Attack Vector vs. Attack Surface

Two often confused terms in the infosec world are Attack Vector and Attack Surface. These two interrelated terms are important to understand if you want to maintain a strong cybersecurity posture.

What is your Attack Surface?

Your attack surface is the sum of all of the points on your enterprise network where an attacker can attempt to gain unauthorized access to your information systems. Basically, this represents the number of different ways/techniques that an adversary can use to gain unauthorized access to your company’s data (via any of your assets). It includes all vulnerabilities or security issues at any of your endpoints that can be exploited to carry out a security attack. Your enterprise attack surface also includes your users and the various permutations and combinations of ways in which they can be tricked by an attacker to result in a breach of your enterprise.

The amount of cyber risk is different at different parts of the attack surface, which means that different parts of your attack surface are not equally important from a business viewpoint.

Figure: The Enterprise Attack Surface

What is an Attack Vector?

Attack vectors are the specific methods that adversaries use to breach or infiltrate your network. Attack vectors take many different forms, ranging from malware and ransomware, to man-in-the-middle attacks, compromised credentials, and phishing. Some attack vectors target weaknesses in your security and overall infrastructure, others target weaknesses in the humans that have access to your network.

Some of the commonly used attack vectors are:

  1. Compromised or Stolen Credentials
  2. Weak Credentials
  3. Software vulnerabilities aka CVEs
  4. Missing or Poor Encryption
  5. Missing or Poor Authentication
  6. Misconfigurations
  7. Phishing
  8. Malicious Insider
  9. Trust Relationships
  10. Denial-of-Service

For a medium to large-sized enterprise, the attack surface can be gigantic: hundreds of thousands of assets times hundreds of attack vectors. This means that your attack surface is made up of tens of millions to hundreds of billions of elements that must be monitored continuously by your cybersecurity team – no easy feat!

The picture below is a more detailed illustration of your attack surface. The x-axis represents all your assets – everything from servers, desktops, laptops, network infrastructure such as WiFi access points, network switches and routers, to managed and unmanaged devices, IoT devices and cloud applications, and more. The y-axis represents the hundreds of attack vectors available to your adversaries, ranging from simple things like weak passwords, to more complex things like phishing, unpatched software, encryption issues, misconfiguration, etc.

Figure: Attack surface. The x-axis represents your assets and the y-axis represents attack vectors.

Attack Vectors in the Equifax Breach

Let’s take the Equifax breach of 2017 as an illustrative example of attack surfaces and attack vectors. It is likely that, when planning the breach, the adversaries looked at all externally exposed assets (the external facing portion of the Equifax attack surface) until they found a weakness. In this case, the weakness was an unpatched vulnerability in a public-facing web server. The initial attack vector targeted that vulnerability. From there, the attackers now had internal access to Equifax and a broader addressable attack surface.

The next vectors in the Equifax breach leveraged trust relationships and compromised credentials. Since Equifax hadn’t properly segmented and isolated assets on their network, the attackers were able to move laterally, eventually finding a server that stored usernames and passwords in cleartext, giving them access to even more assets. On it went, until critical data was eventually exfiltrated from the Equifax network.

Figure: Example of multiple attack vectors used in the Equifax breach

Types of Attack Surface

There are many ways to classify and categorize the enterprise attack surface. Three of the common methods are by type, by exposure and by attack vector. The table below summarizes the various classifications.

Table: Types of attack surface (by type, by exposure and by attack vector)

Digital Attack Surface vs Physical Attack Surface

Let’s first borrow an analogy from real life. Imagine your house as an organization.

The physical attack surface of your house would include all its physical points of entry, such as main doors, windows, balconies, an alternate entrance, and garage doors. If these entry points are not secured, your house could be vulnerable to attacks such as theft. You can secure the physical attack surface by installing strong locks, grills, security cameras, and alarms to deter intruders.

The digital attack surface of your house refers to all its digital entry points, such as the Wi-Fi network, mobile phones, laptops, desktop computers, IoT devices, open ports, and more. These digital entry points could be vulnerable to cyber-attacks, such as malware, phishing, denial-of-service, ransomware, etc., if they are not secured properly. Your digital attack surface can be secured by gaining real-time understanding of your cyber risk, comprehensive visibility into the asset inventory, embracing risk-based vulnerability management, leveraging security controls, and improving overall cyber-hygiene by using strong passwords, regularly updating software, and more.

Digital attack surface breach example:

The Atlassian JIRA data exposure incident in 2019 was one of the most significant exploits of a misconfiguration. JIRA project management software is used by 100,000 plus organizations. The misconfiguration issue was due to permissions being wrongfully assigned when a user created a filter or dashboard in JIRA. By default, access was set to “All users” and “Everyone” (public). Additionally, due to an authorization misconfiguration, the user selection feature listed every user’s username and email address. The exposed data could have provided attackers with access to a broad range of information including employee roles, employee names, email ids, upcoming milestones, secret projects, and features.

Physical attack surface breach example:

In 2018, West Virginia-based Coplin Health Systems notified that the data of 43,000 patients had been breached after the theft of an unencrypted laptop. An employee's laptop was stolen from a car, and apparently the data on the laptop wasn't encrypted. Attacks involving insiders or hardware theft are considered part of the physical attack surface.

The following table further outlines the differences between a digital attack surface and a physical attack surface.

Table: Key Differences between Digital Attack Surface and Physical Attack Surface

Other Attack Surface Related Topics

Related topics that might be of interest to you are attack surface management, vulnerability management, asset discovery/inventory and cyber risk quantification.

Frequently Asked Questions

What are attack surface examples?

The elements that comprise your cybersecurity attack surface are essentially all the software (and firmware) that runs in your enterprise, including on your servers, desktops, laptops, smartphones, tablets, network infrastructure and your applications (in a traditional data center or in the cloud). Each element can be compromised via (often hundreds of) attack vectors. Your users (employees and contractors) are also part of your attack surface.

What are the types of attack surface?

There are various ways to classify your attack surface.

  1. By Type. The three types are Digital Attack Surface (your software), Social Engineering Attack Surface (your users) and Physical Attack Surface (your physical computers/devices). The first two types are more relevant in cybersecurity while the third takes us into the realm of physical security.
  2. By Exposure. External Attack Surface (your attack surface elements that are exposed to the Internet, e.g., public web servers), and Internal Attack Surface (the assets you have placed behind your corporate firewalls, non-external-facing, e.g., internal servers). Your External Attack Surface can be directly targeted by attackers, while Internal Attack Surfaces are leveraged by attackers to move around (“lateral movement”) within your enterprise network after they have established an initial beachhead.
  3. By Attack Vector. Some people like to classify their attack surface by attack vectors. In 2022, some of the most commonly used attack vectors are:
    • Compromised or Stolen Credentials
    • Weak Credentials
    • Software vulnerabilities aka CVEs
    • Missing or Poor Encryption
    • Missing or Poor Authentication
    • Misconfigurations
    • Phishing
    • Malicious Insider
    • Trust Relationships
    • Denial-of-Service

What is Attack Surface Management?

Attack surface management refers to the continuous processes required to mitigate cyber risk. It includes risk assessment tasks such as asset discovery, vulnerability assessments, penetration testing and cyber risk quantification, as well as the deployment and management of security controls and vulnerability management processes – everything that cybersecurity teams do to map and protect the attack surface. The goal of attack surface management is to mitigate cyber risk to acceptable levels by reducing the likelihood and impact of future cyber attacks.

How do you limit your attack surface?

Limiting, reducing/shrinking and hardening your attack surface involves an iterative and continuous process with the following steps:

  1. Enumerate your attack surface (asset discovery, vulnerability assessments, penetration testing)
  2. Prioritize attack surface elements by risk (cyber risk quantification)
  3. Remove apps and devices you don’t need.
  4. Review configurations of all Internet-facing assets to minimize complexity of software exposed. Turn off features and services you don’t need.
  5. Implement rigorous vulnerability management (patching) practices for Internet-facing assets (servers, infrastructure assets and end-user devices)
  6. Implement strong access control (e.g., multi-factor authentication) and protective controls (e.g., web-application firewalls) for Internet facing servers and infrastructure assets.
  7. Implement strong protection for all end-user computing devices (e.g., browser security and EDR)
  8. Repeat steps 1-7 continuously.
  9. Also perform these steps for non-Internet-facing assets.
  10. Deploy network segmentation and/or zero trust throughout your network to limit the impact of attacks that might compromise a small number of your assets
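As an added example (not code from the original page), the following Python script models the assets-times-attack-vectors matrix described above and walks through steps 1, 2, 3, 5 and 6 of the procedure: it enumerates every (asset, vector) element, scores each by risk with Internet-facing assets weighted higher, prioritizes, and then shows how removing an unneeded asset, patching and adding MFA shrink the total. All asset names, findings and weights are constructed for illustration.

```python
# Constructed asset inventory (hypothetical names, not from the original page).
# exposure: "external" = Internet-facing, "internal" = behind the firewall.
ASSETS = {
    "web-01":     {"exposure": "external", "impact": 8,  "needed": True},
    "vpn-gw":     {"exposure": "external", "impact": 9,  "needed": True},
    "legacy-ftp": {"exposure": "external", "impact": 4,  "needed": False},
    "db-01":      {"exposure": "internal", "impact": 10, "needed": True},
    "laptop-42":  {"exposure": "internal", "impact": 5,  "needed": True},
}

# Likelihood (0-1) that an open finding of this vector type gets exploited;
# constructed weights, vectors taken from the list on the page.
VECTOR_LIKELIHOOD = {
    "weak_credentials": 0.6,
    "unpatched_cve": 0.7,
    "misconfiguration": 0.4,
    "missing_encryption": 0.3,
}

# Constructed findings: which vectors are currently open on each asset.
FINDINGS = {
    "web-01": {"unpatched_cve", "misconfiguration"},
    "vpn-gw": {"weak_credentials"},
    "legacy-ftp": {"weak_credentials", "missing_encryption", "unpatched_cve"},
    "db-01": {"missing_encryption"},
    "laptop-42": {"unpatched_cve", "weak_credentials"},
}

def enumerate_surface(assets, findings):
    """Step 1: every (asset, vector) pair that is currently exploitable."""
    return [(a, v) for a in assets for v in findings.get(a, ())]

def score(asset, vector, assets):
    """Step 2: risk = likelihood x impact, doubled for Internet-facing assets."""
    mult = 2.0 if assets[asset]["exposure"] == "external" else 1.0
    return VECTOR_LIKELIHOOD[vector] * assets[asset]["impact"] * mult

def prioritize(assets, findings):
    """Highest-risk attack surface elements first."""
    elems = enumerate_surface(assets, findings)
    return sorted(elems, key=lambda e: score(e[0], e[1], assets), reverse=True)

def total_risk(assets, findings):
    return round(sum(score(a, v, assets) for a, v in enumerate_surface(assets, findings)), 2)

def reduce_surface(assets, findings, mfa_on, patched):
    """Steps 3, 5, 6: drop unneeded assets; MFA closes weak credentials; patching closes CVEs."""
    kept = {a: m for a, m in assets.items() if m["needed"]}
    new_findings = {}
    for a in kept:
        open_vectors = set(findings.get(a, ()))
        if a in mfa_on:
            open_vectors.discard("weak_credentials")
        if a in patched:
            open_vectors.discard("unpatched_cve")
        new_findings[a] = open_vectors
    return kept, new_findings
```

Running `prioritize(ASSETS, FINDINGS)` puts the unpatched external web server first, and `reduce_surface` followed by `total_risk` shows the remaining risk after the cheap reductions are applied.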
