November 8, 2023

Threat actors use a variety of techniques to gain access to an organization’s network and carry out cyber attacks in which they steal data and perform other criminal acts. To defend against malicious actors, organizations need to understand how they could be compromised, starting with the attack vectors. This helps the company prioritize its resources and implement defensive measures where they will have the biggest impact. 

Attack vector definition

An attack vector, also referred to as a threat vector, is the entry point or method that cybercriminals use to launch and execute an attack. They exploit the attack vector’s vulnerabilities to gain entry into the network and carry out their objective, whether that’s to infect systems with ransomware or exfiltrate valuable data. 

Attack vector vs attack surface

An attack surface refers to all the IT systems and components that malicious actors can exploit through the attack vectors. In other words, these are all the entry points and pathways—including human (e.g., employees and partners) and technology (e.g., devices and apps)—that threat actors can take across the enterprise. 

How cyber attackers utilize attack vectors

Attack vectors help threat actors achieve their end goals, which could be anything from disrupting organizational operations to stealing sensitive data that could be monetized. The attack vector is a means to an end. For example, before they can traverse the network, cyber attackers need to open a backdoor into a machine, establish a connection with a command-and-control center, and control the computer remotely. 

Common attack vectors

There are numerous attack vectors within each organization, and malicious actors often explore multiple vectors to find the weakest point. Among the most common and effective vectors are malware, phishing, vulnerabilities, and weak or stolen credentials. These vectors serve as the launching pad in numerous data breaches and other cyber attacks, and they are frequently used in tandem. 


Phishing is a prevalent technique that attackers use to steal login credentials, distribute malware, and convince people to take malicious actions. Cybercriminals know that it’s a lot easier to trick humans than technology, which is why the majority of data breaches involve a human component. Phishing is an effective attack vector because it exploits human nature and emotions, whether it’s curiosity, carelessness, or fear. 

An umbrella term, phishing often refers to various types of attacks. Most commonly, the attempts are made through email, but could also take the form of phone calls (known as “vishing”) and text messages (“smishing”). Cybercriminals can use mass phishing attempts that rely on generic messaging sent to as many potential victims as possible, or they can launch targeted attacks such as spear phishing that are more sophisticated and personalized to specific individuals or categories of people. 


Threat actors deploy malware through means such as phishing email attachments, compromised websites, and detachable media (e.g., USB drives). Various malware families serve different purposes, ranging from encrypting files and systems for ransom (ransomware), recording keystrokes (keyloggers), and infecting other systems (viruses), to creating a backdoor into the system (e.g., Trojan horses, which masquerade as legitimate software). 


One of the ways that malware can compromise a computer, server, or another endpoint is by exploiting weaknesses, such as faulty software code. These are known as vulnerabilities. Vulnerabilities, however, are not related only to technology—they could also include people and processes.  

From a technology standpoint, the most common vulnerabilities are misconfigurations and unpatched software. While some actors exploit vulnerabilities that are unknown or don’t have fixes yet (known as zero-day exploits), more commonly they rely on known exploits. It could take months—even years—for some organizations to apply security patches after vendors make them available, which gives cyber attackers plenty of time to act. 

Weak or Compromised Credentials 

Credentials are the most sought-after type of data for cybercriminals, who commonly use compromised or weak logins to break into an organization. They can easily obtain logins through phishing or on the dark web, and this attack vector is more effective than, for example, hacking through a firewall because it allows them to stay under the radar longer. An estimated 60% of breaches involve credentials. 

How cyber attackers exploit attack vectors

Threat actors exploit attack vectors at different stages of the so-called kill chain, which refers to the series of steps or stages in a cyber attack. Cyber attack stages begin with reconnaissance (assessing the landscape and identifying targets and tactics) and end with the completion of the main objective—in the case of a data breach, exfiltration. The steps in this process include the following.  

Identify a target system

During the reconnaissance stage, cyber attackers decide which system they should attempt to compromise, whether it’s an email server, web database, endpoint, etc. They’re working from the outside in, performing actions such as scanning systems for vulnerabilities. For example, they could use automated software to scan for open ports or misconfigured databases. 

Utilize data collection and observation tools

At this stage, attackers use scanning tools, malware, phishing, and other techniques to collect as much data about the target organization and system as possible. The goal is to identify weaknesses so they can determine the best ways to exploit them. For example, they may look for computers that run outdated operating systems or applications that have security flaws. 

Utilize tools created to exploit attack vectors

Once the attackers have identified vulnerabilities in the targeted systems, they use the attack vectors to gain a foothold. To achieve this, they either rely on off-the-shelf malware and other tools or create their own (such as scripts they write). 

Install malicious software

After the initial foothold, the cyber attackers deploy malware and use other techniques to strengthen their presence inside the network. For example, they could escalate privileges to a user or system with administrator rights. Additionally, they use malware for actions such as covering their tracks (deleting logs) and establishing a route to the outside location where they’ll exfiltrate the data. 

Steal important data 

Attackers copy or transfer data either manually or with automated tools to the location they control, using methods like remote access software (potentially the same one they used to get in) and DNS tunneling (abusing DNS protocols to evade defenses). Their goal is to remain stealthy for as long as possible in the environment while extracting the data. 

Cyber attacks associated with attack vectors

DDoS (Distributed-Denial-of-Service) attacks

In a DDoS attack, the adversaries are targeting infrastructure rather than data, with the goal of disrupting operations or services. To achieve this, they overwhelm a server with requests or traffic from multiple remote locations, essentially creating a major jam or crash that denies access to legitimate systems and users. 

Botnet attacks

A botnet consists of a large network of computers and other devices that have been infected by malware and are remotely controlled by the attackers. They use the botnets for purposes such as launching DDoS attacks, sending phishing emails, and hacking systems with brute force attacks. 

Customer data theft

A common type of attack is one that targets databases, servers, and other systems that store large volumes of valuable information, such as customer data. Cyberattackers whose purpose is data theft typically monetize personally identifiable information (PII) by selling it on the dark web, using it to commit financial fraud through identify theft, or holding the data for ransom. 

Threat actors who exploit attack vectors

Both internal and external actors can leverage attack vectors, though malicious insider actions are less common than attacks from outside the organization. 

Malicious insiders

Malicious insiders could be disgruntled employees or perhaps former associates whose access to systems hasn’t been revoked. For example, they may deploy malware to shut down systems in retaliation or impersonate other employees in a phishing attempt. 


These actors are motivated by something other than money, typically looking to make a point or attract attention to a specific cause. 

Business competitors

Business competitors may pursue intellectual property, such as patents and proprietary research, that could give them insights into their rivals. Corporate espionage attackers employ the same tactics as those looking to steal data or create disruption. 

Cybercriminal groups

The majority of cyber attacks are carried out by organized crime groups that are financially motivated. These groups are part of a booming underground economy that operates the same way the legitimate business world does—with cybercriminals specializing in different areas and trading services and products on the dark web. 

Nation-state actors

Sophisticated groups sponsored by nation-states are often behind some of the most damaging and widespread cyber attacks. Even when these groups are after highly targeted organizations, such as critical infrastructure providers, many other businesses get caught in the crosshairs of these attacks. 

Partner with SailPoint

SailPoint supports the enterprise by enabling only authorized internal and external users to access data and systems. Learn more about our approach to identity security and how it can benefit your organization. 

Take control of your cloud platform.

Learn more about SailPoint Identity Security.

Schedule a Demo