The Top Cyber Attack Vectors Organizations Face


Recent research by Arctic Wolf has revealed that, within the last 12 months, 48% of organizations identified evidence of a successful breach within their environment. As The State of Cybersecurity: 2024 Trends Report highlights, “To fully understand the gravity of this statistic, it is important to understand that, although 48% of these environments found evidence of a data breach, that does not inversely mean that 52% of organizations did not suffer a breach.” In fact, only 35% of surveyed organizations feel confident that they did not suffer a breach in the past 12 months.

The sheer volume of cyber attacks — ransomware, business email compromise (BEC), and others — has steadily ticked up year after year. Cybercrime is now the number one global business risk, rakes in trillions for cybercriminals, and has advanced far beyond simple “scam emails” and brute-force attacks.

As the landscape shifts, it’s important to look at the attack vectors threat actors are using to launch their attacks. But first, let’s clarify a few terms.

What Is an Attack Vector?

An attack vector is the way a threat actor gains access to a network, system, or endpoint. If ransomware is the kind of attack, the way the threat actor was able to deploy that ransomware would be the attack vector. An attack vector can also be called a root point of compromise, meaning the initial entry point method leveraged by a threat actor.

Attack Vector vs. Attack Surface
An attack surface is not the vector a threat actor utilizes, but the total avenues available to them in a system. If an organization uses email, the cloud, IoT devices, endpoints, and other digital devices, all those components would make up the attack surface.

Attack Vector vs. Threat Vector
Attack vector and threat vector are similar terms, but threat vector is more hypothetical. Phishing, generally, is a threat vector. If an organization is breached through a phishing attack, the investigation would state that phishing was the attack vector.

The Top Three Attack Vectors Used by Cybercriminals

While there’s certainly talk about (and evidence for) more complicated methods, it turns out threat actors are overwhelmingly sticking to tried-and-true methods. According to the Arctic Wolf Labs 2024 Threat Report, the three primary cyber attack vectors are external remote access, external exposure, and user action. If we break this data down further, we see that:

  • 39% of incidents responded to by Arctic Wolf® Incident Response over the past 12 months were external remote access, in which the threat actor leveraged something like a brute-force attack, password spraying, or previously compromised credentials in a public-facing application, tool, or protocol to access the victim’s IT environment
  • 25.6% were the exploitation of a known, unpatched vulnerability or zero-day
  • 24.4% were user action, in which a user falls prey to phishing or other social engineering attacks, downloads malicious software by accident or on purpose (malicious insider), or exhibits poor credential security

It makes sense that these attack vectors are coming out on top, as they represent three areas of the attack surface that are often left under-defended by organizations — credentials, user behavior, and unpatched vulnerabilities. In addition, all three are interconnected. For example, a social engineering attack can lead to compromised credentials, which can then be used after a vulnerability is exploited. They are the three major strategies threat actors use as they make their way into and through an organization’s systems.

External Remote Access: Compromised Credentials

Compromised credentials have a long history in cybercrime and have become a more popular attack vector as the world has digitized. Not only are passwords everywhere (email, applications, business folders, bank accounts, etc.) but most users tend to lack strong password hygiene and too often unknowingly give away their access through social engineering tactics.

The Arctic Wolf Labs 2024 Threat Report found that 46.3% of non-BEC attacks were driven by compromised credentials, with 7.3% of them being instances where historically compromised credentials were used to gain direct access to a victim’s environment.

In addition, BEC, a cyber attack method that relies heavily on compromised credentials when used as part of a larger attack, skyrocketed in 2023, with 70% of organizations we surveyed revealing they were the targets of attempted BEC attacks in the last year, and BEC incidents accounting for nearly 30% of the total incidents investigated by Arctic Wolf Incident Response.
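The two external remote access patterns named above, brute force against one account and password spraying across many, leave different footprints in authentication logs, and a successful login from a source that was just failing is the event identity monitoring should surface. The following is an added example, not code from Arctic Wolf or the report; it assumes a constructed, simplified log format and hypothetical thresholds that a real deployment would tune.

```python
"""Flag brute-force and password-spraying patterns in authentication logs.
Added illustration, not Arctic Wolf's code; the log format is a constructed one:
"<ISO timestamp> <source_ip> <username> <SUCCESS|FAILURE>"."""
from collections import defaultdict

# Constructed sample: 203.0.113.5 hammers one account (brute force), 198.51.100.7
# tries many accounts once each and then lands a login (spray), 192.0.2.9 is benign.
SAMPLE_LOG = """\
2024-05-01T08:00:01 203.0.113.5 alice FAILURE
2024-05-01T08:00:02 203.0.113.5 alice FAILURE
2024-05-01T08:00:03 203.0.113.5 alice FAILURE
2024-05-01T08:00:04 203.0.113.5 alice FAILURE
2024-05-01T08:00:05 203.0.113.5 alice FAILURE
2024-05-01T08:01:00 198.51.100.7 alice FAILURE
2024-05-01T08:01:01 198.51.100.7 bob FAILURE
2024-05-01T08:01:02 198.51.100.7 carol FAILURE
2024-05-01T08:01:03 198.51.100.7 dave FAILURE
2024-05-01T08:01:04 198.51.100.7 erin SUCCESS
2024-05-01T08:02:00 192.0.2.9 frank FAILURE
2024-05-01T08:02:05 192.0.2.9 frank SUCCESS
"""

def parse(log_text):
    """Yield (source_ip, username, succeeded); timestamps are dropped for brevity."""
    for line in log_text.splitlines():
        _ts, ip, user, result = line.split()
        yield ip, user, result == "SUCCESS"

def classify_sources(events, single_user_failures=5, distinct_user_failures=4):
    """Map suspicious source IPs to a pattern and any accounts they then logged into.
    brute_force: many failures against one account; password_spray: failures spread
    across many accounts, few per account. A login from a flagged source is the alert."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    successes = defaultdict(set)                       # ip -> users that logged in
    for ip, user, ok in events:
        if ok:
            successes[ip].add(user)
        else:
            failures[ip][user] += 1
    verdicts = {}
    for ip, per_user in failures.items():
        pattern = None
        if max(per_user.values()) >= single_user_failures:
            pattern = "brute_force"
        elif len(per_user) >= distinct_user_failures and max(per_user.values()) <= 2:
            pattern = "password_spray"
        if pattern:
            verdicts[ip] = {"pattern": pattern,
                            "accounts_logged_in": sorted(successes.get(ip, ()))}
    return verdicts
```

Running `classify_sources(parse(SAMPLE_LOG))` flags both attacking sources and shows that the spraying source went on to log in as one account, which is exactly the login MFA enforcement would have blocked.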

How to Prevent Credential Compromise
While prevalent, the compromising of user credentials can be prevented in a few different ways.

1. Enforce Multi-Factor Authentication (MFA)
If credentials are used by a threat actor during an attack, MFA can not only prevent a successful login but also help alert an organization to an unusual or fraudulent login attempt, especially if the organization has identity monitoring solutions in place. However, in recent years, attackers have also developed methods — from simple MFA fatigue to intercepting one-time passcodes (OTPs) — of bypassing legacy MFA techniques. In the face of these threat actor innovations, it’s imperative for organizations to not just implement modern MFA, but to enforce it — particularly the proven and widely supported passwordless approaches based on the FIDO2 set of specifications.

2. Implement a Zero Trust Strategy
MFA is an access control that falls under the zero trust framework, which removes implicit trust and implicit access from all users and applications. Zero trust requires verification for access to any application or asset, regardless of the user, and can prevent lateral movement. An attacker may gain initial access through stolen credentials but will be prevented from moving through the system by another login prompt or other access control implemented by a zero trust strategy.

3. Utilize Identity and Access Management Best Practices
People are a major part of any organization, and therefore a critical component of an organization’s security architecture and attack surface management. What these users have access to, what they do with that access, and how that access is or isn’t controlled can be the difference between a secured environment and one full of unlocked doors.

External Exposure: Vulnerability Exploitation

180%. That’s how much vulnerability exploitation increased year-over-year, according to Verizon’s 2024 Data Breach Investigations Report. Anyone who follows cybersecurity news will find this unsurprising, given the dominance of the MOVEit Transfer vulnerability in 2023. Initially exploited as a single zero-day by the Cl0p ransomware group, additional vulnerabilities in MOVEit were later discovered and leveraged by threat actors around the world, demonstrating the importance of robust cybersecurity practices for businesses relying on file transfer software.

But zero-day vulnerabilities like those found in MOVEit are quickly becoming the exception. They may grab headlines and star in IT and security teams’ worst nightmares; however, recent research reveals that only 3.4% of incidents investigated by Arctic Wolf leveraged a zero-day exploit.

The real vulnerability danger lies in known, existing vulnerabilities. Arctic Wolf noted that 29% of all incidents they responded to in 2023 exploited a vulnerability, with 60% of those having first been identified in 2022 or earlier, meaning organizations had anywhere from months to years to patch the affected system or remove its external access. These vulnerabilities lay dormant, waiting for savvy attackers to strike.

How to Prevent Vulnerability Exploits

There are multiple ways organizations can put themselves in a better position when it comes to vulnerabilities, including:

  • Perform host-based vulnerability scanning to patch and remediate severe risks
  • Regularly update software and patch software when patches become available
  • Focus on risk-based vulnerability remediation and mitigation

What all these methods have in common is they are part of a robust vulnerability management program.

Because every organization has different and variable security and business needs, the goal of vulnerability management should not be to eliminate every possible vulnerability, but to take a risk-based approach that reduces risk over time. One way to do that is to look for the five riskiest kinds of vulnerabilities that can appear. They are:

1. Remote Code Execution
2. Hardcoded Credentials
3. Denial of Service
4. Directory Traversal
5. Privilege Escalation

However, vulnerability management can be overwhelming for organizations to achieve solely in-house, especially as vulnerabilities grow in volume and organizations move toward a digital and cloud-first environment. This is where partnering with a third-party solutions provider can ease the burden on a taxed team while providing fully managed vulnerability management.

User Action: Insider Threats

Arctic Wolf’s The State of Cybersecurity: 2024 Trends Report revealed that 61% of surveyed organizations identified an insider threat in the past 12 months, whether malicious or accidental. However, while the protection efforts are similar for both types — proper identity and access management (IAM) and robust security awareness training — there is a major difference between malicious and accidental insider threats when it comes to user action.

Malicious Insider
There can be many motivations behind a malicious insider threat, such as espionage, theft, or revenge, but the actions are always the same. A known user within an organization’s network uses their access to steal data, steal credentials, or launch a cyber attack.

Accidental Insider
This type of insider threat is an uneducated user who executes an action that could result in a security incident, such as downloading potential malware, clicking on phishing links, leaving their laptop unattended in a public space, and more. These types of insider threats can often be deterred when an organization makes use of a successful security awareness program. But, before we get into solutions, let’s examine the potential cyber threats an organization may be susceptible to via an accidental insider:

Phishing Attacks
Phishing can come in multiple forms. From spam phishing to spear phishing to even smishing (SMS or text phishing), it all refers to a fraudulent message from a threat actor with the intention of gaining access or stealing information from a user. While the concept may be well known, that hasn’t stopped users from falling prey.

In 2023, Arctic Wolf saw that 38.9% of insider threat incidents (non-BEC) were caused by phishing. According to a recent Arctic Wolf survey, 89% of respondents have been targeted by malicious messages in the last twelve months. Phishing has also become more sophisticated, and therefore harder to spot. Current common techniques include:

  • Spoofing email addresses from known individuals
  • Sending well-crafted messages
  • Impersonating well-known brands or individuals
  • Creating authentic-looking spoofed websites

Business Email Compromise (BEC)
Only a portion of BEC scams involve an actual account compromise (also known as an account takeover, or ATO), and only a subset of these will have been preceded by malware, phishing, or other malicious activities with an associated indicator of compromise (IoC). The simplest, most common BEC attack amounts to nothing more than an attacker emailing a target and asking them to send money, data, or product. For these reasons, BEC scams are very difficult to detect, with IBM’s Cost of a Data Breach Report 2023 showing that the mean time to identify and contain (where applicable) a BEC incident is a staggering 266 days — nearly nine months.

Malicious Documents
As the pandemic caused a rise in remote work, this type of attack vector surged in use. It can take the form of a locked PDF which requires your account password to “open” — effectively harvesting your credentials — or a malicious macro embedded in a Microsoft Office document. These documents are commonly used in phishing scams.

How to Prevent Insider Threats

While malicious insiders will only be deterred by the limits of their system access, they make up a very small percentage of overall attacks, comprising just 2.1% of the incidents responded to by Arctic Wolf in the past year.

Thankfully, there’s an available solution that IT and security teams can use to reduce or outright eliminate the chances of their users falling victim to social engineering and becoming an accidental insider.

Security Awareness Training
Because social engineering attacks like phishing and BEC rely so much on psychology, training users to spot suspicious messages can prevent a small error from turning into a large breach. A strong security awareness program — one focused on human behavior, organizational culture, and the employment of both content and data that actively reduces the risk of an accidental insider — can help users make decisions that will protect their assets, prevent their credentials from ending up for sale on the dark web, and help them spot social engineering tactics that could lead to them becoming an insider threat and giving away the keys to the kingdom.

Get a comprehensive analyst overview of managed detection and response (MDR) solutions and learn how they can protect you from top attack vectors.

Get exclusive insights from 1,000 global IT and security leaders into how they are responding to these attack vectors in The State of Cybersecurity: 2024 Trends Report.


Arctic Wolf

Arctic Wolf provides your team with 24x7 coverage, security operations expertise, and strategically tailored security recommendations to continuously improve your overall posture.