An attack vector is the path or means by which an attacker gains access to a target system to deliver a malicious payload or exploit a vulnerability. While previous pages examined threat types, attackers, and vulnerabilities, this page focuses on the mechanisms attackers use to reach their targets.
Think of attack vectors as the "how" that connects attacker capability to exploitable weakness. A vulnerability may exist, but if attackers cannot reach it through any vector, it poses no immediate risk. Conversely, multiple attack vectors may exist to exploit a single vulnerability, each with different likelihood, detectability, and defensive implications.
Understanding attack vectors enables security architects to:
By the end of this page, you will be able to: (1) Define attack vectors and distinguish them from vulnerabilities and threats, (2) Categorize attack vectors by delivery mechanism and target layer, (3) Understand the major attack vector categories used in real-world attacks, (4) Analyze multi-stage attack chains that combine multiple vectors, and (5) Apply vector analysis to defensive planning and architecture.
Attack vectors can be classified along multiple dimensions. Understanding these classification schemes helps security professionals systematically analyze and address potential attack paths.
By Proximity to Target:
Remote Vectors: Attacks that can be conducted over a network without physical proximity. Most common in modern attacks. Includes network-based exploitation, web application attacks, and social engineering via electronic channels.
Local Vectors: Attacks requiring some access to the target system or network—physical presence, local network access, or existing (limited) system access. Includes privilege escalation, lateral movement, and insider attacks.
Physical Vectors: Attacks requiring physical access to hardware, facilities, or humans. Includes device theft, hardware implants, dumpster diving, and in-person social engineering.
| Dimension | Categories | Security Implications |
|---|---|---|
| Proximity | Remote / Local / Physical | Determines perimeter vs. internal defense priority |
| Target Layer | Network / System / Application / Human | Indicates appropriate control types |
| Interactivity | Active exploitation / Passive collection | Affects detection approaches |
| Automation | Automated / Manual / Hybrid | Indicates attack scale and customization |
| Detection Difficulty | Obvious / Subtle / Stealthy | Drives monitoring and hunting strategies |
Attack Surface Concept:
The attack surface is the sum of all points (vectors) where an unauthorized user can try to enter or extract data from an environment. Larger attack surfaces mean more potential vectors for attackers to exploit.
Attack surface components include:
Attack Surface Management:
Reducing attack surface is a fundamental security principle. For each component, ask:
Effective security maps defenses to attack vectors. Rather than asking 'What security products should we buy?', ask 'What vectors do attackers use against organizations like ours, and what controls address each?' This approach ensures comprehensive coverage without gaps or unnecessary overlap.
Network attack vectors involve exploiting network protocols, services, or infrastructure to gain access or disrupt operations. These vectors operate at the network and transport layers, targeting connectivity and network services.
Categories of network vectors:
Remote exploitation vectors involve directly attacking network-accessible services to gain unauthorized access.
Service Exploitation: Exploiting vulnerabilities in network services (web servers, mail servers, databases, custom applications). Attackers scan for exposed services, identify vulnerable versions, and deploy exploits.
Authentication Attacks: Targeting login mechanisms through brute force, credential stuffing (using leaked passwords), password spraying (common passwords against many accounts), or exploiting authentication vulnerabilities.
Protocol Exploitation: Abusing network protocol weaknesses—TCP/IP stack vulnerabilities, DNS attacks, DHCP exploitation, or protocol-specific flaws.
Defense:
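As a detection-side illustration of the authentication attacks described above, the following added example (not part of the original page) labels source addresses by the shape of their failed logins: many failures against one account versus a few failures spread across many accounts. The event tuple layout, the thresholds, and the function name `classify_sources` are assumptions; the sample events are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample events: (epoch_seconds, source_ip, username, success).
# Addresses come from the RFC 5737 documentation ranges.
EVENTS = (
    [(1000 + 10 * i, "203.0.113.10", "alice", False) for i in range(6)]
    + [(2000 + 60 * i, "198.51.100.7", user, False)
       for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [(3000, "192.0.2.44", "bob", False), (3020, "192.0.2.44", "bob", False),
       (3040, "192.0.2.44", "bob", True)]
)

def classify_sources(events, window=600, per_account=5, fanout=4):
    """Label each source IP whose failed logins inside any `window` seconds
    look like brute force (one account hammered) or spraying/stuffing
    (many accounts, few attempts each). Thresholds are assumptions to tune."""
    failures = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            failures[src].append((ts, user))

    findings = {}
    for src, items in failures.items():
        items.sort()
        counts, start = Counter(), 0
        for ts, user in items:
            counts[user] += 1
            # Drop failures that have aged out of the sliding window.
            while ts - items[start][0] > window:
                old = items[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if max(counts.values()) >= per_account:
                findings[src] = "brute_force"  # takes precedence, stop here
                break
            if len(counts) >= fanout:
                findings[src] = "spray_or_stuffing"
    return findings
```

Login logs without password material cannot separate spraying from credential stuffing, which is why both share one label here. The user who mistypes a password twice and then succeeds produces no finding.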
Application attack vectors target software at the application layer—web applications, APIs, mobile apps, and desktop software. These vectors exploit logic flaws, input handling errors, and authentication weaknesses in application code.
Web Application Vectors:
API Attack Vectors:
APIs present unique attack surfaces increasingly targeted by attackers:
Broken Object Level Authorization (BOLA): APIs exposing endpoints that handle object identifiers, enabling access to other users' data by manipulating IDs.
Mass Assignment: APIs automatically binding request data to internal objects, allowing attackers to modify unintended fields (e.g., setting isAdmin=true).
Rate Limiting Failures: APIs without throttling enabling brute force, enumeration, or resource exhaustion attacks.
Security Misconfiguration: Verbose errors exposing internals, debug endpoints in production, overly permissive CORS, missing security headers.
Insufficient Logging: APIs lacking audit trails for security-relevant operations, hindering breach detection and investigation.
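The BOLA and mass assignment entries above can be seen side by side in one update handler. This is an added example, not code from the original page: the in-memory store, the function names, and every field name other than `isAdmin` are hypothetical, and the records are constructed.

```python
import copy

class Forbidden(Exception):
    """Caller may not act on this object."""

class BadRequest(Exception):
    """Request carries fields the client may not set."""

# Constructed sample records; field names other than isAdmin are assumptions.
SEED = {
    1: {"id": 1, "email": "alice@example.test", "isAdmin": False},
    2: {"id": 2, "email": "bob@example.test", "isAdmin": False},
}
EDITABLE = {"email", "display_name"}  # allow-list of client-writable fields

def new_store():
    """Return a fresh copy of the sample data."""
    return copy.deepcopy(SEED)

def update_vulnerable(store, caller_id, target_id, body):
    # BOLA: target_id comes from the request and is never tied to the caller.
    # Mass assignment: every submitted key is bound to the record.
    store[target_id].update(body)
    return store[target_id]

def update_hardened(store, caller_id, target_id, body):
    caller = store[caller_id]
    # Object-level check: only the owner or an admin may modify the record.
    if caller_id != target_id and not caller["isAdmin"]:
        raise Forbidden(f"user {caller_id} cannot modify user {target_id}")
    # Bind only allow-listed fields; reject instead of silently dropping the
    # rest so the attempt surfaces in error logs.
    extra = set(body) - EDITABLE
    if extra:
        raise BadRequest(f"fields not writable: {sorted(extra)}")
    store[target_id].update(body)
    return store[target_id]
```

The hardened handler derives authority from the authenticated caller rather than from identifiers in the request, and it treats the set of writable fields as an explicit contract.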
Mobile Application Vectors:
Mobile apps introduce additional attack surface:
The OWASP Top 10 (Web), OWASP API Security Top 10, and OWASP Mobile Top 10 provide authoritative catalogs of application attack vectors. These should inform application security testing and secure development practices. Update security awareness as these lists evolve.
Email and social engineering vectors target humans rather than systems. They exploit trust, authority, fear, urgency, and other psychological factors to manipulate users into taking harmful actions. These vectors remain the most common initial access method for both targeted and mass attacks.
Email-Based Vectors:
Social Engineering Techniques:
Beyond email, social engineering uses multiple channels and psychological techniques:
Pretexting: Creating a fabricated scenario (pretext) to engage victims. Attacker poses as IT support, vendor, job recruiter, or researcher—any role establishing legitimacy for requests.
Vishing (Voice Phishing): Phone-based social engineering. Caller ID can be spoofed to appear legitimate. Technical support scams, IRS impersonation, and bank fraud calls are common examples.
Smishing (SMS Phishing): Text message-based phishing. Often includes shortened URLs hiding malicious destinations. Package delivery scams, bank alerts, and verification requests are common themes.
Baiting: Offering something enticing (free software, USB drive in parking lot, movie download) that contains malware or leads to credential harvesting.
Quid Pro Quo: Offering a service in exchange for information or access. "Help desk" calls offering to fix problems if users provide credentials.
Tailgating/Piggybacking: Following authorized personnel through physical access controls without proper authentication.
| Principle | How Attackers Use It | Defense Strategy |
|---|---|---|
| Authority | Impersonate executives, IT, law enforcement | Verification procedures for sensitive requests |
| Urgency | Create artificial time pressure | Policies allowing time for verification |
| Fear | Threaten negative consequences | Culture where employees feel safe to verify |
| Reciprocity | Small favors before big requests | Awareness of manipulation techniques |
| Social Proof | "Everyone else is doing it" | Clear policies on acceptable practices |
| Scarcity | Limited time offers, exclusive access | Skepticism of too-good-to-be-true offers |
Technical controls (email filtering, link analysis, attachment sandboxing) are essential but insufficient against social engineering. Well-crafted attacks bypass filters. Building effective 'human firewalls' requires ongoing awareness training, simulated phishing exercises with educational follow-up, and organizational culture that makes verification normal rather than suspicious.
Supply chain attack vectors compromise organizations through their suppliers, partners, software dependencies, or service providers. Rather than attacking the target directly, attackers compromise a trusted third party whose products or access flow to the ultimate target.
Supply chain attacks are particularly dangerous because they:
Categories of supply chain vectors:
Case Study: SolarWinds (SUNBURST)
Attack Flow:
Why It Succeeded:
Lessons:
Defense includes: vendor security assessments before onboarding, contractual security requirements, limiting vendor access to minimum necessary, monitoring vendor activity, software composition analysis for dependencies, code signing verification, and incident response plans for supply chain compromises. Perfect protection is impossible—focus on detection and limiting blast radius.
Physical attack vectors require attacker presence at or near facilities, devices, or people. While remote attacks dominate headlines, physical vectors can bypass sophisticated technical controls and often receive insufficient security attention.
Categories of physical vectors:
Physical Pen Test Scenarios:
Professional security assessments commonly test physical vectors:
Scenario 1: Delivery Impersonation. Testers pose as delivery personnel with a package addressed to a specific employee. Goal: get inside the building, observe security practices, plant a device.
Scenario 2: USB Drop Test. Branded USB drives left in parking areas and common spaces. Drives phone home when inserted, measuring human vulnerability without actual malware.
Scenario 3: After-Hours Testing. Attempting building access during non-business hours when security staffing is reduced. Testing perimeter controls, cleaning crew access, and alarm response.
Scenario 4: New Employee. Tester arrives claiming to be a new employee whose access hasn't been set up yet. Tests helpfulness exploitation and visitor management.
Physical Security Layers:
Physical and cyber security must be integrated. Physical compromise enables cyber attacks (installing keyloggers, accessing consoles, planting rogue devices). Cyber compromise can enable physical attacks (disabling alarms, bypassing access control). Security operations should span both domains.
Real-world attacks rarely use a single vector in isolation. Sophisticated attackers chain multiple vectors and techniques through progressive attack stages. Understanding attack chains helps defenders identify multiple intervention opportunities.
The Cyber Kill Chain Model:
Lockheed Martin's Cyber Kill Chain provides a framework for understanding attack progression:
Attack Chain Example: Enterprise Ransomware
Defensive Implication:
Each stage presents detection and prevention opportunities. Defense-in-depth means even if one control fails, subsequent stages can be blocked or detected. The goal is breaking the chain before objectives are achieved.
| Phase | Detection Opportunities | Prevention Controls |
|---|---|---|
| Reconnaissance | Honeypots, login monitoring, OSINT awareness | Information control, attack surface reduction |
| Delivery | Email filtering, web filtering, EDR | Sandboxing, content inspection, MFA |
| Exploitation | EDR, application logging, behavior analysis | Patching, application whitelisting, isolation |
| Installation | EDR, integrity monitoring, autoruns review | Application control, least privilege |
| C2 | Network monitoring, DNS analysis, proxy logs | Egress filtering, DNS filtering, network segmentation |
| Objectives | DLP, behavior analytics, SIEM correlation | Encryption, access controls, backups |
The MITRE ATT&CK framework extends kill chain thinking with detailed matrices of adversary tactics and techniques. It maps observed attack behaviors to detection and mitigation strategies. Using ATT&CK for security gap analysis identifies which techniques you can—and cannot—currently detect or prevent.
This page has examined the pathways attackers use to reach and exploit vulnerabilities. From remote network exploitation to in-person social engineering, attack vectors span every layer of the technology stack and organizational boundary.
With threat types, attackers, vulnerabilities, and attack vectors now understood, we have a comprehensive view of the threat landscape. The final page of this module addresses risk assessment—the structured methodology for evaluating and prioritizing security concerns based on threat, vulnerability, and impact analysis.