It’s no surprise that cyber attacks are on the rise. The sheer volume of attacks — along with the increase in ransomware, business email compromise, and other kinds of attacks — has steadily ticked up year after year. Cybercrime is now the number one global business risk, rakes in trillions for cybercriminals, and has advanced far beyond simple “scam emails” and brute-force attacks.
As the landscape shifts, it’s important to look at how threat actors are launching these sophisticated attacks, and while there’s certainly talk about (and evidence for) more complicated methods, it turns out hackers are overwhelmingly sticking to tried-and-true methods.
According to the Verizon 2023 Data Breach Investigations Report, the three primary methods of attack, also known as initial attack methods or root point of compromise, are breaches involving external actors, breaches involving the human element, and breaches involving credentials. If we break down those categories further, we get three major tactics: stolen credentials, phishing, and vulnerability exploits.
It makes sense these attack vectors are coming out on top, as they represent three areas of the attack surface that are often left unguarded by organisations — individual passwords, user behavior, and unpatched vulnerabilities combined with zero-day exploits. In addition, all three are interconnected. A social engineering attack can lead to stolen credentials which can be used after a vulnerability is exploited. They are three tools in the toolbox threat actors can use as they make their way into and through an organisation’s system.
Before we look at the specifics, it’s important to look at the terms themselves.
What Is an Attack Vector?
An attack vector is the way a threat actor gains access to a network, system, or endpoint. If ransomware is the kind of attack, the way the threat actor was able to deploy that ransomware would be the attack vector. An attack vector can also be called a root point of compromise, meaning the initial entry point method leveraged by a threat actor.
Attack Vector vs. Attack Surface
An attack surface is not the vector a threat actor utilises, but the total avenues available to them in a system. If an organisation uses email, the cloud, IoT devices, internet-connected endpoints, and other digital devices, all those components would make up the attack surface.
Attack Vector vs. Threat Vector
Attack vector and threat vector are similar terms, but threat vector is more hypothetical. Phishing, generally, is a threat vector. If an organisation is breached through a phishing attack, the investigation would state that phishing was the attack vector.
Three Common Attack Vectors Used by Cybercriminals
The Continued Use of Credential Theft
Credential theft has a long history in cybercrime and has become a more popular initial access method as the world has digitised. Not only are passwords everywhere (email, applications, business folders, bank accounts, etc.) but most users tend to lack password hygiene or can unknowingly give away access through social engineering.
Arctic Wolf has seen similar trends in our incident investigations, with our 2023 Arctic Wolf Labs Threat Report listing “historic compromise” as the root point of compromise for 7% of all incidents. In addition, business email compromise (BEC), a cyber attack method that relies on compromised credentials, skyrocketed in 2022, accounting for 29% of Arctic Wolf Incident Response cases.
Methods to Prevent Credential Theft
While prevalent, credential theft can be prevented in a few different ways.
1. Enable Multi-Factor Authentication (MFA)
If credentials are used by a threat actor during an attack, MFA can not only prevent a successful login but help alert an organisation to an unusual or fraudulent login attempt, especially if the organisation has monitoring solutions in place. Arctic Wolf saw that over half of BEC cases last year did not have MFA in place, highlighting how important this simple access control can be.
2. Implement a Zero Trust Strategy
A step above MFA is zero trust — often referred to as zero trust network access (ZTNA) — which removes implicit trust and implicit access from all users and applications. It requires verification for access to any application or asset, regardless of the user, and can prevent lateral movement. An attack may gain initial access through stolen credentials but will be prevented from moving through the system by another login pop-up or other access control put in through a zero trust strategy.
3. Utilise Security Training for Users
Strong password hygiene isn’t automatic, it’s a skill users need to learn. A strong security awareness training program can help them make decisions that will protect their assets, prevent their credentials from ending up for sale on the dark web, and help them spot social engineering tactics that could lead to them giving away the keys to the kingdom.
4. Phishing Attacks
Phishing can come in multiple forms. From spam phishing to spear phishing to even smishing, it all refers to a fraudulent message from a threat actor with the intention of gaining access or stealing information from a user. While the concept may be well known, that hasn’t stopped users from falling prey.
In 2022, Arctic Wolf saw that 12% of investigated incidents (non-BEC) were caused by phishing. According to a recent Arctic Wolf survey, 89% of respondents have been targeted by malicious messages in the last twelve months. Phishing has also become more sophisticated, and therefore harder to spot. Current common techniques include:
- Spoofing email addresses from known individuals
- Sending well-crafted messages
- Impersonating well-known brands or individuals
- Creating authentic-looking spoofed websites
Hackers continue to use this tactic for two reasons: it’s simple and it works.
How to Defend Against Phishing Attacks
1. Security Awareness Training
Because phishing relies so much on psychology, training users to spot suspicious messages can prevent a small error that turns into a large breach. Education is the main defense for this kind of tactic.
2. Subsequent defenses including MFA and email filters
Again, only users can stop a phishing attack from being initiated, but technical tools like email filters and MFA can prevent further escalation.
The Verizon DBIR saw that 83% of breaches involved external actors, with vulnerability exploit as the top vector. Vulnerabilities are growing in sheer volume year after year, and vulnerability exploits are, by far, the biggest attack vector threat actors use.
Arctic Wolf saw 45% of all their 2022 incidents stem from software exploits, and four of the five top exploited vulnerabilities weren’t even from 2022. These vulnerabilities lay dormant, waiting for savvy hackers to strike, and if an organisation isn’t staying on top of vulnerability scans and patching, it’s like swimming in waters you know are filled with sharks.
How to Prevent Vulnerability Exploits
Vulnerability management is the ongoing process of identifying, assessing, and remediating vulnerabilities within your network or systems. It’s an ongoing process, and can include specific techniques like scanning, patching, remediating, and more.
Other Attack Vectors Hackers Use
Just because they aren’t making headlines doesn’t mean threat actors aren’t utilising these other, less common attack vectors. All organisations should be on the lookout for, and protect against, the following:
As the pandemic caused a rise in remote work, this type of attack vector surged in use. It can take the form of a locked PDF which requires your account password to “open”— effectively harvesting your credentials — or a malicious macro embedded in a Microsoft Office document. These documents are commonly used in phishing scams.
Supply Chain Attacks
No matter how strong your own cybersecurity measures are, you’re only as strong as your weakest partner, vendor, or supplier. In today’s interconnected digital world, third-party risk is growing fast. Numerous high-profile data breaches in recent years have highlighted the implications of a vendor breach, as well as demonstrated that cybercriminals target suppliers with weak security postures as entry points into other organisations.
Watering Hole Attacks
This is where a threat actor chooses a website regularly visited by users of the targeted organisation and installs malware on it. Then they wait — like an alligator in a watering hole — for a user to visit the infected site.
This high-tech form of eavesdropping involves a cybercriminal getting between you and the party to which you’re attempting to send your data or information. This is typically done via Wi-Fi that is either poorly protected or totally unprotected. Once on the network, cybercriminals can deploy tools to capture credentials, launch malware, or destroy data. These attacks have risen as remote work has increased and users are more often turning to coffee shops and other public locales to get their work done.
There can be many motivations behind an insider threat, such as espionage, theft, or just revenge, but the actions are always the same. A known user within an organisation’s network uses their access to steal data, steal credentials, or launch a cyber attack.
Lack of Encryption
If assets are highly sensitive, not only should access to them be restricted, but the files themselves should be encrypted — even with a simple password requirement — to prevent them falling into the wrong hands. Hackers are looking for data to steal, sell, or hold ransom, so keeping that data locked away in the digital safe should be a best practice.
Distributed Denial of Service (DDoS) Attack
This attack, conducted from the outside, allows a threat actor to overload a server with traffic, crashing the server. This kind of attack is often carried out by bots.
The Benefits of a Proactive Cybersecurity Strategy
As mentioned above, all three of these attack vectors are interconnected. But they have another commonality — they can be mitigated utilising proactive cybersecurity measures. Organisations often find themselves stuck in a cycle of reaction, where threats are dealt with whack-a-mole style, leaving IT departments without the time or resources to prevent the threats from ever entering the system.
By taking a step back and looking at your security environment as an interconnected whole, your organisation can start to understand where gaps lie and what needs to be done to be proactive and prevent future threats. This will increase your organisation’s security posture, further it along a personalised security journey, and create a better cybersecurity architecture.
Learn more about proactive security with the Arctic Wolf guide.
Explore attack vectors, and their prevention measures, in-depth with the Arctic Wolf Lab’s 2023 Threat Report.
Understand how Arctic Wolf takes an operational approach to cybersecurity.