Module 5: Threat Vectors & Attack Surfaces

Glossary of Terms

Threat Vector: The path or method an attacker uses to gain access to a target system or network. Examples include phishing emails, malicious websites, and infected USB drives. [cite: 4236, 4237, 4238]

Attack Surface: The sum of all possible points (vulnerabilities and entry points) where an attacker could potentially launch an attack against a system. [cite: 4238, 4454] Reducing the attack surface is a key defensive principle. [cite: 4456]

Social Engineering: A manipulative technique that exploits human psychology to trick individuals into divulging confidential information or performing actions that compromise security. [cite: 4268, 4485]

Phishing: A social engineering attack that uses fraudulent emails, messages, or websites to trick individuals into revealing sensitive information like passwords or financial details. [cite: 4260]

Smishing: A type of phishing that uses SMS (text messages) as the threat vector to deliver malicious links.

Vishing: A type of phishing that uses voice calls to deceive victims into revealing sensitive information.

Spear Phishing: A highly targeted form of phishing that focuses on a specific individual or group, using personalized information to make the attack more convincing. [cite: 4504, 4505]

Whaling: A specialized form of spear phishing that targets high-level executives (the "big phish" or "whales") to steal sensitive corporate information or initiate fraudulent fund transfers. [cite: 4507]

Zero-Day Vulnerability: A vulnerability in software or hardware that is unknown to the vendor and has not been patched. Attackers can exploit it before a fix is available. [cite: 4272, 4346]

Supply Chain Attack: An attack that targets vulnerabilities in an organization's supply chain, such as compromising a software vendor to distribute malware through legitimate updates. [cite: 4281, 4473, 4478]

Insider Threat: A threat originating from within an organization, such as an employee or contractor who intentionally or unintentionally misuses their authorized access. [cite: 4278]

Steganography: The technique of hiding malicious code or secret data within an ordinary, non-secret file or message (like an image) to avoid detection. [cite: 4318]

Core Concepts: Vectors and Surfaces

The Fortress Analogy

Imagine your computer system is a fortress holding valuable assets. [cite: 4236] An attacker wants to get inside.

  • A Threat Vector is the **path or method** the attacker uses to breach the fortress walls. It's the "how" of the attack—like using a grappling hook, a battering ram, or a secret tunnel.
  • The Attack Surface is the **sum of all possible entry points and weaknesses** in the fortress. It's every door, window, weak spot in the wall, and unguarded gate combined.

The relationship is dynamic: a threat vector is used to exploit a vulnerability within the attack surface. [cite: 4481] The goal of a defender is to understand the potential vectors and minimize the attack surface as much as possible.

Threat Actor Motivations

The type of threat vector used often depends on the attacker's motivation. [cite: 4232] The cyber threat spectrum includes:

  • Hacktivism: Using cyberattacks to advance a political or social cause. [cite: 4245]
  • Crime: Stealing personal information or extorting victims for financial gain. [cite: 4247]
  • Insider Threats: Misusing legitimate access for personal, financial, or ideological reasons. [cite: 4248, 4278]
  • Espionage: Nation-state actors stealing sensitive state secrets or intellectual property. [cite: 4250]
  • Terrorism & Warfare: Sabotaging critical infrastructure or military systems. [cite: 4251, 4252]

Digital Threat Vectors

Message-Based Vectors

Messages are a primary way attackers deliver malicious content because they exploit a user's trust and curiosity. [cite: 4294]

  • Email: This is one of the most common vectors. Attackers use phishing emails designed to look legitimate to trick users into clicking malicious links or downloading infected attachments. [cite: 4295, 4296]
    Case Study: The DNC email hack, a sophisticated attack, still relied on the cost-effectiveness and high success rate of phishing emails to gain initial access. [cite: 4301]
  • SMS (Smishing): Attackers send text messages with malicious links, pretending to be from a reputable source like a bank or delivery service. [cite: 4302]
    Case Study: The threat group "Scattered Spider" used smishing as part of their strategy to carry out data breaches against companies like MGM and Okta. [cite: 4306, 4307]
  • Instant Messaging (IM): Platforms like WhatsApp, Signal, and social media DMs are now common vectors for delivering phishing links or impersonating contacts to steal information. [cite: 4309, 4312]

File, Image, and Voice Vectors

  • File-Based: Malicious code is hidden within seemingly harmless files like PDFs, Word documents (using macros), or executables disguised as legitimate software. [cite: 4325, 4327, 4328]
  • Image-Based (Steganography): Malicious code is embedded within an image file in a way that is invisible to the naked eye. [cite: 4318] The code is executed when the image is opened by vulnerable software. [cite: 4319]
  • Voice-Based (Vishing): Attackers use phone calls to socially engineer victims into revealing sensitive information. [cite: 4334] They may also exploit vulnerabilities in Voice over IP (VoIP) systems to eavesdrop on calls. [cite: 4335]
  • Removable Media: A classic vector where malware is spread through infected USB drives or external hard drives. The malware can be programmed to run automatically when the device is plugged in. [cite: 4338, 4340]

System & Network Vectors

Software & System Vulnerabilities

Attackers exploit flaws in the software and systems that organizations rely on.

  • Unpatched Vulnerabilities: Even when a security patch is available, many systems remain unpatched, leaving them open to known exploits. [cite: 4348]
  • Zero-Day Vulnerabilities: These are flaws unknown to the software vendor, meaning no patch exists. [cite: 4346] They are particularly dangerous because defenders have no direct way to fix them. [cite: 4347]
  • Unsupported Systems: Legacy systems and applications that no longer receive security updates from the vendor are permanently vulnerable to any new threats discovered. [cite: 4350]
  • Default Credentials: Many devices and applications ship with default usernames and passwords (like `admin`/`password`). [cite: 4371] Attackers often scan for these as an easy way to gain access. [cite: 4373]

Unsecured Networks & Open Ports

  • Unsecured Wireless Networks: Public Wi-Fi is notoriously insecure, allowing attackers to intercept data using on-path attacks or packet sniffing. [cite: 4354, 4356]
  • Bluetooth: Leaving Bluetooth enabled when not in use can allow attackers to connect to your device and steal data through techniques like Bluesnarfing. [cite: 4359, 4360]
  • Open Service Ports: Every open port on a server is a potential door for an attacker. [cite: 4362] Services that use unencrypted protocols are especially risky:
    • Telnet (Port 23): Unencrypted remote access. Should be replaced with SSH. [cite: 4364]
    • FTP (Port 21): Transmits data and credentials in clear text. Should be replaced with SFTP or FTPS. [cite: 4366]
    • HTTP (Port 80): Unencrypted web traffic. Should always be redirected to HTTPS. [cite: 4368]
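
The open-port guidance above can be turned into a host audit. The following is an added example, not part of the original module: it parses listening-socket output in the format of `ss -H -tln`, flags the three cleartext services listed, and separates network-reachable listeners from loopback-only ones. The sample output and all function names are constructed for illustration.

```python
import ipaddress

# Cleartext services named above, with the replacement this module recommends.
CLEARTEXT = {
    23: ("Telnet", "SSH"),
    21: ("FTP", "SFTP or FTPS"),
    80: ("HTTP", "HTTPS"),
}

# Constructed sample of `ss -H -tln` output (not captured from a real host).
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 32 127.0.0.1:21 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 192.168.1.10%eth0:80 0.0.0.0:*
"""

def split_local(field):
    """Split the Local-Address:Port column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    return addr, int(port)

def is_exposed(addr):
    """True when the socket is reachable from other hosts (not loopback-only)."""
    if addr == "*":  # wildcard bind on all interfaces
        return True
    return not ipaddress.ip_address(addr).is_loopback

def audit(ss_output):
    """Return one finding per listener on a cleartext port, exposed ones first."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip headers, blank lines and anything malformed
        addr, port = split_local(cols[3])
        if port in CLEARTEXT:
            service, replacement = CLEARTEXT[port]
            findings.append({"port": port, "service": service, "bind": addr,
                             "exposed": is_exposed(addr),
                             "replace_with": replacement})
    # Network-reachable listeners add the most attack surface, so list them first.
    return sorted(findings, key=lambda f: (not f["exposed"], f["port"]))

if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        scope = "network-reachable" if f["exposed"] else "loopback only"
        print(f"{f['service']} on {f['bind']}:{f['port']} ({scope}): "
              f"replace with {f['replace_with']}")
```

A port number only suggests which protocol is running, so treat each finding as a prompt to confirm the service before disabling or replacing it.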

Human-Centric Vectors: Social Engineering

The Art of Deception

Social engineering is the use of psychological manipulation to trick people into making security mistakes or giving away sensitive information. It preys on human vulnerabilities like trust, urgency, and fear.

Phishing in its Many Forms

Phishing is the most common form of social engineering. While standard phishing casts a wide net, there are more targeted and sophisticated variants:

  • Spear Phishing: A targeted attack against a specific individual or group. The attacker uses personal information (gathered from social media or data breaches) to craft a highly convincing and personalized message.
  • Whaling: A type of spear phishing aimed at high-profile targets like CEOs and CFOs. The goal is often to trick them into authorizing large fraudulent wire transfers.
    Case Study: The Bangladesh Bank heist involved threat actors using social engineering to attempt the fraudulent transfer of nearly $1 billion, successfully stealing $81 million.
  • Business Email Compromise (BEC): An attack where a criminal compromises or impersonates a business email account to trick employees or partners into making unauthorized financial transactions.
  • Impersonation & Misinformation: Attackers may pretend to be someone else (like a support technician) or spread false information to manipulate a target's actions.

Understanding Attack Surfaces

What Makes Up the Attack Surface?

An attack surface is the sum of all points where an attacker could potentially exploit vulnerabilities. The goal for defenders is to reduce this surface as much as possible. Examples include:

  • Network Interfaces: Every connection point, like Wi-Fi, Ethernet, and Bluetooth.
  • Software Interfaces: APIs, libraries, and any other channels that allow software to interact.
  • User Inputs: Web forms, login screens, and file upload fields.
  • Physical Access: Unlocked server rooms or unprotected hardware.

The Supply Chain Attack Surface

The supply chain includes all third-party vendors, suppliers, and software that an organization uses. A supply chain attack occurs when an attacker compromises a trusted third party to gain access to the final target. [cite: 4281] This is a particularly dangerous attack surface because it bypasses the target's direct defenses.

Case Study - SolarWinds: In one of the most significant supply chain attacks, Russian state-sponsored actors compromised the software company SolarWinds. They injected malicious code into a legitimate software update for the Orion IT management tool. This trojanized update was then sent out to thousands of SolarWinds customers, including U.S. government agencies, giving the attackers a backdoor into their networks. [cite: 4473]
Case Study - Bit9: Bit9, a security company, was compromised by attackers who then used the company's own systems to try to authorize malware on its customers' machines. This highlights how an attack on a vendor can undermine the very security product its customers rely on. [cite: 4475, 4477]
