Attack Vector and Attack Surface

Essentials in brief
- An attack vector in IT refers to a specific path or technique for attacking computers, network devices or software services.
- The sum of all attack vectors of an IT system is referred to as its attack surface.
- The more attack vectors there are, the more exposed the IT system is to attacks by cybercriminals. By exploiting one or several attack vectors, they can compromise the IT system to alter, delete or steal data.
1. What is an attack vector?
In IT security, an attack vector is a path or technique that an attacker uses to exploit a security vulnerability in order to attack a computer system or software component.
The sum of all attack vectors of an IT system is also called its attack surface. The more attack vectors an IT system offers, the larger its attack surface, and the larger the attack surface, the more options an attacker has to compromise the IT system, i.e. to manipulate, delete or steal data or to take control of the system.
It is often necessary for an attacker to exploit several attack vectors in succession, or even simultaneously, to achieve the desired goal.

Example: to steal data, an attacker can exploit the following attack vectors in sequence:
- Exploiting an SQL injection vulnerability in the web application to obtain a reverse shell on the web server with the rights of a normal user.
- Using these user rights to exploit a misconfiguration in the DMZ firewall and an unpatched vulnerability in the database server to gain normal user rights on the database server.
- With the user rights on the database server, exploiting a misconfiguration in the Linux operating system of the database server to escalate the access rights to administrative rights. The attacker has thereby created all the conditions needed to copy the entire database to an external server on the Internet.
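As an added example (not code from the original article), the first link of the chain above in miniature: a login check built by string concatenation next to the same check with a parameterised query, both run against a constructed in-memory SQLite table. The `' OR '1'='1` payload is the classic authentication bypass; the table, the account name and the password are made up for the demonstration, and passwords are kept in clear text only so the injection stays visible.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database for the demonstration (not real data).

    Passwords are stored in clear text only so the injection stays visible;
    a real application stores salted password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!', 'user')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Attacker input is concatenated into the statement and therefore becomes
    # part of the SQL grammar: this is the attack vector of the first step.
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver binds the inputs as values, so a quote
    # inside the password can never terminate the string literal.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both variants with a legitimate login and with a bypass payload."""
    conn = make_demo_db()
    payload = "' OR '1'='1"  # classic authentication-bypass payload
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "S3cret!"),
        "vulnerable_bypass": login_vulnerable(conn, "alice", payload),
        "safe_legit": login_safe(conn, "alice", "S3cret!"),
        "safe_bypass": login_safe(conn, "alice", payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18s} -> {'access granted' if ok else 'access denied'}")
```

In the vulnerable variant the WHERE clause becomes `username = 'alice' AND password = '' OR '1'='1'`, and since AND binds tighter than OR the row is returned for any username. The parameterised variant sends the payload to the database as a plain string value, and the lookup fails.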
2. How are attack vectors exploited?
The basic procedure for exploiting attack vectors is often as follows:
- The cybercriminals identify a target system to penetrate or exploit.
- The cybercriminals use reconnaissance techniques such as OSINT (open source intelligence), probing emails, malware or social engineering to gather more information about the target system.
- The cybercriminals use the information obtained to map the attack surface, i.e. the target's attack vectors. From this they select the most promising attack vectors and develop or acquire the tools to exploit them.
- Using the prepared tools, the security measures are breached and an inconspicuous piece of malware is installed. This initial malware often does not yet contain any malicious function; it merely makes contact with a command-and-control (C2) server of the cybercriminals, then "sleeps" and waits for commands, typically checking in again at regular intervals (beaconing).
- After that, it begins to monitor the network, steal passwords and other access data via keyloggers, and exfiltrate personal and financial data to the internet. In further steps, other computers deeper inside the network can be infected (lateral movement); the initially compromised computer is then often used as a communication proxy for them.
Conversely, to keep attack vectors from being exploited, policies and processes must be put in place that make it as hard as possible for attackers, malicious hackers and criminals to find information about attack vectors and to exploit them.
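As an added example (not from the original article), detection logic for the "sleeping" implant described in the procedure above: a check-in with the command-and-control server on a fixed timer shows up in proxy or firewall logs as many small requests to one host with almost no variation in the gaps between them. The log lines, the client IP address and the host names below are constructed for the demonstration; the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log excerpt (made up for this example, not real traffic).
# Format: "<ISO timestamp> <client IP> <destination host> <bytes sent>".
# One host is contacted every ~5 minutes with a tiny request: a beacon pattern.
SAMPLE_LOG = """\
2024-03-01T08:00:00 10.0.0.15 update.example-cdn.net 412
2024-03-01T08:00:07 10.0.0.15 www.example.com 20588
2024-03-01T08:05:01 10.0.0.15 update.example-cdn.net 408
2024-03-01T08:09:58 10.0.0.15 update.example-cdn.net 415
2024-03-01T08:11:30 10.0.0.15 mail.example.com 9832
2024-03-01T08:15:00 10.0.0.15 update.example-cdn.net 410
2024-03-01T08:19:59 10.0.0.15 update.example-cdn.net 409
2024-03-01T08:20:03 10.0.0.15 www.example.com 1200
2024-03-01T08:25:02 10.0.0.15 update.example-cdn.net 411
"""


def parse_log(text: str) -> dict:
    """Group (timestamp, bytes) events by (client, destination host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, size = line.split()
        events[(client, host)].append((datetime.fromisoformat(ts), int(size)))
    return events


def find_beacons(text: str, min_hits: int = 5, max_jitter: float = 0.05,
                 max_bytes: int = 2048) -> list:
    """Flag client/host pairs with many small requests at near-constant intervals.

    Jitter is the relative standard deviation of the gaps between requests:
    human browsing has high jitter, an implant that wakes on a timer has very
    little (unless it randomises the interval deliberately).
    """
    findings = []
    for (client, host), evs in parse_log(text).items():
        if len(evs) < min_hits:
            continue
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        small = all(size <= max_bytes for _, size in evs)
        if jitter <= max_jitter and small:
            findings.append({"client": client, "host": host, "hits": len(evs),
                             "period_s": round(avg, 1), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {f['client']} -> {f['host']} "
              f"every {f['period_s']}s ({f['hits']} hits, jitter {f['jitter']})")
```

Real implants often add random sleep jitter and hide behind reputable-looking domains, so in practice the observation window is longer (hours to days), the thresholds are tuned per environment, and every hit is triaged against legitimate software updaters and monitoring agents, which check in on a timer too.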
3. What is the role of attack vectors and the attack surface?
Depending on the goal an attacker wants to achieve, the examination of the attack surface plays a crucial role.
For a server that is not reachable from the internet, the attack surface is completely different from that of a public web server. The choice of means also differs depending on the attack target and the available attack vectors, as well as on how these are rated with regard to the chances of success, the effort and the risk of being discovered.
Cybercriminals earn money by illegally attacking IT systems or the software services running on them in order to steal banking information, personal data, customer lists and company secrets. The targets are often corporate IT systems, such as employees' desktops, and the attack vectors regularly include social engineering activities such as phishing.
However, some cybercriminals have developed other, more sophisticated methods to monetise their attacks, such as compromising hundreds of thousands of IT systems to build a botnet that sends spam, conducts covert cyberattacks, mines cryptocurrencies or is simply rented out to other criminals. Given the large number of systems involved, attack vectors that can be highly automated are attractive, such as scanning the internet for IoT devices with weak security configurations, typically factory-default passwords that were never changed. The Mirai botnet, for example, spread by logging into internet-exposed IoT devices over Telnet with a short list of default credentials.
4. Typical attack vectors and examples
Phishing for passwords
Username and password remain the most commonly used credentials. They are considered compromised once they have become accessible to unauthorised persons. Phishing is a social engineering technique in which an email, SMS or chat message asks the recipient to enter their login details on a fake website. The fake website then forwards the stolen credentials to the attacker. Depending on the amount of preparation and "realism", this approach is unfortunately still quite effective today.
A very effective countermeasure to this attack vector is two-factor authentication (2FA) for logins. Note, however, that one-time codes (SMS, authenticator apps) can still be relayed in real time by a phishing site that proxies the genuine login; phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys bind the authentication to the legitimate site's origin and defeat this relay.
Exploiting misconfigurations
System configuration errors include, for example, setup pages that have not been deactivated, accounts with default usernames and passwords, insufficient hardening of reachable IT systems, system services that have not been disabled, or a faulty firewall configuration. Such misconfigurations are an easy entry point for attackers.
Malware such as Mirai, which logged into IoT devices over Telnet using factory-default passwords, illustrates this threat.
Countermeasures include sensible hardening baselines for operating systems and services, together with regular checks that systems still comply with them. Penetration testing also helps to uncover such attack vectors.
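As an added example (not code from the original article), a configuration check of the kind the countermeasure above calls for: a small sshd_config parser that compares the effective settings, including the values OpenSSH applies when a directive is missing, against a hardening baseline, run against a constructed weak configuration and its hardened counterpart. The baseline and both configurations are assumptions made for the demonstration; the default values are those documented in sshd_config(5).

```python
# Hardening baseline for sshd: directive -> accepted values. The baseline itself
# is an assumption made for this example; adapt it to your own policy.
BASELINE = {
    "PermitRootLogin": {"no", "prohibit-password"},
    "PasswordAuthentication": {"no"},
    "PermitEmptyPasswords": {"no"},
    "X11Forwarding": {"no"},
    "MaxAuthTries": {"3", "4"},
}

# Values OpenSSH applies when the directive is absent (see sshd_config(5)).
# A missing line is not "secure by omission": the default decides.
OPENSSH_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}


def parse_sshd_config(text: str) -> dict:
    """Return the global directives as {lowercase keyword: value}.

    Comments are stripped, "Key value" and "Key=value" forms are accepted,
    the first occurrence wins (as in sshd), and parsing stops at the first
    Match block because those settings apply only conditionally.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd(text: str) -> list:
    """List directives whose effective value (explicit or default) violates BASELINE."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, allowed in BASELINE.items():
        if directive.lower() in settings:
            value, source = settings[directive.lower()], "set explicitly"
        else:
            value, source = OPENSSH_DEFAULTS[directive], "implicit default"
        if value.lower() not in allowed:
            findings.append({"directive": directive, "value": value, "source": source})
    return findings


# Constructed configurations for the demonstration (not taken from a real host).
WEAK_CONFIG = """\
# minimal sshd_config as often found on appliances
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['directive']} = {f['value']} ({f['source']})")
```

The weak configuration produces four findings, two of which (MaxAuthTries, and PasswordAuthentication on a host that omits the line) come from defaults rather than from anything written in the file; this is why a hardening check must evaluate the effective configuration and not just grep for bad lines.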
Exploiting vulnerabilities in unpatched software
If an IT system, network device or application has an unpatched vulnerability, an attacker can exploit it to gain unauthorised access.
Since attacks on genuine zero-day vulnerabilities are rare compared with attacks on vulnerabilities for which a patch already exists, an effective countermeasure is to apply software patches and updates promptly.
Exploiting insider knowledge
Malicious or disgruntled employees can use their legitimate privileges to access networks and systems and obtain sensitive information such as customer lists (PII) and intellectual property (IP).
Countermeasures here are admittedly not that easy. Implementing the need-to-know principle when granting access rights helps, because it ensures that each employee really only has access to the information required for their current tasks; at least the damage can then be limited. In principle, UBA (User Behaviour Analytics) can also help to identify such cases, but in practice a clean implementation is quite challenging.
DDoS attacks
In DDoS attacks, victims are flooded with a huge volume of requests, rendering their IT system or network unusable, so that the services hosted there are no longer available to legitimate users. These attacks often target the web servers of financial, commercial and government organisations.
The most important DDoS countermeasures are the use of a DDoS mitigation provider with sufficient bandwidth that pre-filters the network traffic (a "scrubbing centre"), regionally distributed data centres, and the organisation's own filtering measures, for example a web application firewall (WAF). Note that a WAF helps mainly against application-layer floods; volumetric attacks that saturate the uplink have to be absorbed upstream.
Intrusion into buildings
In targeted attacks, attackers often use physical threat vectors to bypass strong digital controls. Since criminals count on IT security professionals having invested the most effort in the cyber domain, targeted attacks often switch to bypassing physical security barriers such as doors and windows. This also includes social engineering techniques, for example fooling the security team at the entrance gate into believing the attacker is a service technician or tradesman, or posing as a new employee and relying on a real employee to politely hold the door open as they enter the company building together.
5. How do I reduce the risk of attack vectors being exploited?
Criminals use a wide range of methods to penetrate corporate IT systems. Clearly, these methods are constantly evolving. The job of IT security and operations teams is to implement policies, tools and techniques that most effectively protect against these attacks. The following list is intended to highlight some effective protection mechanisms in this regard:
- Implement effective password policies. Ensure that usernames and passwords meet the correct criteria for length and strength, and that the same credentials are not used to access multiple applications and systems. Use two-factor authentication (2FA) wherever possible, especially for VPN access to the internal network and for administrative permissions.
- Install all updates. Immediately. Not next month. Now. Whenever a firmware or software update is released, the IT department should install it immediately. Very often, security patches are “hidden” in such updates, which the manufacturers do not make a big fuss about. Most serious security incidents currently involve the exploitation of a vulnerability that was somehow not patched promptly enough.
- Installing powerful EDR (Endpoint Detection and Response) software increases visibility on end systems, detects unusual behaviour and allows incident response measures to be initiated quickly. While this software does not perform miracles, it significantly restricts the freedom of movement of both opportunistic and targeted attackers.
- Regular auditing and testing of IT systems for vulnerabilities. IT vulnerability audits should be conducted at least quarterly, and an external IT security auditing firm should conduct penetration testing of IT resources at least annually. The lessons learned should be implemented in a timely manner (regular improvement).
- Train users. All new staff should receive comprehensive training on IT security policies and practices, and existing staff should receive refresher training annually. IT staff, especially in security, should be up to date on security policies and practices.
- Collaborate with HR. At least every two to three years, an external security firm should be engaged to review social engineering vulnerabilities. However, in the event of security incidents, the IT department should also seek contact with HR to discuss further training or education needs.
- Encrypt mobile devices and mobile media. Use vendor options for media encryption, such as BitLocker for Windows. Think also of SD cards, USB sticks and smartphones holding company data.
- Harden your IT. Validate the security configuration for operating systems, browsers, security software, firewalls and also edge devices such as sensors, smartphones and routers.
- Secure physical spaces. While most data breaches and security hacks target IT, physical spaces can also be breached. Data centres, servers in various corporate departments and remote offices, medical devices, on-site sensors and even physical filing cabinets in offices are all targets for hackers. They should be secured, protected and regularly audited.
Frequently Asked Questions
What is an attack vector?
An attack vector is a path or technique an attacker uses to exploit a security vulnerability and break into an IT system or software component. Typical attack vectors include phishing, misconfigurations, unpatched vulnerabilities, insider knowledge, DDoS attacks and physically breaking into buildings.
What is the difference between an attack vector and the attack surface?
An attack vector is a single path into a system, whereas the attack surface is the sum of all attack vectors of an IT system. The more attack vectors a system offers, the larger its attack surface, and the more options an attacker has to compromise it.
What are the most common attack vectors?
The most common attack vectors include phishing for passwords, exploiting misconfigurations, unpatched software vulnerabilities, insider knowledge, DDoS attacks and physical intrusion into buildings. Attackers frequently chain several attack vectors together.
How do attackers exploit attack vectors?
Attackers first identify a target system and gather information via OSINT, emails, malware or social engineering. They use this to map the attack surface and the best attack vectors, and then breach the security measures, often with inconspicuous malware that contacts a command-and-control server.
How can the risk of attack vectors being exploited be reduced?
Effective measures include strong password policies with two-factor authentication, installing all updates immediately, EDR software, regular vulnerability scans and penetration tests, user training, and encrypting and hardening devices and physical spaces.
What does a chained attack look like in practice?
To steal data, an attacker might first exploit an SQL injection in a web application, use a misconfigured DMZ firewall and an unpatched vulnerability to reach the database server, escalate privileges to administrator level, and then copy the entire database to an external server.