A data breach can be a catastrophic event for any organization. One way to help curb potential exploits is to get a handle on potential attack vectors. In this post, we will cover what an attack vector is, the most common ones to be aware of, and key ways to reduce opportunities for bad actors to exploit system vulnerabilities.
What is an attack vector?
An attack vector is the combination of a bad actor’s intentions and the path they use to execute a cyberattack on an organization. For example, a cybercriminal looking to infect a network with ransomware may use a phishing email to gain access. In this case, the phishing email is the attack vector.
Hackers continually attempt to gain unauthorized access to your computer, server or networked system of devices and cause a malicious outcome, or attack. The method by which they attempt to achieve that outcome is the attack vector.
What are examples of common attack vectors?
SQL injection is a common attack vector in web applications. It takes advantage of a vulnerability that allows attackers to modify queries as they are executed on the underlying database. Man-in-the-middle is another common attack, in which connections are intercepted for anything from simple spying to introducing rogue content.
Phishing exploits combine deceit with malware. Attackers often send legitimate-looking email messages to your users, knowing that eventually an unsophisticated user will click on an embedded link or attachment. That leads to a malware infection or to a “watering hole” with a form requesting more information that the site captures for later use or sale.
Currently, the attack that most often grabs headlines is ransomware, a type of malware that spreads quickly and encrypts all the files it infects. The attacker effectively holds your data hostage and demands payment of a ransom, usually in an untraceable format such as a cryptocurrency. The most notorious instances of ransomware affect large municipalities, shipping lines, infrastructure and hospitals, but small and medium businesses (SMB) often fall victim, too.
Other common attack vectors include, but are not limited to:
- Vulnerability exploits — All software contains weaknesses. When attackers find them, they can use them to gain access to networks and data.
- Zero-day vulnerabilities — Some vulnerabilities are designed to open a window and strike at a given time, while zero-day vulnerabilities strike as soon as they infect the system.
- Shadow IoT devices — Unauthorized hardware like USB drives and small computing devices can sit attached to a server or workstation, unobserved by IT staff. If secreted onto the network by somebody with internal access, such a device can capture and send a lot of data before being discovered.
- Unsecure applications — Most IT groups deal with this by enforcing a list of applications that are approved or disapproved for use on the network. This issue has weighed on companies in the era of BYOD, as control of devices has shifted away from company-issued hardware and IT has had to obtain user permission for updates. That loss of control has made it more difficult to maintain tight security.
- Supply chain — To the extent that your company depends on software for its survival and success, the supply chain behind that software becomes an attack vector. A single exploit in the supply chain ripples out to all the businesses running the software, as build tools and repositories incorporate the exploit and distribute it.
- Humans themselves — The highest-leverage attack vector is an authenticated user who can simplify the task of providing access. From those unwitting users who keep opening rogue email attachments to those who act with ill intent, humans interacting with data tend to be the most powerful vector.
What is the relationship between an attack vector and a company’s attack surface?
Think of an attack vector as every attempt to storm the castle of your network. Your attack surface, then, represents the full scope of your vulnerabilities, similar to holes in your castle walls and ladders you left outside. It’s a measure of your overall security posture because it reflects all the ways in which you’re weak and liable to exploitation.
Suppose you use remote desktop protocol (RDP) for your remote workers, but you haven’t added the necessary security layers, or you’re lax about authentication for those RDP sessions. If you’re secure in all the other areas and have them locked down, then your attack surface is limited to RDP. The fewer places you’re vulnerable, the smaller your attack surface in the face of attempts to breach your network.
What do threat actors do?
Threat actors are people who intend to compromise an organization’s security, data, information or reputation. Common classes of threat actors include cybercriminals, nation-state actors, ideologues, insiders and even your own competitors. As described above, threat actors have the what (intent), so they manage and direct the activities of the hackers, who have the how (skills).
Hackers sniff around for openings and clues to openings, like the email address of an administrative assistant with access to executive data. Their thinking is that, although the devices of your CXOs are secure, the devices of admin staff are less secure.
Or, they run port scanning tools, looking for ports that you’ve left unprotected on your firewall. That’s one way to find and exploit RDP, or initiate a SQL injection attack on a database.
Most devious is social engineering, in which hackers perform the digital equivalent of simply talking their way through the door and into your building. It’s a confidence game in which they con their target into revealing information like a password or a location. They can then use the information for the next step in their attempt to plant a malicious payload on your network.
Best practices for reducing risk from attack vectors
- Monitor and manage your endpoints — If you’re not controlling the systems that people are using, then the effect is like tying a blindfold on yourself. The best way to anticipate and avoid an attack is to know what’s happening on all the devices in your environment, then configure those devices for limited function. That means mitigating the risk that something will exploit a feature of an application or the operating system.
- Restrict administrator privileges where possible — Do your users really need full admin rights on their company-issued devices? Sure, it’s nice not needing to escalate privileges for them, but the downside is that they can easily install their own programs.
- Reassess permissions consistently — Instead of infrequent, one-off monitoring, stay on top of changes to permissions. Your goal is to monitor frequently so that, if you discover a vulnerability, you can minimize damage from it. That’s better than stumbling onto it and hoping it hasn’t been there a long time. If you don’t brush your teeth for a couple of months, you’ll pay the price, and the same is true for monitoring.
- Monitor suspicious behavior — Suppose a new network service account has popped up in the last few days. IT didn’t create it. Why was it created? Who needed it? For what purpose? It could be completely benign, but it could also be something malign. The same applies to unexpected hardware devices. Make sure you can explain every new event on your network.
- Back up data frequently and securely — If an outage or a natural disaster strikes, you’ll restore from backups and resume business. But if your production machines are attacked with ransomware, there will be a chance that your backups are infected as well, in which case restoring won’t solve your problem. Instead, back up to a system with a different authentication scheme from that of your production environment. That way, if attackers steal a domain admin account on your product network, they can’t use it to attack your backups.
- Align with the organization — Even though spending money on security is a no-brainer, figuring out how much money to spend on security is not a no-brainer. Network security competes for budget in the same way that Operations, Marketing, Sales, R&D and all other company functions do. To keep the tail from wagging the dog, it’s important to align your security budget with all the other budgets. “Risk mitigation” can mean investing in defense against one attack vector this quarter and a different the next.
- Train employees on security — No organization can afford to overlook the human factor inherent to almost every attack vector. That’s why it’s important to inform and remind all network users of the ramifications and consequences of their actions. You reap the benefits of good training every time an employee pauses before opening an attachment or clicking on an unrecognized link.
Conclusion
Maybe you have no control over the next attack vector a bad actor will use, but you have control over your organization’s defense against it. As important as it is to understand attack vectors, it’s more important to understand endpoint security challenges and establish and maintain strong endpoint security.
It’s always a good idea to look to flexible endpoint management software to help you discover, manage and secure your devices via traditional and modern methods.
