Two often confused terms in the infosec world are Attack Vector and Attack Surface. These two interrelated terms are important to understand if you want to maintain a strong security posture.
What is an Attack Surface?
Your attack surface is the set of all points where an adversary can attempt to gain entry to your information systems: every asset you own, together with every way that asset could be reached or abused. Put another way, it is the combination of your assets and the attack vectors that apply to them, not the techniques on their own. For a medium to large enterprise, the attack surface is enormous. Hundreds of thousands of assets, each potentially exposed to hundreds of attack vectors, means tens of millions to hundreds of millions of asset-and-vector combinations that have to be tracked continuously, which is no easy feat.
What is an Attack Vector?
Attack vectors are the methods adversaries use to breach or infiltrate your network. They take many forms, from malware and ransomware to man-in-the-middle attacks, compromised credentials and phishing. Some target weaknesses in your infrastructure and security controls; others target the people who have access to your network. Common attack vectors include:
- Compromised Credentials
- Weak and Stolen Credentials
- Malicious Insider
- Missing or Poor Encryption
- Trust Relationships
The chart below represents your attack surface as a matrix. The x-axis lists all of your assets: network infrastructure such as Wi-Fi access points and routers, managed and unmanaged devices, IoT devices, cloud applications and more. The y-axis lists the hundreds of attack vectors available to your adversaries, from simple ones such as weak passwords to more involved ones such as phishing, unpatched software, encryption weaknesses and misconfiguration. Every cell where a vector actually applies to an asset is a point on your attack surface, and the externally reachable cells are the ones an outside attacker sees first.
Equifax Breach Attack Vectors
Let’s take the Equifax breach of 2017 as an illustrative example of attack surfaces and attack vectors. When planning the intrusion, the attackers most likely enumerated Equifax’s externally exposed assets (the internet-facing portion of the Equifax attack surface) until they found a weakness. In this case, the weakness was an unpatched vulnerability in a public-facing web application (the Apache Struts flaw, CVE-2017-5638). The initial attack vector exploited that vulnerability. From there, the attackers had a foothold inside Equifax and a much broader addressable attack surface.
The next vector leveraged compromised credentials. Because Equifax had not properly segmented and isolated assets on its network, the attackers were able to move laterally, eventually finding a server that stored usernames and passwords in cleartext, which gave them access to still more assets. This continued until critical data was exfiltrated from the Equifax network.
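The asset-by-vector chart described above, and the way a foothold plus missing segmentation widens the addressable surface in the Equifax walkthrough, can both be made concrete with a small model. The following is an added example and is not code from the original article or from any vendor; the asset inventory, the vector predicates and the network zones are all constructed for illustration, and real inventories would come from asset management and scanning tools rather than a hand-written list.

```python
# Added example (not from the original article): models the article's
# asset-by-vector chart and shows how a foothold plus poor segmentation
# widens the addressable attack surface. The inventory, vector predicates
# and network zones below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                        # web, network, file, db, iot, ...
    zone: str                        # network segment the asset lives in
    external: bool                   # reachable from the internet
    unpatched: bool = False
    weak_auth: bool = False          # default/weak password or no MFA
    cleartext_secrets: bool = False  # stores credentials unencrypted


@dataclass(frozen=True)
class Vector:
    name: str
    applies: Callable[[Asset], bool]  # is this vector usable against the asset?


# Constructed inventory: the x-axis of the chart.
ASSETS: List[Asset] = [
    Asset("dispute-portal", "web", "dmz", external=True, unpatched=True),
    Asset("vpn-gateway", "network", "dmz", external=True),
    Asset("hr-share", "file", "corp", external=False, cleartext_secrets=True),
    Asset("customer-db", "db", "data", external=False, weak_auth=True),
    Asset("lobby-camera", "iot", "corp", external=False, weak_auth=True),
]

# Constructed vectors: the y-axis of the chart. "phishing" applies to no
# asset here, which is a legitimate empty row in the matrix.
VECTORS: List[Vector] = [
    Vector("unpatched software", lambda a: a.unpatched),
    Vector("weak or stolen credentials", lambda a: a.weak_auth),
    Vector("missing or poor encryption", lambda a: a.cleartext_secrets),
    Vector("phishing", lambda a: a.kind == "workstation"),
]

ZONES = {a.zone for a in ASSETS}
# Flat network: every zone can reach every other zone.
FLAT_FLOWS: Set[Tuple[str, str]] = {(s, d) for s in ZONES for d in ZONES if s != d}
# Segmented network: the DMZ may only talk to the data tier it needs.
SEGMENTED_FLOWS: Set[Tuple[str, str]] = {("dmz", "data")}

Cell = Tuple[str, str]  # (asset name, vector name)


def attack_surface(assets: List[Asset], vectors: List[Vector],
                   external_only: bool = False) -> List[Cell]:
    """Every cell of the chart where a vector actually applies to an asset.
    With external_only=True this is the internet-facing portion an outside
    attacker sees before gaining any foothold."""
    return [(a.name, v.name)
            for a in assets if a.external or not external_only
            for v in vectors if v.applies(a)]


def reachable(foothold: str, assets: List[Asset],
              flows: Set[Tuple[str, str]]) -> Set[str]:
    """Assets an attacker can address after compromising `foothold`, given
    the zone-to-zone flows the network permits (same-zone traffic is always
    allowed). This is reachability, not compromise: each further hop still
    needs a usable vector against the target."""
    by_name = {a.name: a for a in assets}
    seen, frontier = {foothold}, [foothold]
    while frontier:
        cur = by_name[frontier.pop()]
        for a in assets:
            if a.name not in seen and (a.zone == cur.zone or (cur.zone, a.zone) in flows):
                seen.add(a.name)
                frontier.append(a.name)
    return seen


def addressable_surface(foothold: str, assets: List[Asset], vectors: List[Vector],
                        flows: Set[Tuple[str, str]]) -> List[Cell]:
    """The part of the attack surface that becomes addressable from `foothold`."""
    names = reachable(foothold, assets, flows)
    return attack_surface([a for a in assets if a.name in names], vectors)


if __name__ == "__main__":
    print("full surface:    ", attack_surface(ASSETS, VECTORS))
    print("external-facing: ", attack_surface(ASSETS, VECTORS, external_only=True))
    for label, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        print(f"after foothold ({label}):",
              addressable_surface("dispute-portal", ASSETS, VECTORS, flows))
```

With this inventory the external-facing surface is a single cell (the unpatched portal), which is exactly the kind of entry point the Equifax attackers found. Once that portal is a foothold, the flat network exposes every remaining cell, including the file share holding cleartext credentials, whereas the segmented network leaves only the portal and its database tier addressable. Swapping in your own inventory and flow rules turns the same functions into a first-pass estimate of how much of your surface a single compromised host would unlock.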