Attack Surfaces
All the points at which a malicious actor could try to exploit a vulnerability.
Any location or method where a threat actor can interact with a network port, app, computer, or user is part of a potential attack surface. To reduce the surface, one needs to restrict access to only a few known endpoints, protocols/ports, and services/methods. Constant assessment is necessary for vulnerabilities and intrusions to be detected and mitigated.
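As an added example (not part of the original notes), the sketch below audits a host's listening TCP sockets against an allowlist, which is one way to carry out the "restrict to known ports and reassess constantly" advice above. The `ss -H -tln` output is a constructed sample, and the approved-port policy and function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 128  0.0.0.0:22      0.0.0.0:*
LISTEN 0 511  127.0.0.1:6379  0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3306    0.0.0.0:*
LISTEN 0 128  [::]:443        [::]:*
LISTEN 0 128  *:8080          *:*
LISTEN 0 128  [::1]:5432      [::]:*
"""

# Assumed policy for this example: the only ports approved for network exposure.
APPROVED_REMOTE_PORTS = {22, 443}


def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN row."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        yield addr.strip("[]"), int(port)


def is_loopback(addr):
    """True when the socket is bound to loopback only (reachable from the host itself)."""
    if addr == "*":  # ss prints * for a dual-stack wildcard bind
        return False
    return ipaddress.ip_address(addr.split("%")[0]).is_loopback


def audit(ss_output, approved=APPROVED_REMOTE_PORTS):
    """Classify listeners: approved exposure, unapproved exposure, local only."""
    report = {"approved": [], "unapproved": [], "local_only": []}
    for addr, port in parse_listeners(ss_output):
        if is_loopback(addr):
            report["local_only"].append(port)
        elif port in approved:
            report["approved"].append(port)
        else:
            report["unapproved"].append(port)
    return {k: sorted(set(v)) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, ports in audit(SAMPLE_SS).items():
        print(f"{bucket}: {ports}")
```

Anything in the "unapproved" bucket is surface that should be closed, rebound to loopback, or added to the policy deliberately; running the audit on a schedule covers the constant-assessment part.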
Threat vectors are the specific paths that an attacker can use to penetrate network defenses. Sophisticated threat actors make use of multiple vectors. They might plan out a multistage attack instead of a "smash and grab" (CROODS REFERENCE!) raid.
Vulnerable Software Vectors
Vulnerable software contains a flaw in its code or inherent design that is exploitable to circumvent access control or to simply crash the program. Security patches from the app's vendor usually fix these flaws, but due to the increasing complexity of modern software design, vulnerabilities are bound to be found given time.
Unsupported Systems and Applications
Software for which the vendor no longer releases updates or security patches. This means that exploits are almost guaranteed to be found over time, and organizations usually need to phase out usage of that software for security reasons.
Client-based vs. Agentless
Scanning is a core step of reconnaissance, in which scanning software helps organizations automate the discovery and classification of software vulnerabilities. Threat actors do the same thing, but for the purpose of finding and exploiting said vulnerabilities. The scanning software can be implemented as a client-based agent that runs as a process on each host. Each host then reports to a central management server, from which detection and prevention can be carried out on a network-wide level. However, attackers are more likely to use agentless scanning, to avoid detection and to minimize setup time (no installation required!).
Network Vectors
Vulnerable software can allow actors to perform arbitrary code execution (ACE) on the host system. However, the threat actor needs to do this from somewhere, either remotely or locally. A remote vector means that the threat actor sends code over a network, without being authenticated by the system. A local vector means that the session is authenticated on the target system. While it's true the actor could send the code to be executed over the local network, they'd still need to hijack an active session or conjure up a valid set of credentials to initialize the session.
Networks