Prominent cyberattacks in recent years have run the gamut from the secretive surveillance of Superfish spyware to the upfront disruption of the WannaCry
Cybercriminals constantly refine and update their tactics, techniques, and procedures (TTPs), but many of the attack vectors (the paths that attackers take) are recurring themes in cybersecurity incidents.
Each attack vector requires specific countermeasures, but best practices across the board entail a mix of technology, people, and procedures. Here are some of the most common vectors and strategies for getting ahead of attackers.
The Top Five Cyberattack Vectors
1. Malware
Researchers discover millions of new malware samples every month, according to the independent IT security institute AV-TEST. Since this threat vector is always evolving, staying secure from these attacks demands constant vigilance.
Attackers deploy malware through various means, such as malicious email attachments and hijacked network communications protocols (e.g., Server Message Block in the case of WannaCry).
Defending against malware requires a combination of user training and advanced detection and response techniques. Many cases require human interaction for the malware infection or execution to take place. Since email is the most common distribution method for malware, cybersecurity training will help your employees spot suspicious files and requests.
Beyond that, the best way to prevent malware threats is through endpoint detection and response (EDR). The key is to implement 24/7 monitoring and have a response team ready to follow refined processes to hunt down threats that bypass your perimeter.
If your organization runs a lean IT or security team, a managed detection and response (MDR) service from a third-party provider is a cost-effective alternative to a solution deployed in-house.
2. Phishing
Like all social engineering techniques, phishing relies on human interaction. In many cybersecurity incidents, phishing is the first step. Cybercriminals use this attack vector for a variety of schemes that range from stealing money to deploying malware.
A phishing attempt most frequently occurs over email with instructions for the recipient to click a link, open an attachment, send money to a bank account, or supply sensitive information such as a username-password combo.
To combat these attacks, you can implement phishing prevention at different stages of an attack: before, during, and after a user's engagement.
Before: At the exploit stage of the kill chain, use an anti-spam or other email security solution to check for suspicious URLs and block messages containing malware or spam.
During: Educate employees on how to identify suspicious emails based on cues such as typos, unusual email addresses, and long URLs. Train users on how to handle potential phishing attacks and put in place procedures for forwarding these emails to your IT team.
After: Additional protections such as two-factor authentication can guard accounts with stolen passwords. Network sensors can also detect attempts to connect to command-and-control sites, which are often involved in multi-stage malware attacks.
3. Compromised credentials
Several other reports have estimated that billions of stolen credentials are available on the dark web, the result of both unprotected databases and cyberattacks. The website Have I Been Pwned, which enables people to check if their email/password logins are compromised, contains more than 500 million passwords that were exposed as a result of data breaches.
Cybercriminals use this attack vector not only because it's much easier to gain access to sensitive and valuable information once inside an organization, but also because they can wreak a great deal of havoc before they're detected.
One method is credential stuffing, a type of brute-force attack that uses raw computing power and automation to repeatedly attempt password combinations until finding the right login. This tactic has been on the rise since 2018, and last year saw several major attacks involving credential stuffing.
As with other threat vectors, you need to use multiple defensive layers to protect against compromised credentials. To follow best practices, companies should:
- Enforce strong password requirements
- Adopt multi-factor authentication
- Limit user privileges based on roles
- Monitor user behavior to spot unusual activity
- Implement strict controls for admin accounts
Additionally, countermeasures specifically against brute-force attacks include setting a low number of consecutive login attempts before lockout, and requiring manual CAPTCHA input.
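As an added illustration of the two credential controls above (consecutive-failure lockout, and monitoring for the unusual activity that credential stuffing produces), the following example is not from the original article. It runs over constructed login records, and the threshold values are hypothetical policy choices.

```python
from collections import defaultdict

# Constructed sample records (not real data): "<epoch> <user> <src_ip> <ok|fail>".
# One source tries five different accounts once each; another hammers one account.
SAMPLE_LOG = """\
1000 alice 203.0.113.7 fail
1001 bob 203.0.113.7 fail
1002 carol 203.0.113.7 fail
1003 dave 203.0.113.7 fail
1004 erin 203.0.113.7 fail
1005 frank 203.0.113.7 ok
1100 alice 198.51.100.9 fail
1101 alice 198.51.100.9 fail
1102 alice 198.51.100.9 fail
1103 alice 198.51.100.9 fail
1104 alice 198.51.100.9 ok
1200 bob 192.0.2.5 ok
"""

LOCKOUT_THRESHOLD = 3   # hypothetical: consecutive failures per account before lockout
STUFFING_ACCOUNTS = 5   # hypothetical: distinct accounts failing from one source ...
STUFFING_WINDOW = 60    # ... within this many seconds

def parse(log):
    """Turn the log text into (timestamp, user, ip, success) tuples in arrival order."""
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((int(ts), user, ip, result == "ok"))
    return events

def consecutive_lockouts(events, threshold=LOCKOUT_THRESHOLD):
    """Per-account lockout: the streak resets on success and the account locks when it
    reaches `threshold`. Attempts against a locked account are rejected even when the
    password is right, which is what stops a guessing run. Returns (locked, rejected)."""
    streak, locked, rejected = defaultdict(int), set(), []
    for ts, user, ip, ok in events:
        if user in locked:
            rejected.append((ts, user))
            continue
        streak[user] = 0 if ok else streak[user] + 1
        if streak[user] >= threshold:
            locked.add(user)
    return locked, rejected

def stuffing_sources(events, min_accounts=STUFFING_ACCOUNTS, window=STUFFING_WINDOW):
    """Flag a source IP once failures against >= min_accounts distinct accounts fall within
    `window` seconds. This is the credential-stuffing pattern that per-account lockout
    never sees, because each account fails only once."""
    failures, flagged = defaultdict(list), set()
    for ts, user, ip, ok in events:
        if ok:
            continue
        failures[ip].append((ts, user))
        recent = {u for t, u in failures[ip] if ts - t <= window}
        if len(recent) >= min_accounts:
            flagged.add(ip)
    return flagged
```

The stuffing source (203.0.113.7) triggers no lockout at all, while the single-account guesser locks alice out and has her later correct login rejected; the two controls catch different behaviours and are meant to run together.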
4. Outdated and unpatched systems
Software that's not up to date is a magnet for exploitation. Just ask Equifax. An unpatched vulnerability in its Apache Struts web framework led to the breach of 145 million social security numbers, addresses, driver's license numbers, and credit card numbers.
Researchers identify new vulnerabilities daily, not only in software but also in hardware and firmware. It's critical to stay on top of these discoveries so threats don't greet you unexpectedly.
Vulnerability scans help identify systems in need of patches. And the NIST Cybersecurity Framework recommends using risk-management processes to remediate vulnerabilities based on priorities.
However, patching all vulnerabilities in a timely manner is a tall order and not feasible for most organizations.
To address this, implement a risk assessment process to figure out which software and systems pose the biggest risks to your organization. This process involves conducting a complete inventory of your IT infrastructure so you know what you're trying to protect and what you should scan for vulnerabilities.
Keep in mind that vulnerability scanning and patching are a continuous process, not something you should do simply "on a schedule."
5. Supply chain vendors
In today's interconnected, digital world, third-party risk is growing exponentially. Numerous high-profile data breaches in recent years have highlighted the implications of a vendor breach, as well as demonstrated that cybercriminals target suppliers with weak security posture as an entry point into another organization.
No matter how strong your own cybersecurity measures are, you're really only as strong as your weakest partner, vendor, or supplier. Third-party infrastructure is outside of your control, but mitigating third-party risk is not. You can minimize your exposure through proactive measures:
- Require suppliers to maintain certain cybersecurity standards through your service agreements.
- Validate the suppliers' security posture through audits, metrics, and other tools.
- Implement policies that require scanning and monitoring your vendors' devices once they're connected to your network.
- Use a threat detection and response solution to monitor your environment for anomalies.
MDR protects against all attack vectors
Many organizations struggle with threat mitigation. Detection itself can take months, and a strong response may require additional weeks of coordination. And the window of opportunity is growing: in 2019, the average time to identify a breach (206 days) and contain it (73 days) increased 5%.
That gives attackers ample time to exploit these various attack vectors and compromise your assets and environment.
For teams that don't have sufficient in-house resources or simply want to outsource part of their security and focus on more strategic priorities, managed detection and response (MDR) providers offer a start-to-finish solution for identifying, detecting, responding to, and recovering from cyberattacks. MDR provides you 24/7 protection and a team of experienced analysts, enabling you to scale your security based on your needs.