
Common attack vectors in cybersecurity

A deep dive into defining attack vectors, what they are, the most common examples in cybersecurity, and how to mitigate against attack vectors.

Chapter 1

What is an attack vector?


Defining attack vector

In Internet security, an attack vector is the path, means, or route an attacker uses to exploit a vulnerability and break through the attack surface. A successful attack vector gives the attacker information about, or access to, a targeted system. Once in, the attacker can perform actions that should not be allowed, such as viewing or exfiltrating sensitive data or tampering with the integrity of the content in the compromised system.

Difference between attack vector vs. attack surface

How are attack vectors and attack surfaces related? The attack vector is the means or tactic an attacker uses to get past an attack surface. The attack surface is any interface, physical or digital, where an attacker could supply their own input or deploy an attack vector to gain unauthorized access to a system and extract data or other sensitive information. A single interface can also serve as one link in a chain of attacks. Securing the external attack surface is a hot topic for security experts right now.

Some examples of attack surfaces include:

  • Middleware

  • Cloud storage

  • Web APIs

  • DNS, Domains and Subdomains

  • Emails

  • Routers

  • Web VPNs

  • Ports

  • Hosted apps, e.g., issue tracking tools

  • Frameworks

  • GitHub repositories

  • Physical employee devices

How and why do hackers exploit attack vectors?

Every attacker approaches a target differently. The attacks used depend on the information gathered through open-source intelligence and other reconnaissance. Malicious hackers may start with passive reconnaissance, which collects information without interacting with the target: traffic analysis, eavesdropping on unencrypted sessions, and monitoring public sources. They may then move to active reconnaissance such as port scanning and phishing, which does engage your systems. What they find decides the attack vector: launching DDoS attacks, targeting weak credentials, exploiting unpatched vulnerabilities, or infiltrating systems with malware and ransomware.

Chapter 2

Cyber attack vector examples


Weak or Stolen credentials/credentials stuffing

Lists of weak or stolen credentials can easily be purchased or gathered by an attacker and then misused in brute-force or credential stuffing attacks to get past a login interface. Examples of login interfaces that form part of the attack surface include:

  • Public user logins

  • Exposed web VPNs

  • Exposed remote desktop protocols

  • Email clients

  • Third-party software login

Contrary to some beliefs, the best practice here is not to force frequent password changes but to use a password manager, so that you only need to memorize one complex master password and every other password is unique and never reused. Multi-factor authentication on every exposed login interface limits what an attacker can do with a stuffed credential that happens to be valid.

Phishing

An attack vector that touches both the digital attack surface and the human one: it uses email or SMS to get a company insider to click a malicious link or hand over credentials. A successful phishing attempt then opens up access to the company's network.

Most companies run security awareness training for phishing, and keeping it top of mind helps prevent these attacks from succeeding. In addition to training, checking the email authentication configuration of your domains, the SPF, DKIM and DMARC DNS records, reduces the chance that an attacker can send mail that appears to come from your own domain.
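What "assessing SPF/DMARC" means in practice: fetch the TXT record at the domain (SPF) and at `_dmarc.<domain>` (DMARC) and check whether unlisted senders are actually rejected. The checker below is an added example, not code from the page or from Detectify. The records are passed in as strings so it runs offline; the example domains and record values are constructed.

```python
# Assess whether a domain's published email authentication records leave it
# spoofable. Records are supplied as TXT strings; a live check would fetch
# them over DNS (TXT at <domain> for SPF, TXT at _dmarc.<domain> for DMARC).

SPF_ALL_TERMS = ("all", "+all", "-all", "~all", "?all")


def parse_spf(record):
    """Return (terms, all_qualifier) from an SPF TXT record, or None if there is
    no valid SPF record. all_qualifier is one of '+', '-', '~', '?' or None."""
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    terms = record.split()[1:]
    all_q = None
    for term in terms:
        t = term.lower()
        if t in SPF_ALL_TERMS:
            all_q = t[0] if t[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return terms, all_q


def parse_dmarc(record):
    """Return a tag dict ({'v': 'DMARC1', 'p': 'reject', ...}) or None."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_spoofability(spf_record, dmarc_record):
    """Return a list of findings; an empty list means spoofed mail from this
    domain should be rejected by DMARC-aware receivers."""
    findings = []

    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("no SPF record: any server may send as this domain")
    else:
        _, all_q = spf
        if all_q in (None, "+", "?"):
            findings.append("SPF does not fail unlisted senders (no all, +all or ?all)")
        # '~all' alone is only a softfail; it becomes enforcement once DMARC
        # is at quarantine/reject, since softfail does not pass DMARC alignment.

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("no DMARC record: receivers will not reject spoofed mail")
        return findings
    policy = dmarc.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy is p={policy or 'missing'}: monitoring only")
    pct = dmarc.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only part of the mail")
    sub_policy = dmarc.get("sp", "").lower()
    if sub_policy and sub_policy not in ("quarantine", "reject"):
        findings.append(f"DMARC subdomain policy sp={sub_policy}: subdomains remain spoofable")
    return findings


# Constructed records for three hypothetical domains.
EXAMPLE_RECORDS = {
    "enforced.example": ("v=spf1 include:_spf.mailprovider.example -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"),
    "monitoring.example": ("v=spf1 include:_spf.mailprovider.example ~all",
                           "v=DMARC1; p=none; rua=mailto:dmarc@monitoring.example"),
    "open.example": ("v=spf1 +all", None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in EXAMPLE_RECORDS.items():
        print(domain, assess_spoofability(spf, dmarc) or ["enforced"])
```

Note what the check does not cover: DKIM has no single record to read (selectors are chosen by the sender), and a correct DMARC record does nothing against look-alike domains or compromised mailboxes, which is why the training still matters.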

Intercepting traffic

If your data is not encrypted correctly in transit, attackers can eavesdrop on your traffic to steal sensitive user data such as usernames, passwords, and credit card details. Stolen session cookies can then be leveraged further in a chain of vulnerabilities.

Even though Google reports that 95% of its traffic is encrypted with HTTPS, attackers still have chances to listen in: man-in-the-middle attacks over dodgy Wi-Fi connections, or application-level weaknesses such as misconfigured CORS policies and unvalidated postMessage handlers that let a hostile origin read responses the browser should have kept private. Such vulnerabilities in websites, along with other transport issues such as missing HSTS or session cookies set without the Secure flag, can be detected and assessed with the help of external attack surface management tools.
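A CORS misconfiguration is worth a concrete look, because it lets an attacker's page read authenticated responses without touching the network at all. Below, as an added example that is not the page's or Detectify's code, is the server-side origin decision in a commonly broken form next to a hardened one; the allowlist and the probe origins are constructed.

```python
from urllib.parse import urlsplit

# Assumed allowlist of full origins (scheme + host [+ port]) for a
# hypothetical API that serves responses with cookies attached.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_vulnerable(origin):
    """Typical broken check: substring match on the company domain, then the
    request's own Origin is reflected with credentials enabled. Any origin
    containing 'example.com' anywhere (evil-example.com, app.example.com.attacker.net,
    plain-http app.example.com) gets to read authenticated responses."""
    if origin and "example.com" in origin:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
        }
    return {}


def cors_headers_hardened(origin):
    """Exact match of the full origin against an allowlist."""
    if not origin:
        return {}
    parts = urlsplit(origin)
    # An Origin header is scheme://host[:port] with no path, query or
    # fragment. Rebuilding it from the parsed scheme and authority and
    # comparing with the raw value rejects 'null', bare hostnames and
    # anything that smuggles extra components.
    canonical = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if canonical != origin.lower() or canonical not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": canonical,
        "Access-Control-Allow-Credentials": "true",
        # Without Vary, a cache may hand one origin's answer to another.
        "Vary": "Origin",
    }


# Constructed probe origins an assessment tool would try against the endpoint.
PROBE_ORIGINS = [
    "https://app.example.com",               # legitimate
    "https://evil-example.com",              # substring match
    "https://app.example.com.attacker.net",  # prefix match
    "http://app.example.com",                # downgraded scheme
    "null",                                  # sandboxed iframe / file: origin
]


def accepted_origins(handler, probes=PROBE_ORIGINS):
    """Origins the handler would grant credentialed read access to."""
    return [o for o in probes if handler(o).get("Access-Control-Allow-Credentials") == "true"]


if __name__ == "__main__":
    print("vulnerable accepts:", accepted_origins(cors_headers_vulnerable))
    print("hardened accepts:  ", accepted_origins(cors_headers_hardened))
```

The same exact-match discipline applies to a `postMessage` listener: check `event.origin` against a fixed list rather than with `indexOf` or a regular expression whose dots are unescaped.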

Accidentally exposed assets on the internet

The constant acceleration towards digitalization and remote work has accelerated cybersecurity attacks and incidents, with 67% of reported attacks targeting remote workers. Work is no longer limited to a secured office network, forcing organizations to give employees access to, for example, remote desktop protocols and web login interfaces. In 2020, threat actors exploited exposed Microsoft Remote Desktop Protocol (RDP) servers that were suddenly online because of the need for remote access.

If an attacker locates such an access point, they can try to get through it with stolen login details or brute-forcing. Enabling multi-factor authentication is therefore recommended: it adds a layer the attacker still has to overcome even when the password is already known.

With employees working outside the physical workplace perimeter and on unsecured Wi-Fi networks, hacking incidents and accidental exposure of critical business ports and other internal environments are increasing. An asset discovery tool that crawls your cloud environment and ports to map out what is exposed goes a long way towards securing the whole organizational network.

Subdomain takeover

Subdomain takeover happens when an attacker gains control over a subdomain of a target. It typically occurs when a subdomain's DNS record (usually a CNAME) still points at a third-party service the organization no longer uses. Seeing that, an attacker registers the now-unclaimed resource name on that third-party service and thereby hijacks the subdomain.

Subdomains are not limited to the attack surface an organization directly controls, such as internal domains and apps you build, but also include externally hosted points. A subdomain takeover can be particularly problematic because subdomains aren't always closely guarded assets, which means a takeover can go undetected for some time.

Hostile subdomain takeover is a term coined by Detectify Security Researchers whereby an attacker registers and claims ownership of a subdomain that has been forgotten or abandoned by the original site owner. The following graphic demonstrates a likely scenario of how this can happen:
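The mechanics of a dangling-CNAME check, as an added example that is not the page's or Detectify's code: walk each record to its final target, see whether that target belongs to a service where an outsider can claim an unused name, and then ask the provider whether the name is still claimed. The zone, the provider suffix table and the "claimed" answers below are all constructed; which providers are actually claimable changes over time, so the table is an assumption to maintain.

```python
# Illustrative suffixes of services on which an unclaimed name could be
# registered by anyone (assumption: verify against current provider behaviour).
TAKEOVER_PRONE_SUFFIXES = (
    ".s3.amazonaws.com",
    ".github.io",
    ".herokuapp.com",
    ".azurewebsites.net",
)

# Constructed zone data: subdomain -> CNAME target.
ZONE = {
    "blog.example.com": "example-blog.github.io",
    "shop.example.com": "old-shop.herokuapp.com",
    "assets.example.com": "assets-example-com.s3.amazonaws.com",
    "cdn.example.com": "assets.example.com",            # CNAME chain
    "www.example.com": "lb-123.elb.example.net",         # not a claimable provider
    "api.example.com": "api-example.azurewebsites.net",
}

# Constructed answers of a per-provider probe. The signal differs by provider:
# a few return NXDOMAIN for unknown names, most resolve to a shared endpoint
# and answer with a "no such site/bucket/app" page, so a real probe is an
# HTTP fingerprint check, not just a DNS lookup.
CLAIMED = {
    "example-blog.github.io": True,
    "old-shop.herokuapp.com": False,               # app deleted, name free
    "assets-example-com.s3.amazonaws.com": False,  # bucket deleted, name free
    "api-example.azurewebsites.net": True,
}


def final_target(zone, name, max_hops=8):
    """Follow CNAMEs inside the zone until the target leaves it (or loops)."""
    seen = set()
    current = name
    while current in zone and current not in seen and len(seen) < max_hops:
        seen.add(current)
        current = zone[current].rstrip(".").lower()
    return current


def find_takeover_candidates(zone, is_claimed, prone_suffixes=TAKEOVER_PRONE_SUFFIXES):
    """
    Return sorted (subdomain, target) pairs where the target lives on a
    claimable provider and the provider reports the name as unclaimed.
    `is_claimed(target) -> bool` is the provider-specific probe.
    """
    candidates = []
    for name in zone:
        target = final_target(zone, name)
        if not any(target.endswith(s) for s in prone_suffixes):
            continue  # a dangling record here is broken, but not claimable by an outsider
        if is_claimed(target):
            continue  # still owned; nothing to take over
        candidates.append((name, target))
    return sorted(candidates)


if __name__ == "__main__":
    for sub, tgt in find_takeover_candidates(ZONE, lambda t: CLAIMED.get(t, True)):
        print(f"{sub} -> {tgt}: unclaimed on a claimable provider")
```

The remediation is the same in every case: delete the record, or re-claim the resource yourself before someone else does. Note that `www.example.com` above is dangling too and should be cleaned up, but it does not show as a takeover candidate because nobody outside the organization can register a name under that target.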

Top 10 Web Application Security Risks from OWASP


(OWASP Top 10 for 2021)

  1. Broken Access Control

  2. Cryptographic Failures (formerly known as Sensitive Data Exposure)

  3. Injection (Cross-site Scripting, XSS, is now part of this category in the 2021 edition)

  4. Insecure Design (a new category for 2021, with a focus on risks related to design flaws)

  5. Security Misconfiguration (the former category for XML External Entities - XXE is now part of this category)

  6. Vulnerable and Outdated Components (formerly known as Using Components with Known Vulnerabilities)

  7. Identification and Authentication Failures (previously Broken Authentication)

  8. Software and Data Integrity Failures (a new category for 2021, focusing on assumptions about software updates, critical data, and CI/CD pipelines that are made without verifying integrity)

  9. Security Logging and Monitoring Failures (previously Insufficient Logging & Monitoring)

  10. Server-Side Request Forgery

Chapter 3

Minimizing danger from attack vectors


How do you detect attack vectors on your web apps?

An attack vector on its own is not a vulnerability, or at least not an exploitable one until proven so. From a hacker's point of view, something has to be wrong for an attack vector to be viable: for example, a misconfigured S3 bucket, a spoofable email domain, or an unclaimed subdomain.

Discover

What internet-facing assets do I have?

To find potential attack vectors, you need to understand what technology your organization uses that could be compromised, alongside any other available critical information. Tools like Detectify call this the first step, i.e., the "Discovery" phase.

Assess

What vulnerabilities or anomalies do I have?

Once the "Discovery" phase or information gathering is complete, you must look into the relevant attack vectors that could be chained together to exploit the possible vulnerabilities. This is called the "Assessment" phase.

Here you will need access to automated security tests that can keep up with the pace of exploit development. Working directly with ethical hackers can prove to be advantageous. They can provide testing that looks for unique vulnerabilities in software and technologies companies rely on daily, like AWS and other cloud technologies.

Photobox is one customer that benefits from using Detectify Crowdsource ethical hackers. The organization understood that crowdsourced ethical hacking research could far outpace open source tools. The combination of new research and automation from Detectify is a vital part of Photobox's security setup.

How do we apply “Prioritize” and “Remediate” to attack vectors at Detectify?

Once vulnerabilities have been assessed and identified, the next step is prioritizing them through internal risk assessment, based on CVSS scoring or another framework. Finding and prioritizing vulnerabilities is far from enough, of course; action needs to be taken so that the most harmful and risky ones cannot cause serious damage.

Fortunately, we've got you covered. Detectify leverages automation and the expertise of its ethical hacking community to help discover weaknesses in your organization's external attack surface and tech stacks. AppSec tools like Detectify assist customers in mapping out the technologies discoverable by attackers and simulate automated hacking using attack vectors and payloads provided by a community of 400 ethical hackers.

Patrick Zimmermann

"Detectify has produced high-quality results with zero false positives, which is a significant advantage for Bühler"

Patrick Zimmermann, Information Security Manager, Bühler Group
Chapter 4

Attack vector summary


This ultimate guide to common attack vectors in cybersecurity has offered insights into what an attack vector is, examples of cyber attack vectors, and how you and your organization can minimize the danger of potential attack vectors.

Many external attack surface management tools stop at the "Discovery" phase of assets. Tools like Detectify go further by combining monitoring of assets with vulnerability scanning to help organizations with the next steps in protecting their attack surfaces. We give you the most accurate information about your attack surface as things change and help you and your organization identify the most critical vulnerabilities to prioritize.

The only way to secure your attack surface is to hack it, and that's why Detectify uses the ethical hacker community to collaborate on research and methodology.

Start vulnerability testing to find exploitable anomalies across your attack surface with Surface Monitoring and Application Scanning.

Surface Monitoring

Surface Monitoring runs assessment by continuously scanning for vulnerabilities across your attack surface. Starting at the domain level, it discovers and monitors assets you may not even be aware of.

Application Scanning

Application Scanning goes beyond the capabilities of "traditional" DAST scanners. It leverages proprietary engines for crawling, fuzzing, authentication, and payload-based testing.
