Chapter 21 Β· Common Threat Vectors

Every Door an Attacker Can Walk Through

A threat vector is any pathway an attacker can use to gain unauthorized access. Marcus Chen spent three days mapping every possible entry point for Mercer Financial β€” and what he found would keep any security professional up at night.

Day One: The Brief

Marcus Chen had been a security consultant for eleven years, but the call from Mercer Financial's CISO still gave him a familiar rush. "We need a full threat vector assessment," she said. "Board meeting in two weeks. They want to know every door an attacker can walk through."

Marcus flew in on a Sunday night. By Monday morning he had a conference room, a whiteboard, and a cup of coffee going cold. He drew a single box in the center of the board labeled MERCER FINANCIAL. Then he started drawing arrows pointing at it.

A threat vector β€” sometimes called an attack vector β€” is the specific path or method an attacker uses to gain unauthorized access to a system or network. It is not the attacker. It is not the malware. It is the door. And Marcus had learned over the years that organizations almost always spend all their time worrying about the wrong doors.

"The scary vectors are rarely the ones that look scary," he told his junior associate, Priya. "The scary ones look boring."

Vector 1 β€” Message-Based: The Invoice That Almost Wasn't

Marcus started where most breaches start: the inbox. Message-based vectors include email, SMS text messages, and instant messaging or direct messages on corporate platforms like Teams or Slack. They are the most common delivery mechanism for malware and social engineering attacks on the planet.

He interviewed the accounts payable team. "Have you ever gotten a text message about a package delivery?" he asked. Hands went up across the room.

"That's the US Postal Service phishing campaign," Marcus said. "A text that looks like it's from USPS with a link to 'track your package.' The link goes to a credential harvesting page. Millions of these go out every day." SMS phishing is so common it has its own name: smishing.

But SMS was the appetizer. Marcus pulled up the email logs. Over the past six months, Mercer's staff had received hundreds of phishing emails. The most dangerous: invoice scams that spoofed a real vendor and asked for a wire transfer to a "new bank account." Business Email Compromise cost US organizations billions every year. One employee had nearly authorized a $240,000 transfer before a manager caught it.

"And here's one most people don't think about," Marcus said, pulling up a flagged email. It contained an SVG image attachment. SVG files β€” Scalable Vector Graphics β€” can embed HTML injection or JavaScript directly inside their XML structure. When the email client or browser renders the SVG, it can execute the embedded code. "The image looks completely normal. You'd never know visually. But inside the file is a script that redirects the browser to a credential phishing page the moment it renders."

Message-based vectors deliver malware, direct victims to phishing pages, or use pure social engineering to convince people to take an action they shouldn't. Email remains the single most-used initial access vector in documented breaches worldwide.

Vector 2 β€” Image-Based: The Picture That Bites

Marcus devoted a full section of his assessment to image-based vectors, because he knew this one surprised people the most.

"When someone says 'image file,' people think JPEG. They think PNG. They think: how can a picture hurt me?" He pulled up the SVG spec. "SVG stands for Scalable Vector Graphic. Unlike JPEG or PNG, SVG is not a pixel-based image format. It is an XML file. It is a text file with markup tags that describe shapes, paths, and geometry β€” and critically, it can legally contain HTML elements and JavaScript."

He showed a proof-of-concept: an SVG file that displayed a perfectly normal-looking company logo. Inside the XML was a script element. When the browser rendered the SVG, it executed the script. No warning. No prompt. The visual appearance of the file gave no indication of the code inside.

"This is why input validation in browsers is critical," Marcus said. "Browsers need to validate and sanitize SVG content before rendering it, treating it like HTML β€” because it is HTML." Organizations that allow employees to open SVG attachments from email without security controls are exposed to this vector.

The difficulty with image-based vectors is detection. A malicious SVG file looks identical to a benign one until you open the XML and read it. Automated scanning for malicious images requires understanding file formats at the markup level, not just the pixel level.

Vector 3 β€” File-Based: It's Not Just Executables

"Most people know not to run unknown .exe files," Marcus said to the IT team. "What they don't know is that executables are the least interesting file-based vector."

He listed the file types that had delivered malware in documented incidents over the past three years.

Adobe PDF files. PDFs are not simple documents β€” they are complex container formats that support embedded JavaScript, embedded objects, form fields, and external content references. A malicious PDF can exploit vulnerabilities in PDF reader software or use embedded JavaScript to drop and execute payloads. Marcus had seen infected PDFs passed around as "invoices" and "legal notices."

ZIP and RAR compressed archives. Archives hide malware inside hundreds of benign-looking files. A ZIP containing 500 images and one malicious executable β€” renamed to look like an image β€” is hard for both users and some email security tools to inspect effectively. "Password-protected ZIPs are even worse," Marcus noted. "The security gateway can't scan inside them."

Microsoft Office documents with macros. Word, Excel, and PowerPoint files can contain VBA macros β€” programmatic scripts that run when the document is opened. Malware authors spend enormous energy crafting convincing lure documents: fake invoices, HR policy updates, tax forms. When the user clicks "Enable Macros," the payload executes. Macro malware defined a generation of ransomware delivery.

Browser add-ins and extensions. A malicious browser extension can read every page the user visits, capture passwords as they're typed, modify page content, and exfiltrate data β€” all while appearing completely functional as an advertised tool. Extensions in browser stores are supposed to be vetted, but malicious extensions regularly slip through, sometimes for months before being removed.

Mercer Financial had no policy restricting browser extensions. Marcus flagged it immediately.

Vector 4 β€” Voice Call: The Phone Still Works

On Tuesday morning, Marcus had Priya call the IT help desk from a blocked number and claim to be a vice president locked out of her account. Using only social engineering β€” no technical tools β€” she had a password reset token in four minutes.

"This is vishing," Marcus told the CISO. "Voice phishing. An attacker calls an employee β€” often impersonating IT support, a bank, the IRS, or a senior executive β€” and uses social pressure to extract credentials, authorize transactions, or bypass security procedures."

He described three related voice-based threat vectors. SPIT β€” Spam over Internet Protocol Telephony β€” is the voice equivalent of email spam: automated, large-scale robocall campaigns delivered over VoIP infrastructure. They can reach thousands of targets with recorded vishing messages in minutes, at essentially zero cost. "Your car warranty has expired" is SPIT. "We've detected fraud on your account" is SPIT. All designed to get someone to press a button and talk to a fake representative.

War dialing was a technique from the 1980s β€” an automated system that dials every number in a range, listens for modem tones, and records which numbers connect to computers, PBX systems, or networks. Marcus smiled at the looks on the younger IT staff's faces. "You think this is obsolete. You're wrong. Modems and analog lines still exist in industrial environments, manufacturing facilities, legacy banking systems, and government facilities. Modern automated scanners still run war dialing campaigns. Last year, a penetration test I ran for a hospital found an analog modem connected to a biomedical device β€” it had been there for nine years with no one knowing."

Call tampering rounds out voice-based vectors: disrupting voice communications to cause a denial of service β€” flooding a phone system with calls to prevent legitimate use, injecting noise into calls, or intercepting VoIP traffic.

Vector 5 β€” Removable Devices: Terabytes Walk Out the Door

"How many USB drives do your employees have?" Marcus asked during the physical security walkthrough.

Nobody knew.

Removable devices β€” primarily USB flash drives β€” represent one of the most underestimated threat vectors in enterprise security. The reason is simple: they completely bypass network-based defenses. Your firewall blocks incoming connections. Your email gateway scans attachments. Your proxy inspects web traffic. None of that matters if an attacker gets a USB drive connected to an internal workstation.

USB drives can carry malware onto the most isolated networks on earth. The most famous example: Stuxnet, the worm developed by the United States and Israel to sabotage Iran's Natanz nuclear enrichment facility. The Natanz facility was air-gapped β€” physically disconnected from the internet. No email. No external network connections. Theoretically unreachable. Stuxnet was introduced via USB drives, allegedly dropped in parking lots near the facility and carried inside by unwitting employees or contractors. Once inside the air-gapped network, Stuxnet spread silently and ultimately destroyed approximately 1,000 uranium enrichment centrifuges by causing them to spin at destructive speeds while reporting normal operation to operators.

Beyond carrying malware, USB drives are a data exfiltration channel that leaves no network trace. "Terabytes of data can walk out the door with zero bandwidth used," Marcus told the team. "No anomalous outbound traffic. No DLP alerts on network traffic. Someone copies files to a drive, puts it in their pocket, and leaves." Many DLP tools focus on network-based exfiltration β€” USB exfiltration is a gap in those approaches.

The most insidious USB attack is the HID attack β€” "Hacker on a Chip." A device that looks exactly like a USB flash drive actually emulates a keyboard β€” a Human Interface Device. When plugged in, the computer sees an authorized keyboard and asks no questions. The device then automatically types a pre-programmed sequence of commands at machine speed: opening a terminal, downloading malware from the internet, creating a backdoor account, or exfiltrating files β€” all completed in seconds before any user realizes what happened. Tools like the USB Rubber Ducky have made HID attacks accessible to anyone.

Marcus recommended USB port lockdown policies and device whitelisting as high-priority controls.

Vector 6 β€” Vulnerable Software: Client-Based and Agentless

Software vulnerabilities are the core of most technical attack paths. Marcus distinguished two important categories for the Mercer team.

Client-based software vectors involve an installed application on the client device. An attacker exploits known or unknown vulnerabilities in that application β€” the browser, the PDF reader, the VPN client, the endpoint agent. This requires that the software be installed and running on the device. The defense: constant updates and patch management. Known vulnerabilities have patches available; organizations that apply patches quickly close the window of exposure. Unknown vulnerabilities β€” zero-days β€” are exploitable until a patch is released, which is why defense-in-depth matters for vulnerabilities that can't yet be patched.

Agentless software vectors are more dangerous in a different way. Here, there is no installed executable on the client β€” the client simply connects to a server and runs an instance of the application in a session. Think of a web-based application, a remote desktop session, or a streaming application. The client doesn't install anything locally.

"The catch," Marcus said, "is what happens when that server is compromised. Every client that connects runs a new instance of the application in that session. If the server is delivering malicious content, every single client that connects to it is immediately affected β€” simultaneously, as they log in. There is no patch to push to the clients, because nothing is installed on the clients. The entire user population is hit at once."

He pointed to Log4Shell as the example. Log4j was a logging library used on the server side of countless Java applications β€” clients didn't install anything. When the critical vulnerability was disclosed in December 2021, every server running vulnerable Log4j was potentially exposed, and every application connecting to those servers could be used as an attack pathway. The blast radius was enormous precisely because the vector was agentless β€” it lived on the server side.

Vector 7 β€” Unsupported Systems: The Legacy Problem

Marcus spent an hour going through Mercer's asset inventory β€” and found what he almost always found.

Three servers still running Windows Server 2008. A network-attached storage device running firmware from 2016 that the vendor had discontinued. Two workstations in the branch office running Windows 7 because the specialty financial application they used had never been updated to support newer OS versions.

"Unsupported systems," Marcus said at the whiteboard, "are systems where the manufacturer no longer provides security patches. The operating system or application has reached end-of-life β€” officially, the vendor won't help you anymore." This creates a permanent, unfixable vulnerability window. New vulnerabilities are discovered continuously. If the software is unsupported, those vulnerabilities will never receive patches. Attackers know this. Lists of known vulnerabilities in end-of-life software are publicly available.

The WannaCry ransomware outbreak of 2017 was a demonstration of this principle at scale. WannaCry exploited a vulnerability in Windows SMB (EternalBlue) β€” Microsoft had patched it, but only for supported versions. Organizations running Windows XP β€” still common in hospitals and industrial environments β€” had no patch available. WannaCry infected over 200,000 systems in 150 countries in a single day, with hospitals in the UK forced to cancel thousands of appointments because their Windows XP systems were encrypted.

"A single unsupported system can be the entry point to the entire network," Marcus told the CISO. "The attacker doesn't care that it's an old NAS box in the corner. They care that it has a known, unpatched vulnerability that gives them a foothold." His recommendations: maintain a complete inventory, scan the network regularly to find devices that are off the inventory, and establish a remediation plan β€” upgrade, isolate, or formally accept the risk with compensating controls β€” for every unsupported system.

Vector 8 β€” Unsecure Network Vectors: Wireless, Wired, and Bluetooth

Marcus walked the office with a wireless scanner. In twenty minutes he had a full picture of the wireless environment β€” and two problems.

Wireless vectors center on protocol security and rogue access points. "WEP was broken twenty years ago," Marcus told the network team. "WPA had known weaknesses. WPA2 is widely deployed and reasonably secure but has vulnerabilities β€” KRACK being the most significant. WPA3 is the current standard and should be the target for any organization deploying or upgrading wireless infrastructure." Mercer had one conference room SSID still broadcasting WPA β€” a legacy segment that the team had forgotten to upgrade.

Open wireless networks β€” no authentication required β€” are a direct invitation. Anyone within radio range can connect and intercept unencrypted traffic. Rogue access points are a related threat: an attacker sets up an access point that mimics a legitimate corporate SSID. Employees' devices auto-connect. All their traffic routes through the attacker's equipment.

Wired network vectors are often overlooked. An unlocked conference room with an active Ethernet port is an attack surface: anyone who walks in can plug in and be on the network. 802.1X is the standard defense β€” it requires devices to authenticate before the switch port grants network access. Without 802.1X, any physical access to an Ethernet port equals network access. Mercer had 802.1X on employee workstation ports, but not on conference room ports or lobby visitor drops.

Bluetooth vectors complete the picture. Bluetooth reconnaissance allows attackers to discover and profile nearby Bluetooth devices. Implementation vulnerabilities in Bluetooth stacks have historically enabled arbitrary code execution (BlueBorne, 2017, affected billions of devices). Employees walking through an office building with Bluetooth enabled on their phones are broadcasting discoverable information to anyone with a scanner.

Vector 9 β€” Open Service Ports: Every Port Is an Opportunity

Marcus ran a port scan against Mercer's internet-facing infrastructure.

"Every open TCP or UDP port on a system is an opportunity for an attacker," he told the technical team. "An open port means a service is listening. That service either has vulnerabilities β€” known or unknown β€” or it has been misconfigured in a way that creates exposure. The more services you expose, the more attack surface you have."

The relationship between services and attack surface is direct and cumulative. One web server listening on port 443 has one service to defend. Add a database port accidentally exposed to the internet, an admin panel on a non-standard port, and an old FTP service nobody remembers setting up β€” and you have four services, each with its own vulnerability history, each requiring firewall rules that allow external traffic to reach them.

Marcus found three services on Mercer's external network that had no documented business justification. One was a development database instance that a developer had spun up for testing and forgotten about. The database was running with default credentials.

Firewall rules are the gating control: traffic must be explicitly allowed to reach an open port. But firewall rules accumulate over years, and rules that were added for temporary purposes rarely get removed. Marcus recommended a formal port audit β€” document every externally accessible service, verify each has a current business justification, and close everything else.

Vector 10 β€” Default Credentials: admin / admin

During the network walkthrough, Marcus picked up a network-attached device and typed the IP address into a browser. The login page appeared. He typed admin in the username field and admin in the password field.

He was in.

"Most network devices β€” routers, switches, wireless access points, IP cameras, printers, NAS devices, IoT sensors β€” ship from the manufacturer with default usernames and passwords," Marcus told the shocked room. "The default exists so the device can be initially configured. It must be changed immediately after installation." The website routerpasswords.com maintains a publicly searchable database of default credentials for thousands of devices from hundreds of manufacturers. An attacker doesn't need to crack a password β€” they look up the model number and try the factory default.

"The right credentials equal full administrator access," Marcus said. "There is no technical exploit. There is no vulnerability to patch. The front door is unlocked with a key anyone can find online."

The Mirai botnet demonstrated the scale of the default credentials problem. In 2016, Mirai scanned the internet for IoT devices β€” cameras, routers, DVRs β€” and attempted to log in using a list of 61 default username/password combinations. It compromised hundreds of thousands of devices and used them to launch the largest DDoS attack ever recorded at the time, temporarily taking down DNS provider Dyn and disrupting major internet services across the US and Europe. All from default passwords that owners never changed.

Mercer had eleven devices with default credentials still set. Marcus marked them all as critical findings.

Vector 11 β€” Supply Chain: Trusting the Wrong People

On the final afternoon, Marcus presented the finding that concerned him most β€” not because of what he found at Mercer specifically, but because of its structural implications.

"Supply chain attacks target the relationships and dependencies your organization trusts," he said. "Rather than attacking you directly β€” where you have defenses β€” they attack your vendors, suppliers, contractors, or the software and hardware you use. They compromise the supply chain upstream, and the compromise flows downstream to you."

He walked through the mechanisms. Tampering with manufacturing or underlying infrastructure means compromising a product before it reaches the customer β€” injecting malicious code into software during the build process, or installing backdoors in hardware during manufacturing. The 2020 discovery of fake Cisco Catalyst switches is a documented example: counterfeit Cisco switches were installed in networks, containing hardware backdoors. They were identified not through security testing, but because they behaved oddly when firmware updates were applied β€” the counterfeit hardware couldn't update properly because the update process expected authentic components.

Managed Service Providers are a particularly high-value supply chain target. An MSP manages IT infrastructure for many client organizations from a centralized platform. They have privileged, authenticated access to all of their customers' networks from a single location. "Compromise the MSP, and you have access to every customer they serve," Marcus said. "A single breach reaches dozens or hundreds of separate organizations. That is extraordinary leverage."

The most famous supply chain breach in history predated the MSP model. In 2013, Target Corporation was breached through its HVAC contractor. Target had granted the contractor network access to submit invoices and perform remote monitoring of heating and cooling systems. Attackers compromised the HVAC vendor's credentials, used that trusted vendor access to enter Target's network, moved laterally from the vendor systems to the point-of-sale network, and installed memory-scraping malware on POS terminals across all Target stores. The result: 40 million credit card numbers stolen. The attackers never touched Target's public-facing infrastructure directly β€” they walked in through a trusted vendor's door.

"When you grant access to a third party," Marcus concluded, "you inherit their security posture. Their weaknesses become your weaknesses."

The Report: Every Door, Mapped

Marcus stood at the whiteboard. The box labeled MERCER FINANCIAL had eleven arrows pointing at it, each labeled with a vector category. Every single one had at least one finding.

"There is no single 'front door' an attacker is trying to break through," he told the CISO. "There are eleven categories of doors, each with multiple specific entry points. Your job isn't to build one perfect wall. It's to find and close as many of these openings as possible β€” and detect when someone gets through the ones you couldn't close in time."

The board authorized the remediation project. Marcus flew home on Wednesday night. Priya was already writing the first ticket.

Threat Vector Summary β€” Chapter 21
# Vector Method Key Defense
1Message-BasedEmail, SMS, IM β€” phishing, malware, social engineeringEmail security gateway, user training, MFA
2Image-BasedSVG XML files embedding JavaScript or HTMLInput validation, SVG sanitization in browsers
3File-BasedPDF, ZIP/RAR, Office macros, browser extensionsDisable macros, restrict extensions, sandbox file analysis
4Voice CallVishing, SPIT, war dialing, call tamperingCallback verification, staff training, VoIP security
5Removable DevicesUSB malware, HID attacks, data exfiltrationUSB port lockdown, device whitelisting, DLP
6Vulnerable SoftwareClient-based (installed) and agentless (server-side)Patch management, defense in depth
7Unsupported SystemsEnd-of-life OS/software β€” no patches availableInventory, upgrade/isolate/accept risk with controls
8Unsecure NetworksWireless (WEP/WPA), wired (no 802.1X), BluetoothWPA3, 802.1X, disable unnecessary Bluetooth
9Open Service PortsListening ports = attack surfaceMinimize services, firewall rules, regular port audit
10Default CredentialsFactory-set passwords never changedChange all defaults immediately on deployment
11Supply ChainCompromised vendors, MSPs, hardware/software tamperingVendor risk management, least privilege for third parties