Common attack vectors in cybersecurity

A deep dive into defining attack vectors, what they are, the most common examples in cybersecurity, and how to mitigate against attack vectors.

Chapter 1

What is an attack vector?

1.

Defining attack vector

The attack vector in Internet security refers to an attacker's path, means, or route to exploit a vulnerability and break through the attack surface. Doing so gives them more information and access to a targeted system. Once in, the attacker can execute an action that should not be allowed, such as viewing or exfiltrating sensitive data or messing with the integrity of the content in the compromised system.

Difference between attack vector vs. attack surface

While the attack vector refers to the means or tactics used by an attacker to try to penetrate past an attack surface, the attack surface refers to any interface, physical or digital, where an attacker could try to enter their own input or deploy an attack vector to get unauthorized access to a system and extract data or other sensitive information. It could also be used as a point within a chain of attacks. Securing the external attack surface is a hot topic for security experts right now.

Some examples of attack surfaces include:

  • Middleware
  • Cloud storage
  • Web APIs
  • DNS, Domains and Subdomains
  • Emails
  • Routers
  • Web VPNs
  • Ports
  • Hosted apps, e.g., issue tracking tools
  • Frameworks
  • Github repo
  • Physical employee devices

How and why do hackers exploit attack vectors?

Every attacker approaches hacking their target in different ways. Depending on the information they’ve gathered through open-source intelligence and other reconnaissance, the types of attacks used to hack into the target will change. For instance, malicious hackers may use passive reconnaissance tools such as session capture to monitor vulnerabilities without interacting with them, traffic analysis, eavesdropping, and supervision. They might also use more active reconnaissance methods such as phishing and port scanning to engage with your target systems, launch DDoS attacks, target weak credentials, or infiltrate your systems with malware, unpatched vulnerabilities, and ransomware.

Chapter 2

Cyber attack vector examples

2.

Weak or Stolen credentials/credentials stuffing

A host's list of weak or stolen credentials and passwords can easily be purchased or gathered by an attacker and then misused for brute-forcing or credential stuffing attacks to get past a login interface. Examples of interface attack surfaces include:

  • Public user logins
  • Exposed web VPNs
  • Exposed remote desktop protocols
  • Email clients
  • Third-party software login

Contrary to some beliefs, the best practice here is not to always change passwords but to keep a password manager where you only need to memorize one complex and unique password and not reuse it over and over again.

Phishing

An attack vector touches both web and physical attack surfaces because it leverages email or SMS to get a company insider to click on a malicious link. A successful phishing attempt then opens up access to the company’s network.

Most companies conduct security training to increase individual awareness for phishing attacks, and keeping it top of mind can help prevent these attacks from succeeding. In addition to training, assessing email configurations such as SPF/DMARC and DKIM records can reduce the chances of an attack.

Intercepting traffic

If your data is not encrypted correctly, attackers can eavesdrop on your traffic to steal sensitive user data such as usernames, passwords, and credit card credentials. Stolen session cookies could be leveraged further in a chain of vulnerabilities by attackers.

Even though Google reports that 95% of Google traffic is encrypted with HTTPS, attackers still have chances to listen in via man-in-the-middle attacks such as dodgy Wi-Fi connections or bypass CORS and post messages. Such vulnerabilities in websites and other encryption issues can be detected and assessed with the help of external attack surface management tools.

Accidentally exposed assets on the internet

The constant acceleration towards digitalization and remote work culture has accelerated cybersecurity attacks and incidents, with 67% reported attacks targeting remote workers. Work is no longer limited to a secured work network, forcing organizations to provide employees access to, for example, remote desktop protocols and web login interfaces. In 2020, threat actors were exploiting exposed Microsoft Remote Desktop Protocol (RDP) servers that were suddenly online because of the necessity of remote work access.

If an attacker locates a team member's access point, they could exploit this exposure using stolen user login details or brute-forcing. As a result, activating multi-factor authentication is recommended to add an extra layer of security for the attacker to overcome.

With employees working outside of the physical workplace perimeters and using unsecured WiFi networks, hacking incidents and accidental exposure of critical business ports and other internal environments are increasing. Having an asset discovery tool that will crawl the cloud environment and ports to help map out what is exposed can go a long way towards securing the entire organizational network. Read more tips on securing remote work.

Subdomain takeover

Subdomain takeover happens when an attacker gains control over a subdomain of a target. This can be done when a subdomain is pointing to a third-party provider that is no longer in use - seeing that an attacker can register another non-existing domain name on the third-party service and hijack the subdomain.

Subdomains are not limited to the attack surface an organization has direct control of, such as internal domains and apps you build, but can also include external attackable points. A subdomain takeover can be particularly problematic because subdomains aren’t always closely guarded assets, which means they can go undetected for some time.

Hostile subdomain takeover is a term coined by Detectify Security Researchers whereby an attacker registers and claims ownership of a subdomain that has been forgotten or abandoned by the original site owner. The following graphic demonstrates a likely scenario of how this can happen:

Zero-day attacks

A zero-day(0-day) is a unique attack vector that exploits a vulnerability in software that the technology creator is unaware of, which means there is no fix or patch at the time of discovery. As soon as the vendor is aware of the issue, it’s a race against time to remediate and roll out the patch to affected users. Discovering and developing zero-day vulnerabilities is an industry in itself and controversial among cybersecurity experts.

Finding a zero-day is probably one of the most coveted achievements for a hacker, and Detectify receives this class of submissions through Detectify Crowdsource, our community of ethical hackers. When we receive zero-days from a Crowdsource hacker, we work with the ethical hacker and vendor to ensure the disclosure is responsible. The vendor has 45 days to patch the vulnerability, and we work together to develop the security module that goes into the Detectify scanning engines. Learn more about how Detectify handles zero-day submissions.

Social engineering

Social engineering attacks are the art of using psychological manipulation to get you to divulge confidential information or perform a specific action to give access to bad actors. It includes everything from persuading victims to visit a website with a malicious payload (a common practice in XSS and CSRF exploits) to gaining access to a company’s office and hacking on-site. Attackers have even taken to Facebook Messenger with a combination of social engineering and malicious JavaScript to spread adware.

Social engineering goes hand in hand with hacking - malicious hackers are often skilled in the art of social engineering. Following tips to protect yourself from social engineering, such as verifying the source and keeping a tab on your attack surface, is key to protecting yourself.

Denial-of-service attack (DoS attack)

A denial-of-service (DoS) attack occurs when users cannot access information systems, devices, or other network resources due to a malicious actor. Websites, emails, and online accounts are just some of the services that can be affected. Anything that relies on an affected computer or network is at risk.

A DoS attack is accomplished by flooding the targeted host or network with traffic until the target cannot respond or crashes, preventing access for legitimate users. The consequences of DoS attacks for organizations can be severe, not just time and money but also resources needed to rectify the issues and inaccessible services for users.

Malicious insiders

A malicious insider is often an employee that exposes or exploits vulnerabilities at their workplace and is usually found in a role that gives them access to sensitive data and information. According to a 2017 SANS Survey, 40% of respondents said that malicious insiders would cause the most significant damage in cybersecurity attacks.

Top 10 Web Application Security Risks from OWASP

( OWASP Top 10 for 2021)

  1. Broken Access Control
  2. Cryptographic Failures (formerly known as Sensitive Data Exposure)
  3. Injection (Cross-site Scripting - XSS) is now part of this category in the 2021 edition)
  4. Insecure Design (a new category for 2021, with a focus on risks related to design flaws)
  5. Security Misconfiguration (the former category for XML External Entities - XXE is now part of this category)
  6. Vulnerable and Outdated Components (formerly known as Using Components with Known Vulnerabilities)
  7. Identification and Authentication Failures (previously Broken Authentication)
  8. Software and Data Integrity Failure (a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity)
  9. Security Logging and Monitoring Failures (previously Insufficient Logging & Monitoring)
  10. Server-Side Request Forgery
Chapter 3

Minimizing danger from attack vectors

3.

How do you detect attack vectors on your web apps?

An attack vector on its own is not a vulnerability or at least not exploitable until proven so. From a hacker's point of view, something has to happen for an attack vector to be viable — for example, a misconfigured S3 bucket, a spoofable email domain, or an unclaimed subdomain.

Detectify Discovery light bulb graphic
Discover

What internet-facing assets do I have?

To find potential attack vectors, you need to understand what technology your organization uses that could be compromised, alongside any other available critical information. External attack surface management tools like Detectify call this the first step, i.e., the "Discovery" phase.

By mapping out all of the assets belonging to your DNS records, you'll discover both known and unknown public-facing assets you have. Grammarly, a Detectify customer, had the difficult task of creating an inventory of its product offerings and applications. They were about to build their own and then discovered Detectify, which has provided Grammarly with an effortless discovery and alerting system for vulnerabilities in their system.

Detectify Assess magnifier graphic
Assess

What vulnerabilities or anomalies do I have?

Once the "Discovery" phase or information gathering is complete, you must look into the relevant attack vectors that could be chained together to exploit the possible vulnerabilities, aka the "Assessment" phase.

Here you will need access to automated security tests that can keep up with the pace of exploit development. There is where working directly with ethical hackers can prove to be advantageous. They can provide testing that looks for unique vulnerabilities in software and technologies companies rely on daily, like AWS and other cloud technologies.

Photobox is one customer that benefits from using Detectify Crowdsource ethical hackers. The organization understood that crowdsourced ethical hacking research could far outpace open source tools. The combination of new research and automation from Detectify is a vital part of Photobox's security setup.

How do we apply “Prioritize” and “Remediate” to attack vectors at Detectify?

When vulnerabilities are assessed and identified, the next step entails prioritizing them with internal risk assessments based on CVSS scoring or other frameworks. Of course, finding and prioritizing vulnerabilities is far from enough, and action needs to be taken to prevent the most harmful and risky ones from causing too much damage.

Fortunately, we've got you covered. Detectify leverages automation and the expertise of its ethical hacking community to help discover weaknesses in your organization's external attack surface and tech stacks. Attack surface management tools like Detectify assists customers in mapping out the technologies discoverable by attackers and simulate automated hacking using attack vectors or payloads provided by a community of 400 ethical hackers.

Detectify has produced high-quality results with zero false positives, which is a significant advantage for Bühler
Patrick Zimmermann, Information Security Manager, Bühler Group
Chapter 4

Attack vector summary

4.

This ultimate guide to common attack vectors in cybersecurity has offered insights into what an attack vector is, examples of cyber attack vectors, and how you and your organization can minimize the danger of potential attack vectors.

Many external attack surface management tools stop at the "Discovery" phase of assets. Tools like Detectify go further by combining monitoring of assets with vulnerability scanning to help organizations with the next steps in protecting their attack surfaces. We give you the most accurate information about your attack surface as things change and help you and your organization decipher the most critical and crucial vulnerabilities to prioritize.

The only way to secure your attack surface is to hack it, and that's why Detectify is the only EASM solution using the ethical hacker community to collaborate on research and methodology.

Start vulnerability testing to find exploitable anomalies across your attack surface with Surface Monitoring and Application Scanning.

Surface Monitoring

Continuously monitor and secure known and unknown internet-facing assets.
View product details.

Application Scanning

Run in-depth and unlimited scans against web apps with targeted scan profiles.
View product details.