What is a threat vector?
Cybersecurity threat vectors, or attack vectors, are methods or mechanisms cybercriminals use to gain illegal, unauthorized access to computer systems and networks. The motivations for using cybersecurity threat vectors vary by the type of attacker.
Cybercriminals that effectively leverage cybersecurity threat vectors include:
- individual hackers
- disgruntled former employees
- politically motivated groups
- hacktivists
- cybercrime syndicates
- state-sponsored groups
Following a successful infiltration with a threat vector, cybercriminals may use additional vectors to perform additional misdeeds, such as:
- Stealing valuable information (e.g., login credentials, personally identifiable information (PII), protected health information (PHI), trade secrets, financial data)
- Launching ransomware for extortion
- Damaging systems
- Causing system failures
- Taking control of systems
There are many examples of cybersecurity threat vectors. Most can be categorized as active or passive.
Examples of passive cybersecurity threat vectors include those that use methods to gain access without affecting system resources, such as phishing, pretexting, baiting, piggybacking, tailgating, and other social engineering vectors.
Conversely, examples of cybersecurity threat vectors that are active share a disruptive characteristic; they seek to alter a system or affect its operation. Examples include malware, ransomware, exploiting unpatched vulnerabilities, email spoofing, man-in-the-middle attacks, and denial-of-service (DoS) attacks.
Why understanding threat vectors is important
Cyberattacks continue to cause significant losses and disruption. Understanding cybersecurity threat vectors facilitates an understanding of the entry points into computer systems and networks. With this information, vulnerabilities can be remediated and gaps closed. It also highlights the scale of the attack surface and can be used to identify areas that can be eliminated to minimize its size.
A proactive approach to learning about cybersecurity threat vectors is an effective way to significantly reduce risk, because most cyberattacks take the path of least resistance, targeting known vectors that are often overlooked.
Examples of threat vectors and how to mitigate them
Drive-by download attacks
Drive-by download attacks infect a device while users are simply browsing websites, even legitimate and trusted websites. This threat vector is initiated when cybercriminals take advantage of vulnerabilities in users’ browsers that allow malware to be injected.
The malware is downloaded after users clicks on a link, pop-up window, or advertisement. Users are lured into clicking with special offers, warning messages, and update alerts.
Examples of how organizations enable protection from these threat vectors include:
- Deploying security tools that proactively detect and respond to threats, such as next-generation firewall (NGFW), endpoint detection and response (EDR), and network detection and response (NDR).
- Keeping browsers and plugins up to date with updates directly from the provider.
- Training users to identify and not click suspicious pop-ups and advertisements on websites.
Insider threats
Insider threats are either malicious or negligent. A malicious insider is a user with internal access privileges, such as an employee, former employee, or partner who uses their access to attack an organization. Malicious insiders are particularly troublesome examples of cybersecurity threat vectors because they have access to and know the locations of data and systems. They often steal data for financial gain or expose it to harm the organization’s reputation.
While the damage they do is not intentional, negligent insiders are also problematic examples of cybersecurity threat vectors. Negligent insiders generally cause security problems by making mistakes, such as revealing their passwords or connecting to the internet using public Wi-Fi or personal virtual private networks (VPNs).
Examples of how organizations enable protection from insider threats include:
- Watching for disgruntled employees and closely monitoring data and network access for every device they use.
- Continuously educating and reminding insiders of security best practices and their benefits.
- Prohibiting the connection of removable media or the copying of data to removable devices.
- Using NDR to detect irregular behavior, such as accessing systems at odd hours or exfiltrating data at high volume.
Malware
Malware is a short name for malicious software. It describes many strains of software that are purpose-built for attacks.
Common examples of cybersecurity threat vectors in the malware category include ransomware, spyware, worms, Trojan attacks, and viruses.
Malware is used to gain unauthorized access to systems and networks with the sole intent of causing trouble—from stealing sensitive data to disrupting operations.
Examples of how organizations enable protection from these threat vectors include:
- Implementing sandboxing and firewalls to partition data and applications.
- Knowing the characteristics of an attack.
- Using antivirus and anti-malware software to detect and block threat vectors.
Misconfiguration
There are many examples of cybersecurity threat vectors associated with misconfiguration. Misconfigurations that can facilitate threat vectors may happen when setup pages are enabled, a user uses default usernames and passwords, or errors occur when setting up cloud services (e.g., Amazon Web Services, Google Cloud Platform, Microsoft Azure).
Examples of how organizations enable protection from misconfiguration include:
- Establishing and enforcing procedures and systems to tighten configuration processes.
- Monitoring application and device settings.
- Using automation wherever possible.
Missing or poor encryption
When encryption is implemented poorly or not at all, cybersecurity threat vectors multiply. When it is not properly encrypted, sensitive information is open to attacks. Data can be stolen during transmission (e.g., a man-in-the-middle attack), or cybercriminals can steal it at rest from data storage.
Examples of how organizations enable protection from missing or poor encryption include:
- Avoiding the assumption that following compliance guidelines means suitable encryption is in place.
- Not relying on low-level encryption to protect sensitive data.
- Ensuring that sensitive data is encrypted at rest, in transit, and in processing.
- Using strong encryption methods.
Weak, compromised, or stolen credentials
Credential exposure remains one of the leading examples of cybersecurity threat vectors. Weak passwords and password reuse make users’ login credentials easy targets for cybercriminals, who use them to gain access to systems, applications, and networks, then initiate their nefarious propagation across managed devices and Internet of Things (IoT) devices.
Usernames and passwords are still the most common type of access credentials. They are highly susceptible to threat vectors such as phishing scams and malware. They are also often exposed to third parties, such as mobile applications and websites. Regardless of whether credentials were weak and a cyberattacker deduced them or the credentials were lost or stolen, the result is the same—bad actors gain unauthorized access that can be used as a launch point to escalate their privileges within a network.
It is important to note that credential holders are not limited to people. Servers, network devices, and even security tools often use credentials as part of the integration and communication between devices. These machine-to-machine credentials are particularly risky, because they can be used to move throughout the enterprise, both vertically and horizontally. IoT devices, which are notorious for weak credentials, are frequent targets.
Examples of how organizations enable protection from these threat vectors include:
- Continuously monitoring for data exposures and leaked or compromised credentials.
- Prohibiting password sharing across services.
- Forbidding password reuse to access multiple applications and systems.
- Educating users on the risks and importance of good credential usage.
- Employing multi-factor authentication with biometric authentication.
- Implementing strong password requirements and enforcing them.
- Using a single sign-on tool.
Phishing
Many examples of cybersecurity threat vectors are associated with phishing. Phishing is a social engineering attack method that uses email, text messages, or telephone calls. The attacker poses as a trusted messenger to trick the target into sharing sensitive information (e.g., login credentials, financial information, credit card details).
Phishing messages sometimes entice people to share information verbally. Other approaches trick targets into clicking malicious links.
Phishing is one of the most effective cybersecurity threat vectors; it has defeated even the most sophisticated cyber defense systems by preying on people’s weaknesses.
Examples of how organizations enable protection from phishing include:
- Blocking malicious websites.
- Conducting phishing drills.
- Deploying a next-generation firewall (NGFW) with malware detection and threat intelligence.
- Educating staff on how to recognize phishing messages.
- Installing an endpoint detection and response (EDR) solution.
- Keeping software patched and updated.
- Monitoring and tracking web browsing and email click-through behavior for users.
- Requiring multi-factor authentication (MFA).
- Using spam filters.
Ransomware
Ransomware is a form of malware that encrypts systems and renders them inaccessible. Cybercriminals then threaten to delete or expose the data on systems unless a ransom is paid.
Examples of cybersecurity threat vectors in the ransomware category abound. Ransomware is spread and activated in the same way as malware and phishing. It is a powerful and effective threat vector that continues to menace organizations of all sizes.
Examples of how organizations enable protection from ransomware include:
- Keeping software patched and updated.
- Following all protocols used for malware and phishing.
Remote access services
Remote access services are examples of cybersecurity threat vectors that turn an important productivity tool into a potential point of entry for cybercriminals. These solutions allow users to connect to remote systems and networks.
Examples of remote access services include virtual private networks (VPN) and Windows remote desktop services. These solutions enable users to access their workstations using another device, but they can also be detected and exploited by cybercriminals. Once a remote access point is discovered, cybercriminals can hack into the connection (e.g., using a brute-force attack, exploiting misconfigurations and vulnerabilities).
Examples of how organizations enable protection from these threat vectors include:
- Allowing remote access only for users who truly need it.
- Ensuring that remote access services are up to date.
- Requiring strong passwords.
- Setting an account lockout policy.
- Using multi-factor authentication.
Removable media
Removable media is an older example of a cybersecurity threat vector; from floppy disks to flash drives, it has persisted as a threat vector. Once data has been copied to removable media, there is a risk of it being intercepted and accessed for unauthorized use. Because removable media is small and easy to transport, it can easily be lost, stolen, or used for data exfiltration.
From its early days, removable media has also been used to distribute malware. Floppy disks were used to deliver the first known ransomware in 1989. A floppy disk labeled “AIDS Information Introductory Diskette,” which contained a DOS Trojan horse called the PC Cyborg Troja was mailed to a mailing list. When the disk was launched, the malware encrypted the names of all directories on the user’s C drive.
Flash drives and other removable media continue to serve as delivery agents for malware. Examples of how organizations enable protection from these threat vectors include:
- Disabling the AutoRun feature for removable media.
- Prohibiting removable media from connecting to network devices if not required.
- Setting automatic malware scans on removable media before they are allowed to connect.
Threat vector FAQ
What are examples of attacks that exploit cybersecurity threat vectors?
- Brute force attacks
- Cross-site scripting (XSS)
- Man-in-the-middle attacks
- Session hijacking
- SQL (Structured query language) injections
- Trojan attacks
- Worms
- Zero-day attacks
What is the difference between an attack vector and an attack surface?
Cybersecurity attacks use attack vectors to gain unauthorized access to a system or network. The attack surface is the number of attack vectors a cybercriminal can access.
What are examples of top cybersecurity threat vectors?
- Mobile devices
- Networks
- Remote access portals
- Users
- Web applications
How does a cybercriminal use a cybersecurity threat vector?
- Identifies a target and finds applicable threat vectors
- Gathers information about the target and threat vectors
- Uses the information to identify additional tools needed to launch an attack
- Gains access, then
- Steals data
- Installs malicious code
- Stays hidden and watches for information worth stealing in the future
- Takes control of the compromised system with a command-and-control server
- Extracts data or encrypts data to hold for ransom
Understand cybersecurity threat vectors for effective defense
Cybercriminals of all stripes are motivated, persistent, and plentiful. They prove day after day that they can get around cyber defenses, even in the most sophisticated organizations. There are many examples of cybersecurity threat vectors, but it behooves security professionals to study and understand them to more effectively direct their defense tactics to protect sensitive applications, data, and networks.
Once the threat vectors are well-understood, applying targeted defenses to specific areas across an enterprise’s attack surface is easier and more efficient. While some risk is expected as part of doing business, socializing examples of threat vectors throughout the organization is considered a best practice amongst cybersecurity experts.
