As the adage goes, time is money, and nowhere does this ring more true than in an evolving threat landscape. A data breach will happen to 83% of companies, usually more than once. The faster they detect, respond to, and recover from it, the better. Using AI and automation to shorten the breach lifecycle has been shown to save $3 million compared to not employing these technologies. But there’s more to be done: CISOs must expand their security perimeter and protect against vulnerabilities they can’t see in real time.
One way to start is to identify your most vulnerable attack vectors: the methods by which hackers gain unauthorized access to a network or system. From there, you can zoom out and consider your attack surface, the total number of possible access points (i.e., attack vectors) that hackers can exploit. The formula is simple: the bigger the attack surface, the more attack vectors you have. This post considers ten key attack vectors that could threaten your organization’s security this year and how to mitigate them.
Passive vs. Active Attack Vectors
A passive attack vector enables hackers to exploit systems without affecting or altering data or interacting directly with the target company. Bad actors gain access to your systems via existing vulnerabilities and open opportunities, usually using techniques such as search queries and session capture.
Conversely, hackers use an active attack vector to interact with an organization’s systems and directly disrupt or compromise them, e.g., malware and phishing attacks like those described below.
10 Common Attack Vectors to Keep in Mind in 2023
1. Impersonation Attacks
An impersonation attack is an attempt to gain unauthorized access to information systems by masquerading as an authorized user. 98% of cyberattacks involve some form of social engineering, and brand impersonation is an ongoing trend because it is so effective for social engineering purposes. As Forbes puts it, “Since impersonation attacks leverage familiarity and reputation, they tend to appear more believable.”
An impersonation attack differs from other cyber crimes because it relies on human trust more than on technology vulnerabilities to succeed. There are numerous ways these attacks can happen, be it in person, over the phone, or online. Common methods include phishing, spoofing, and man-in-the-middle (MITM) attacks, in which the attacker intercepts communications between people, applications, and services to eavesdrop, modify, and/or prevent your communication from happening. Attackers intercept messages between two parties over HTTPS and SSL/TLS connections or unsecured WiFi networks and relay a forged message in an attempt to steal important data and login credentials.
Protecting against this attack vector requires consistent, long-term vigilance. MITM attacks are challenging to detect because they don’t rely on fake URLs, so looking for misspellings in the header or email address won’t cut it. Instead, best practices include:
- Avoiding unprotected public WiFi networks
- Avoiding using unsecured, non-HTTPS websites
- Logging out of all sessions after using your device
Additionally, if you already commit to cybersecurity at an executive level, you can harness this influence to provide cybersecurity tips to your customers. For example, you could:
- Assure them that official communications from your brand will always contain certain information, such as their customer ID number.
- Include links to your brand’s official social media accounts and website in all communications.
- Remind customers that you’ll never ask for their personal information.
However, fraud notification warnings and attempts to educate users on these attacks are far from enough. Warnings alone cannot protect users from the far-reaching damages of impersonation attacks. A proactive solution that alerts users of fraud in real time and prevents them from falling into the traps is needed, which is why we developed one.
Proof of Source Authenticity (PoSA) provides organizations with real-time detection and alerting of impostor attacks, issues real-time fake site alerts to attacked end-users, and provides security teams with complete visibility on the attackers alongside a list of all exposed end-users. Perhaps most importantly, it provides positive confirmation to end-users that web pages they visit and messages they receive are authentic. This makes Memcyco’s PoSA the world’s first agentless security solution that enables businesses to provide security against brand impersonation attacks to their customers outside the organization’s perimeter.
2. Phishing Emails
- Whaling: Impersonating someone known personally to the target (usually a high-profile individual) and sending hyper-personalized fake communications.
- Cloning: A structured approach that impersonates a brand. Hackers send an impersonal email to a long list of victims, hoping for responses.
The key to protecting your business from this attack vector is to modify employee behavior and increase security awareness. You could offer training and phishing simulations, enforce organization-wide data protection best practices, and create standard procedures to verify urgent email requests.
However, as we’ve seen in the previous section, attackers may also use these tactics to target your customers, not just employees. In that case, the defensive mechanisms have been less explored by the cybersecurity industry than those focused inside the corporate perimeter. It’s time to change that. At Memcyco, we talk extensively about how securing your customers from impersonation attacks represents a new paradigm for digital trust that can help shield your brand reputation from the consequences of fraud.
3. Spoofed Websites
Like brand impersonation attacks, domain spoofing targets your end users and customers by using fake domains that, at a glance, look convincingly like your website. Visitors believe they’re accessing a trusted source, but hackers behind the scenes are using your brand’s digital trust to steal customer data.
As well as using barely noticeable fake domains, hackers create cloaked URLs with local redirects, substitute characters in the URL, and fake websites containing minimal differences from your own.
So, why is this attack vector a trend? Well, remediating it means giving both security teams and users the ability to distinguish an authentic website from a fake one. As a solution, you could employ a Proof of Source Authenticity tool like Memcyco’s digital watermark to provide instant visual proof to your customers that they are visiting a legitimate site they can trust, as well as alerts to users and security teams when end users attempt to access spoofed sites.
4. Malicious Code Injections
Besides creating fake websites, as seen above, hackers also inject malicious scripts into legitimate applications for a variety of purposes. While the primary goal is to access sensitive information, such as session IDs, hackers could also modify site content, perform remote code execution, or add malicious redirects. Recent trends in this attack vector include:
- XSS: Executing malicious script in the user’s browser via a legitimate web application.
- Keylogging: Recording keystrokes to access what you type, including passwords and credit card numbers.
- Ad fraud: Overlaying fake content on ads so victims click on fake premium URLs and enter their data.
To prevent this attack vector, the OWASP recommends either only allowing data that matches your predetermined “good” rules (whitelisting) or blocking data that matches your predetermined “bad” rules (blacklisting).
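The allowlist-versus-denylist distinction above is easiest to see in code. The following is an added example, not code from the original post or from Memcyco: a small Python module that validates a username against a known-good pattern (allowlisting), shows for contrast how a denylist that strips one known-bad tag leaves other markup untouched, and escapes untrusted data when it is rendered into HTML. The username pattern, the template, and the sample inputs are all constructed for this example.

```python
import html
import re

# Allowlist: the only shape a username may take (constructed policy for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value: str) -> bool:
    """Allowlist validation: accept only input that matches the known-good pattern.

    Anything outside the pattern is rejected, so there is no list of
    'bad' strings to keep up to date.
    """
    return USERNAME_RE.fullmatch(value) is not None


def denylist_strip(value: str) -> str:
    """Denylist shown for contrast: removes one known-bad token (<script> tags).

    Every other tag passes straight through, which is why OWASP treats
    denylisting as the weaker of the two approaches.
    """
    return re.sub(r"<\s*/?\s*script[^>]*>", "", value, flags=re.IGNORECASE)


def render_comment(author: str, body: str) -> str:
    """Render untrusted data into an HTML fragment.

    The author field is allowlist-validated, and both fields are escaped for the
    context they land in. quote=True also encodes quotes, which matters for the
    attribute context of data-author.
    """
    if not validate_username(author):
        raise ValueError("author rejected by allowlist")
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f"<p>{html.escape(body)}</p></div>"
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    print(validate_username("alice_01"), validate_username("<b>alice</b>"))
    print(denylist_strip("<script>x</script><b>y</b>"))
    print(render_comment("alice_01", "<b>hi</b> & bye"))
```

Validation decides what is accepted at the boundary; escaping decides how accepted data is rendered. Free-text fields like a comment body cannot be allowlisted down to a regex, so output encoding is the control that keeps them from being interpreted as markup.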
5. Misconfigured Systems
Even tech giants aren’t exempt from the attacks caused by missing or incorrect configuration settings. Microsoft confirmed that a misconfiguration in the Azure Blob Storage exposed the data of 65,000 companies in September 2022.
XSS and code injection attacks (mentioned above) exploit misconfiguration vulnerabilities. But a troubling trend is emerging as hackers also target misconfigurations in connected IoT devices and cloud infrastructure. They achieve this by tampering with logins between API gateways, launching DDoS attacks, and exploiting IAM misconfigurations.
Some quick fixes help prevent misconfiguration vulnerabilities, such as taking a least-privilege approach to access management, updating all software regularly, and performing frequent security scans, including on code.
6. Unpatched Software
A major trend to expect in 2023 involves hackers exploiting unpatched and undetected vulnerabilities in software that is part of our daily lives. For example, VMware’s popular Horizon product was found to be affected by the Log4Shell vulnerability in January 2022. By the time VMware patched the issue a month later, the vulnerability had been found in 55 of its products. Samsung suffered a large data breach as a result of similarly unpatched software.
OS hardening is one remediation strategy you can use. It is a security exercise that lets you decrease the risk of this attack vector using two steps:
- Assessment: Use methods like penetration testing, enforcing configurations, and limiting access permissions to assess your OS’s vulnerabilities.
- Analysis: Identify your OS’s level of risk, how much hardening will be required, and the best practices to implement this.
7. Server-Side Request Forgery (SSRF)
Server-side request forgery (SSRF), featured in the OWASP Top 10 list of threats back in 2021, will likely make an unfortunate comeback as a key attack vector in 2023. Microsoft and WordPress identified vulnerabilities that would leave them open to an SSRF attack, which allows the hacker to send malicious requests from a vulnerable web application to other internal systems in an organization. The goal is to gain unauthorized access to systems, perform arbitrary command execution, and extract data.
Detecting SSRF vulnerabilities is a double-edged sword. While regular SSRF, where the response comes back to the attacker, is fairly easy to spot, “blind SSRF” occurs when the application makes a request to a back-end server but the response is not visible on the front end and returns no data to the hacker. To minimize this attack vector, you can:
- Validate inputs: Implement filters for user input, so you can validate the data and take a whitelist/blacklist approach.
- Enable authentication on internal services: Request authentication for as many systems, tools, and services as possible, even on your local network.
- Enforce URL schemes: Disable URL schemes you don’t use and control how the remaining ones are accessed.
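The three mitigations above (input validation with an allowlist, authentication on internal services, and an enforced set of URL schemes) can be combined into one check that runs before an application fetches a user-supplied URL. The following Python function is an added example, not code from the original post or from Memcyco. It allowlists the scheme and hostname, rejects embedded credentials, and then resolves the hostname and refuses any address that is not globally routable, so a name that resolves to an internal address is blocked even though it passed the hostname check. The allowed scheme and host sets, the `resolver` parameter, and the sample addresses are all constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlists for this example: only HTTPS to one known partner host.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.partner.example"}


def resolve_all(host: str) -> set[str]:
    """Resolve a hostname to every address it maps to.

    Kept separate so the check can be exercised offline with an injected
    resolver; in production this is a real DNS lookup.
    """
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_outbound_url(url: str, resolver=resolve_all) -> tuple[bool, str]:
    """Decide whether the server may fetch this URL on a user's behalf.

    Returns (allowed, reason). Every failure is fail-closed.
    """
    parts = urlsplit(url)

    # 1. Enforce URL schemes: anything but the allowlisted scheme is refused.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"

    # Credentials embedded in the URL are a classic way to confuse parsers.
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"

    # 2. Validate input: the hostname must be on the allowlist.
    host = parts.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:
        return False, "host not on allowlist"

    # 3. Defence in depth: resolve the name and refuse non-public addresses,
    #    so a hostname that points at internal infrastructure is still blocked.
    try:
        addresses = resolver(host)
    except OSError:
        return False, "resolution failed"
    if not addresses:
        return False, "no addresses resolved"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if (not ip.is_global or ip.is_multicast or ip.is_loopback
                or ip.is_link_local or ip.is_unspecified):
            return False, f"{addr} is not a public address"

    return True, "ok"


if __name__ == "__main__":
    # Constructed resolvers so the demonstration runs offline.
    public = lambda h: {"93.184.216.34"}
    internal = lambda h: {"10.0.0.5"}
    print(is_safe_outbound_url("https://api.partner.example/v1/report", resolver=public))
    print(is_safe_outbound_url("http://api.partner.example/", resolver=public))
    print(is_safe_outbound_url("https://api.partner.example/", resolver=internal))
```

Two practical notes: the HTTP client that performs the fetch must not follow redirects automatically (or must re-run this check on every hop), and the request should carry its own credentials for the internal service rather than inheriting the server’s ambient network trust, which is the point of the second mitigation above.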
8. Third and Fourth-Party Vendors
It’s almost impossible to imagine a world where businesses don’t outsource to third parties, whether for operational, financial, or technical support. As your corporate data is entrusted to third- and fourth-party vendors, the absence of a real-time view of those vendors’ cybersecurity measures makes this attack vector increasingly exploitable for hackers.
The healthcare industry is a prime target for supply chain attacks, which make up 8% of the industry’s data breaches. Hackers target third-party vendors, such as providers of medical records and IoT systems, to gain access to valuable patient data. In the UK, the National Health Service (NHS) suffered a huge supply chain attack that left various vital systems out of action, including ambulance dispatch, emergency prescriptions, and patient referrals.
Protecting against supply chain attacks starts before your vendor signs on the dotted line. You can request a SOC report from vendors to better understand how they protect sensitive data and use it to identify the level of risk.
9. Tailgating
We’ve all seen James Bond sneaking in behind a waiter to gain access to an exclusive event. The same premise applies to tailgating: it’s a social engineering attack (yup, again) through which the bad actor gains physical access to a restricted location to steal off-limits information.
You’re at an increased risk of this attack vector if you have many employees or multiple access points in your building. While tailgating doesn’t make the news as frequently as other social engineering attacks, hybrid working and the return of come-day-go-day employees could contribute to a spike in cases. To help prevent it, consider the following:
- Biometrics: Fingerprint scanning, facial recognition, or a similar biometric authentication system that can’t be easily replicated.
- Security training: Develop a security policy for your physical premises and ensure all employees know it by heart. It could include a hierarchical access control structure and identification cards for all employees.
- Video identification: AI can be harnessed as a security guard to scan employee faces on your CCTV.
10. Missing or Poor Encryption
An ongoing trend in cybersecurity is customers’ growing knowledge base. For example, even non-technical customers and users are aware of encryption, how it works, and its purpose in protecting data. That’s why excuses won’t fly if your organization falls victim to this attack vector. Ironically, password vault vendor Bitwarden recently faced criticism over the insufficient number of hash iterations used for its decryption keys. It’s not enough to encrypt sensitive data; your organization should apply encryption to data both at rest (stored) and in transit.
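The iteration-count criticism mentioned above is a reminder that a key derivation or password hash is only as strong as its work factor, and that the work factor has to be recorded alongside the hash so it can be audited and raised later. The following Python module is an added example, not code from the original post or from Memcyco: it derives a password hash with PBKDF2-HMAC-SHA256, stores the iteration count in the encoded string, verifies with a constant-time comparison, and flags stored hashes whose iteration count has fallen below the current policy floor. The storage format, the 600,000-iteration floor, and the sample passwords are constructed for this example (the floor matches the figure OWASP recommends for PBKDF2-HMAC-SHA256 at the time of writing).

```python
import hashlib
import hmac
import os
from typing import Optional

HASH_NAME = "sha256"
# Policy floor chosen for this example; raise it over time as hardware gets faster.
MIN_ITERATIONS = 600_000
KEY_LEN = 32


def hash_password(password: str, iterations: int = MIN_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 hash and encode it with its own parameters.

    Refusing low iteration counts here prevents a weak hash from ever being
    written, rather than discovering it in an audit later.
    """
    if iterations < MIN_ITERATIONS:
        raise ValueError(f"iteration count {iterations} is below policy floor {MIN_ITERATIONS}")
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)
    # Format: algorithm$iterations$salt_hex$hash_hex, so every field needed to
    # verify (and to judge strength) travels with the hash.
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def parse_stored(stored: str) -> tuple[str, int, bytes, bytes]:
    """Split a stored hash into (algorithm, iterations, salt, hash)."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    return algo, int(iters), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, iterations, salt, expected = parse_stored(stored)
    if algo != f"pbkdf2_{HASH_NAME}":
        return False
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations,
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a stored hash no longer meets the current work-factor policy.

    Call this after a successful login so the hash can be upgraded while the
    plaintext password is briefly available.
    """
    _, iterations, _, _ = parse_stored(stored)
    return iterations < MIN_ITERATIONS


if __name__ == "__main__":
    # Constructed sample: hash once, verify the right and a wrong password.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong password", record))
    # A hash written under an older, weaker policy would be flagged for upgrade.
    legacy = "pbkdf2_sha256$5000$" + "00" * 16 + "$" + "11" * 32
    print(needs_rehash(legacy), needs_rehash(record))
```

Because the iteration count lives in each record, a migration is a matter of raising `MIN_ITERATIONS`, letting `needs_rehash` flag old records, and re-deriving on the user’s next successful login; no bulk re-encryption is needed and no record is ever silently weaker than the policy says.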
Heading Towards a Better Year For Security
The ten attack vectors above demonstrate bad actors’ innovative nature, highlighting the long-term, comprehensive cybersecurity policies that organizations subsequently need to implement.
Traditional security defenses are often insufficient against these ten advanced attack vectors, especially beyond the traditional security perimeter. But rather than focusing on the negatives, the first step towards a strong cybersecurity strategy is to maintain a positive attitude: by staying one step ahead, it is possible to outwit hackers. At Memcyco, we’re thinking outside the box to protect your organization and customers from threats with a Proof of Source Authenticity (PoSA) solution that empowers end users to discern whether they are engaging with your authentic brand or an impersonator online.
Book a demo and see it for yourself today.
Eyal is head of demand generation at Memcyco