An attack vector is the pathway or method an attacker uses to access a target system or network. If threat categories describe who attacks and malware describes what tools they use, attack vectors describe how they gain entry. Understanding attack vectors is crucial because security controls are designed to block or detect specific vectors—without knowing the paths of attack, defenses remain incomplete.
Every security breach begins with initial access. Whether through a phishing email, an unpatched server, or a compromised vendor, the attack vector is the critical first step that makes all subsequent malicious activity possible. Blocking or detecting initial access stops attacks before damage occurs.
By the end of this page, you will understand the major attack vector categories including network-based, social engineering, physical, supply chain, and insider vectors. You'll learn how attackers combine vectors, how to analyze vector risk, and how modern attack surfaces have evolved.
Before examining specific vectors, we need to understand how vectors relate to the broader attack lifecycle and how they're analyzed.
Attack Vector vs. Attack Surface:
These terms are related but distinct:
Attack Surface — The total set of points where an attacker could potentially interact with a system. This includes all exposed services, interfaces, and potential entry points.
Attack Vector — A specific method of exploiting the attack surface to achieve unauthorized access. Multiple vectors may exist for a single surface element.
Example: A web application has an attack surface that includes its login page, API endpoints, and upload functionality. Attack vectors against this surface might include SQL injection, credential stuffing, and file upload exploits.
The Kill Chain Perspective:
The Lockheed Martin Cyber Kill Chain describes an intrusion in seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. The attack vector is what the Delivery and Exploitation phases run on: delivery carries the payload or the connection to the target (the phishing email, the request to the exposed service), and exploitation turns that contact into code execution or access. MITRE ATT&CK names the equivalent tactic Initial Access.
The earlier in the kill chain you detect or block an attack, the less damage occurs. Stopping the vector at delivery or exploitation means installation, command and control, and actions on objectives never happen, and detection there is cheaper too, because nothing has yet been installed that needs cleaning up.
| Category | Requires | Technical Skill Needed | Primary Defense |
|---|---|---|---|
| Network-based | Network access to target | Medium to High | Firewalls, IDS/IPS, patching, network segmentation |
| Social Engineering | Human interaction | Low to Medium | Security awareness training, verification procedures |
| Physical | Physical proximity/access | Low to Medium | Physical security controls, access management |
| Supply Chain | Access to upstream provider | High | Vendor risk management, integrity verification |
| Insider | Legitimate access already | Low to High | Least privilege, monitoring, access reviews |
| Application | Access to application interface | Medium to High | Secure development, input validation, WAF |
Sophisticated attacks typically combine multiple vectors. An attacker might use social engineering (phishing) to gain initial access, then leverage network-based exploitation for lateral movement, and abuse insider-level access after obtaining credentials. Defense must address all vectors, not just the most obvious ones.
Network-based attack vectors exploit vulnerabilities in network-accessible services, protocols, and infrastructure. These attacks don't require physical presence or extensive social engineering—they target systems that are reachable over networks.
Major network attack vectors:
| Vector | Description | Examples | Mitigation |
|---|---|---|---|
| Exploiting Vulnerabilities | Attacking unpatched software flaws in network services | EternalBlue (SMB), Log4Shell (Log4j), ProxyShell (Exchange) | Timely patching, vulnerability scanning, virtual patching |
| Exposed Services | Attacking services unnecessarily exposed to networks | Open RDP, exposed databases, management interfaces | Network segmentation, firewalls, service minimization |
| Remote Access Abuse | Attacking VPN, RDP, or other remote access points | VPN credential stuffing, RDP brute force | MFA, access controls, monitoring |
| DNS Attacks | Manipulating DNS to redirect traffic or harvest credentials | DNS poisoning, DNS hijacking, typosquatting | DNSSEC, DNS monitoring, registry locks |
| Man-in-the-Middle | Intercepting network communications | ARP spoofing, SSL stripping, rogue WiFi | Encryption, certificate pinning, network monitoring |
| Protocol Weaknesses | Exploiting design flaws in network protocols | BGP hijacking, NTP amplification | Protocol hardening, traffic filtering |
Remote Access Attack Vectors:
Remote access mechanisms have become primary attack targets, especially post-pandemic:
VPN Vulnerabilities: VPN appliances protect organizations by filtering external access, but vulnerabilities in VPN software create critical attack vectors:
RDP Exposure: Remote Desktop Protocol, if exposed to the internet, faces constant attack:
Cloud Management Interfaces: Misconfigured cloud consoles and APIs create network attack vectors:
Shodan, Censys, and similar services continuously scan the internet, cataloging exposed services. Attackers use these same tools. Within hours of a new vulnerability disclosure, mass exploitation against exposed vulnerable services begins. Organizations cannot assume obscurity provides protection—if a service is accessible, attackers will find it.
Social engineering attacks target the human element—manipulating people into taking actions that compromise security. These vectors bypass technical controls by exploiting human psychology: trust, fear, greed, curiosity, helpfulness, and urgency.
The human vulnerability:
No matter how robust technical defenses become, people remain susceptible to manipulation. Verizon's 2023 Data Breach Investigations Report found that 74% of breaches involved a human element (social engineering, error, or misuse). Social engineering is often the path of least resistance for attackers: why develop a sophisticated exploit when you can simply ask for credentials?
| Vector | Mechanism | Example | Success Rate |
|---|---|---|---|
| Phishing | Fraudulent emails requesting action (click, login, transfer) | Fake Office 365 login pages, malicious attachments | Click rates vary widely with lure quality and targeting; at mass-mail scale even a small percentage is enough |
| Spear Phishing | Targeted phishing with personalized content | CEO impersonation, vendor invoice fraud | Higher success due to personalization |
| Vishing | Voice phishing via phone calls | Tech support scams, IRS impersonation | Effective against elderly, time-pressed individuals |
| Smishing | SMS-based phishing | Package delivery scams, bank alerts | Growing rapidly; less user awareness than email |
| Pretexting | Creating fabricated scenario to extract information | Calling IT as 'new employee' needing access | Highly effective when scenario is believable |
| Baiting | Offering something enticing to trigger action | USB drives in parking lots, free software | Curiosity drives action despite training |
| Quid Pro Quo | Offering service in exchange for information | Fake IT helpdesk offering to 'fix' computers | Exploits reciprocity instinct |
| Tailgating | Following authorized person through secured door | Carrying boxes and asking someone to hold door | Exploits helpfulness; hard to refuse |
Phishing Evolution:
Phishing has evolved from obvious 'Nigerian prince' emails to sophisticated, targeted campaigns:
First Generation: Mass-mailed, obvious spelling errors, generic greetings, absurd claims
Second Generation: Better design, mimicking legitimate brands, creating urgency ('Account suspended!')
Third Generation (Current): Highly targeted, researched, context-aware, sometimes using compromised accounts for legitimacy
Emerging Techniques:
Business Email Compromise (BEC):
BEC is particularly devastating: rather than delivering malware, attackers impersonate executives or vendors to authorize fraudulent transactions. The FBI's Internet Crime Complaint Center (IC3) put reported global BEC exposed losses at more than $50 billion between June 2016 and December 2022. A single successful BEC can cost millions without any malware involvement.
Technical controls can reduce but not eliminate social engineering risk. Effective defense combines: (1) Technical filtering (email security, URL inspection), (2) Security awareness training with simulated attacks, (3) Verification procedures for sensitive actions (callback for wire transfers), (4) Culture that rewards reporting suspicious activity rather than punishing 'falling for' attacks.
Web applications present extensive attack surfaces because they're designed to be publicly accessible and accept user input. Application-layer attacks exploit vulnerabilities in application logic, code, and configuration rather than network infrastructure.
The OWASP Top 10:
OWASP (the Open Worldwide Application Security Project, until 2023 the Open Web Application Security Project) maintains the most widely referenced list of critical web application security risks, revised every few years. The 2021 edition, summarized below, covers the most common and impactful application attack vectors:
| Rank | Vulnerability | Description | Attack Vector |
|---|---|---|---|
| A01 | Broken Access Control | Users can act outside intended permissions | Horizontal/vertical privilege escalation, IDOR, forced browsing |
| A02 | Cryptographic Failures | Weak or missing encryption for sensitive data | Data exposure, transport layer weakness, key management failures |
| A03 | Injection | Untrusted data sent to an interpreter as part of a command or query | SQL injection, NoSQL injection, OS command injection, LDAP injection, cross-site scripting |
| A04 | Insecure Design | Flaws in application architecture rather than implementation | Missing security controls, predictable patterns, business logic flaws |
| A05 | Security Misconfiguration | Missing security hardening or improper settings | Default credentials, unnecessary features, verbose errors |
| A06 | Vulnerable and Outdated Components | Using components with known vulnerabilities | Outdated libraries (Log4j, Struts), unpatched frameworks |
| A07 | Identification and Authentication Failures | Weak authentication or session handling | Credential stuffing, weak passwords, session fixation |
| A08 | Software and Data Integrity Failures | Failing to verify integrity of code and data | Insecure deserialization, CI/CD compromise, unsigned updates |
| A09 | Security Logging and Monitoring Failures | Insufficient logging for attack detection and response | Missing logs, no log monitoring, log injection |
| A10 | Server-Side Request Forgery | Application fetches attacker-chosen URLs, reaching hosts the attacker cannot reach directly | Internal network scanning, cloud metadata access, service interaction |
Injection Attacks in Detail:
Injection remains one of the most dangerous application vulnerability classes (A03 in the 2021 OWASP Top 10, and A1 in the 2017 edition). The fundamental problem: user input is treated as code rather than data.
SQL Injection Example:

```sql
-- Normal query, built by splicing the user-supplied id into the SQL text:
SELECT * FROM users WHERE id = '123'

-- Malicious input:   123' OR '1'='1
-- Resulting query:
SELECT * FROM users WHERE id = '123' OR '1'='1'
-- Result: returns ALL users, because '1'='1' is always true
```
Prevention Principle: Never concatenate user input into queries or commands. Use parameterized queries, prepared statements, and input validation.
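The same lookup built both ways, as an added example (not code from the original page): the string-built query treats the payload from the text as SQL, while the parameterized query can only ever compare it against the id column. The table and its three rows are constructed sample data in an in-memory SQLite database.

```python
# Added example: string-built query vs parameterized query, run against a
# constructed in-memory SQLite table. Not part of the original page.
import sqlite3

PAYLOAD = "123' OR '1'='1"   # the malicious input from the text above


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (123, "alice", "user"), (124, "bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # The input is spliced into the SQL text, so a quote character in it
    # changes the structure of the statement: data becomes code.
    query = f"SELECT id, username FROM users WHERE id = '{user_id}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_id):
    # The statement and the value travel separately; the value is bound to the
    # placeholder and compared against id, never parsed as SQL. The payload
    # string simply matches no row.
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def lookup_validated(conn, user_id):
    # Defense in depth: an id is an integer, so reject anything else before it
    # reaches the database at all, then still use the parameterized form.
    if not user_id.isdigit():
        raise ValueError("user id must be numeric")
    return lookup_parameterized(conn, int(user_id))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, PAYLOAD))     # every row
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # no rows
    print("normal lookup:", lookup_parameterized(db, "123"))    # alice only
```

The validated variant is the one to copy: the parameterized query is the control that removes the injection, and the type check on top of it shrinks the input space so that a future maintainer who adds a LIKE clause or a different driver still cannot reintroduce the bug by accident.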
API Attack Vectors:
Modern applications rely heavily on APIs, creating new attack surfaces:
API traffic now exceeds traditional web traffic for many organizations; Akamai has reported that 83% of web traffic is API calls. Yet API security often lags behind traditional web security: APIs designed for mobile apps or internal use get exposed to the internet without an equivalent security review. The January 2021 Parler scrape exploited sequential object IDs and API endpoints that lacked authentication and rate limiting to pull roughly 70TB of user content, including deleted posts and media carrying location metadata.
Supply chain attacks compromise the software, hardware, or services that organizations depend on rather than attacking organizations directly. By compromising a trusted supplier, attackers can reach many downstream victims through a single operation.
Why supply chain attacks are devastating:
| Vector | Target | Mechanism | Notable Example |
|---|---|---|---|
| Build System Compromise | Developer build pipeline | Insert malware during software compilation | SolarWinds (Sunburst) — build system injected backdoor |
| Source Code Tampering | Source code repositories and maintainer accounts | Add malicious commits or dependencies to a trusted package | event-stream npm package (2018): a new maintainer, handed the package by its original author, added a dependency that stole cryptocurrency wallet keys |
| Dependency Confusion | Package managers | Publish malicious package with internal name | Multiple organizations hit when public packages matched internal names |
| Typosquatting | Package managers | Publish malicious package with similar name (lodash → 1odash) | Thousands of typosquatted packages on npm, PyPI, RubyGems |
| Update Mechanism | Software update systems | Compromise update server to distribute malware | NotPetya spread through Ukrainian accounting software update |
| Hardware Implants | Physical supply chain | Insert malicious components during manufacturing | Alleged SuperMicro server implants (contested); documented NSA operations |
| MSP/Cloud Provider | Managed service providers | Compromise provider to access all clients | Kaseya ransomware attack reached 1,500+ organizations through MSP software |
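The Dependency Confusion and Typosquatting rows above are the two package-manager vectors a pre-install check can catch mechanically. The following is an added example, not code from the original page or from any package manager: it audits a requested dependency list against a popular-package list, an internal-package list, and a snapshot of what the public registry serves. All three lists and the package names in them are constructed for illustration; a real check would pull the registry snapshot from the registry API and the internal list from your private index.

```python
# Added example: pre-install audit for typosquats and dependency confusion.
# POPULAR, INTERNAL and PUBLIC_REGISTRY are constructed stand-ins, not real data.
POPULAR = {"lodash", "express", "requests", "numpy", "react"}
INTERNAL = {"acme-internal-auth", "acme-billing-core"}
# name -> latest version visible on the public registry (constructed). The
# internal name appearing here with an absurdly high version is the classic
# dependency-confusion setup: a resolver that prefers the highest version wins
# the attacker's package.
PUBLIC_REGISTRY = {
    "lodash": "4.17.21", "express": "4.19.2", "requests": "2.32.3",
    "numpy": "1.26.4", "react": "18.3.1",
    "acme-internal-auth": "99.0.0",
}

# Digit/letter lookalikes and punctuation that registries treat as equivalent
# (PyPI normalizes - _ . to one form; npm rejects names that differ from an
# existing one only by punctuation) so they do not count as a difference here.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "-": "", "_": "", ".": ""})


def normalize(name: str) -> str:
    return name.lower().translate(LOOKALIKES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; package names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_dependencies(requested, popular=POPULAR, internal=INTERNAL,
                       public=PUBLIC_REGISTRY):
    """Return (name, kind, detail) findings for each suspicious requested name.

    kind is "dependency-confusion" when an internal package name also exists on
    the public registry (detail = public version), or "typosquat" when the name
    is within one edit of a popular package after lookalike normalization
    (detail = the package it imitates)."""
    findings = []
    for name in requested:
        if name in internal:
            if name in public:
                findings.append((name, "dependency-confusion", public[name]))
            continue
        if name in popular:
            continue
        n = normalize(name)
        for target in sorted(popular):
            if edit_distance(n, normalize(target)) <= 1:
                findings.append((name, "typosquat", target))
                break
    return findings


if __name__ == "__main__":
    manifest = ["1odash", "requests", "acme-internal-auth", "expresss",
                "acme-billing-core"]
    for finding in audit_dependencies(manifest):
        print(*finding)
```

The typosquat check is a heuristic and will produce false positives for legitimately similar names; treat hits as "stop and look", not as an automatic block. The dependency-confusion finding, by contrast, is definitive and the fix is structural rather than heuristic: resolve internal names only from the private index (for pip, `--index-url` pointing at the private index rather than `--extra-index-url` alongside the public one), reserve or register your internal names on the public registry so no one else can, and pin versions with hashes so a higher public version cannot be preferred.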
Case Study: SolarWinds (2020)
The SolarWinds attack is one of the most sophisticated supply chain attacks documented publicly:
Lessons:
Defending Against Supply Chain Attacks:
Modern software development depends on trusting thousands of third-party components. A typical application may have hundreds of direct dependencies and thousands of transitive dependencies. Each represents potential supply chain risk. Yet eliminating dependencies would make software development impractically slow. Organizations must balance development velocity against supply chain risk through careful vendor selection, dependency scanning, and architectural isolation.
Physical attack vectors require the attacker to have physical access to systems, facilities, or people. While often overlooked in favor of network security, physical access can bypass many technical controls. As security professionals say: 'Physical access is total access.'
Categories of physical attack vectors:
The USB Drop Attack:
One of the simplest yet most effective physical attacks is leaving USB drives in parking lots, lobbies, or common areas. In a 2016 University of Illinois study (Tischer et al.), 297 drives were dropped around a campus; 98% were picked up and 45% were plugged in and had a file opened. Malicious USB devices can:
The attack exploits human curiosity and helpfulness—people find drives and either try to identify the owner or simply explore the contents.
Side-Channel Physical Attacks:
Sophisticated physical attacks can extract secrets without direct system access:
Physical security requires layered controls: (1) Perimeter security—fences, guards, barriers; (2) Building access—badges, biometrics, mantraps; (3) Room-level—locked server rooms, camera monitoring; (4) Device-level—cable locks, encrypted drives, USB port control; (5) Data-level—full disk encryption ensures stolen devices don't become data breaches. Each layer compensates for potential failures in others.
Insider threats originate from individuals with legitimate access—employees, contractors, partners, or anyone trusted within the organization. These threats are particularly dangerous because insiders already possess access that external attackers must work to obtain.
Insider threat categories:
| Type | Intent | Motivation | Detection Approach |
|---|---|---|---|
| Malicious Insider | Intentional harm | Financial gain, revenge, ideology, coercion | Behavioral monitoring, access anomaly detection |
| Negligent Insider | Unintentional harm | Carelessness, policy violation, convenience | Training, technical controls, error prevention |
| Compromised Insider | Action under attacker control | Credentials stolen, device compromised | Anomaly detection, impossible-travel checks, user behavior analytics (UBA) |
| Third-Party Insider | Contractor/vendor with access | Any of the above | Third-party risk management, access limiting |
Insider Threat Indicators:
Security teams monitor for behavioral patterns that correlate with insider threats:
Technical Indicators:
Behavioral Indicators:
The Privileged User Problem:
System administrators, database administrators, and other privileged users present special insider risk. They have:
Mitigating privileged insider risk requires: privileged access management (PAM), session recording, separation of duties, and robust logging to tamper-evident storage.
Insider threats are notoriously difficult to detect because insiders perform actions that look like normal work. Unlike external attackers who create clear anomalies, a database administrator querying customer records may be doing their job or stealing data—the actions look identical. Detection requires understanding context, baselines, and patterns that distinguish malicious from legitimate activity.
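Two of the detections named on this page work from the same authentication-event feed: the RDP/VPN brute-force and credential-stuffing activity listed under remote access abuse, and the impossible-travel check that flags a compromised insider account. The following is an added example, not code from the original page or from any SIEM product: a password-spray detector (one source, one or two guesses against many accounts) and an impossible-travel detector over one constructed stream of login events, of the kind a VPN or RDP gateway would send to a SIEM. The event field names, the events themselves, and the coordinates are constructed; the example assumes the log pipeline has already attached a coarse geolocation to each source IP.

```python
# Added example: password-spray and impossible-travel detection over a
# constructed authentication-event feed. Not part of the original page.
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EVENTS = [  # constructed sample events; geo = (lat, lon) attached by the log pipeline
    # one source, one guess each against many accounts inside two minutes: a spray
    {"ts": "2024-03-01T08:00:00", "user": "alice", "src": "198.51.100.7", "ok": False, "geo": (52.52, 13.40)},
    {"ts": "2024-03-01T08:00:15", "user": "bob",   "src": "198.51.100.7", "ok": False, "geo": (52.52, 13.40)},
    {"ts": "2024-03-01T08:00:30", "user": "carol", "src": "198.51.100.7", "ok": False, "geo": (52.52, 13.40)},
    {"ts": "2024-03-01T08:00:45", "user": "dave",  "src": "198.51.100.7", "ok": False, "geo": (52.52, 13.40)},
    {"ts": "2024-03-01T08:01:00", "user": "erin",  "src": "198.51.100.7", "ok": False, "geo": (52.52, 13.40)},
    {"ts": "2024-03-01T08:01:15", "user": "frank", "src": "198.51.100.7", "ok": True,  "geo": (52.52, 13.40)},
    # one user mistyping a password once is not a spray
    {"ts": "2024-03-01T08:30:00", "user": "bob",   "src": "203.0.113.20", "ok": False, "geo": (42.36, -71.06)},
    {"ts": "2024-03-01T08:30:20", "user": "bob",   "src": "203.0.113.20", "ok": True,  "geo": (42.36, -71.06)},
    # alice: New York at 09:00, London at 09:30; not physically possible
    {"ts": "2024-03-01T09:00:00", "user": "alice", "src": "203.0.113.10", "ok": True,  "geo": (40.71, -74.01)},
    {"ts": "2024-03-01T09:30:00", "user": "alice", "src": "192.0.2.44",   "ok": True,  "geo": (51.51, -0.13)},
    # bob: Boston then New York three hours apart; plausible
    {"ts": "2024-03-01T11:30:00", "user": "bob",   "src": "203.0.113.21", "ok": True,  "geo": (40.71, -74.01)},
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Sources whose failed logins hit at least min_users distinct accounts
    inside any window-sized interval. Per-account lockout never fires on a
    spray, which is why the pivot is on the source, not the user."""
    by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    flagged = set()
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):          # sliding window over sorted failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_users:
                flagged.add(src)
                break
    return flagged


def detect_impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """(user, from_src, to_src, implied_kmh) for consecutive successful logins
    whose implied speed exceeds max_kmh. Distances under min_km are ignored
    because geo-IP places the same city at slightly different coordinates."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["src"], e["geo"]))
    hits = []
    for user, logins in by_user.items():
        logins.sort(key=lambda x: x[0])
        for (t1, s1, g1), (t2, s2, g2) in zip(logins, logins[1:]):
            km = haversine_km(g1, g2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                hits.append((user, s1, s2, round(kmh)))
    return hits


if __name__ == "__main__":
    print("spray sources   :", detect_password_spray(EVENTS))
    print("impossible travel:", detect_impossible_travel(EVENTS))
```

Both detectors are deliberately pivoted differently: the spray detector groups by source because the attacker spreads guesses across accounts precisely to stay under per-account lockout thresholds, while the travel detector groups by account because the source changes. Note that frank's successful login from the spray source is the event that matters most operationally; a real rule would emit that success as the alert, with the preceding failures as context.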
Cloud computing and modern architectures introduce attack vectors that didn't exist in traditional environments. These vectors exploit the unique characteristics of cloud infrastructure, containerization, serverless computing, and distributed systems.
Cloud-specific attack vectors:
| Vector | Description | Example | Mitigation |
|---|---|---|---|
| Misconfigured Storage | Public read or write access to private data through permissive bucket policies or ACLs | Countless publicly listable S3 buckets and Azure blobs found by scanners | Block public access at the account level, automated configuration checking, least privilege |
| Instance Metadata Service | SSRF to access cloud credentials via 169.254.169.254 | Capital One attack gained credentials through SSRF to IMDS | IMDSv2, network controls, SSRF prevention |
| Container Escape | Breaking out of container isolation to the host | CVE-2019-5736 (runC), CVE-2020-15257 (containerd-shim), CVE-2022-0185 (Linux kernel) | Patching, minimal capabilities, no privileged containers, seccomp/AppArmor profiles |
| Serverless Injection | Event data injection in Lambda/Functions | Malicious input in S3 filenames, API parameters | Input validation, least privilege function roles |
| Kubernetes API | Exposed or misconfigured K8s control plane | Cryptomining in exposed clusters | API server security, RBAC, network policies |
| Identity Federation Abuse | Exploiting SAML, OIDC, or identity provider trust | GoldenSAML attack in SolarWinds incident | Federation hardening, certificate monitoring |
The Instance Metadata Service Attack:
Cloud instances can query a metadata service for configuration information. This becomes an attack vector when:
The 2019 Capital One breach used this exact pattern: an SSRF in a misconfigured web application firewall running on an EC2 instance reached the metadata service, returned the instance role's temporary credentials, and those credentials were used to read S3 buckets holding data on roughly 106 million customers and applicants.
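The application-side control against this pattern is an outbound-URL guard that runs before any user-supplied URL is fetched. The following is an added example, not code from the original page or from any cloud provider SDK: it rejects metadata hostnames by name, rejects any destination that resolves to a link-local, private, loopback or carrier-grade NAT address, and takes the resolver as a parameter so that it runs offline here. The resolver fixture and the hostnames in it are constructed; the metadata hostnames and addresses listed are the documented AWS and GCP ones.

```python
# Added example: SSRF guard for outbound fetches, with the cloud metadata
# service as the primary target it exists to block. Not part of the original page.
import ipaddress
from urllib.parse import urlsplit

# Hostnames the metadata services answer on, blocked by name as well as by address.
METADATA_HOSTS = {
    "169.254.169.254",           # AWS, Azure, GCP, OpenStack IMDS (IPv4)
    "fd00:ec2::254",             # AWS IMDS (IPv6)
    "metadata.google.internal",  # GCP
    "metadata",                  # GCP short name
}

# Ranges that ipaddress does not classify as private but should never be an
# application-initiated destination; 100.64.0.0/10 is shared address space
# and some providers host their metadata endpoint there.
BLOCKED_NETWORKS = [ipaddress.ip_network("100.64.0.0/10")]


def _is_blocked(addr) -> bool:
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url: str, resolve):
    """Return (allowed, reason). resolve(host) must return the list of IP
    strings the host currently maps to; in production wrap socket.getaddrinfo
    and then connect to the vetted address itself rather than letting the HTTP
    client re-resolve the name (otherwise DNS rebinding defeats the check)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if host.rstrip(".") in METADATA_HOSTS:
        return False, f"metadata host {host}"
    try:
        addrs = [ipaddress.ip_address(host)]   # literal IPv4/IPv6 in the URL
    except ValueError:
        # Not a dotted literal. Beware that libc inet_aton accepts forms such as
        # "2852039166" or "0251.0376.0251.0376" for 169.254.169.254, so the
        # decision is made on the resolved addresses, never on the text.
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    for addr in addrs:
        if _is_blocked(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


# Constructed resolver fixture so the example runs offline. The decimal form of
# the IMDS address resolves the way a real libc resolver would treat it.
RESOLVER_FIXTURE = {
    "example.com": ["93.184.216.34"],
    "rebind.test": ["127.0.0.1"],
    "2852039166": ["169.254.169.254"],
}


def fixture_resolve(host):
    if host not in RESOLVER_FIXTURE:
        raise LookupError(f"unknown host {host}")
    return RESOLVER_FIXTURE[host]


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://[fd00:ec2::254]/latest/api/token",
              "http://2852039166/",
              "http://rebind.test/",
              "https://example.com/hook"):
        print(u, "->", check_outbound_url(u, fixture_resolve))
```

The guard is one layer; the other is on the instance itself. Requiring IMDSv2 (a PUT to obtain a session token, with a hop-limit header that a forwarded request cannot satisfy) means that even an SSRF that reaches 169.254.169.254 cannot read credentials with the single GET that a typical SSRF primitive provides, and restricting the instance role to the minimum it needs bounds what leaked credentials are worth.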
Container Security Vectors:
Containerization introduces specific attack surfaces:
CI/CD Pipeline Attacks:
Modern software delivery pipelines are high-value targets:
Cloud security operates under shared responsibility: the provider secures the cloud infrastructure, but customers secure what they put in the cloud. Misconfiguration—the customer's responsibility—is the leading cause of cloud breaches. The most common cloud attack vector isn't sophisticated exploitation; it's finding resources that were accidentally left public.
Wireless networks and mobile devices extend the attack surface beyond physical network boundaries. These vectors exploit the nature of radio communication and the unique characteristics of mobile computing environments.
Wireless attack vectors:
Bluetooth Attack Vectors:
Mobile-Specific Attack Vectors:
Mobile devices face unique attack surfaces:
Application-Level:
Network-Level:
Physical-Level:
Mobile devices often have access to corporate email, cloud storage, and enterprise applications—yet they're carried into uncontrolled environments, connect to arbitrary networks, and may be lost or stolen. Enterprise mobile security requires device management (MDM), conditional access policies, and the ability to remotely wipe compromised devices.
We've surveyed the major pathways attackers use to reach their targets. Understanding these vectors is essential for comprehensive security—each vector requires specific defensive controls, and missing coverage leaves exploitable gaps.
What's Next:
With attack vectors understood, we'll examine Threat Modeling—the structured process for systematically identifying, analyzing, and prioritizing threats to specific systems. Threat modeling applies the concepts from this page to your specific environment and applications.
You now understand the major attack vector categories and how they're exploited. This knowledge informs both defensive architecture (blocking or detecting vectors) and security assessment (identifying which vectors your organization is vulnerable to). Next, we'll apply this knowledge through structured threat modeling.