Attack Vectors:
What They Are and How They Are Exploited

Bart Lenaerts-Bergmans - April 13, 2023

Attack vector defined

An attack vector is the method or combination of methods that cybercriminals use to breach or infiltrate a victim’s network.

Adversaries typically develop an arsenal of attack vectors that they routinely use to carry out their attacks. Over time and with repeated use, these attack vectors can become virtual “calling cards” for cybercriminals or organized eCrime gangs, making it possible for threat intelligence analysts, cybersecurity service providers, law enforcement, and government agencies to assign an identity to different adversaries.

Recognizing and tracking an adversary’s attack vectors can help organizations better defend against existing or upcoming targeted attacks. In addition, knowing who is behind an attack — determined in part by their use of a signature attack vector — can help the organization understand the adversaries’ capabilities and take steps to protect the business and its assets in the future.

Attack vector vs attack surface vs threat vector vs threat actor

What is an attack surface?

An attack surface is the sum of all possible security risk exposures in an organization’s environment. Put another way, it is the collective of all potential vulnerabilities (known and unknown) and controls across all hardware, software, network components, and people.

Attack surfaces can be categorized into three basic types:

  1. Digital attack surface: Encompasses the entire network and software environment of an organization. It can include applications, code, ports, and other entry and exit points.
  2. Physical attack surface: All of an organization’s infrastructure such as desktop systems, laptops, mobile devices, servers, access gates, telco infrastructure, and even electrical feeds.
  3. Social engineering attack surface: Attacks that exploit the human mind, often used in phishing, pretexting (smishing), vishing (voicemail), and other manipulative techniques to mislead the human.

What is a threat vector?

Threat vector is a term used to describe the method a cybercriminal uses to gain initial access to a victim network or infrastructure. Threat vector is often used interchangeably with attack vector.

What is a threat actor?

A threat actor, also known as a malicious actor or digital adversary, is any person or organization that intentionally causes harm in the digital sphere. They exploit weaknesses in computers, networks, and systems to carry out disruptive attacks on individuals or organizations.

The term “threat actor” includes cybercriminals, but it is much broader. Ideologues such as hacktivists (hacker activists), terrorists, insiders, and even internet trolls are all considered threat actors.


How are attack vectors exploited

Threat vectors generally fall into one of two categories:

  1. Passive attack vectors
  2. Active attack vectors

Passive attack vectors

A passive attack vector is an attack technique where the adversary monitors a victim’s system for any vulnerability, such as an open port, misconfiguration, or unpatched software application, that they can exploit to gain access.

In a passive attack, adversaries typically do not aim to harm the system or disrupt business operations. Rather, their goal is to gain access to data and other sensitive information.

Because passive attack vectors do not typically disrupt the system or alter the environment in any way, it can be difficult for organizations to recognize that an attack is in progress and take the necessary steps to protect the business from further damage.

Examples of passive attack vectors include port scanning, sniffing, eavesdropping (such as man-in-the-middle attacks), and many social engineering attacks.

Active attack vectors

An active attack vector is an attack technique used by an adversary that alters a system or disrupts its operation.

Like passive attacks, many adversaries who leverage active attack vectors are attempting to gain access to sensitive data. However, unlike passive attacks, criminals who engage in an active attack may also do so simply to wreak havoc and cause chaos within the victim’s IT environment.

Examples of active attack vectors include malware, ransomware, distributed denial-of-service (DDoS) attacks, credential theft, and other common techniques.

10 common types of attack vectors

Social engineering attacks

Social engineering is when an adversary targets a human and uses the power of emotion, such as love, fear, or greed, to manipulate the person into taking a desired action. Typically, the goal of a social engineering attack is to obtain information that can be used to carry out a more elaborate attack, gain access to sensitive data or user credentials, or score a relatively low-level “quick win,” such as spurring an employee to purchase and share digital gift cards with the attacker.

Social engineering attacks are of great concern to cybersecurity professionals because, no matter how strong the security stack is and how well-honed the policies are, a user can still be fooled into giving up their credentials to a malicious actor. Once inside, the malicious actor can use those stolen credentials to masquerade as the legitimate user, thereby gaining the ability to move laterally, learn which defenses are in place, install backdoors, conduct identity theft and, of course, steal data.

Common examples of social engineering include phishing, pretexting, and baiting.

Compromised and weak credentials

Another common attack vector involves the use of compromised or weak credentials. In credential-based attacks, adversaries use a variety of methods to steal, crack, guess, or co-opt a user’s system ID, password or both to access the system or carry out activity while masquerading as that user.

Gaining credentials allows attackers to impersonate the account owner and appear as someone who has legitimate access, such as an employee, contractor, service account, or third-party supplier. Because the attacker appears to be a legitimate user, this type of attack is challenging for defenses to detect.

Examples of credential-based attacks include:

  • Credential theft: The act of stealing personal information such as usernames, passwords, and financial information in order to gain access to an online account or system.
  • Pass-the-Hash (PtH): An attack where an adversary steals a “hashed” user credential and uses it to create a new user session on the same network. Unlike other credential theft attacks, a pass-the-hash attack does not require the attacker to know or crack the password to gain access to the system. Rather, it uses a stored version of the password to initiate a new session.
  • Password spraying: When an adversary uses a common password (e.g., password123) against multiple accounts on the same application in an attempt to gain access to the system by chance.

Insider threats

An insider threat is a cybersecurity risk that comes from within the organization — usually from a current or former employee or other person who has direct access to the company network, sensitive data, and intellectual property (IP), as well as knowledge of business processes, company policies, or other information that would help carry out such an attack. Not all insider threat actors act intentionally; some may have become pawns whose digital assets have been compromised for use by an external threat actor.

Security misconfigurations and vulnerabilities

Security misconfiguration is any error or vulnerability present in the configuration of code that allows attackers access to sensitive data, leading to a data breach or complete system compromise.

Some of the most common security misconfigurations are AD misconfigurations, which are vulnerabilities within the Active Directory domain. These common security misconfigurations range from attackers gaining administrative privileges to issues arising from services running on hosts with multiple administrators.

Another example is a security misconfiguration that was discovered in JIRA, a collaboration tool. One misconfiguration exposed many companies to the risk of releasing corporate and personal data. In this case, it was an authorization misconfiguration in Global Permissions that caused the security risk.

Ransomware

Ransomware is a type of malware that encrypts a victim’s data, after which the attacker demands a “ransom,” or payment, in order to restore access to the user’s files or network. Typically, the victim receives a decryption key once payment is made to restore access to their files. If the ransom payment is not made, the threat actor may publish the data on data leak sites (DLS) or block access to the files in perpetuity.

Ransomware has become one of the most prominent types of malware, targeting a wide variety of sectors including government, education, financial, and healthcare sectors, with millions of dollars extorted worldwide every year.

Malware

Malware (malicious software) is a program or code that is created to do intentional harm to a computer, network, or server. Cybercriminals develop malware to infiltrate a computer system discreetly to breach or destroy sensitive data and computer systems.

Common types of malware include viruses, ransomware, keyloggers, trojans, worms, spyware, malvertising, scareware, backdoors, and mobile malware.

Man-in-the-middle attacks (MITM)

A man-in-the-middle attack is a type of cyberattack in which an attacker eavesdrops on a conversation between two targets. The attacker may try to “listen” to a conversation between two people, two systems, or a person and a system.

The goal of a MITM attack is to collect personal data, passwords, or banking details, and/or to convince the victim to take an action such as changing login credentials, completing a transaction, or initiating a transfer of funds.

Session hijacking

Session hijacking is a cyberattack technique where an adversary takes over, or hijacks, a legitimate user’s session by obtaining the session ID. Once the criminal has taken over the session, they can masquerade as the compromised user and access any system or asset that the user has privileges for.

Brute force attacks

A brute force attack uses a trial-and-error approach to systematically guess login info, credentials, and encryption keys. The attacker submits combinations of usernames and passwords until they finally guess correctly.

Once successful, the actor can enter the system masquerading as the legitimate user and remain inside until they are detected. They use this time to move laterally, install back doors, gain knowledge about the system to use in future attacks, and steal data.
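The brute force pattern described here and the password spraying pattern described under compromised credentials leave different traces in authentication logs: many failures against one account versus one or two failures against many accounts. The following detection sketch is an added example, not code from the original article; the log format, thresholds, account names, and addresses are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")
T0 = datetime(2023, 4, 13, 9, 0, 0)

def _line(offset, result, user, src):
    return f"{(T0 + timedelta(seconds=offset)).isoformat()} {result} user={user} src={src}"

# Constructed sample log (format and values are made up for this example).
SAMPLE_LOG = "\n".join(
    # one guess each against six accounts: the spraying pattern
    [_line(20 * i, "FAIL", u, "203.0.113.7")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # ten guesses against a single account: the brute force pattern
    + [_line(5 * i, "FAIL", "admin", "198.51.100.9") for i in range(10)]
    # a user who mistypes twice and then logs in: must not be flagged
    + [_line(30, "FAIL", "grace", "192.0.2.15"), _line(40, "FAIL", "grace", "192.0.2.15"),
       _line(50, "OK", "grace", "192.0.2.15")]
)

def parse(log_text):
    """Return time-ordered (timestamp, result, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events)

def classify_sources(events, window=timedelta(minutes=10),
                     spray_accounts=5, brute_attempts=8):
    """Label each source by its failed-login pattern inside a sliding window."""
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    findings = {}
    for src, items in fails.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # drop failures that fell out of the window
            per_user = Counter(user for _, user in items[start:end + 1])
            if max(per_user.values()) >= brute_attempts:
                findings[src] = "brute_force"  # many guesses, one account
                break
            if len(per_user) >= spray_accounts:
                findings[src] = "password_spraying"  # few guesses, many accounts
                break
    return findings
```

Per-account lockout counters alone miss the spraying source, because no single account ever accumulates enough failures; grouping by source is what exposes it.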

DDoS attacks

A distributed denial-of-service (DDoS) attack is a malicious, targeted attack that floods a network with false requests in order to disrupt business operations. When an organization experiences this type of attack, users are unable to perform routine and necessary tasks, such as accessing email, websites, online accounts, or other resources that are operated by a compromised computer or network.

While most DDoS attacks do not result in lost data and are typically resolved without paying a ransom, they cost the organization time, money, and other resources in order to restore critical business operations.


How to secure attack vectors

There is a wide range of attack vectors, each of which exploits a specific vulnerability, be it a person, unpatched software, misconfigured service, or a weak password. There is no single defense mechanism that will protect the organization from all attack types. Further, it is important to recognize that many attack vectors target people, which means that most security tools, no matter how advanced, will be of limited use in protecting the organization from such techniques.

The mix of digital and personal attack vectors is why it is so important for organizations to take a comprehensive approach to security and incorporate a mix of preventative, defensive, proactive, and reactive security measures to best protect the organization and its assets. Here we share a list of best practices for developing and deploying a comprehensive security strategy:

1. Develop a robust employee cybersecurity training program.

Employees are on the front line of your security. Make sure they follow good hygiene practices — such as using strong password protection, connecting only to secure Wi-Fi, and being on constant lookout for phishing attacks — on all of their devices. Provide comprehensive and regular security awareness training sessions to ensure they understand the evolving threat landscape and are taking the necessary steps to protect themselves and the company from all forms of cyber risk.

2. Track the operating system configuration and keep all software patched and up to date.

Hackers are constantly looking for holes and backdoors to exploit. By vigilantly updating your systems, you’ll minimize your exposure to known risks and limit attack vectors that utilize misconfigurations and other IT vulnerabilities as a pathway.

3. Prioritize Cloud Protection

Adversaries are aggressively targeting cloud infrastructure. The number of observed cloud exploitation cases grew and adversaries are using a broad array of TTPs (e.g., misconfigurations, credential theft, etc.) to compromise critical business data and applications in the cloud. Stopping cloud breaches requires agentless capabilities to protect against misconfiguration, control plane and identity-based attacks, combined with runtime security that protects cloud workloads.

4. Continuously monitor the environment for malicious activity and indicators of attack (IOAs).

Enable an endpoint detection and response (EDR) system to monitor all endpoints, capturing raw events for automatic detection of malicious activity not identified by prevention methods.

5. Integrate threat intelligence into the security strategy.

Monitor systems in real time and keep up with the latest threat intelligence to identify the adversary universe that may be targeting your organization. Data on a threat actor’s next move is crucial to proactively tailoring your defenses and preempting future attacks.

6. Protect against identity-based attacks

Enable full, real-time visibility into the AD, both on-premises and in the cloud, and identify shadow administrators, stale accounts, shared credentials, and other AD attack paths.

Harden AD security and reduce risks by monitoring authentication traffic and user behavior and enforcing robust security policies to proactively detect anomalies.

Enable continuous monitoring for credential weakness, access deviations, and password compromises with dynamic risk scores for every user and service account.

7. Extend multifactor authentication (MFA) security

Protect unmanaged endpoints with risk-based conditional access and extend multifactor authentication (MFA) protection to legacy applications and tools using proprietary analytics on user behavior and authentication traffic.

Enforce consistent risk-based policies to automatically block, allow, audit, or step up authentication for every identity.

8. Create a baseline of user activity

Centralize user activity and behavior across all relevant data logs, including access, authentication, and endpoint.

Leverage this data to create a baseline of activity for each individual user, user group, function, title, and device that can help identify unusual or suspicious activity.

Assign a customized risk score to each user and endpoint to provide additional context to the cybersecurity team.

9. Leverage behavior analytics and AI to identify threats

Leverage analytics and AI-enabled tools to monitor behavior for users and devices in real time.

Cross-reference alerts with the risk score to provide additional context into the event and prioritize response efforts.
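Practices 8 and 9 can be illustrated with a small model: build a per-user baseline from centralized logs, score new activity by how far it deviates, and order alerts by that score. This is an added example, not CrowdStrike code or its scoring method; the record layout, device names, and weights are constructed assumptions.

```python
from collections import defaultdict

# Constructed history from centralized logs: (user, hour_of_day, device, log_source).
HISTORY = [
    ("alice", 8, "LT-ALICE", "authentication"),
    ("alice", 9, "LT-ALICE", "access"),
    ("alice", 10, "LT-ALICE", "endpoint"),
    ("alice", 17, "LT-ALICE", "authentication"),
    ("bob", 13, "WS-BOB", "authentication"),
    ("bob", 14, "LT-BOB", "endpoint"),
]

# Constructed alerts to be cross-referenced with the risk score.
ALERTS = [
    {"id": "A1", "user": "alice", "hour": 9, "device": "LT-ALICE"},
    {"id": "A2", "user": "alice", "hour": 3, "device": "VM-UNKNOWN"},
    {"id": "A3", "user": "bob", "hour": 16, "device": "WS-BOB"},
]

def build_baseline(history):
    """Per-user sets of usual activity hours and devices."""
    baseline = defaultdict(lambda: {"hours": set(), "devices": set()})
    for user, hour, device, _source in history:
        baseline[user]["hours"].add(hour)
        baseline[user]["devices"].add(device)
    return baseline

def risk_score(baseline, user, hour, device):
    """Score 0-100; the weights are illustrative assumptions."""
    profile = baseline.get(user)
    if profile is None:
        return 100  # no baseline exists for this identity
    score = 50 if device not in profile["devices"] else 0
    # Distance in hours to the nearest usual hour, wrapping around midnight.
    gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in profile["hours"])
    return score + min(gap * 10, 50)

def prioritize(baseline, alerts):
    """Return (score, alert id) pairs, highest risk first."""
    scored = [(risk_score(baseline, a["user"], a["hour"], a["device"]), a["id"])
              for a in alerts]
    return sorted(scored, reverse=True)

print(prioritize(build_baseline(HISTORY), ALERTS))
```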

10. Practice makes perfect

Execute red team/blue team exercises. While technology is clearly critical in the fight to detect and stop intrusions, security teams are the crucial link in the chain to stop breaches. For security teams, practice makes perfect. Encourage an environment that routinely performs tabletop exercises and red/blue teaming to identify gaps and eliminate weaknesses in your cybersecurity practices and response. And security teams shouldn’t be the only ones practicing — initiate user-awareness programs to combat the continued threat of phishing and related social engineering techniques.

Identifying Attack Vectors with CrowdStrike

At CrowdStrike, we believe that a key part of preventing and defending against cyberattacks is understanding the adversaries who may target your organization and the attack vectors they rely on.

We offer robust actor profiling services so we can identify the adversaries that may target our clients, as well as their capabilities and intentions. This allows us to develop customized strategies with our customers to protect their data and assets most at risk and strengthen defenses in the areas most often exploited by threat actors.

As part of our Human Intelligence (HUMINT) offerings, we developed the CrowdStrike Adversary Universe to help organizations better understand the humans behind these attacks and the methods they use.

GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and has 20+ years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management and product marketing roles.