How are attack vectors and attack surfaces related?

Consuming threat intelligence alone isn’t enough to keep ahead of phishing, MITM, DDoS, and other cyber attacks. Security teams need continuous asset discovery reports over a defined attack surface to mitigate cyber risk. Cybercriminals exploit vulnerable assets through attack vectors. This blog discusses the connection between these two terms, which are often mistakenly used interchangeably.

What is an attack surface?

An attack surface is the sum of all the points in a technical architecture that a cybercriminal can break into to gain unauthorized access. It encompasses every vulnerability or security loophole at your endpoints, together with every combination of methods by which an attacker can trick your systems into bypassing security controls. An attack surface also includes users, because cybercriminals manipulate them using social engineering tactics.

Attack surface analytics is a risk assessment solution that gives insight into the size and nature of a company’s technical attack surface and its pockets of vulnerability.

Attack surface monitoring is another risk assessment solution that continuously gauges the size and composition of a surface and appraises the threat involved.

Types of attack surfaces

Attack surfaces are broadly categorized into three types.

1. Physical attack surface

These include all physical entry points to your systems, such as secured and unsecured ports, Wi-Fi networks, computers, laptops, mobile devices, IoT devices, USB drives, etc. Such points have vulnerabilities that can be exploited to attempt phishing or malware-injection attacks in order to steal or intercept confidential data or source code.

You can guard your company’s physical attack surface by deploying robust measures, especially where sensitive data is stored. Also, establish policies to get rid of unused hardware and confidential paper files.

2. Digital attack surface

This encompasses all internet-facing assets: dangling DNS records, databases, HTTPS websites, cloud instances, remote machines, third-party vendors accessing sensitive files, etc. Minimizing the pockets of vulnerability in a digital attack surface is complicated by remote locations and the involvement of cloud storage.

Understand the scope of an attack and devise a strategy for continuous asset discovery of known assets, unknown assets, third-party assets, and subsidiary assets. 
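One concrete form of this discovery, as an added example that is not part of the original post: parse Certificate Transparency style records for a domain (the records, hostnames, issuers and dates below are constructed), compare the hostnames found against the known inventory, and flag wildcard names and names whose newest certificate has already lapsed.

```python
import json
from datetime import datetime

# Constructed sample: CT-style log entries for the fictional domain example.com
# (field names modelled on crt.sh JSON output; every value is made up).
SAMPLE_CT_RECORDS = json.dumps([
    {"name_value": "example.com\nwww.example.com", "issuer_name": "Example CA R3",
     "not_after": "2025-02-01T00:00:00"},
    {"name_value": "API.example.com", "issuer_name": "Example CA R3",
     "not_after": "2024-11-15T00:00:00"},
    {"name_value": "staging-old.example.com", "issuer_name": "Example CA E1",
     "not_after": "2022-09-30T00:00:00"},   # never renewed: candidate abandoned host
    {"name_value": "*.vendor.example.com", "issuer_name": "Vendor CA",
     "not_after": "2024-12-31T00:00:00"},
    {"name_value": "notexample.com\nexample.org", "issuer_name": "Other CA",
     "not_after": "2025-06-01T00:00:00"},   # out of scope, must be ignored
])
# Assets the team already tracks (constructed inventory).
KNOWN_ASSETS = {"example.com", "www.example.com", "api.example.com"}

def discover_hosts(ct_json, domain):
    """Collect hostnames under `domain`, keeping the latest expiry per name."""
    hosts = {}
    for rec in json.loads(ct_json):
        expiry = datetime.fromisoformat(rec["not_after"])
        for name in rec["name_value"].split("\n"):
            name = name.strip().lower()
            # Exact match or a true subdomain; "notexample.com" must not match.
            if name != domain and not name.endswith("." + domain):
                continue
            if name not in hosts or expiry > hosts[name]["expiry"]:
                hosts[name] = {"expiry": expiry, "issuer": rec["issuer_name"]}
    return hosts

def triage(hosts, known, now_iso):
    """Sort names into known/unknown/wildcard; flag names whose newest cert expired."""
    now = datetime.fromisoformat(now_iso)
    report = {"known": [], "unknown": [], "wildcard": [], "expired": []}
    for name, info in sorted(hosts.items()):
        if name.startswith("*."):
            report["wildcard"].append(name)   # hides sub-hosts: a monitoring blind spot
        elif name in known:
            report["known"].append(name)
        else:
            report["unknown"].append(name)    # not in inventory: investigate ownership
        if info["expiry"] < now:
            report["expired"].append(name)    # no live cert: check for dangling DNS
    return report
```

Names in the unknown and expired lists are the ones to check first: an unknown host is an asset nobody is monitoring, and an expired one may be a forgotten service or a DNS record pointing at nothing.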

3. Human attack surface

Your people are the weakest link and the most vulnerable attack surface. The human attack surface is weaponized through social engineering techniques like phishing, smishing, vishing, etc.

Known and unknown risks can be managed proactively if your employees are aware of and educated about these threats and the risks involved in dealing with them.

What are attack vectors?

Attack vectors are the specific methods cybercriminals use to exploit vulnerabilities and breach or infiltrate your network or devices. They take many forms, including malware injection, ransomware, DDoS attacks, SQL injection, compromised credentials, man-in-the-middle attacks, etc. Some attack vectors target loopholes in your security and overall technical architecture, whereas others exploit the human element to gain access to a system.

For a mid-sized or large company, an attack surface can be widespread and include thousands of assets, which should be monitored regularly. Read more about 5 email security basics for every type of business here. Those basics include the use of the email authentication protocols SPF, DKIM, and DMARC.

Common types of attack vectors

Some of the commonly used attack vectors are:

Compromised access credentials

Cybercriminals steal your passwords or take advantage of stolen passwords already available on the dark web. People also tend to reuse the same password across accounts and devices, which increases the risk of losing all of them at once.

Train yourself and your employees in password hygiene: selecting, managing, and maintaining strong passwords. The use of two-factor authentication is also encouraged to stay ahead of cyber attacks.

Software vulnerabilities

Software vulnerabilities include unpatched devices and systems exposed to a zero-day vulnerability, uninstalled application updates, and hardcoded backdoor access. Cybercriminals can also exploit flaws in how applications build SQL queries (SQL injection) to gain unauthorized access to confidential information.

Insider threats

You never know whether an employee has malicious intentions and will expose sensitive details. Impose strict policies against such acts to avoid becoming a victim.

Phishing, Smishing, and Vishing

Phishing uses emails, smishing involves text messages or common messaging applications, and vishing uses voice calls or voice mails to manipulate targets into sharing sensitive details or making online transactions. 

Malware

Malware is short for malicious software and includes computer viruses, spyware, adware, ransomware, Trojan horses, etc. Malware can compromise devices and networks to corrupt, leak, intercept, or surveil data. Using antivirus and antispyware software and installing a firewall, an intrusion detection system (IDS), and an intrusion prevention system (IPS) help shield your company against malware attacks.

Denial of Service (DoS)

Denial of service is a cyber attack designed to flood a network with malicious traffic, causing websites or other online services to shut down temporarily or permanently. It is also attempted by sending inputs that take advantage of bugs in the target, ultimately crashing or severely disabling the system so that no one can access it.

Man-in-the-Middle (MITM) Attack

It’s an eavesdropping attack in which cybercriminals position themselves between two legitimate participants to intercept, modify, and manipulate their conversation, transaction, or data transfer. MITM attacks are attempted between people, servers, and devices by exploiting vulnerabilities in public Wi-Fi, SSL/TLS connections, routers, and default security settings.

Poor system configuration or encryption

Improper or mediocre configuration of software, applications, protocols, cloud services, and other resources causes data breaches, data leaks, malware injections, and system loopholes. Measures like SSL certificates and DNSSEC (Domain Name System Security Extensions) reduce the risk of man-in-the-middle attacks and help prevent phishing.

Relationship between attack vectors and attack surfaces

There is no attack surface without attack vectors: the surface is made up of all of your company’s devices, networks, non-SSL websites, etc. that a vector can reach. Fewer attack vectors mean a smaller attack surface, and vice versa. A comprehensive, well-devised cybersecurity strategy limits the attack vectors a threat actor can use and so manages the risk to your company’s attack surface. With proper insight and reports from asset discovery drills, and by knowing what’s out there on your network, you gain an expanded overview of the entire threat landscape.

Stay ahead of cybercriminals

Companies should adopt the ‘three-legged stool’ approach by investing in security, legal, and finance to ensure robust threat intelligence and management across systems and offices. Red Sift’s Hardenize continuously performs asset discovery round-ups and helps with certificate inventory, with support for Certificate Transparency Log analysis.

Our phishing takedown service reduces brand damage by detecting and acting promptly when your business is under cyber risk. Talk to our experts to get a free analysis of your attack surface today.

*Subject to availability

PUBLISHED BY

Red Sift

13 Jun. 2023
