In our previous blog post, we looked at the attack surface of a network – the collective vulnerabilities cyber criminals can take advantage of to gain access to a network or system. This time, we are taking a look at attack vectors: the specific path, method or scenario that an attacker can use to exploit the attack surface in order to manipulate a network or system and extract data. The list below doesn’t include all of the attack vectors out there, but it covers some of the ones we’ve seen people fall victim to most often.

Compromised Credentials – Login credentials are a gold mine. Using AI, attackers are able to process, aggregate and correlate data from numerous data breaches and other attacks at incredible speeds and attempt to log into a wide range of accounts. Once they infiltrate an account, they can carry out further attacks.

According to Verizon's 2024 Data Breach Investigations Report, more than half of all data breaches involved the use of compromised credentials.

Weak Credentials – Using a default or weak password, or reusing passwords between accounts, is the main cause of data breaches. Data breaches lead to compromised credentials, which are very useful for account takeovers and many other attack vectors.

Phishing Attacks – Phishing attacks are the second most popular attack vector after compromised credentials. Using data from breaches, attackers are able to select targets and collect publicly available information from social channels and business websites. This information is then fed to AI-powered language models to quickly produce targeted, more convincing emails.

Malware – An umbrella term used to describe any program, firmware, software or code created to be intentionally harmful to servers, systems, computers, tablets, phones and other electronic devices. Ransomware, viruses, worms, rootkits, adware and spyware are all types of malware. These attacks are most often delivered via phishing emails, drive-by downloads, USB devices and collaboration tools.

Security Vulnerabilities – Any flaw or weakness that can be exploited, or accidentally or intentionally triggered, is a security vulnerability. Attackers are quick to exploit these vulnerabilities in devices, information systems, internal controls and system design to enter or establish a foothold within a network.

Brute Force Attacks – These “spray and pray” attacks are the equivalent of trying every key on a key ring to open a lock. Attackers will try multiple combinations of compromised credentials to find a username / password match and gain entry to a network, device or account.

Distributed Denial of Service (DDoS) – Designed to flood a network, system, service or other resource with excessive HTTPS requests and traffic in an attempt to disable the system entirely or prevent users from gaining access.

SQL Injection – Structured Query Language (SQL) is a domain-specific language used to manage data within databases. Attackers insert malicious SQL statements through application input so that they run against the database, letting them modify, gain access to or retrieve data from SQL databases.

Cross-Site Scripting – Involves malicious code or a script being injected into trusted websites, web-based applications and web servers. These attacks are difficult to find because the client-facing code of the targeted webpage or application appears legitimate. Cross-site scripting can enable threat actors to access sensitive data, make modifications to applications, steal credentials and hijack session cookies that may contain login information and MFA tokens.

Spoofing – This broad term involves cybercriminals masquerading as a trusted contact, entity or device by disguising an email address, sender name, phone number, IP address or website URL. Attackers typically change just a number or a letter in order to convince users that they are interacting with a trusted contact or source.

Man-in-the-Middle – These attacks take place when an attacker eavesdrops on, intercepts or manipulates communications between two other parties without either party realizing it. The most common methods attackers use to gain access to the “middle” are compromised credentials and fake Wi-Fi hotspots. After successfully inserting themselves, attackers often use spoofing to continue the attack. Business Email Compromise is a type of Man-in-the-Middle attack.

In 2023, the IC3 division of the FBI received 21,489 Business Email Compromise complaints with losses totaling over 2.9 billion dollars.

Vishing – Attacks and scams that happen over the phone and through voicemail. Recently, threat actors have been using a combination of phishing and vishing to make attacks more convincing.

Smishing – Attacks and scams that happen via SMS and text messages.

Quishing – Attacks and scams that use malicious or altered QR codes to lead victims to fake websites that appear legitimate in an attempt to harvest credentials or deliver malware.

Recognizing Social Engineering, Scams and Attacks

Being informed about attack vectors and how they work can help you better identify them. Understanding the attack surface of your network can give insight into the types of attack vectors your network could be more susceptible to.

As you can see, many of these vectors are connected or have things in common, like the use of compromised credentials and social engineering to fool victims and gain access. Keep in mind that many of these vectors are often used together and can be exploited manually, automatically or by a combination of both.

Security Best Practices

Implement company-wide annual cybersecurity training and ongoing security training to help keep security top of mind.

Create a long, complex password for each account. Do not reuse passwords, especially for work-related accounts. A password manager can help keep track of your passwords and keep them safe.

Check to see if any of your email addresses or passwords have been compromised in a data breach (the haveibeenpwned website will check both for free). Any credentials that have been included in a breach should be changed as soon as possible.

Whether it comes by call or email, verify any request to change contact information, banking or payment information, or any out-of-the-blue purchase request. If you receive a call or text, call back using the known contact number to verify changes and transactions. When a request comes via email, never use the reply button – use forward and type in the correct email address for that contact or, better yet, pick up the phone and call them for verification.

Never click on links or open email attachments from unknown senders. On a PC, you can hover over a link to reveal the address and save attachments so they can be scanned before opening. Be extra vigilant when opening mail on mobile devices, since these options are not possible there.

Use a generic contact email address on your company website instead of direct email addresses. Do not give contact information to unknown parties over the phone.

Limit details about company hierarchy and travel on social media sites.

Keep software and applications updated. Make a habit of checking for updates if they are not set to do so automatically and remove any unused apps.

Report phishing attempts and suspicious emails or phone calls to management and/or your IT department.