  • It is not OK to blame users. It doesn’t help.
  • Make it difficult for attackers. Use anti-spoofing measures: DMARC, DKIM, SPF and ask your contacts to do the same.
  • Don’t rely on training courses. Help your staff to spot phishing emails. Encourage active reporting of such incidents.
  • A defence-in-depth approach should be followed. Include 2-factor authentication and effective authorisation processes, web and email filtering and endpoint protection measures.
  • Ensure logging and monitoring controls are in place. Prepare, implement and TEST an incident response plan.

Trust relationships

A common attack vector is a trust relationship in which one system trusts another system. There are two domains – an authenticating domain and a trusting domain. The authenticating domain looks at the trusting domain and gives it access to all of its resources without being fooled by any fake websites or emails or anything like that. A breach can occur when the credentials of a trusted user are cached.

How to avoid it?

Zero-day vulnerabilities

A vulnerability that everyone is ignorant of until a breach occurs is called a zero-day vulnerability. An attack is referred to as a zero-day attack when an exploit is available before a patch has been released by the vendor. This gives attackers an extra window of opportunity because no patch is available. Preventing it can prove difficult, as an organisation must rely on its current measures and controls consisting of a multi-layered approach.

Brute force attacks

A brute force attack is a form of password guessing that uses an automated process to check for passwords one-by-one. Brute force attacks can be performed manually or in the background by malware on your computer system without you being aware.

Such attacks are often aimed at finding and gaining access to accounts where weak passwords or default passwords are used.


How to avoid brute force attacks?

There are ways to protect yourself from brute force attacks by using strong passwords, by turning on two-factor authentication if possible and making sure you use different passwords for every account.

Additionally, it is important that secure coding practices are used early in your applications, logging and monitoring controls are in place and alerting mechanisms to inform you in case.
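
One form the logging, monitoring and alerting controls mentioned above can take is a sliding-window check over authentication logs. This is an added example, not part of the original article; the sshd-style log lines are constructed, the timestamp format, threshold and window are assumptions, and the function names are illustrative.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd-style password messages; the ISO timestamp prefix is an assumption.
LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (alert, source_ip, user) tuples in the order they fire."""
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()               # sources that already raised a burst alert
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        ip, user = m.group("ip"), m.group("user")
        failures = recent[ip]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if m.group("result") == "Failed":
            failures.append(ts)
            if len(failures) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("burst", ip, user))
        elif ip in flagged:
            # A login that follows a burst may mean a password was guessed.
            alerts.append(("success_after_burst", ip, user))
    return alerts


def _line(ts, result, user, ip):
    fmt = "2024-05-01T%sZ sshd[811]: %s password for %s from %s port 50122 ssh2"
    return fmt % (ts, result, user, ip)


# Constructed sample log (documentation IP ranges).
SAMPLE_LOG = (
    [_line("10:00:0%d" % s, "Failed", "admin", "203.0.113.7") for s in (1, 3, 5, 7, 9)]
    + [_line("10:00:11", "Accepted", "admin", "203.0.113.7"),
       _line("10:05:00", "Failed", "alice", "198.51.100.4"),
       _line("10:09:00", "Failed", "alice", "198.51.100.4"),
       _line("10:09:10", "Accepted", "alice", "198.51.100.4")]
)

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The two mistyped passwords from 198.51.100.4 are minutes apart and stay below the threshold, so only the rapid burst and the login that follows it are reported.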

Distributed Denial of Service (DDoS) 

A distributed denial of service attack takes down a website by sending too many requests to the site's servers. This is called a Denial-of-Service or DoS attack for short. The objective is usually either to make an online service unavailable for users (known as downtime) by overloading its hosting capacity, or to force the target offline completely.

DDoS attacks leverage the power of multiple computers that have been infected by malware to target a single system. Infrastructure layer attack, application-layer attack and volumetric attacks are the major classifications of DDoS attacks.

How to avoid DDoS attacks?

  • Reduce attack surface by regularly reviewing your network footprint and internet presence.
  • One mitigation is by placing resources behind Content Delivery Networks (CDN) and proxies. Multiple cloud providers are offering such facilities without much complexity of implementation these days.
  • Firewalls and load balancers can also be used to restrict direct traffic to web servers and other assets.
  • Keep a response plan handy in case an attack is successful.

SQL Injection attack and application attack vectors

A SQL injection attack is a code injection technique that can use the input of an end-user to penetrate and alter data in an underlying database. The attacker sends specially formatted queries via different entry points, such as a web form where the user must enter their login credentials or where special privileges are required for access.

Multiple other attack vectors exist that can affect web applications and the underlying components. These range from Cross-site Scripting to XXE (XML External Entity) attacks. OWASP is the go-to standard for checking the most common web application security risks. These are:

  1. Injection
  2. Broken authentication
  3. Sensitive data exposure
  4. XML External Entities (XXE)
  5. Broken access controls
  6. Security misconfigurations
  7. Cross-site scripting (XSS)
  8. Insecure deserialization
  9. Using components with known vulnerabilities
  10. Insufficient logging and monitoring

How to avoid SQL Injection and other web application attacks?

  • Swear by secure SDLC practices that include secure coding practices for developers and associated checkpoints to help you identify your weaknesses early.
  • Commission regular web application penetration tests, source code reviews and database hardening checks to identify and mitigate risks.
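
As an illustration of the secure coding practices in the list above, the following added example (not code from the original article) puts a query built by string formatting beside its parameterised form, using an in-memory SQLite database with constructed rows. It goes slightly beyond the login-form case in the text by also showing an allow-list for a sort column, which cannot be bound as a parameter. All table, column and function names are illustrative.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    db.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                   [("alice", "user"), ("bob", "admin")])
    return db


def find_user_vulnerable(db, username):
    # VULNERABLE: the form value becomes part of the SQL text itself.
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return db.execute(query).fetchall()


def find_user_safe(db, username):
    # Parameterised: the driver passes the value separately from the statement.
    query = "SELECT username, role FROM users WHERE username = ?"
    return db.execute(query, (username,)).fetchall()


SORTABLE = {"username", "role"}  # allow-list of column names


def list_users_sorted(db, sort_by):
    # Identifiers cannot be bound as parameters, so validate against a fixed set.
    if sort_by not in SORTABLE:
        raise ValueError("unsupported sort column: %r" % sort_by)
    return db.execute("SELECT username, role FROM users ORDER BY " + sort_by).fetchall()


# Constructed form input that changes the meaning of the concatenated query.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, CRAFTED))  # every row comes back
    print("safe:      ", find_user_safe(db, CRAFTED))        # no row matches
    print("sorted:    ", list_users_sorted(db, "role"))
```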

If you wish to read detailed prevention steps for each of the OWASP Top 10 issues, read OWASP Top 10 for web applications and API Top 10.

The above list is by no means complete; it is aimed at common attack vectors that are used to gain unauthorised access into organisations. There are many more attack vectors, depending on the target asset category, exposed services and the associated weaknesses. Constant evaluation of the attack surface, implementation of basics such as the least privilege principle and architectural practices based around a defence-in-depth approach are some pointers for a good start.

Other frequently asked questions around attack vectors.

Which two attack vectors are protected by malware protection software?

  • Malware protection software will protect against attack vectors such as infected email attachments.
  • A robust password policy and two-factor authentication can help to prevent passwords from being compromised. This attack vector relies on attackers gaining access to user accounts with a user name and password combination that they obtained by guessing or stealing it.

Which two attack vectors are protected by cloud security?

  • Protecting against website attack vectors by monitoring the network and downloading updates
  • Protecting email attack vectors with SPF, DKIM, DMARC.

Protect your business from various attack vectors by discussing your concerns with Cyphere. Our truly third-party opinion ensures that we provide advice that works best for your environment, without worrying about product/vendor commercial inclinations. Get in touch for a call today.
