Attack vectors are the ways an attacker can breach sensitive data or compromise an organization.
After reading this article you will be able to:
Copy article link
An attack vector, or threat vector, is a way for attackers to enter a network or system. Common attack vectors include social engineering attacks, credential theft, vulnerability exploits, and insufficient protection against insider threats. A major part of information security is closing off attack vectors whenever possible.
Suppose a security firm is tasked with guarding a rare painting that hangs in a museum. There are a number of ways that a thief could enter and exit the museum — front doors, back doors, elevators, and windows. A thief could enter the museum in some other way too, perhaps by posing as a member of the museum's staff. All of these methods represent attack vectors, and the security firm may try to eliminate them by placing security guards at all doors, putting locks on windows, and regularly screening museum staff to confirm their identity.
Similarly, digital systems all have areas attackers can use as entry points. Because modern computing systems and application environments are so complex, closing off all attack vectors is typically not possible. But strong security practices and safeguards can eliminate most attack vectors, making it far more difficult for attackers to find and use them.
Phishing: Phishing involves stealing data, such as a user's password, that an attacker can use to break into a network. Attackers gain access to this data by tricking the victim into revealing it. Phishing remains one of the most commonly used attack vectors — many ransomware attacks, for instance, start with a phishing campaign against the victim organization.
Email attachments: One of the most common attack vectors, email attachments can contain malicious code that executes after a user opens the file. In recent years, multiple major ransomware attacks have used this threat vector, including Ryuk attacks.
Account takeover: Attackers can use a number of different methods to take over a legitimate user's account. They can steal a user's credentials (username and password) via phishing attack, brute force attack, or purchasing them on the underground market. Attackers can also try to intercept and use a session cookie to impersonate the user to a web application.
Lack of encryption: Unencrypted data can be viewed by anyone who has access to it. It can be intercepted in transit between networks, as in an on-path attack, or simply viewed inadvertently by an intermediary along the network path.
Insider threats: An insider threat is when a known and trusted user accesses and distributes confidential data, or enables an attacker to do the same. Such occurrences can be either intentional or accidental on the part of the user. External attackers can try to create insider threats by contacting insiders directly and asking, bribing, tricking, or threatening them into providing access. Sometimes malicious insiders act of their own accord, out of dissatisfaction with their organization or for some other reason.
Vulnerability exploits: A vulnerability is a flaw in software or hardware — think of it as being like a lock that does not work properly, enabling a thief who knows where the faulty lock is to enter a secured building. When an attacker successfully uses a vulnerability to enter a system, this is called a vulnerability "exploit." Applying the software or hardware vendor's updates can fix most vulnerabilities. But some vulnerabilities are "zero-day" vulnerabilities — unknown vulnerabilities for which there is no known fix.
Browser-based attacks: To display webpages, Internet browsers load and execute code they receive from remote servers. Attackers can inject malicious code into a website or direct users to a fake website, tricking the browser into executing code that downloads malware or otherwise compromises user devices. With cloud computing, employees often access data and applications solely through their Internet browser, making this threat vector of particular concern.
Application compromise: Instead of going after user accounts directly, an attacker may aim to infect a trusted third-party application with malware. Or they could create a fake, malicious application that users unknowingly download and install (a common attack vector for mobile devices).
Open ports: A port is a virtual entryway into a device. Ports help computers and servers associate network traffic with a given application or process. Ports that are not in use should be closed. Attackers can send specially crafted messages to open ports to try to compromise the system, just as a car thief might try opening doors to see if any are unlocked.
There is no way to eliminate attack vectors altogether. But these approaches can help stop both internal and external attacks.
An attack surface is the combination of all attack vectors available to an attacker. The more attack vectors an organization has, the greater the attack surface. Conversely, an organization can reduce their attack surface by eliminating attack vectors wherever possible.
Think of an attacker as being like an offensive player in association football (soccer), and the attack surface as the goal. Without a goalkeeper, the front of the goal presents a fairly large area for the player to kick the ball through. However, the goalkeeper reduces the area available to the offense by positioning themselves in strategic places, and the goalkeeper's teammates may do the same by how they defend.
Similarly, all organizations have a "goal" that external attackers target: the attack surface and the sensitive data behind it. But security products and practices are like the goalkeeper and the defenders, keeping attackers from using those attack vectors.
To find out how Cloudflare helps eliminate attack vectors, read about Cloudflare's SASE platform, Cloudflare One.