One thing is certain in terms of cybersecurity: attacks will and do occur regularly. While security is the responsibility of all employees in an organization, active defense is up to IT and Info Sec teams. One way to help defend organizations effectively and efficiently is to understand the existing attack surface and the potential attack vectors that exist for attackers to exploit. Essentially, these are the points of attack and the paths that attackers can take to infiltrate networks and systems. We will unpack and describe these terms in the rest of this post.
Attack Surface
As brought up in the opening paragraph, the attack surface comprises the different points in a network or system that are open for connections. For example, these points could be application servers that provide a service to customers and employees. While these connections are necessary to serve business purposes, they can also potentially be exploited by attackers. In order to properly defend networks and systems, it is imperative to have an inventory and understanding of the attack surface. You cannot effectively defend what you do not know even exists.
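The inventory this paragraph calls for can be kept as a simple baseline check. The following Python script is an added example and is not code from the original post: it parses a constructed sample of listening sockets written in the style of `ss -tlnp` output, compares it against a hypothetical approved baseline of services the business intends to expose, and flags anything listening that is not on the baseline or that is bound more widely than approved. The socket listing, the baseline, the process names and the port numbers are all constructed for illustration.

```python
"""Attack surface baseline check (added example, not from the original post).

Inventory what a host actually exposes, compare it with what the business
approved, and report the difference. Every line of sample data below is
constructed for this example.
"""
from dataclasses import dataclass

# Constructed sample of listening sockets, in the style of `ss -tlnp` output.
OBSERVED_LISTENERS = """\
tcp   LISTEN 0      128    0.0.0.0:22      0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443     0.0.0.0:*   users:(("nginx",pid=1044,fd=6))
tcp   LISTEN 0      128    0.0.0.0:5432    0.0.0.0:*   users:(("postgres",pid=1301,fd=5))
tcp   LISTEN 0      128    0.0.0.0:3306    0.0.0.0:*   users:(("mysqld",pid=1402,fd=20))
tcp   LISTEN 0      128    0.0.0.0:8080    0.0.0.0:*   users:(("java",pid=1577,fd=11))
"""

# Hypothetical approved baseline: (bind address, port) -> process expected to serve it.
# The database is approved on loopback only; it should never face the network.
APPROVED = {
    ("0.0.0.0", 22): "sshd",
    ("0.0.0.0", 443): "nginx",
    ("127.0.0.1", 5432): "postgres",
}

# Bind addresses that mean "every interface".
WILDCARDS = ("0.0.0.0", "[::]", "*")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_listeners(text):
    """Turn `ss -tlnp`-style lines into Listener records; skips non-LISTEN lines."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "LISTEN":
            continue
        addr, _, port = parts[4].rpartition(":")  # local address:port
        process = "?"
        if parts[-1].startswith("users:"):
            # users:(("sshd",pid=812,fd=3)) -> sshd
            process = parts[-1].split('"')[1]
        listeners.append(Listener(addr, int(port), process))
    return listeners


def classify(listener, approved):
    """Return None if the listener is approved, otherwise a reason it is not."""
    key = (listener.addr, listener.port)
    if key in approved:
        if approved[key] == listener.process:
            return None
        return "port approved but served by unexpected process"
    # Same port approved on a narrower address, but found on every interface:
    # the exposure has widened beyond what was approved.
    for (addr, port) in approved:
        if port == listener.port and addr != listener.addr and listener.addr in WILDCARDS:
            return f"approved on {addr} only but bound to all interfaces"
    return "not in baseline"


def find_unexpected(listeners, approved):
    """Return (listener, reason) pairs for every listener that is not approved."""
    findings = []
    for listener in listeners:
        reason = classify(listener, approved)
        if reason is not None:
            findings.append((listener, reason))
    return findings


if __name__ == "__main__":
    for listener, reason in find_unexpected(parse_listeners(OBSERVED_LISTENERS), APPROVED):
        print(f"{listener.addr}:{listener.port} ({listener.process}): {reason}")
```

Run against the constructed sample, the check reports the database bound to all interfaces instead of loopback, plus two listeners (3306 and 8080) that nobody approved at all; those are exactly the entry points a defender would not know about without an inventory. On a real host the constructed listing would be replaced by the actual socket output, and the baseline kept under change control so that every new exposure has to be approved before it stops being a finding.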
Attack Vectors
While the attack surface describes the potential entry points into a network or system, an attack vector is the specific path taken by a threat actor to attack a system. To contrast the two: an open web server is part of the attack surface, while the HTTP/HTTPS application port/service would be the attack vector. Attack vectors describe the method or direction taken by a threat actor to exploit a vulnerability. Examples of potential attack vectors include:
- Direct access
  - The direct access vector describes the ability for attackers to gain physical access to a system. This would be like someone being able to walk up to an unlocked workstation and gain unauthorized access to a system.
- Removable media
  - A great example of removable media as an attack vector is a small USB flash drive. Flash drives are great tools for storage, but can be easily exploited as a means of attack. If you do not know for sure what is on a flash drive, it is dangerous to plug it into a system. We often hear examples of pen tests or experiments at security conferences in which flash drives are strategically left around unattended or actively handed out to see if people will accept them and plug them into their workstations.
- Email
  - Email has to be one of the largest attack vectors out there, and has been for some time. Phishing schemes are very prevalent and prove to be a relatively low-effort vector for attackers. If malicious emails can get past security controls, they can inflict major damage.
- Remote access
  - Remote access is similar to the web server example I gave above. Remote access provides us the ability to gain access to systems when we are off-site. While it is very useful, it has the potential to be exploited by attackers as well.
- Supply chain
  - Supply chain is an attack vector that has gained popularity in recent years. Often as consumers, we place trust in the companies from which we purchase goods and services. The same is true for businesses. Businesses are also consumers of goods and services from other companies. Attackers can leverage that supply chain to infect and infiltrate customers of these services. If a threat actor can infiltrate a product that has many consumers, they have the ability to potentially infiltrate or infect those consumers as well.
- Social media
  - Social media as an attack vector, to me, is a bit different than the other examples here. Rather than leveraging social media to gain access to or infect systems, it can be used to maliciously influence people or provide disinformation as an influence campaign.
- Cloud
  - Just because services get hosted and leveraged in the cloud does not mean that security concerns go away. There is a shared responsibility model with cloud computing: the cloud service providers are responsible for security of the cloud, and the consumers are responsible for security in the cloud. There have been many stories of security researchers finding unsecured cloud databases on the internet. Cloud is very much a viable attack vector.
It does seem that when it comes to cybersecurity, the deck is often stacked against the defenders. There is a saying that I’ve heard before that goes something like: defenders have to be constantly ready and successful; attackers only have to be successful once to gain access. While information security can prove to be challenging, we are in much better shape when we are aware of the attack surface and the potential attack vectors that attackers can leverage.