Cybercriminals constantly refine and update their tactics, techniques and procedures (TTPs), but many of the attack vectors – the paths that attackers take – are recurring themes in cybersecurity incidents.
Each attack vector requires specific countermeasures, but best practices across the board entail a mix of technology, people and procedures. Here are some of the most common vectors and strategies for getting ahead of attackers.
What Are The Top Five Attack Vectors?
1. Malware
Malware is not only a commonly used attack vector, but also one of the most expensive cyberthreats to remediate. That's a big reason why organisations consider this long-standing threat one of their top cybersecurity concerns.
Researchers discover millions of new malware samples every month, according to the independent IT security institute AV-TEST. Since this threat vector is always evolving, staying secure from these attacks demands constant vigilance.
Attackers deploy malware through various means, such as malicious email attachments and hijacked network communications protocols (e.g., Server Message Block in the case of WannaCry).
Defending against malware requires a combination of user training and advanced detection and response techniques. Many cases require human interaction for the malware infection or execution to take place. Since email is the most common distribution method for malware, cybersecurity training will help your employees to spot suspicious files and requests.
Beyond that, the best way to prevent malware threats is through endpoint detection and response (EDR). The key is to implement 24x7 monitoring and have a response team ready to follow refined processes to hunt down threats that bypass your perimeter.
If your organisation runs a lean IT or security team, a managed detection and response (MDR) service from a third-party provider is a cost-effective alternative to a solution deployed in-house.
2. Phishing
Like all social engineering techniques, phishing relies on human interaction. In many cybersecurity incidents, phishing is the first step. Cybercriminals use this attack vector for a variety of schemes that range from stealing money to deploying malware.
A phishing attempt most frequently occurs over email with instructions for the recipient to click a link, open an attachment, send money to a bank account or supply sensitive information such as a username-password combo.
To combat these attacks, you can implement phishing prevention at different stages of an attack: before, during and after a user's engagement.
Before: At the exploit stage of the kill chain, use an anti-spam or other email security solution to check for suspicious URLs and block messages containing malware or spam.
During: Educate employees on how to identify suspicious emails based on cues such as typos, unusual email addresses and long URLs. Train users on how to handle potential phishing attacks and put in place procedures for forwarding these emails to your IT team.
After: Additional protections such as two-factor authentication can guard accounts with stolen passwords. Network sensors can also detect attempts to connect to command-and-control sites, which are often involved in multi-stage malware attacks.
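The "before" and "during" stages above both come down to spotting the same cues: a sender domain that is a typo or lookalike of a trusted one, link text that shows one host while the href points elsewhere, and unusually long URLs. The following is an added example, not Arctic Wolf's code or a product feature; it runs those cue checks over an already-parsed message. `TRUSTED_DOMAINS`, `LONG_URL_THRESHOLD` and the two sample messages are constructed for illustration.

```python
"""Heuristic phishing-cue checks over an already-parsed email.

Added example, not Arctic Wolf's code. It flags the cues the text names:
a sender domain that is a typo or lookalike of a trusted domain, link text
that shows one host while the href points to another, and unusually long
URLs. TRUSTED_DOMAINS, the threshold and the sample messages are constructed."""
from typing import List, Optional, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "bank-example.com"}  # constructed allow-list
LONG_URL_THRESHOLD = 75                                 # constructed cut-off, in characters


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 from a trusted domain is a typo-squat cue."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_domain(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the trusted domain itself, or a genuine subdomain of it
    for trusted in TRUSTED_DOMAINS:
        # trusted name embedded in a longer host (login.example.com.evil.test)
        # or one character away from it (examp1e.com)
        if trusted in domain or edit_distance(domain, trusted) == 1:
            return trusted
    return None


def phishing_cues(message: dict) -> List[Tuple[str, str]]:
    """Return (tag, detail) pairs for each cue found; an empty list means no cue fired."""
    cues = []
    sender_domain = message["from_addr"].rsplit("@", 1)[-1]
    target = imitated_domain(sender_domain)
    if target:
        cues.append(("sender-lookalike", f"{sender_domain} resembles {target}"))
    for text, href in message["links"]:
        host = (urlparse(href).hostname or "").lower()
        if len(href) > LONG_URL_THRESHOLD:
            cues.append(("long-url", f"{len(href)} characters, host {host}"))
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != host:
            cues.append(("link-mismatch", f"text shows {shown}, href goes to {host}"))
        target = imitated_domain(host)
        if target:
            cues.append(("link-lookalike", f"{host} resembles {target}"))
    return cues


# Constructed sample messages: one ordinary HR notice and one credential lure.
LEGIT_MESSAGE = {
    "from_addr": "hr@example.com",
    "links": [("https://example.com/benefits", "https://example.com/benefits")],
}
PHISHING_MESSAGE = {
    "from_addr": "it-support@examp1e.com",
    "links": [(
        "https://example.com/reset",
        "https://login.example.com.verify-account.test/session?id=" + "a" * 60,
    )],
}

if __name__ == "__main__":
    for name, msg in (("legit", LEGIT_MESSAGE), ("phish", PHISHING_MESSAGE)):
        print(name, phishing_cues(msg))
```

A gateway filter would feed the "from" address and extracted links of each inbound message to `phishing_cues` and quarantine or tag messages with one or more hits; the same cues are what user training asks employees to look for by eye, which is why the "before" and "during" stages reinforce each other.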
3. Compromised Credentials
About a third of data breaches involve stolen user credentials, according to Verizon's 2019 Data Breach Investigations Report.
Several other reports have estimated that billions of stolen credentials are available on the dark web – the result of both unprotected databases and cyberattacks. The website Have I Been Pwned, which enables people to check if their email/password logins are compromised, contains more than 500 million passwords that were exposed as a result of data breaches.
Cybercriminals use this attack vector, not only because it's much easier to gain access to sensitive and valuable information once inside an organisation, but also because they can wreak a great deal of havoc before they are detected.
One method is credential stuffing – a type of brute-force attack that uses raw computing power and automation to repeatedly attempt password combinations until finding the right login. This tactic has been on the rise since 2018, and last year saw several major attacks involving credential stuffing.
As with other threat vectors, you need to use multiple defensive layers to protect against compromised credentials. To follow best practices, companies should:
- Enforce strong password requirements
- Adopt multi-factor authentication
- Limit user privileges based on roles
- Monitor user behaviour to spot unusual activity
- Implement strict controls for admin accounts
Additionally, countermeasures specifically against brute-force attacks include setting a low number of consecutive login attempts before lockout, and requiring manual CAPTCHA input.
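Two of the controls above, a lockout after a low number of consecutive failed logins and monitoring for unusual activity, are easy to show over authentication logs. The following is an added example, not Arctic Wolf's code; the log format, the thresholds and the sample lines (with source addresses from the RFC 5737 documentation ranges) are constructed. It also shows the caveat a practitioner runs into: a per-account lockout catches repeated guessing against one account, but credential stuffing spreads one or two attempts across many accounts, so the second check counts distinct failed accounts per source address instead.

```python
"""Two checks over authentication logs: a per-account lockout counter and a
per-source credential-stuffing detector.

Added example, not Arctic Wolf's code. The log format, thresholds and sample
lines are constructed (source addresses come from the RFC 5737 documentation
ranges)."""
import re
from collections import defaultdict
from typing import Dict, List, Set

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
MAX_CONSECUTIVE_FAILURES = 5   # constructed lockout threshold
MIN_ACCOUNTS_PER_SOURCE = 10   # constructed stuffing threshold


def parse_auth_log(text: str) -> List[dict]:
    """Parse lines into event dicts, skipping any line that does not match the format."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def locked_accounts(events: List[dict], max_failures: int = MAX_CONSECUTIVE_FAILURES) -> Set[str]:
    """Accounts whose run of consecutive failures reached the threshold (a success resets the run)."""
    streak: Dict[str, int] = defaultdict(int)
    locked: Set[str] = set()
    for e in events:
        if e["result"] == "failure":
            streak[e["user"]] += 1
            if streak[e["user"]] >= max_failures:
                locked.add(e["user"])
        else:
            streak[e["user"]] = 0
    return locked


def stuffing_sources(events: List[dict], min_accounts: int = MIN_ACCOUNTS_PER_SOURCE) -> Dict[str, int]:
    """Source addresses that failed against at least `min_accounts` distinct accounts."""
    failed_users: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed_users[e["src"]].add(e["user"])
    return {src: len(users) for src, users in failed_users.items() if len(users) >= min_accounts}


# Constructed sample log: a stuffing run (12 accounts, one try each, from one
# address, one of which then succeeds), a brute-force run against alice, and a
# user who mistyped once.
_lines = [f"2024-03-01T08:00:{i:02d}Z auth failure user=user{i:02d} src=198.51.100.7" for i in range(12)]
_lines += [f"2024-03-01T08:01:{i:02d}Z auth failure user=alice src=203.0.113.5" for i in range(6)]
_lines += [
    "2024-03-01T08:02:00Z auth failure user=bob src=192.0.2.9",
    "2024-03-01T08:02:05Z auth success user=bob src=192.0.2.9",
    "2024-03-01T08:02:10Z auth success user=user03 src=198.51.100.7",
]
SAMPLE_AUTH_LOG = "\n".join(_lines)

if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    print("locked:", locked_accounts(events))
    print("stuffing sources:", stuffing_sources(events))
```

In the sample, `alice` is locked after the fifth failure, `bob` never is, and the stuffing address is flagged even though no single account it touched crossed the lockout threshold; the one successful login from that address is exactly the event the per-source view exists to catch.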
4. Outdated and Unpatched Systems
Software that's not up to date is a magnet for exploitation. Just ask Equifax. An unpatched vulnerability in its Apache Struts web framework led to the breach of 145 million social security numbers, addresses, driving licence numbers and credit card numbers.
Researchers identify new vulnerabilities daily, not only in software, but also in hardware and firmware. It's critical to stay on top of these discoveries so threats don't greet you unexpectedly.
Vulnerability scans help to identify systems in need of patches. And the NIST Cybersecurity Framework recommends using risk-management processes to remediate vulnerabilities based on priorities.
However, patching all vulnerabilities in a timely manner is a tall order and not feasible for most organisations.
To address this, implement a risk assessment process to figure out which software and systems pose the biggest risks to your organisation. This process involves conducting a complete inventory of your IT infrastructure so you know what you're trying to protect and what you should scan for vulnerabilities.
Bear in mind that vulnerability scanning and patching is a continuous process, not something you should do simply on a ‘schedule’.
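The risk assessment described above only pays off if it changes the order in which findings get fixed. The following is an added example, not Arctic Wolf's code and not a NIST-specified formula; it assumes an inventory that already records a severity score per finding (CVSS-style, 0 to 10), whether the asset is reachable from the internet, whether a public exploit exists, and how sensitive the data on it is. The weights, the remediation windows and the sample inventory are constructed; the point it makes is that the finding with the highest raw severity is not necessarily the one to patch first.

```python
"""Risk-based ordering of an asset inventory for patching.

Added example, not Arctic Wolf's or NIST's code. The weights, the
remediation windows and the sample inventory are constructed."""
from typing import List

# Constructed weights: internet exposure and a known exploit count for more
# than raw severity, and sensitive data raises the stakes further.
EXPOSURE_WEIGHT = {True: 2.0, False: 1.0}
EXPLOIT_WEIGHT = {True: 1.5, False: 1.0}
SENSITIVITY_WEIGHT = {"low": 1.0, "medium": 1.25, "high": 1.5}
# Constructed remediation windows in days, keyed by the minimum score they apply to.
WINDOWS = [(30.0, 7), (15.0, 30), (0.0, 90)]


def priority_score(finding: dict) -> float:
    """Severity scaled by exposure, exploit availability and data sensitivity."""
    score = (finding["severity"]
             * EXPOSURE_WEIGHT[finding["internet_exposed"]]
             * EXPLOIT_WEIGHT[finding["exploit_public"]]
             * SENSITIVITY_WEIGHT[finding["data_sensitivity"]])
    return round(score, 2)


def remediation_window(score: float) -> int:
    """Days allowed to patch, from the first window whose threshold the score meets."""
    for threshold, days in WINDOWS:
        if score >= threshold:
            return days
    return WINDOWS[-1][1]


def patch_order(inventory: List[dict]) -> List[dict]:
    """Inventory annotated with score and window, highest priority first."""
    ranked = []
    for finding in inventory:
        score = priority_score(finding)
        ranked.append({**finding, "score": score, "patch_within_days": remediation_window(score)})
    return sorted(ranked, key=lambda r: (-r["score"], r["asset"]))


# Constructed inventory; finding ids are placeholders, not real vulnerability identifiers.
INVENTORY = [
    {"asset": "web-01", "finding": "FINDING-A", "severity": 7.5,
     "internet_exposed": True, "exploit_public": True, "data_sensitivity": "high"},
    {"asset": "db-02", "finding": "FINDING-B", "severity": 9.8,
     "internet_exposed": False, "exploit_public": False, "data_sensitivity": "high"},
    {"asset": "kiosk-07", "finding": "FINDING-C", "severity": 9.0,
     "internet_exposed": False, "exploit_public": False, "data_sensitivity": "low"},
    {"asset": "vpn-gw", "finding": "FINDING-D", "severity": 6.5,
     "internet_exposed": True, "exploit_public": False, "data_sensitivity": "medium"},
]

if __name__ == "__main__":
    for row in patch_order(INVENTORY):
        print(f'{row["asset"]:9} {row["finding"]:10} score={row["score"]:6.2f} '
              f'patch within {row["patch_within_days"]} days')
```

With these weights the internet-facing web server with a public exploit (severity 7.5) lands in the 7-day window, while the internal database with the highest raw severity (9.8) falls behind the exposed VPN gateway; the inventory fields are what make that reordering possible, which is why the text insists on a complete inventory before scanning.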
5. Supply Chain Suppliers
In today's interconnected, digital world, third-party risk is growing exponentially. Numerous high-profile data breaches in recent years have highlighted the implications of a supplier breach, as well as demonstrated that cybercriminals target suppliers with weak security posture as an entry point into another organisation.
No matter how strong your own cybersecurity measures are, you're really only as strong as your weakest partner or supplier. Third-party infrastructure is outside of your control, but mitigating third-party risk is not. You can minimise your exposure through proactive measures:
- Require suppliers to maintain certain cybersecurity standards through your service agreements.
- Validate the suppliers' security posture through audits, metrics and other tools.
- Implement policies that require scanning and monitoring your suppliers' devices once they're connected to your network.
- Use a threat detection and response solution to monitor your environment for anomalies.
MDR Protects Against All Attack Vectors
Many organisations struggle with threat mitigation. Detection itself can take months, and a strong response may require additional weeks of coordination. And the window of opportunity is growing – in 2019, the average time to identify a breach (206 days) and contain it (73 days) increased by 5%.
That gives attackers ample time to exploit these various attack vectors and compromise your assets and environment.
For teams that don't have sufficient in-house resources or simply want to outsource part of their security and focus on more strategic priorities, managed detection and response (MDR) providers offer a start-to-finish solution for identifying, detecting, responding to and recovering from cyberattacks. MDR provides you 24x7 protection and a team of experienced analysts, enabling you to scale your security based on your needs.
Learn more about Arctic Wolf's MDR solution to find an effective way to start improving your security posture and defend against attack vectors.