
What is an Attack Vector? 15 Common Attack Vectors to Know

Summary: In this article, we’ll take a deep dive into attack vectors. You’ll learn what they are, the most common types, how they’re used, and why hackers continually use them to exploit vulnerabilities. By the end of this article, you'll have a thorough understanding of the fifteen most common types of attack vectors and what you can do to prevent your organization from falling victim to them.

What is an Attack Vector in Cybersecurity?

A cybersecurity attack vector is a path that a hacker or malicious actor uses to gain unauthorized access to a network, server, application, database, or device by exploiting system vulnerabilities.

An attack vector is often a complex process that requires threat actors to gather intelligence to understand their targets, identify security weaknesses, and then attempt to make their way into the system. Once they’ve gained access, the hacker can wreak havoc by compromising sensitive data, infecting software with malware, or causing a complete system shutdown.

Attack vector, attack surfaces, and threat vectors: What's the difference?

An attack vector often gets mixed in with the terms "attack surface" and "threat vector." A threat vector in cybersecurity is generally synonymous with an attack vector—a method by which a hacker gains unauthorized access to a private system.

Attack surface, on the other hand, refers to all possible entry points someone could use to access a system. In other words, it's the sum of all attack vectors within an IT environment and organizational network. Hackers thoroughly evaluate attack surfaces before selecting their attack vector based on discovered vulnerabilities.

Two Ways Bad Actors Exploit Attack Vectors

As bad actors carry out attack campaigns, they may take different paths when exploiting system vulnerabilities. The two main types of threat vectors are active attacks and passive attacks.

Active attack

Active attack vectors seek to directly harm, alter, or damage an organization's systems and network resources. They are easier to trace than passive attacks because they cause significant disruptions to an operation or IT production environment. Common active attack vector examples include malware deployment, denial-of-service (DoS) attacks, and domain hijacking.

Malware and DoS attacks, two of the most common active attack vectors, cost companies an average of $2.5 million and $2 million per incident, respectively.

Passive attack

A passive attack vector is less apparent: the hacker exploits vulnerabilities only to gain information, without causing operational disruption or altering data or systems. Phishing, for instance, is a typical passive attack vector that seeks to acquire information, such as someone's access credentials.

The average cost of credential compromises to a business as a result of a passive attack vector has doubled since 2015 to $2.1 million per incident.

15 Common Types of Attack Vectors to Know

1. Weak or compromised access credentials

Compromised access credentials give hackers a direct path into a computer system or organizational network. Usernames and passwords for account profiles are often stolen and leaked via phishing or brute force attacks, making it easy for cybercriminals to enter networks undetected because the activity looks like a normal login.

How to avoid it

Enact and enforce strict password management policies that require long and complex passwords, implement systems for secure password storage, and set rules for how often passwords must be changed. A passwordless authentication system nearly eliminates this attack vector: with no passwords, there are no password credentials to compromise.

2. Phishing

In a phishing attack, scammers pretend to be a trusted entity to get users to voluntarily release sensitive information—generally via a spoofed email address. The victim is tricked into downloading malicious files or providing sensitive information either by responding to the email or by clicking on a link to a fake web page where they enter their credentials.

How to avoid it

Cybersecurity awareness training is the best preventive measure, particularly modules for detecting scams. Also, implement spam filters and block websites that don't meet security criteria. As a failsafe, keep software up to date in case malware is delivered via email, and utilize MFA for verification.

3. Malware

Malware (malicious software) is often distributed through phishing (as a downloadable file) or within a network to devices or applications that have already been compromised. There are many types of malware, including ransomware, viruses, trojans, and spyware.

How to avoid it

Educate employees on how to recognize phishing attacks. Well-designed firewalls also help prevent malware from taking hold—specifically malware delivered over the internet—by stopping it before it reaches a network or individual endpoint. Lastly, keep software applications up to date so that anti-malware and antivirus mechanisms detect the most recent and prominent threats.

4. Unpatched software

Unpatched software is both an attack vector and a vulnerability. As a vulnerability, operating systems, servers, and applications with bugs or security flaws give sophisticated hackers an opportunity to manipulate the code or access the system. As a vector, attackers can target such software with zero-day attacks, in which a vulnerability is exploited before the development team can fix it.

How to avoid it

Ensure all software remains up-to-date by enabling automatic updates across systems. For internal software, teams can run vulnerability assessments to find potential entry points and flaws in their code to fix them.

5. Third-party vendors & service providers

In recent years, cybercriminals have been targeting software vendors, managed service providers (MSPs), security consultants, and cloud solution providers. These entities store data on their customers, and a hacker that infiltrates such an organization gains access to the information for many people at once.

How to avoid it

To mitigate the risk of this vector, organizations should use privileged access management tools that enforce least privilege principles and control identity-based vendor access. These solutions produce an audit trail and ensure vendor users have only enough temporary resource access to complete the workflow or project.

6. Insider threats

Disgruntled employees or upset former staff that still have access to systems and resources can be a massive threat to your business. In these scenarios, the attack vector comes from the inside, where the threat actor could steal sensitive information, install malware on network devices, or find ways to shut down the operation.

How to avoid it

Insider attacks can be mitigated by following the principle of least privilege, which only lets authorized users access enough resources to perform their job functions. Continuous monitoring and modern-day security frameworks such as Zero Trust are also effective strategies.

7. Lack of encryption

This attack vector assumes that data stored at rest or in transit does not contain the proper encryption—allowing a hacker who gains unauthorized system access to steal, delete, or manipulate organizational data easily. If no form of encryption or hashing gets utilized, unauthorized users can view the data in plain text format.

How to avoid it

Businesses should use data-loss prevention (DLP) solutions such as email encryption tools to protect data-in-transit and fill any security gaps caused by unencrypted data. Furthermore, they should only invest in software systems incorporating robust encryption methods during processing and rest stages.

8. Misconfigurations

Misconfigurations occur when there's an unintended vulnerability within the security settings or design of an application, database, or other computer systems. In cloud environments, for instance, it's common for an administrator to fail to update their default credentials or unintentionally give standard users privileged access. Unknown or unfixed misconfigurations leave organizations open to a wide range of inside and outside attacks.

How to avoid it

Vulnerability assessments are a great way to identify system misconfigurations within a network. Organizations can also leverage automated configuration management tools to track technology resources, automate access provisioning tasks, and reduce system deployment issues caused by human error.

9. Trust relationships

A trust relationship is the connection protocol in which multiple systems “trust” each other, and one authentication ultimately gives users access to an entire network of resources. While convenient for login processes, it paves the way for an attack vector. Compromised credentials of a trusted user or domain can end up giving unauthorized access to all trusted resources within the connection.

How to avoid it

Security teams must obtain visibility on all trusted relationships within their network, including third-party connections of vendors. Network segmentation also reduces risk by dividing resources into segments and requiring authentication at each point—letting organizations protect their relationships and isolate potential incidents to one area.

10. Brute force

Brute force is a method where a hacker attempts to access a system by running password combinations until successful. They often use a software program that automatically tests the combinations, usually with a list of the most common passwords or passwords containing personal data of the target. A successful attack can lead to a data breach and access to other accounts that recycle the same password.

How to avoid it

Avoiding brute force attacks comes down to proper credential management. Organizations must enforce policies that outline requirements for constructing long passwords containing alphanumeric and special characters that avoid personal information.
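Credential policy is the preventive control; the detective control is noticing the burst of failures that a brute force tool produces. The following is an added example (not from the original article) that runs a sliding-window failure count over a constructed, sshd-style auth log; the log lines, the regular expression, and the threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (sshd-style). These lines were written for this
# example; the addresses come from documentation ranges and are not real hosts.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:03 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:04 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:06 sshd: Failed password for guest from 203.0.113.7
2024-03-01T10:00:08 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:09 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:01:00 sshd: Failed password for alice from 198.51.100.4
2024-03-01T10:30:00 sshd: Failed password for alice from 198.51.100.4
2024-03-01T10:30:05 sshd: Accepted password for alice from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(log_text):
    """Yield (timestamp, result, user, ip) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed logins inside a sliding window.
    Returns {ip: {"users": set, "succeeded_as": set}}; "succeeded_as" lists
    accounts that later logged in from a flagged IP, the highest-priority signal."""
    recent = defaultdict(list)   # ip -> [(timestamp, user)] for failures still in the window
    flagged = {}
    for ts, result, user, ip in parse_events(log_text):
        if result == "Failed":
            # Drop failures that have aged out of the window, then add this one.
            recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= threshold:
                entry = flagged.setdefault(ip, {"users": set(), "succeeded_as": set()})
                entry["users"].update(u for _, u in recent[ip])
        elif ip in flagged:
            flagged[ip]["succeeded_as"].add(user)
    return flagged


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(ip, "tried:", sorted(info["users"]), "succeeded as:", sorted(info["succeeded_as"]))
```

In the sample, 203.0.113.7 produces five failures in seven seconds followed by a success as admin, which is the pattern to alert on; alice's two failures half an hour apart fall outside the window and are not flagged.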

11. DDoS attacks

A distributed denial-of-service (DDoS) attack is when a cyber criminal seeks to shut down network resources, such as servers, applications, and websites, by flooding them with overwhelming traffic or messages. An organization could halt its operations and lose access to critical data if successful.

How to avoid it

While security controls for DDoS attacks vary by target, network monitoring solutions help distinguish legitimate from anomalous traffic to stop a DDoS attempt before it succeeds. Also, application firewalls protect servers and let organizations control who can access the application. Finally, teams can use anycast network diffusion, which prevents any one server from being overwhelmed by spreading traffic across numerous servers.

12. SQL injections

Structured query language (SQL) lets servers communicate with databases so users can pull and manage data sets. An SQL injection is when a hacker tricks the system into exposing certain information by using a malicious SQL command—allowing them to view, steal, or delete sensitive data.

How to avoid it

Many SQL injections take advantage of outdated or vulnerable software, so organizations must maintain a comprehensive software patching system and keep their programs up to date. Company databases and the applications in front of them should also incorporate input validation controls. These enforce length and format requirements on the input that reaches SQL commands—preventing anything that falls outside those parameters from being processed.

13. Cross-site scripting

Cross-site scripting (XSS) attacks use vulnerable but trusted company websites to target their visitors. A hacker injects malicious scripts into web pages, for example by embedding a link in a comments section on a forum page. If a website visitor clicks the malicious link, malware could deploy on their endpoint device and possibly let the hacker hijack the user's account on the site.

How to avoid it

Organizations should deploy a content security policy (CSP) that controls whether injected scripts can execute in the visitor's browser. They should also sanitize web content to remove unwanted data and unsafe hypertext markup language (HTML) tags from web pages.
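The comment-section case above, as an added example that is not part of the original article: a render function that interpolates untrusted fields directly, next to one that escapes text content, validates the link for the attribute context, and ships a CSP header as the backstop. The comment fields, the policy string, and the URL rule (absolute http or https only) are assumptions.

```python
import html
from urllib.parse import urlsplit

# Content-Security-Policy header value (assumed policy). With script-src 'self',
# an inline <script> that does slip into the page is refused by the browser.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def safe_href(url):
    """Allow only absolute http(s) links in user content; anything else
    (javascript:, data:, scheme-relative or relative paths) becomes a harmless '#'."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return html.escape(url, quote=True)   # escape for the attribute context
    return "#"


def render_comment_unsafe(author, text, link):
    """The defect: untrusted fields are interpolated straight into the HTML."""
    return f'<p><b>{author}</b>: {text} <a href="{link}">link</a></p>'


def render_comment(author, text, link):
    """The fix: escape text content, validate the URL for the href attribute,
    and add rel="noopener noreferrer" so the linked page cannot reach window.opener."""
    return (
        f"<p><b>{html.escape(author)}</b>: {html.escape(text)} "
        f'<a href="{safe_href(link)}" rel="noopener noreferrer">link</a></p>'
    )


if __name__ == "__main__":
    # Constructed comment of the kind the article describes: a script tag in the
    # body and a javascript: URL in the link.
    author, text, link = "mallory", "<script>alert(1)</script>", "javascript:alert(1)"
    print(render_comment_unsafe(author, text, link))
    print(render_comment(author, text, link))
    print("Content-Security-Policy:", CSP_HEADER)
```

The sanitizer here is output encoding for two contexts (element text and an href attribute); a site that must allow some HTML in comments needs an allow-list HTML parser on top of this, not a regex.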

14. Man-in-the-middle attack

Man-in-the-middle (MITM) attacks are when a hacker puts themselves between a client and server, typically a user and a web application, to steal data. It starts with an interception, where a criminal hacks a vulnerable Wi-Fi network or creates a spoofed website or malicious Wi-Fi hotspot. Then, hackers instigate a decryption phase, in which they monitor and capture communication data, such as user credentials, for further use.

How to avoid it

Organizations can protect themselves from MITM attacks by setting employee governance policies like avoiding non-secure websites or unknown Wi-Fi sources to prevent user data interceptions. Additionally, enforcing authentication controls such as MFA restricts hackers from obtaining access even after credentials are stolen.

15. Session hijacking

Also known as browser cookie theft, session hijacking is a man-in-the-middle attack that targets online account data, such as usernames and passwords, by taking over and monitoring a user's browsing session. Once they’ve stolen an internet protocol (IP) address, they can hijack the cookie data to track online activity, including pre-saved passwords.

How to avoid it

Businesses can prevent this attack vector by deploying top-of-the-line antivirus tools on endpoints that protect from the malware used to execute a session hijacking. Additionally, they should provide session protection solutions to employees, such as virtual private networks (VPNs), that encrypt user data while browsing the web.

How StrongDM Simplifies Protection from Attack Vectors

StrongDM provides a centralized solution to securely manage users, connect network resources and systems, and observe the activity. The People-First Access Platform combines authentication management, authorization, and provisioning capabilities into one tool.

91% of organizations agree that authentication management solutions such as MFA are important to stopping credential theft and phishing attacks.

IT, cybersecurity, and DevOps leaders can ensure attack vectors are neutralized with simple yet streamlined methods for protecting credentials, verifying users, offboarding employees who may be insider threats, and automating user provisioning. The platform is fully built to handle granular access management that follows the principle of least privilege while developing and maintaining solid network architecture such as Zero Trust.

About the Author

, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.
