What is an Attack Vector?
Attack vectors are methods or pathways hackers use to gain illegal access to a computer, system, or network to exploit system vulnerabilities. Attackers exploit system weaknesses to launch attacks, steal access credentials, cause data breaches, or other serious issues. Common attack vector examples include malicious web links and email attachments, sharing viruses and malware, pop-up windows, and duped personas in instant messages.
Although financial gain often fuels these attacks, hackers have many reasons for exploiting ransomware attack vectors. Some steal money from organizations and people or instead demand a ransom by holding personally identifiable information (PII) and other data. Hackers capitalizing on cyber security attack vectors could be professional hacking groups or individuals, disgruntled former employees, business competitors who want a competitive advantage, hacktivists or organized, politically-motivated groups, or groups sponsored by actual governments.
How attack vectors are exploited
In each case, attackers exploit attack vectors in the same basic ways:
- Identify target computer system to exploit or penetrate
- Use tools to collect data and observe the target, such as emails, malware, network sniffing, and social engineering
- Identify best attack vector using collected information and create tools to exploit it
- Use tools to break the security system and install malicious applications or software
- Monitor the network, infect devices with malware bots, or steal financial and personal data.
Some attack vectors in cyber security lead to simpler cyber attacks that steal banking information or credit card data—but many hackers are less obvious and have developed more sophisticated monetization techniques.
Some hackers infect systems with bots or botnets they can access off-site, remotely from a command and control server to steal data, perform cyber attacks, send spam attack vectors.
Hackers may steal customer data and target organizations that collect and store personal customer data in large amounts. Attackers can use personalized healthcare information (PHI) to obtain prescription drugs illegally, or commit credit card or insurance fraud.
Denial of service (DoS) attacks that exploit website attack vectors, web application attack vectors, or DNS attack vectors can lead to unplanned service outages as systems become overloaded. Private attackers might exploit attack vectors for ransomware in this way, or businesses might initiate DoS attacks against competitors via attack vectors for web applications to hurt sales and damage IT infrastructure.
Some hackers are not motivated by financial gain, and are hoping to embarrass someone or leak secret information to the public. Political actors might exploit cloud attack vectors to take massive swaths of the internet offline at once to make a political statement. The majority of cyber attacks for most IT organizations, however, originate with hackers trying to steal financial and personal data.
Types of attack vectors
Here are some of the most common cyber attack vectors used by hackers.
Categorized as a social engineering attack, phishing is a potent and popular attack vector. The goal of phishing is typically theft of user data, including credit card numbers and login credentials. The primary goal of most phishing attacks is to penetrate systems to obtain usernames and passwords as well as other financial and account data.
Malware refers to any malicious software that infects IT infrastructure with malicious code, such as worms, viruses, and trojans. Launching these zero-day attacks against known or detected vulnerabilities is a common tactic that is tough to avoid entirely, but organizations greatly reduce risk by monitoring and maintaining up-to-date antivirus and firewall protection. Malware infections impact service availability while compromising valuable data.
Ransomware is a type of malware intended to help attackers engage in cyber-extortion by encrypting files on a device or system so they are unusable. Hackers demand an exchange: victims are to pay the ransom for a decryption key. If the ransom is not paid, they may find their information leaked, sold, or deleted. (The decryption key may or may not really exist, as some victims find themselves without their data even if the ransom is paid.) Common ransomware attack vectors include email phishing and unsecured remote desktop protocol connections.
Software developers write patches for any major security vulnerabilities they identify in their applications and release them for users to install. Failing to install patches regularly can allow hackers to exploit known vulnerabilities.
Many servers that store sensitive data use structured query language or SQL to communicate. An SQL injection forces the server to expose information with malicious SQL.
Among the most popular attack vectors are weak and compromised credentials. When usernames and passwords or other information are exposed to a third party such as a website or mobile app, compromised credentials can occur. This often happens when phishing victims reveal their login details in a vishing call or on a spoofed website. Lost and stolen credentials allow attackers to access corporate systems and user accounts undetected, and then escalate their access level.
To avoid the risk of compromised credentials, users and organizations should deploy multi-factor authentication (MFA). If they use passwords they should consider a password manager. It is also critical to educate employees on the signs of a potential cyberattack and the security risks they face. Relying on passwords alone and to verify identity leaves organizations at risk, however.
Cyber and Infrastructure Security Agency (CISA) defines insider threat as risk from harm that an insider can do, wittingly or unwittingly, with his or her authorized access, to organizational equipment, facilities, information, mission, networks, personnel, resources, or systems. When employees expose confidential information to attackers—whether intentional or not—the entire organization is at risk.
Insider attacks are often difficult to detect, because they stem from people with legitimate access to systems and sensitive information who are disgruntled or unhappy enough to hide their behavior. Continuous monitoring to determine what normal behavior is becomes essential to identifying unusual activity related to insider attacks.
Cross-Site Scripting (XSS)
Encryption obscures the contents of a message and converts digital data into a ciphertext or code to protect it. This ensures that unauthorized parties and cyber criminals cannot read the data within a message or steal sensitive information.
Transmitting sensitive data in plaintext with poor, missing, or weak encryption risks its exposure if accessed via brute-force attack. Strong encryption methods such as TripleDES (Data Encryption Standard), Rivest-Shamir-Adleman (RSA), and Advanced Encryption Standard (AES) ensure sensitive information is encrypted all the time—in processing, at rest, and in transit.
Distributed Denial of Service (DDoS)
Using multiple machines or a botnet an attacker floods a server with internet traffic to launch a DDoS attack. This hampers access to services and can crash the organization’s site. Defenses against DDoS attacks include filtering traffic with firewalls, restricting the number of requests a server can receive with rate-limiting, conducting regular risk assessments, and scattering traffic with traffic differentiation.
A man in the middle (MITM) attack refers to a hacker positioning themself between a user and an application, often by exploiting public Wi-Fi networks. When a perpetrator inserts themself into a conversation this way it is generally either to impersonate one of the parties or to eavesdrop, so that sensitive information is stolen although it seems as if a normal exchange took place
Brute Force Attack
A brute force attack is a relentless trial-and-error approach in which the hacker tries numerous passwords or combinations in an attempt to access encrypted data. Brute force works across many endpoint security attack vectors and so is technically a method more than its own vector, yet merits a mention here regardless.
Attack vector vs attack surface
Although some refer to attack surface and attack vector as if these concepts are the same thing, there are differences between attack surface vs attack vector. Furthermore, there are important distinctions between an attack vector vs vulnerability.
The attack surface comprises all points on the network where an attacker can attempt to gain unauthorized access to information systems and any data via any asset. The attack surface of a larger business can be massive, with potentially hundreds of attack vectors leaving hundreds of thousands of targeted assets vulnerable. Cumulatively, this means that securing an attack surface can be tantamount to monitoring hundreds of billions of signals in real-time.
Attack vectors are the techniques attackers deploy to infiltrate or breach your network. Certain attack vectors take aim at humans that have network access, looking for weaknesses, while other attack vectors target weaknesses in overall infrastructure and security. Some forms of attack vectors include compromised credentials, man-in-the-middle attacks, malware and ransomware, and phishing emails.
To sum up, an attack vector is the means an attacker uses to exploit security weaknesses and vulnerabilities. The attack surface is all of the system’s data and human nexus points, public and private. A data breach is any access or theft of protected, sensitive, or confidential data by an unauthorized party. A vulnerability is a particular issue in the code of software, a website, or an application that has a security impact; attack vectors exploit, reach, or trigger vulnerabilities.
How do attackers exploit attack vectors?
An attacker commits a passive attack by monitoring a computer system for vulnerabilities or open ports or to conduct reconnaissance and collect information on their target. Because they involve altering neither system resources nor data, passive attacks can be difficult to detect. The threat from the attacker arises not from damage to organizational systems, but from breached confidentiality of data.
Attackers use active attack vectors to affect the regular operations of an organization or disrupt its system resources. Active attack vectors include malware attacks, phishing emails, denial-of-service (DoS) attacks, and targeting weak passwords.
A masquerade attack is a common example of an active attack in which a hacker gains access privileges to system resources by stealing login credentials and impersonates a trusted user. Hackers often deploy active attack vectors to gain enough information to successfully launch a broader cyberattack.
Passive Attack vs Active Attack
Passive reconnaissance attack vectors allow attackers to monitor systems for vulnerabilities without interacting with them by using tools like search engines and other sources of public information. Active reconnaissance attack vectors enable hackers to engage with target systems using methods like port scans.
APIs: the new leading attack vector
According to estimates from Gartner, by 2022 APIs will become the most frequent attack vector. API makes up about 83% of all web traffic, offering a direct route into the critical data and systems of organizations.
Businesses transfer data and connect services with APIs. Exposed, broken, and hacked APIs are often at the heart of serious data breaches. Strong API security can prevent the exposure of sensitive financial, medical, and personal data.
API security is far more complex than simply detecting run-time attacks, because data exfiltration and breaches often resemble normal application behavior. This means many organizations are at risk, because current application security systems such as SIEMs and web application firewalls (WAFs) alone are not enough to prevent all attacks. API security is less about a supplemental tool for an existing security scheme, and more about a process of discovering APIs, identifying misconfigurations, mitigating vulnerabilities, and testing new APIs.
The TLS standard retains a private internet connection and ensures that data transmitted between a server and a client or between servers is unmodified and encrypted. This ensures that even if an attacker successfully exposes sensitive data, they will not be able to read, modify, or otherwise use it.
SOAP APIs use built-in Web Services Security (WS Security) protocols that define a rules set guided by authentication and confidentiality. SOAP APIs support standards set by the World Wide Web Consortium (W3C) and the Organization for the Advancement of Structured Information Standards (OASIS), the two major international standards bodies.
SOAP APIs use a combination of XML signatures, XML encryption, and SAML tokens to verify authorization and authentication. Overall, SOAP APIs deliver security measures that are more comprehensive, although because they demand more management, they are recommended for organizations that handle sensitive data rather than across the board.
Common strategies for improving API security include:
- API gateway. API gateways analyze and control how APIs are used and authenticate traffic, serving as the major locus of API traffic enforcement.
- Encryption and Signatures. Use a method such as TLS to encrypt data and require signatures to ensure that only authorized users are decrypting, viewing, accessing, and modifying data.
- Monitor for Vulnerabilities. Monitor API components, drivers, the network, and the operating system to understand how each piece functions alone and as part of the whole. Engage in attack vector analysis to identify weak points that might function as access points for APIs. Track data leaks and identify security issues with sniffers.
- Quotas and Throttling. Place quotas on calls to the API and track its use over time. Increased calls on an API can be a sign of a programming mistake or abuse. Set rules for throttling to protect APIs from Denial-of-Service attacks and traffic spikes.
- Tokens. Establish trusted identities, assign them tokens, and then use them to control access to resources and services.
How Noname Security protects APIs
The API security threat can feel overwhelming. Security teams lack visibility into the depth of the threat, leaving the techniques and tools for controlling exposure feeling truly out of reach. The Noname API Security Platform drives a multi-faceted API security process starting in the API development stage with testing and continuing throughout the API lifecycle. The platform uses a combination of API discovery, API testing tools, continuous monitoring, and run-time threat mitigation.
Assess your security posture
Acquire a clear and accurate picture of your organization’s potential exposures and what its true surface looks like across APIs and web applications. Our API discovery tool that comprehensively finds and inventories all APIs, including legacy and shadow APIs.
Actively conduct API testing
As part of the API software development lifecycle, API security testing should be used to remediate any potential issues pre- and postproduction. Noname validates the integrity of each API before and after they are deployed.
Continually monitor API traffic
Track API consumption and analyze API traffic metadata. Real-time traffic analysis identifies new APIs and changes in existing APIs. The analysis process is automated, repeatable, and actionable. Identify issues so they can be remediated before they can be exploited.