Chapter 21 Β· Concepts

Threat Vector Concepts

Category tables, attack surface model, and supply chain attack flow.

Threat Vector Categories β€” All 11

VectorMethodKey RiskDefense
Message-BasedEmail, SMS (smishing), IM/DM β€” phishing links, malware attachments, social engineeringMost common initial access vector; SVG images can embed executable JavaScriptEmail security gateway, anti-phishing training, MFA, attachment sandboxing
Image-BasedSVG files β€” XML format can embed HTML injection or JavaScript; renders in browsersVisually indistinguishable from benign images; code executes on renderBrowser input validation, SVG content sanitization, block SVG attachments from email
File-BasedPDFs (scripts/objects), ZIP/RAR archives, Office macros, browser extensionsMalware hidden in trusted-looking document types; macros auto-executeDisable macros by default, restrict browser extensions, sandbox file analysis, password-protected archive inspection
Voice CallVishing (phone social engineering), SPIT (automated VoIP spam), war dialing, call tamperingBypasses technical controls entirely; exploits human social complianceCallback verification procedures, staff training, VoIP security, analog line inventory
Removable DeviceUSB malware delivery, HID keyboard emulation attacks, data exfiltrationBypasses all network-based defenses; bridges air-gapped networks; undetectable exfiltrationUSB port lockdown, device whitelisting, disable autorun, DLP on endpoints
Vulnerable SoftwareClient-based (installed apps with known/unknown CVEs); agentless (server-side, affects all clients simultaneously)Agentless: one compromised server exposes entire user population at loginPatch management, vulnerability scanning, defense in depth, software inventory
Unsupported SystemsEnd-of-life OS/firmware β€” no patches available for new CVEs discovered after EOLPermanent, unfixable vulnerability accumulation; single entry point can compromise whole networkAsset inventory, regular network scanning, upgrade/isolate/accept risk with compensating controls
Unsecure NetworksWireless (WEP/WPA protocols, open/rogue APs), wired (no 802.1X), Bluetooth (recon, implementation vulns)Unauthorized network access; traffic interception; rogue AP man-in-the-middleWPA3 for wireless, 802.1X for wired and wireless authentication, Bluetooth policies
Open Service PortsTCP/UDP listening ports β€” each service is a potential vulnerability or misconfigurationMore services = larger attack surface; forgotten services often have weak configurationsMinimize running services, firewall allow rules only for justified services, regular port audits
Default CredentialsFactory-set usernames/passwords never changed β€” any attacker can look them up onlineFull administrator access with no technical exploit; routerpasswords.com lists thousands of defaultsChange all defaults immediately on deployment; include credential audit in onboarding procedures
Supply ChainCompromised vendors/contractors, MSP access, tampered hardware/software, build pipeline injectionBypasses perimeter by entering through trusted relationships; MSP compromise = all customers compromisedVendor risk management, least privilege for third-party access, hardware authenticity verification

Attack Surface: More Services = More Risk

WHAT IS ATTACK SURFACE?

Attack surface is the total set of different points (attack vectors) where an unauthorized user can try to enter data to or extract data from an environment. Every service, port, protocol, application, user account, and network interface contributes to the attack surface.

The relationship is direct: every additional service running on a system = at least one additional port = at least one additional attack vector. Each service has its own vulnerability history, its own patch cadence, and its own potential for misconfiguration.

THE ACCUMULATION PROBLEM

Attack surface grows over time and is rarely cleaned up. Services are added for projects that end but the service stays running. Firewall rules are added for temporary access and never removed. Test environments persist into production. Vendor access accounts accumulate.

The result: an organization's actual attack surface is almost always larger than anyone believes. Regular audits β€” port scans, firewall rule reviews, access account reviews β€” are required to maintain an accurate picture of current exposure.

MINIMIZING ATTACK SURFACE

Disable unnecessary services: If a service doesn't need to run, stop it. A service that isn't running cannot be exploited.

Close unused ports: Firewall rules should explicitly deny all traffic except what is documented and justified.

Principle of least functionality: Systems should be configured to provide only the minimum capabilities required for their intended purpose β€” no more.

Remove unused software: Installed applications with no current use are attack surface with no benefit.

CLIENT-BASED vs. AGENTLESS

Client-Based Software: Installed locally on the endpoint. Vulnerabilities affect that specific device. Defense: patch the installed application on each device. Requires pushing updates across all endpoints.

Agentless Software: No local installation β€” client connects to a server session. Vulnerabilities live on the server. If the server is compromised, every client connecting to it is affected simultaneously β€” the entire user population, often without individual warning. Defense: secure the server; the client has nothing to patch.

Supply Chain Attack Flow

1
Target Hardened β€” Direct Attack Difficult
The ultimate target organization has strong perimeter defenses, mature security controls, and rapid detection capabilities. Direct attack attempts are likely to fail or be detected quickly. The attacker looks for a softer path in.
↓
2
Identify Trusted Third Party
Attacker maps the target's vendor relationships, contractors, MSPs, and software dependencies. Looks for an entity with privileged access to the target that has weaker security β€” HVAC vendor, IT service provider, software update server, hardware manufacturer.
↓
3
Compromise the Third Party
Attack the weaker link β€” phish the vendor's employees, exploit unpatched systems, inject code into the vendor's software build pipeline, or intercept hardware during shipping and install backdoors. The third party becomes the attacker's staging point.
↓
4
Leverage Trusted Access
Use the compromised third-party's legitimate, authenticated access to reach the ultimate target. The connection arrives from a trusted source β€” a known vendor's IP, a signed software update, a contractor's authorized credentials. Perimeter controls allow the traffic because it looks legitimate.
↓
5
Lateral Movement to High-Value Target
From the initial foothold (vendor network segment, software update infrastructure), move laterally toward the actual target systems β€” POS terminals (Target breach), domain controllers, intellectual property repositories, or critical infrastructure.
↓
6
Achieve Objective β€” Data Theft / Persistence / Sabotage
Execute the mission: steal payment card data (Target 2013), install surveillance backdoors in thousands of organizations (SolarWinds 2020), cause physical damage (Stuxnet via USB to air-gapped network). Often undetected for months because the access path appeared legitimate throughout.

Wireless Security Protocol Progression

ProtocolStatusSecurityAction Required
WEPDeprecated (broken ~2001)Critically weak β€” crackable in minutes with freely available toolsReplace immediately β€” no compensating controls are sufficient
WPADeprecated (replaced 2004)Weak β€” TKIP protocol has known vulnerabilitiesReplace immediately
WPA2Still widely deployedReasonably secure β€” KRACK vulnerability (2017) requires patching; PMKID attack possibleUpgrade to WPA3 where possible; ensure all clients/APs are patched
WPA3Current standardStrong β€” SAE (Simultaneous Authentication of Equals) replaces PSK; resistant to offline dictionary attacksDeploy on all new wireless infrastructure; migrate existing where supported