If you’re going to stop the attack, you have to know where the attack is focused. In this video, you’ll learn about direct access, wireless, email, supply chain, and many other attack vectors.
The attack vector is the method that the attacker will use to gain access to your computer or your network. They are trying to find all of the different ways that they could somehow get around the existing security and find their way to the inside of your network. As you’ll see as we go through this video, the attackers spend a lot of time trying to find these vulnerabilities.
All they need is that one single vulnerability, and they’ve now gained access to the target. As a security professional, you’ll spend a lot of time watching these attack vectors. You’re going to be patching a lot of systems to close existing vulnerabilities, and you’ll be of course watching to see if someone takes advantage of other attack vectors that simply have not yet been discovered.
If an attacker has direct access to the hardware that is running an operating system, they have a lot of attack vectors available to them, and with physical access they will usually find a way into that operating system. This is one of the reasons why data centers are locked up and are usually very highly secured. With many operating systems, you can reboot the system into a single-user, recovery, or safe mode, reset an administrative password, and reboot again with full access to the operating system. This is a very common attack vector, and there are controls that make it harder: a firmware or boot-loader password, disabling boot from removable media, and full-disk encryption, so that the disk cannot be modified or read without the key. Even so, these controls are difficult to make airtight against someone who has the equipment in their hands.
Another common direct access attack vector is a hardware keylogger. Server keyboards are often attached directly to the system, and administrators walk up to the console and type in their usernames and passwords. The attacker unplugs the keyboard and inserts a small keylogger inline, right in the middle between the keyboard and the server.
These devices are very small, and you may not even realize one is connected to your computer. The keylogger stays on the system for some period of time, and then the attacker stops back by, removes it, and reads out everything that was typed on that keyboard while it was attached.
Another direct access vector is to connect a flash drive or some other type of portable media and copy files from the server onto media that leaves the building with you. And of course, someone with physical access to the computer can simply pull the power cord, or pour water into the system, and create a denial of service.
On wireless networks, there are a number of attack vectors you have to be aware of. Of course, you have to make sure that your access point is secure. Usually these have usernames and passwords to authenticate the administrator into the system, and you want to be sure you’re not using the default credentials, which of course will be very easy for an attacker to use.
You also have to make sure that your network is not designed to allow rogue access points. A rogue access point is an unauthorized wireless access point that someone brings in and plugs into a wall jack. If one of your end users can do that, they have effectively turned on a wide-open access point that anyone nearby can use to reach your internal network. Port security and 802.1X network access control on the wired side mean an unknown device plugged into a switch port gets no access, which takes most of the sting out of this vector.
A more malicious form of a rogue access point is an evil twin. An evil twin is specifically designed to be a hacking tool, and it’s made to emulate or look very similar to the access points that are already on your network. This evil twin is designed to fool your users and get them to connect to the evil twin access point instead of the legitimate corporate access point. Once your users are sending data to this malicious access point, the attacker is able to see all of the data going by and even change that data by using an on-path attack.
You also have to make sure that your access points and your clients are running current software and protocols. For example, in 2017 a vulnerability was found in the WPA2 four-way handshake that affected many clients: a key reinstallation attack called KRACK, which tricked the client into reinstalling an already-used key and reusing nonces, so that an attacker within radio range could decrypt, and in some configurations inject, traffic. It did not recover the Wi-Fi password, and it was resolved quickly by patching most wireless clients. There are also older encryption technologies with significant weaknesses, such as WEP and the original WPA with TKIP, so you want to be running WPA2 with AES/CCMP or WPA3 on your wireless access points and disable the legacy modes.
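The checks described for rogue access points, evil twins, and legacy encryption can be automated against a wireless scan. The following is an added example, not code from the original video; the corporate SSID, the list of known BSSIDs, and the scan results are all constructed, and in practice the sightings would come from a tool like `iw dev wlan0 scan` or a wireless controller's export.

```python
"""Audit a Wi-Fi scan for evil-twin / rogue APs and legacy security settings.

Added example. The corporate SSID, the owned BSSIDs and the scan results are
constructed for illustration.
"""
from dataclasses import dataclass

# Hypothetical corporate SSID and the BSSIDs (AP radio MACs) we actually own.
CORP_SSID = "CorpWiFi"
KNOWN_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}

# Security modes as a scanner might report them. Only these are acceptable;
# everything older (OPEN, WEP, WPA-TKIP) is treated as weak.
ACCEPTABLE = {"WPA2-CCMP", "WPA3-SAE"}
LEGACY = {"OPEN", "WEP", "WPA-TKIP"}


@dataclass(frozen=True)
class ApSighting:
    ssid: str
    bssid: str
    security: str   # "OPEN", "WEP", "WPA-TKIP", "WPA2-CCMP", "WPA3-SAE"
    signal_dbm: int  # higher (closer to 0) means a stronger, nearer radio


def audit(sightings):
    """Return a list of (severity, bssid, reason) findings for one scan."""
    findings = []
    for ap in sightings:
        bssid = ap.bssid.lower()
        if ap.ssid == CORP_SSID:
            if bssid not in KNOWN_BSSIDS:
                # Our SSID broadcast from a radio we do not own: evil twin
                # candidate until someone proves otherwise.
                findings.append(("high", bssid,
                                 f"evil twin candidate: {ap.ssid} "
                                 f"({ap.security}, {ap.signal_dbm} dBm)"))
            elif ap.security not in ACCEPTABLE:
                # One of our own APs left on a legacy or open configuration.
                findings.append(("high", bssid,
                                 f"corporate AP using weak security {ap.security}"))
        elif ap.security in LEGACY and ap.signal_dbm > -60:
            # A strong, weakly secured AP that is not ours: likely a rogue AP
            # on the premises rather than a distant neighbour.
            findings.append(("medium", bssid,
                             f"strong unknown AP '{ap.ssid}' with {ap.security}"))
    return findings


# Constructed scan: one healthy corporate AP, one evil twin, one corporate AP
# misconfigured with TKIP, one rogue WEP AP, and a distant neighbour.
SAMPLE_SCAN = [
    ApSighting("CorpWiFi", "00:11:22:33:44:01", "WPA2-CCMP", -45),
    ApSighting("CorpWiFi", "DE:AD:BE:EF:00:01", "OPEN", -38),
    ApSighting("CorpWiFi", "00:11:22:33:44:02", "WPA-TKIP", -50),
    ApSighting("Guest-Printer", "AA:BB:CC:DD:EE:FF", "WEP", -52),
    ApSighting("NeighborNet", "12:34:56:78:9A:BC", "WPA2-CCMP", -80),
]

if __name__ == "__main__":
    for severity, bssid, reason in audit(SAMPLE_SCAN):
        print(f"[{severity}] {bssid}: {reason}")
```

The BSSID allowlist catches the lazy evil twin that only copies the SSID. A more careful attacker can clone the BSSID as well, so a production wireless IDS also compares channel, signal strength, and beacon characteristics against what the real AP should look like from a given sensor.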
Email has traditionally been a very successful attack vector for threat actors, and that’s because so many people have an email account. The attackers can send phishing links through email and gather personal information directly from the end user, or they may be attaching malware or other malicious software to the email and having people launch that software from their email client. This is also a great place to perform social engineering attacks, like sending in a fake invoice and convincing people to pay a bill that is not legitimate. This is one of the largest and most difficult attack vectors to manage, and if you’re someone working in IT, you’re probably very focused on keeping all of your email messages as secure as possible.
It’s very likely that most of the things in your organization were purchased from a third party. There’s an entire supply chain designed to provide you with these products, and many different manufacturers and entities were connected with that supply chain until it reached you. Each one of those steps along the way is an attack vector, so it’s important that you know exactly where your technology comes from and that it is as safe as possible.
In the 2013 credit card breach at Target, the attackers took advantage of the supply chain to get into the Target network. They used credentials stolen from one of Target's third-party vendors, a company that had remote access to Target's network. Once inside, the attackers moved through the internal network until they reached the point-of-sale systems at Target stores, which is where the card data was captured.
A good example of using the supply chain to disrupt a process was the Stuxnet worm, discovered in 2010. Widely attributed to a joint United States and Israel operation, it targeted Iran's uranium enrichment program and damaged the centrifuges used for enrichment, reaching a facility that was not connected to the internet by way of infected removable media, apparently carried in through outside contractors. And in 2020, network administrators started to notice that some of their Cisco switches weren't exactly what they expected: at least two models turned out to be counterfeit hardware that did not originate from Cisco. Where the switches came from and what their purpose was remains something of a mystery, but it certainly speaks to how important it is to secure your supply chain.
Attackers can gather a lot of information from social media, and sometimes it's too much information. Just by watching someone's timeline, they may be able to determine where you are and when you visited a location, or they might see that you're on vacation for two weeks and nowhere near your home. Social media is also a rich source for defeating account recovery.
Password-reset questions ask for things like where you were born, when you were born, or the name of your school mascot, and all of that may be sitting right in your profile. That information lets an attacker pass the reset process and take over the account, which is why knowledge-based questions are a weak substitute for a real second factor. There is also more than one example of someone posing as a friend to get access to a social media account, so you have to be very careful about who you allow near your data and who is kept on the outside and away from your personal information.
One way to get at data that isn't normally reachable is to go around the existing security technologies entirely. For example, get on the inside and connect a device that lets you carry data out of the organization. That is very easy with a USB drive, and attackers use USB connections constantly to gather information and circumvent network-based security controls.
This type of attack may be the only option when a particular area of a network isn't connected to the internet. It may be air gapped, with no network path to reach it at all. But if you can get an infected USB drive plugged in, you may be able to infect the system and have it stage whatever it collects on removable media that is later carried back out, or find some other path out to the attacker.
As we mentioned in an earlier video, a USB device may look just like a flash drive but enumerate as a keyboard (a USB HID device). The instant you plug it in, it starts typing scripted keystrokes as if a person were at the keyboard, opening a command prompt and running commands in seconds. It's effectively an attacker on a chip inside the USB-connected device, and it makes it very easy to gain a foothold on a system. And of course, the storage capacity of flash drives keeps growing while the devices keep shrinking, which makes it very easy to plug in, copy a large amount of data, disconnect, and walk out of the building with everything that was on the inside.
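One practical defence against the removable-media and keystroke-injection vectors above is a device allowlist evaluated when something is plugged in. The following is an added example, not code from the original video: the interface classes are real USB constants, but the allowlist entries and the device records are constructed to resemble what the kernel exposes in sysfs or `lsusb -v`.

```python
"""Evaluate attached USB devices against an allowlist and flag BadUSB-style devices.

Added example. The allowlist and the device records are constructed; interface
class 0x03 is HID (keyboards, mice), 0x08 is mass storage, and HID boot
protocol 1 means keyboard.
"""
from dataclasses import dataclass

HID = 0x03
MASS_STORAGE = 0x08
HID_KEYBOARD = 1

# Hypothetical allowlist of the only keyboards that should ever be attached
# to these servers, as (vendor id, product id). Values are assumed.
ALLOWED_KEYBOARDS = {(0x1234, 0x0001)}


@dataclass(frozen=True)
class Interface:
    cls: int
    protocol: int = 0   # meaningful for HID: 1 = keyboard, 2 = mouse


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple


def presents_keyboard(dev):
    """True if any interface on the device enumerates as a HID keyboard."""
    return any(i.cls == HID and i.protocol == HID_KEYBOARD for i in dev.interfaces)


def evaluate(devices):
    """Return one (decision, device id, reason) per device; decision is
    'allow' or 'block'."""
    results = []
    for dev in devices:
        ident = f"{dev.vid:04x}:{dev.pid:04x} {dev.product!r}"
        classes = {i.cls for i in dev.interfaces}
        if HID in classes and MASS_STORAGE in classes:
            # A "flash drive" that also claims to be an input device is the
            # classic BadUSB / keystroke-injection pattern.
            results.append(("block", ident,
                            "storage device also presents a HID interface"))
        elif presents_keyboard(dev) and (dev.vid, dev.pid) not in ALLOWED_KEYBOARDS:
            # Any keyboard we did not explicitly approve, including a device
            # that looks like a flash drive but enumerates purely as a keyboard.
            results.append(("block", ident, "keyboard not on allowlist"))
        else:
            results.append(("allow", ident, "ok"))
    return results


# Constructed sample of what might get plugged into a server console.
SAMPLE_DEVICES = [
    UsbDevice(0x1234, 0x0001, "Approved Keyboard", (Interface(HID, HID_KEYBOARD),)),
    UsbDevice(0xaaaa, 0x0010, "Flash Drive", (Interface(MASS_STORAGE),)),
    UsbDevice(0xaaaa, 0x0010, "Flash Drive",
              (Interface(MASS_STORAGE), Interface(HID, HID_KEYBOARD))),
    UsbDevice(0xbbbb, 0x0020, "Flash Drive", (Interface(HID, HID_KEYBOARD),)),
]

if __name__ == "__main__":
    for decision, ident, reason in evaluate(SAMPLE_DEVICES):
        print(f"{decision:5} {ident}: {reason}")
```

On Linux this is the kind of rule USBGuard enforces at the kernel level before a device is authorized. Two limitations are worth knowing: a vendor and product id can be copied from a legitimate device, so a serious policy also pins serial numbers, and a passive inline hardware keylogger never enumerates as a USB device at all, so it is invisible to this check and only physical inspection or port locks will find it.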
Cloud-based applications have brought an entirely new set of attack vectors to consider. Very often, these applications are publicly facing, so it's not only important that the application itself is secure, but also the configuration of the platform underneath it. For example, if you're putting data in the cloud, you want to be sure that data is protected from prying eyes. The application should be the only thing with access to that data, but misconfigurations happen, and a storage bucket or database can end up opened to anyone on the internet who knows where to look.
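The storage misconfiguration described above is usually a policy that grants a wildcard principal read access. The following is an added example, not code from the original video: a small checker for S3-style bucket policies, with a constructed public policy beside a corrected one. The bucket name, account id, and role name are placeholders.

```python
"""Check an S3-style bucket policy for statements that expose objects to the world.

Added example. Both policies are constructed: the first is the misconfiguration
described in the text, the second restricts access to one (assumed) application
role.
"""
import json
from fnmatch import fnmatch

# Weak policy: anonymous read of every object in the bucket.
PUBLIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-data/*"}
  ]
}
""")

# Corrected policy: only the application's role (account and role name assumed).
FIXED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-data/*"}
  ]
}
""")


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous, unauthenticated access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _allows_object_read(actions):
    # Actions may carry wildcards ("s3:Get*", "s3:*", "*"); match them
    # against the one action that reads object contents.
    return any(fnmatch("s3:getobject", a.lower()) for a in _as_list(actions))


def public_read_statements(policy):
    """Return (Sid, verdict) for each Allow statement granting object reads to
    everyone. verdict is 'public' when unconditional and 'conditional' when a
    Condition block might narrow it and needs a human look."""
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _anyone(st.get("Principal")):
            continue
        if not _allows_object_read(st.get("Action", [])):
            continue
        verdict = "conditional" if st.get("Condition") else "public"
        hits.append((st.get("Sid", "<no sid>"), verdict))
    return hits


if __name__ == "__main__":
    print("weak policy:   ", public_read_statements(PUBLIC_POLICY))
    print("fixed policy:  ", public_read_statements(FIXED_POLICY))
```

This checker deliberately stays simple: it does not evaluate `NotPrincipal`, `NotAction`, or overlapping `Deny` statements, and bucket ACLs are a separate mechanism. Treat it as a pre-deployment lint, and keep the account-level "block public access" setting on as the real backstop.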
Attackers are very good at brute forcing logins on these publicly facing applications, whether by hammering one account with many passwords or by password spraying a few common passwords across many accounts, and they may also use phishing to have users hand over their own usernames and passwords. Attackers might also make you waste resources by driving up the load on a cloud service so that it scales out and creates additional instances. This doesn't give the attacker your data, but it certainly costs resources and money. And because these applications are public-facing, you have to plan for denial of service: anyone on the internet can reach the front door, so you want rate limiting, upstream DDoS protection, and the monitoring in place to detect and mitigate an attack.
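Both login-abuse patterns described above show up clearly in authentication logs if you count failures per source over a sliding window. The following is an added example, not code from the original video: a detector run over constructed log lines in a hypothetical format, flagging one source that hammers a single account and another that sprays one attempt across many accounts.

```python
"""Detect brute-force and password-spraying logins from an application auth log.

Added example. The log format and the sample lines are constructed; adapt
LOG_RE to the real login events of your application. Lines are expected to
be in time order for each source address.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return (timestamp, result, user, src), or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect(lines, window=timedelta(minutes=5), fail_threshold=10, spray_users=5):
    """Return a sorted list of (kind, src) alerts.

    'brute_force'    one source fails fail_threshold times within window
    'password_spray' one source fails against spray_users distinct accounts
                     within window (few failures per account, many accounts)
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures in window
    alerts = set()
    for line in lines:
        event = parse(line)
        if event is None:
            continue   # unparseable line; a real pipeline should count these too
        ts, result, user, src = event
        if result != "fail":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()   # slide the window: drop failures older than `window`
        if len(q) >= fail_threshold:
            alerts.add(("brute_force", src))
        if len({u for _, u in q}) >= spray_users:
            alerts.add(("password_spray", src))
    return sorted(alerts)


def _t(seconds):
    """Constructed timestamp `seconds` after 10:00:00 UTC on a fixed day."""
    return f"2024-03-04T10:{seconds // 60:02d}:{seconds % 60:02d}+00:00"


# Constructed log: 12 failures against one account from 203.0.113.5 in under
# a minute, one failure each against six accounts from 198.51.100.7, and a
# legitimate user who mistyped once before logging in. One line is garbage.
SAMPLE_LOG = (
    [f"{_t(i * 5)} login fail user=alice src=203.0.113.5" for i in range(12)]
    + [f"{_t(30 + i * 7)} login fail user=user{i} src=198.51.100.7" for i in range(6)]
    + [f"{_t(40)} login fail user=bob src=192.0.2.9",
       f"{_t(55)} login ok user=bob src=192.0.2.9",
       "this line does not match the expected format"]
)

if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG):
        print(f"{kind}: {src}")
```

Thresholds are the tuning knobs: a spray from a large botnet spreads the attempts across many source addresses, so a second pass keyed on the target account (or on the rate of failures across the whole tenant) is needed to catch that variant.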