November 28, 2022

What is a Threat Vector? – Examples and Mitigations

  • Cybersecurity

What is a Threat Vector? 

A threat vector, also known as attack vector, is a method cyber criminals use to gain unauthorized access to computer systems and networks. Hackers exploit threat vectors to gain access to user accounts or load malicious software (malware) onto systems to launch cyber-attacks, with the aim of stealing sensitive information and causing system failures. The total number of all possible entry points (threat vectors) for unauthorized access into a system is known as its attack surface.   

Common threat vectors include malicious emails in phishing attacks, weak or stolen passwords, drive-by download attacks, web applications, and trusted relationships. These will be discussed in greater depth below.  

Threat Vectors

The Importance Knowing Threat Vectors 

It is well-established that cyber-attacks are frequent and cause significant losses and disruption. Statista reports that the average total cost per data breach worldwide is $4.35M USD in 2022, the highest on record. Given that threat vectors are the entry points into computer systems and networks, closing them will go a long way in preventing devastating cyber-attacks. In fact, keeping the attack surface as small as possible is a basic security measure.  

However, you first have to know your risks in order to mitigate them. So let’s take a look at the most common threat vectors and understand how they are exploited and how they can be mitigated.  

Examples of Threat Vectors and How to Mitigate Them 

 

  1. Phishing Emails

Phishing emails are fraudulent emails sent by attackers posing as trusted senders. This is a form of social engineering where email recipients are manipulated into aiding attackers to gain access. Victims are often lured into clicking on a link that downloads malware or takes them to a fake login page where their passwords are stolen once entered. Attackers may also lure victims into opening email attachments that are themselves malware or legitimate files embedded with malicious code. In other cases, victims are tricked into disclosing their usernames and passwords, which are then used to gain direct access to their accounts.  

 Ways to mitigate this threat vector: 

  • Educate staff on how to recognize phishing emails and conduct phishing drills. 
  • Deploy a next generation firewall (NGFW) integrated with malware detection and threat intelligence to block connections with malicious IP address and downloads of malware. 
  • Install endpoint security software with advanced threat detection capabilities such as Endpoint Detection and Response (EDR) solutions to detect unknown malware and suspicious behavior on endpoint devices.  
    Phishing emails threat
  1. Weak and Compromised Credentials

An effective way hackers launch cyber-attacks is by gaining access to valid accounts. This provides attackers with the user privileges and trust to evade security detection and operate with less scrutiny. Hackers have a myriad of ways at their disposal to gain access to valid accounts. For example, they can use password dictionaries and brute-force attack tools to crack weak passwords. Attackers enjoy great success with these methods due to the prevalent use of simple and default passwords. Alternatively, attackers can use compromised passwords, either obtained on the dark web or stolen by themselves through other attacks, to access accounts.   

Ways to mitigate this threat vector: 

  • Educate staff about password hygiene, such as setting strong passwords, avoiding password reuse, keeping passwords safe, and changing default passwords. 
  • Enable two-factor authentication (2FA) whenever possible. 
  • Set an account lockout policy that blocks access to the account after a defined number of failed password attempts. 
  • Use security tools that detect brute-force attacks. 
  • Use security tools that detect weak passwords and request users to change them. 
  • Use network detection and response (NDR) detect unusual account activity to uncover malicious use of valid accounts. 

 

  1. Web Applications

Web applications are programs and services that organizations make available for access on the internet. These include email, office suites, search bars, photo editors, and comments modules. However, vulnerabilities are often found in web applications, including the application servers hosting apps and databases that store their data. Because web applications are accessible on the internet, attackers can freely exploit their vulnerabilities to steal data or gain unauthorized access. For example, using the popular SQL injection attack, in which malicious queries are made to an SQL database, attackers can extract data such as passwords (in encrypted form) and credit card details.   

Ways to mitigate this threat vector: 

  • Use security tools that detect system vulnerabilities and install patches in time.  
  • Control access to the intranet from the public-facing network to prevent propagation.  
  • Deploy a dedicated web application firewall to detect and block web application attacks. 

Web applications threat 

 

  1. Drive-By Download Attack

A drive-by download occurs when malware is downloaded onto a device over the normal course of internet browsing, including legitimate and trusted websites. This happens because attackers have compromised the website with malicious code. In some cases, malware is downloaded after a user clicks on a link, a pop-up window, or advertisement. Attackers often masquerade their ads as attractive offers, warning messages, and browser update alerts to trick people into clicking. In other cases, malware is downloaded without any user interaction. This is made possible by vulnerabilities in the user’s internet browser that allows the attacker’s code to exploit it.   

Ways to mitigate this threat vector: 

  • Avoid clicking on any suspicious pop-ups and advertisements on websites. 
  • Keep browsers and plugins up to date, making sure to update through official channels. 
  • Deploy security tools such as NGFW, EDR and NDR to detect and respond to threats.  
  1. Remote Access Services 

Remote access services allow users to connect to remote systems and networks. Commonly used remote access services include virtual private networks (VPN) and Windows remote desktop services, which provide remote workers with complete access to their workstation using another device. However, threat actors can scan for instances of these remote connections on the internet. Once these are discovered, they can hack the connection by breaking into the user’s account using a brute-force attack or exploiting misconfigurations and vulnerabilities in the service. A successful breach of a remote connection gives hackers access to workstations and network resources just like normal users.   

Ways to mitigate this threat vector: 

  • Make sure remote access services are up to date to prevent exploitation of vulnerabilities. 
  • Set strong passwords for remote access service accounts and use 2FA when possible. 
  • Set an account lockout policy to prevent successful brute-force attacks. 
  • Disable remote access services for users who do not require them. 

Remote access threat

  1. Trusted Relationships

A trusted relationship in this context is an arrangement where a third-party organization is given access to the computer systems and network of another organization. This kind of trusted relationship is often found with managed service providers (MSP), third parties that remotely manage a customer's IT infrastructure and systems, and software suppliers. MSPs and software suppliers are often given elevated levels of privileges to render their services. Attackers can take advantage of these trusted relationships by launching attack against third-party service providers to gain unrestricted access to their customers’ systems and networks in what are known as supply chain attacks.  

Ways to mitigate this threat vector: 

  • Continuously assess the access privileges of third parties to ensure that only the required level of access to render the services is provided. 
  • Deploy NDR to detect irregular behavior by third parties.  
  1. Removable Media

Malware distribution using removable media has been around for a long time. The world’s first ransomware virus was spread using floppy disks back in 1989. However, this form of malware distribution to gain access to computer systems still exists today and is growing. Research from Honeywell indicates that 52% of threats are specifically designed to use USB drives, up from 32% the previous year, with 81% of industrial control systems at risk. In other cases, malware already on a system can copy itself onto any connected USB drives. This gives attackers access to remote systems, especially those on air-gapped networks.  

Ways to mitigate this threat vector: 

  • Disable the AutoRun feature for removable media. 
  • Prohibit removable media from connecting to network devices if they are not required. 
  • Set an automatic virus scan on removable media before they are allowed to connect. 

Removable media threat

 

  1. Insider Threats

Insider threats are threats that come from within an organization in the form of negligent and malicious employees. Negligent insiders are those who are generally aware of the organization’s security policies but choose to ignore them. For example, revealing their passwords and connecting to the intranet using public wi-fi or personal VPNs. These actions inadvertently give attackers an easy route into organization’s systems and networks. Malicious insiders are those who carry out malicious activities on purpose. They may have been bribed by threat actors to steal data like trade secrets and customer information or help them load malware onto systems.   

Ways to mitigate this threat vector: 

  • Establish measures that continuously educate and remind staff of security best practices. 
  • Prohibit the connection of removable media or the copying of data to removable devices. 
  • Use NDR to detect irregular behavior, such as large outbound data transmissions. 

  

How ForeNova Can Help 

At ForeNova, we understand that staying on top of all the risks in your network environment can be a tall order. That’s why we provide a risk assessment service, NovaTA, to help customers uncover all the risks, vulnerabilities, and existing threats inside their network. 

A picture containing text, person

Description automatically generated

  

NovaTA uses our state-of-the-art Network Detection and Response  solution, NovaCommand, to scan your entire network. This helps us gather information about all the assets connected to your network, including PCs, servers, mobile devices, and IoT devices. This ensures that no device is left unaccounted for and unprotected. NovaCommand and our experts combine to identify all security risks and weaknesses, such as operating system vulnerabilities and weak passwords.  

NovaCommand also uses machine learning to teach itself the normal behavior of your network. This enables it to detect irregular behavior on the network that likely indicate an existing threat. After a complete security risk assessment, our experts report their findings and provide you with recommendations on mitigating the identified risks. We also help you eradicate any threats and find out the root cause of the attack to plug the weakness and prevent future compromise.  

With NovaTA, you enjoy a professional risk assessment and remediation service that effectively minimizes your attack surface to safeguard your business. You can find more information on the NovaTA and NovaCommand pages and do not hesitate to contact us for any inquiries.