SMS (Message Vector)
fraudulent text messages with malicious links or requests
Example: Text from “bank” asking to verify info
Attacks from ____ that are used to send phishing, malware, or exploit links
Instant Messaging (IM) (Message Vector)
Malicious links via apps like Slack, Teams, WhatsApp
Example: Friend’s account sends you a suspicious link
Image-based (Attack Vector/Threat)
Malicious code hidden in image files
Example: An attacker embeds JavaScript in a .png used in email phishing
File-based (Attack Vector/Threat)
Files used to exploit system vulnerabilities
Example: A malicious PDF with an embedded exploit payload
Voice call (Attack Vector/Threat)
Vishing: voice phishing for credentials
Example: "Bank" calls asking for your credit card info
Removable device (Attack Vector/Threat)
Malware delivered via USBs or external drives
Example: Found USB stick infects PC with ransomware when plugged in
Vulnerable Software
Outdated or misconfigured apps can be exploited
Client-based
Requires installation on user system
Example: Old Java app with buffer overflow vulnerability
Agentless
Web apps that don't need installation but can be exploited remotely
Example: Misconfigured SaaS application with weak auth
Unsupported Systems/Apps
No longer receive security updates, leaving them open to attack
Example: Windows XP PC in a hospital network being targeted
Unsecure Networks
Inadequately protected network connections
Wireless
Easy to intercept if unencrypted
Example: Public Wi-Fi without WPA3
Wired
Less targeted, but still vulnerable to physical access
Example: Plugging into open Ethernet port in office
Bluetooth
Short-range wireless that can be exploited
Example: Bluejacking or Bluesnarfing attacks on phones
Open Service Ports
Unmonitored open ports allow unauthorized access
Example: Port 22 (SSH) open to internet with default creds
Default Credentials
Using manufacturer usernames/passwords that are widely known
Example: Admin/admin on a router never changed
Supply Chain
Compromise through third-party vendors or software
MSPs (Managed service providers)
Attackers compromise managed service providers
Example: MSP breach gives attacker access to clients' networks
Vendors/Suppliers (Common Threat Vectors & Attack Surfaces)
Attackers tamper with software/hardware before delivery
Example: SolarWinds Orion update containing backdoor
Phishing (Human vector)
Deceptive emails to steal info
Example: Email from “HR” asking to reset password
Vishing (Human Vector)
Voice phishing
Example: Robocall pretending to be from the IRS
Smishing (Human Vector)
SMS-based phishing
Example: Text with fake delivery notice
Misinformation (Human Vector)
False info spread accidentally
Example: Fake COVID-19 updates on social media
Disinformation (Human Vector)
False info spread intentionally
Example: Malicious actor creates fake news to influence elections
Impersonation (Human Vector)
Pretending to be someone trustworthy
Example: Hacker poses as CEO to get wire transfer
Business Email Compromise (BEC) (Human Vector)
Targeted phishing to trick employees into sending money/data
Example: Spoofed email from CFO requesting urgent invoice payment
Pretexting (Human Vector)
Lying to obtain information
Creating a false identity or scenario to trick someone into revealing confidential information
Example: Pretending to be IT support to get login info
Watering Hole (Human Vector)
Compromising websites likely visited by target
Example: Infecting an industry forum site to target engineers
Brand Impersonation (Human Vector)
Faking trusted brands to gain access
Example: Spoofed PayPal login page
Typosquatting (Human Vector)
Registering fake URLs similar to real ones
Example: go0o0gle.com used to phish Google credentials