What Do Attackers Look for in an Attack Vector?

During the holiday season of 2013, high-level managers at Target were horrified to learn that attackers had succeeded in compromising 40 million credit cards, and customers were already seeing fraudulent charges from their cards. Now, almost a decade later, the infamous Target breach still offers critical insights into the attacker’s mindset and the exploitative use of attack vectors, particularly in third-party security vulnerabilities. The incident underscores the critical importance of understanding potential vulnerabilities and the necessity of comprehensive security measures in today’s cybersecurity landscape.

 When the breach dust had settled, the company paid an $18.5 million settlement on top of $200 million in costs from the data breach itself. Many top-level executives, including the CEO, were fired. Company profits for Q4 of 2013 – the holiday season in which retailers make most of their sales – plummeted by 46%.

So, how did attackers succeed in executing one of the largest data breaches in history at a company that had invested in multiple, state-of-the-art cybersecurity solutions? Although these solutions were meant to defend against sophisticated attacks, the attack on Target was quite simple. Attackers were able to gain access to credit card data through the compromised credentials of a third party. This created an entry point, or attack vector, for attackers to execute their attack. 

What is an Attack Vector?

Attack vectors are entry points, or windows left open that enable attackers to gain unauthorized access to your system or network. Attackers exploit attack vectors to gain unauthorized access to an organization’s system and networks, enabling them to then access encrypted data, steal data, and cause data breaches.

For example, internet ports have numbers that are used to identify connection endpoints. Some ports, such as Port 80 or SMTP Port 25, are recommended to keep open, while others should be kept closed. When these ports are accidentally kept open, it signals to attackers that they are available to receive information.

In the case of Target, attackers were able to enter the network through a phishing attack that compromised the login credentials(source) set by their third-party HVAC contractor. This compromised password gave the attackers direct access to Target’s payment system. Using a malware program, the cybercriminals then gathered the credit card information of millions of customers.

How Do Attackers Gain Unauthorized Access to Sensitive Data?

Although attackers prefer to use the easiest entry point to launch an attack, they often use combinations of multiple attack vectors and methods to exploit system vulnerabilities. For example, the Target attack used a combination of malware and compromised credentials (e.g. the attack vector) from a third party (e.g. method) to launch attacks.

To simplify things, however, we can generally split vector attacks into two main categories:

• Active attacks – These attacks involve the attacker changing or disrupting an organization’s system or operations. An active attack could include malware, ransomware, domain hijacking, email spoofing, brute force attacks that target weak passwords, exploiting unpatched vulnerabilities and DDoS attacks.
• Passive attacks – These attacks involve monitoring your system and network to wait for you to accidentally “leave the window open”, so to speak. Since passive attacks do not involve an attacker making any changes to your system, they can be difficult to detect. A passive attack could include phishing, social engineering, and typosquatting.

Attackers can be from both internal sources, such as disgruntled employees, or external sources, such as hacktivists or state actor groups. They can be motivated by money, political ideology, the need to damage the competition, or the desire to launch cyber warfare against an enemy state.

9 of the Most Common Attack Vectors

Although the most common cyber attack vectors include phishing, malware and unpatched vulnerabilities, attackers often combine different cyber attack vectors and methods to increase their chance of successful attacks.

To make it more straightforward, however, we’ve listed a few of the main attack vectors and methods below.

1) Phishing attacks

Phishing attacks are social engineering attacks launched via emails, texts, or phone calls in which attackers pose as trusted members of a known brand, entity, or even your own organization. The goal of these attacks is to entice the victim into giving the attacker sensitive information, personally identifiable information (PII) or login credentials. In the case of the Target attack, the HVAC login credential was compromised after a successful phishing attack.

2) Malware

Malware, short for malicious software, includes the use of trojans, viruses, worms or any other type of software system to gain access to an organization’s computer system, or network. Malware can inflict serious damage at scale if they gain access to a command and control server, which they could use to install the malware on thousands of computer systems to launch other types of cyberattacks. Although Target had previously installed anti-malware software on their systems, the malware ran undetected long enough to gather the credit card details of millions of customers.

3) Unpatched vulnerabilities

In the era of IoT, cloud migration and digital transformation, there are increasing numbers of devices, software systems and applications with vulnerabilities. Although patches are available, 66% of security leaders report that they have a backlog of more than 100,000 vulnerabilities. The highest-risk vulnerabilities can take three to five weeks to patch on average. In the meantime, however, your organization’s system and network are exposed.

4) Missing or weak encryption

Data encryption methods such as SSL certificates and Rivest-Shamir-Adleman (RSA) encryption ensure that data is converted to a code or ciphertext and cannot be read by unauthorized parties. Unencrypted data, as in the case of Target, makes it easier for attackers to steal data. As part of the settlement after the breach, Target was ordered to use third-party encryption for its credit card data, so that if an attacker gained access again, the data would be unreadable.

5) Compromised and stolen credentials

Weak passwords are an easy entry point for attackers since they can target them in your organization as well as your third and fourth parties. According to data from NordPass, the most common password in 2022 was “password” followed by “123456”. With so many additional common attack vectors available for attackers to gain access to sensitive data, it shouldn’t be surprising that nearly half of all data breaches involve stolen credentials.

The Target attack successfully entered Target’s payment systems through one of the most common attack vectors: the compromised credentials of a third party.

6) Misconfigurations

Misconfigurations occur when there are errors in the configuration of a device, application or system. For example, when a server is configured incorrectly, it can expose user config files, allowing access to additional files on the server and even admin access. Using default credentials is another common error that leads to attacks. According to CheckPoint, nearly a quarter of cybersecurity attacks in the cloud alone are a result of misconfigurations.

7) Insider threats

Disgruntled employees, as well as former employees, are potential insider threats to be considered. Since they are authorized users, they have had access to your network and can handle sensitive information which they can potentially use to facilitate an attack. Due to their familiarity with the inner workings of the system, these individuals understand exactly what type of information would be valuable to competitors, or which could place your organization in a negative light.

8)Third parties

Today’s increase in the use of third-party vendors and services gives attackers even more opportunity to execute cyberattacks. Since these organizations often have access to your network and services and sensitive data, they pose a risk to your organization. Many mistakenly limit third parties to vendors, but they include your software providers, partners, suppliers, and consultants. Commonly used software vendors such as Asana, Salesforce and Zoom, for example, are attractive third-party targets for cybercriminals because they enable them to attack a large number of targets at once. 

9) Cross-site scripting attacks

In cross-site scripting attacks, cybercriminals cunningly inject malicious code into a web application, specifically targeting users through harmful JavaScript code. Effectively impersonating these users, attackers carry out tasks and access private data. The threat becomes particularly severe when the targeted user has privileged access, as this could allow the attacker to obtain full control over the application, magnifying the potential risk and harm.

3 of the Most Common Attack Methods

Whereas attack vectors refer to the entry point that attackers use to access your system, attack methods are the techniques attackers use to access your system. 

For example:

1. DDoS Attacks

DDoS attacks, or distributed denial of service attacks, attempt to disrupt or halt your organization’s site, services or resources by overloading it with network traffic. Attackers employ botnets, or multiple computer systems, to generate the amount of traffic required for this type of attack.

2. Brute Force Attacks

A brute force attack attempts to crack a login or another entry point by trying all combinations of passwords or session IDs to access encrypted data until it is successful. Generally, these attacks are executed using automated tools. Once a brute force attack is successful, the next step for attacks is to gain privileged access to reach additional parts of your network.

3. Zero-Day Attacks

These are attacks that occur before the vulnerability is made public as a CVE (Common Vulnerabilities and Exposures) and a patch has not yet been released. According to reports by Mandiant, zero-day vulnerabilities nearly doubled between 2020 and 2022, with the vast majority targeting products such as operating systems and browsers from Google, Microsoft and Apple.

What are the Best Practices for Defending Your Attack Vectors?

Security teams need to be several steps ahead to guard against attackers and protect their computer systems and network. Although attackers’ methods are constantly evolving, there are still many classic methods organizations can employ to defend themselves.

These include:

• Make sure your login credentials are strong. Password managers can help you create passwords that are long, strong and unique. Ensure you change all factory default login settings.
• Deploy multi-factor authentication (MFA). This provides an additional layer of protection for any system requiring a username and password. MFA is also a requirement for meeting PCI DSS compliance and security frameworks such as NIST.
• Employ network separation. Network separation entails having different controls for different zones of your network so that they can only be accessed to users who need them. In the case of Target, the IT department had decided to combine Target’s operational system and payment system, which enabled attackers easy access to credit card information.
• Update software and devices regularly. Updating ensures you have the latest patches and security features available. This includes your antivirus and firewall, which can help defend against zero-day attacks.
• Monitor your third parties regularly. Attackers can infiltrate your network due to weak passwords, poor security controls, and old versions of software of your third parties. 

How Panorays Can Help

Panorays helps you defend against your extended attack surface by automating, accelerating and scaling your third-party security evaluation and management process. This allows you to quickly and easily manage, mitigate and remediate risk and reduce breaches.

Want to learn more about how you can manage your third-party risk with Panorays? Get started with a Free Account today.

FAQs