
Attack Vectors and Attack Surfaces explained

Attack Vectors and Attack Surfaces - what's the difference?

In IT Security, two industry terms deserve a bit of explaining. They are:

  1. Attack Vector
  2. Attack Surface

What is an Attack Vector?

An “Attack Vector” is the IT industry’s term for the path that a hacker or a piece of malware might follow to infiltrate your IT network and compromise your data. Attack Vectors exploit systemic vulnerabilities and human flaws to enable an attacking entity to access, monitor, ransom, corrupt, or steal sensitive information.

There are many paths cyber criminals might take to breach an IT network. In May 2021, the Conti ransomware gang (also known as Wizard Spider) attacked the Irish Health Service Executive (HSE). This incursion disrupted patient services for weeks across the country and is expected to cost Ireland more than US$100 (AU$139) million to recover from. The government refused to pay the US$20 (AU$28) million ransom, and the breach caused dozens of outpatient services to be cancelled and a COVID-19 vaccine portal to be closed.

Cyber security teams were compelled to turn off around 85,000 computers after detecting the attack and spent many weeks trying to bring Ireland’s public healthcare IT system back online. In the meantime, access was cut off to patient information, laboratory, clinical care, payroll, and procurement systems. With normal communication channels such as email and networked phone lines also temporarily suspended, health workers and admin staff were forced to switch to pen and paper, mobile phones, fax, analogue phones, and face-to-face meetings to keep services running.

Ransomware such as the strain that hit Ireland’s health service follows an Attack Vector that exploits email networks and human fallibility. Successful deployment of ransomware typically requires the targeted users to be persuaded into taking actions they would normally avoid, including bypassing the security protocols designed to limit their organisation’s risk and exposure.

In the case of the HSE breach, the attack targeted a workstation via a phishing email that contained a link to a malicious Microsoft Excel file. The user of the workstation made the error of clicking links to what seemed to be safe and legitimate content. The mistake allowed cyber criminals to access HSE’s IT environment and detonate the Conti ransomware around two months later.

Attack Vectors can also be chained in sequence, such as when compromised access credentials and phishing are used together. Compromised access credentials include weak passwords, shared passwords, and passwords exposed to unauthorised entities. Meanwhile, phishing refers to a hacking/cybercrime tactic where a malicious entity pretending to be safe and/or legitimate lures people into sharing sensitive personal data such as passwords, credit card details, and Personal Identification Numbers (PINs). Phishing can be orchestrated over email, text messages, and even voice calls.

In the massive 2020 SolarWinds breach, the attack vectors included compromised credentials and exploitable security vulnerabilities in software such as SolarWinds Orion. Having gained access to the SolarWinds infrastructure – possibly via a compromised Microsoft Office 365 account – the hackers were able to inject malicious code into Orion updates. The malicious code created a backdoor into a customer’s IT system that allowed the hackers to steal data, conduct espionage operations, and install further malware.

Once SolarWinds customers (which include international government agencies and Fortune 500 companies) updated their Orion software, the malicious code also infected their IT networks. Considered the largest and most sophisticated cyber-attack in history, the SolarWinds data breach affected more than 200 organisations such as Microsoft, VMWare, NATO, the European Parliament, and a large swathe of the U.S. federal government.

Note that the SolarWinds hack was carried out within a highly secure environment used by tech giants, financial institutions, and even security agencies. In contrast, many attack vectors run through far less protected, more crime-susceptible routes.

Many apps downloaded from unofficial (and sometimes official) app stores can contain malware, just like the malicious code injected into the Orion update. Malware packaged within an app inherits all the permissions granted to the app at installation. Developers of these infected apps target lazy, greedy, pirating or broke users who rarely verify the quality and source of the apps. You could informally call this Attack Vector “Vulnerable users by choice”.

Common Types of Attack Vectors

Attack Vectors come in many shapes, forms, and sizes. While a standard way of naming and classifying them has yet to be established, here are some of the most common types:

1. Compromised Access Credentials

The simplest example of access credentials is your typical username and password. These credentials often get lost, stolen, or exposed through causes such as phishing and data leaks from third-party sites. Because many users reuse their company password when signing up to personal services, your corporate network can become a target when a third party’s user database is compromised and its username/password data stolen.

2. Weak, Reused, or Shared Passwords

Weak passwords, without multi-factor authentication enabled, allow determined hackers to access and compromise a user account through what is known as a Brute Force attack (defined later in this article). Once inside your network, an attacker will try to move laterally to identify resources they can compromise in other ways.

3. Software Vulnerabilities

Software vulnerabilities include unpatched devices and systems with newly discovered flaws for which no fix yet exists (zero-day vulnerabilities), uninstalled application updates, and hardcoded backdoor access. Applications that build SQL queries – SQL being the language used to query and manage databases – from untrusted input can also be exploited, through SQL injection, to gain unauthorized access to sensitive information such as customer credentials.

4. Insider Threats

Bad actors such as employees with malicious intent might wilfully expose their organisation to cyber attacks by sharing access credentials, compromising security controls, or instigating the attack themselves. 

5. Phishing via Email, Phone, or SMS Texting

Phishing is a tactic used to trick people into sharing sensitive personal information such as bank account numbers, credit card details, PINs, and passwords. Aside from emails, phone calls, and text messages, phishers also use social networks, forums, and the comment sections of blogs to plant malicious links that lure victims into sharing sensitive data.

6. Ransomware & other Malware

Malware refers to any piece of software intentionally designed for malicious purposes. Examples include computer viruses, ransomware, spyware, wipers, adware, and Trojan horses. Malware can compromise an individual computer or an entire network of computers, files, servers, and databases. It can be used to access, surveil, leak, corrupt, destroy, steal, or lock/hijack sensitive data.

7. Denial of Service (DoS)

Denial of Service refers to a cyber attack designed to overwhelm, slow down, restrict access to, or crash networked systems such as websites, online services, servers, and data centres. Perpetrators of DoS attacks use synthetically generated traffic to flood and disrupt access to a web property. A Distributed Denial of Service (DDoS) occurs when multiple devices or systems are used to execute a more powerful and coordinated attack against a targeted web service. As its name implies, a successful denial-of-service is where an Internet-based or networked resource has become virtually inaccessible to its intended users because of the volume of traffic it is receiving.

8. Poor System Configuration/Poor Encryption Methods

Improper or mediocre configuration of applications, cloud services, and other networked resources makes data breaches, data leaks, and malware infection easier for cyber criminals. Bad practices such as using default access credentials and failing to add security measures like multi-factor authentication worsen your organisation’s exposure to malicious hacking. Meanwhile, implementing best encryption practices goes a long way. Methods such as TLS (SSL) certificates and DNSSEC (Domain Name System Security Extensions) help protect the confidentiality and integrity of data in transit and significantly reduce the risk of Man-in-the-Middle attacks. Missing or poor encryption protocols expose sensitive data to bad actors.

9. Man-in-the-Middle (MITM) Attack

Man-in-the-Middle attacks are the cyber version of eavesdropping, where the malicious entity positions itself between two legitimate participants to intercept, influence, and manipulate their conversation, transaction, or data transfer. MITM attacks occur between people, servers, and client devices with the aim of extracting sensitive information and/or dealing damage to one or both of the legitimate participants. MITM attacks exploit weaknesses in public WiFi connections, SSL/TLS connections, local area networks (LAN), HTTPS connections to websites, routers with unchanged default security settings or vulnerable firmware, and even your own computer when it is infected with eavesdropping malware/spyware.

10. Brute Force

A brute force attack uses a trial-and-error approach to discover passwords, encryption keys, login information, and other access credentials by working through all possible combinations. In a brute force attack, the malicious entity aims to gain unauthorized access to a system or an account through relentlessly repeated attempts. The method sounds crude, but it has a high success rate, and many attempts now use automated programs, scripts, and bots. While success depends on the attacker’s tools and determination, it also depends on the strength or weakness of the intended victim’s passwords, data encryption, security/authentication protocols, and other access points.
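The relentlessly repeated attempts described here, and in the weak-password section above, are exactly what a security team looks for in its authentication logs. The following is an added example, not part of the original article: it runs a simple sliding-window detection over constructed sshd-style log lines (not real data), and the thresholds of five failures per minute and more than three distinct accounts per source are assumptions to be tuned to your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not real data: a fast burst against one account that
# finally succeeds, a spray across four accounts, and two slow, unrelated failures.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for alice from 203.0.113.5 port 50001
2024-03-01T10:00:02 sshd[101]: Failed password for alice from 203.0.113.5 port 50002
2024-03-01T10:00:03 sshd[101]: Failed password for alice from 203.0.113.5 port 50003
2024-03-01T10:00:04 sshd[101]: Failed password for alice from 203.0.113.5 port 50004
2024-03-01T10:00:05 sshd[101]: Failed password for alice from 203.0.113.5 port 50005
2024-03-01T10:00:06 sshd[101]: Accepted password for alice from 203.0.113.5 port 50006
2024-03-01T10:00:10 sshd[102]: Failed password for bob from 198.51.100.7 port 40001
2024-03-01T10:00:11 sshd[102]: Failed password for carol from 198.51.100.7 port 40002
2024-03-01T10:00:12 sshd[102]: Failed password for dave from 198.51.100.7 port 40003
2024-03-01T10:00:13 sshd[102]: Failed password for erin from 198.51.100.7 port 40004
2024-03-01T10:30:00 sshd[103]: Failed password for frank from 192.0.2.9 port 30001
2024-03-01T11:30:00 sshd[103]: Failed password for frank from 192.0.2.9 port 30002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+) port \d+$")

def parse(log_text):
    """Yield (timestamp, result, user, source_ip) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def detect(log_text, window_s=60, max_failures=5, max_users=3):
    """Return {source_ip: set(findings)}. 'brute_force': >= max_failures failures from
    one source inside window_s seconds; 'password_spray': failures against more than
    max_users distinct accounts in the window; 'success_after_failures': a login
    accepted from a source already flagged, which is the event worth paging on."""
    failures = defaultdict(list)      # source_ip -> [(timestamp, user), ...]
    findings = defaultdict(set)
    for ts, result, user, ip in sorted(parse(log_text)):
        # Keep only this source's failures that still fall inside the sliding window.
        recent = [(t, u) for t, u in failures[ip] if (ts - t).total_seconds() <= window_s]
        failures[ip] = recent
        if result == "Failed":
            recent.append((ts, user))
            if len(recent) >= max_failures:
                findings[ip].add("brute_force")
            if len({u for _, u in recent}) > max_users:
                findings[ip].add("password_spray")
        elif ip in findings:
            findings[ip].add("success_after_failures")
    return dict(findings)
```

The two slow failures from 192.0.2.9 fall outside the one-minute window and are not flagged, which is the trade-off every threshold of this kind makes against low-and-slow guessing; account lockout and multi-factor authentication are what close that gap.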

What is an Attack Surface?

Your Attack Surface is shorthand for the total possibility of compromise across all the physical and virtual devices (servers, switches, wireless access points, computers and even IoT devices like a networked thermostat), both within and outside your network, that handle some or all of your data, plus your websites, your software and your users. Now imagine all the attack vectors that each of those components is exposed to: that is your Attack Surface. It is unique to every entity.

It is very important to periodically map your Attack Surface to be sure you have locked down as many attack vectors as you can. Here are some key elements that will help you do that:

  1. Know where all the valuable data created or used by your company resides and how it is handled, both by your users and automatically behind the scenes of your network. This kind of data includes patents and other intellectual property, trade secrets, market data, product specifications, personal information, access keys, passwords, corporate organisation and networks, PINs, financial information, bank/credit card details, etc.
  2. Review the security controls and tools that protect the valuable data – including encryption type, data validation and integrity checking and access auditing.
  3. Conduct an audit of data-heavy enterprise applications such as personnel, customer, financial and vendor management systems and databases. If your data is in the cloud, how does your provider protect it? Where do they store it? Is the data encrypted at rest, so that even if it were stolen, it would be unusable?
  4. Review the security measures and tools that protect the above routes and methods — including user authorisations and access restrictions. Are you following industry best practice in allowing only qualified users access to your data?
  5. Examine physical security controls such as guards, locks, biometric devices, IDs and security cameras.
  6. Patch technical security controls such as firewalls, routers, network access devices, and proxy servers.
  7. Examine whether the use of signatureless malware detection software would be beneficial. This type of software, such as CrowdStrike Falcon, can detect anomalous behaviour on your network and stop it soon after it starts.
  8. Review operational/administrative security controls such as IT security awareness training among personnel, BYOD (especially mobile devices) policy, browsing restrictions on networked devices, policy on portable drives and other storage devices, incident management protocols, etc.
  9. Conduct an audit of in-house staff, temporary hires and interns, contractual personnel, walk-in guests/vendor representatives, and all other normal human traffic in your organisation.

Obviously, there are a lot of areas to cover. The smaller you can make your Attack Surface, the harder it will be for a malicious actor to compromise it. Consider talking to a trusted information security consultant about how you can identify and strengthen the weakest points in your Attack Surface to make your company a less appealing and more difficult target for cyber criminals.

Regularly defining and mapping out your Attack Surface is good practice. Doing so ensures that relevant changes such as software updates, personnel turnovers and onboarding, new industry regulations, hardware upgrades, and data migration events are all accounted for. Mapping out your Attack Surface periodically will also allow you to take proactive steps in preventing breaches or minimising losses if a breach does happen.

Prevention is better than disclosure…

If you don’t have a full picture of your points of vulnerability, you may end up losing weeks and many thousands of dollars trying to get your data back after a ransomware attack. Worse, you may lose the trust and future business of your customers if your data breach is made public (which is required by the Australian government in certain cases).

In accordance with the Notifiable Data Breach (NDB) scheme, organisations regulated by the Privacy Act 1988 must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach involving personal information is likely to result in serious harm. Failure to comply with the scheme can incur fines of up to $2.1 million.

The Notifiable Data Breach scheme can create certain difficulties for those organisations that are negligent about their cyber security. But for conscientious businesses, the NDB scheme is invaluable — thanks to its semi-annual cybercrime reports that help you make your network security more robust.

The NDB’s Report for July to December 2021 revealed a 6% increase in breach notifications, from 438 in the prior six-month period to 464.

Here are some key takeaways from the report:

  1. Malicious attacks accounted for 55% (256) of the reported data breaches.
  2. Breaches due to human error saw a significant rise (43%) from 133 incidents to 190.
  3. The health sector remains the highest reporting sector (accounting for 18% of reported breaches), followed by finance (12%).
  4. A significant share (11%) of organisations that experienced a breach were not aware of the threat until more than a year later.

Conclusion

Cyber criminals are getting bolder and better at what they do. While some get caught, the rest just continue doing what they do best: wreaking havoc on IT networks for profit or the simple “joy” of disruption.

In the same year Ireland’s public health system was paralysed by ransomware, state-sanctioned hackers attempted to disrupt the roll-out of COVID-19 vaccines by breaching the IT systems of the European Medicines Agency and then leaking sensitive data. On the other side of the Atlantic, the DarkSide ransomware attack succeeded in paralysing the Colonial Pipeline, an 8,800-km fuel line that supplies 45% of the US East Coast’s fuel. Facing pressure from all fronts, Colonial Pipeline paid DarkSide the AU$6.1 million ransom it demanded.

In Australia, organisations such as Canva and the Australian National University have endured significant and troubling breaches in the past few years.

If you are determined to ensure your business does not end up on the wrong side of the statistics, start by mapping your vulnerabilities with an Information Security Audit from a trusted Managed Network Security provider like Computer One.  We will help you design the best mix of data protection tools and security controls to keep you out of a cyber criminal’s grasp.
