The method an attacker uses to reach a system is called a threat vector (also called an attack vector). It is important to keep your knowledge of the newest threat vectors current, because attackers are finding new ways in every day!

Let's break down the most common threat vectors attackers use to compromise systems today.

Message-Based Vectors


Message-based threat vectors are among the most common, easiest, and most successful ways attackers compromise a system. They don't have to crack any passwords. They just send a malicious message via an IM service, email, or SMS and wait until someone clicks it.

One of the most common message-based attacks is phishing. Attackers attach malicious files directly to emails. It is crucial to scan all attachments and never open untrusted links.

Social engineering is also important here. Watch out for invoice scams! Scammers pose as a real business, copying its logo, and send fake invoices with changed payment details so that your money ends up with the scammer.

Image-Based Vectors

These threat vectors are much harder to identify, because the malicious payload is hidden inside an image (steganography).

For example, SVG (Scalable Vector Graphics) files are risky because they are XML-based text documents that can contain <script> tags, which makes them programmable documents that execute code in the browser when rendered. This creates a very good opportunity for cross-site scripting (XSS) attacks.
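
As an added example (not code from the original notes), here is a small Python check that parses an SVG before it is served inline and reports the active content described above: <script> elements, event-handler attributes such as onload, javascript: links, and foreignObject (embedded HTML). The two sample SVGs are constructed for the example.

```python
"""Flag SVG files that carry active content (script elements, event-handler
attributes, javascript: links, embedded HTML) before serving them inline.
Constructed example for this article; not code from the original post."""
from __future__ import annotations
import xml.etree.ElementTree as ET

# Element names that let an SVG run or embed code when a browser renders it.
ACTIVE_TAGS = {"script", "foreignObject"}


def _local(qualified: str) -> str:
    """Strip an XML namespace of the form {uri}name down to name."""
    return qualified.rsplit("}", 1)[-1]


def svg_findings(svg_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing active
    was found. Unparseable input is reported rather than silently accepted."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):          # onload, onclick, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    return not svg_findings(svg_text)


# Constructed samples: a plain drawing, and one with active content.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'
ACTIVE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    "<script>/* runs when the browser renders this file */</script>"
    '<a xlink:href="javascript:void(0)"><text>link</text></a>'
    "</svg>"
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("active", ACTIVE_SVG)):
        print(label, svg_findings(doc) or "no active content found")
```

A safer deployment choice is to serve user-supplied SVGs as downloads or via an <img> tag rather than inline, since browsers do not run scripts for SVGs loaded as images.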

Injection attacks can be performed with images too: attackers can hide malicious code in images and inject it into a website!

File-Based Vectors

We are all afraid of .exe files. But malicious code doesn't just live in executable files; it can hide in formats we use every day.

  • Adobe PDF: A highly complex file format that can contain other embedded objects.
  • ZIP/RAR files: Compressed archives that can contain many different nested files, making scanning difficult.
  • Microsoft Office: Documents (Word, Excel) loaded with malicious macros or add-in files.

Voice Call Vectors

Our mobile phones are another threat vector for attackers.

  • Vishing (voice phishing): Phishing over a phone call to extract sensitive information.
  • Spam over IP: Launching large-scale, automated phone calls over VoIP.
  • War dialing: Automatically dialing ranges of phone numbers to find unsecured modems. It mainly targets legacy systems, but it can still be used today.
  • Call tampering: Interfering with an active voice call, for example by disrupting audio quality, dropping the call, or intercepting its content.

Removable Device Vectors


Sometimes the threat bypasses the firewall entirely and walks right through the front door via a USB port. The USB drive you found on the ground outside could well have been placed there intentionally by an attacker. Never plug an unknown USB drive into your computer.

This is very useful for an attacker who wants to gain access to an air-gapped system.

Attackers can also use a USB device to inject commands into your system, because a USB device can present itself to the computer as a keyboard (Rubber Ducky)!

Data exfiltration is also possible with USB drives! Imagine you have an air-gapped system. Someone walks in, plugs in a USB drive, copies the data, and walks out the door.

Vulnerable Software Vectors

Software flaws are open invitations for attackers.

  • Client-based: Infected executables on a user's machine that exploit known (or unknown) vulnerabilities; defending against this requires constant patching.
  • Agentless (Server-side): Compromised software on a server (like web-based applications). This is highly dangerous because a single compromised server affects all connected users.

Unsupported Systems Vectors

Patching is the most important action you have to take! An unsupported, unpatched PC is a threat vector for us.

Outdated operating systems are very dangerous and can be an open entry point for an attacker into the company's network. When a system reaches end-of-life, the manufacturer no longer releases security fixes for it.

Unsecure Network Vectors

The network connects everything, making it a prime target for reconnaissance and access.

  • Wireless: Outdated security protocols (WEP, WPA) or open/rogue Wi-Fi networks.
  • Wired: Unsecure physical interfaces. Without protocols like 802.1X, an attacker can simply plug a cable into a wall jack and access the network without any form of authentication.
  • Bluetooth: Frequently used by attackers for reconnaissance and exploiting implementation vulnerabilities.

Open Service Ports

Every open port is a potential vulnerability for us.

  • TCP/UDP ports: Most network-based services listen on an "open" port.
  • Expanding the attack surface: Every new application has its own open port. Firewall rules must be strictly configured to allow traffic only to the necessary open ports.
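
As an added example that is not part of the original notes: a Python check that parses `ss -tuln` style output (the sample below is constructed) and reports listeners reachable from the network that are not on the allow-list of ports the firewall is meant to expose. The allow-list and the sample output are assumptions for the example.

```python
"""Compare a host's listening sockets against an allow-list of ports the
firewall is meant to expose, and report anything else reachable from the
network. Constructed example for this article; not from the original post."""
from __future__ import annotations

# Ports the host is supposed to expose (assumption for this example).
ALLOWED = {("tcp", 22), ("tcp", 443)}
LOOPBACK = {"127.0.0.1", "[::1]"}        # not reachable from the network


def parse_ss(output: str) -> list[tuple[str, str, int]]:
    """Parse `ss -tuln` style output into (proto, address, port) tuples."""
    sockets = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0]
        addr, port = fields[4].rsplit(":", 1)     # handles [::]:8080 too
        sockets.append((proto, addr, int(port)))
    return sockets


def exposed_unexpected(output: str, allowed=ALLOWED) -> list[tuple[str, str, int]]:
    """Listeners bound to a non-loopback address that are not on the allow-list."""
    return [
        s for s in parse_ss(output)
        if s[1] not in LOOPBACK and (s[0], s[2]) not in allowed
    ]


# Constructed sample of `ss -tuln` output.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080         [::]:*
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, addr, port in exposed_unexpected(SAMPLE):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

Each unexpected listener is either a service that should be shut down or a port that the firewall rules must explicitly decide about.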

Default Credentials

When we buy a device, it comes with a default username and password! These defaults are known to attackers, who can easily look up the default credentials for any router or access point on sites like routerpasswords.com. Always change the defaults immediately!

Supply Chain Vectors

If a target is too secure, attackers will target the underlying infrastructure or the target's vendors instead.

  • Managed Service Providers (MSPs): Compromising an MSP gives an attacker access to many different customer networks from one single location.
  • Vendor Access: The infamous 2013 Target credit card breach occurred because attackers gained access through the company's HVAC (heating and ventilation) vendor.
  • Counterfeit networking equipment: Suppliers might unknowingly sell hardware (like counterfeit Cisco Catalyst switches) with backdoors installed or substandard performance.

Conclusion

Keeping up to date on attack vectors is very important for the Blue team! If you want to protect a system, you need to know how attackers are trying to get in so that you can block them.

Note: This article is a summary of my personal study notes and research conducted while preparing for the CompTIA Security+ certification.