Attackers can use many different methods to gain access to a system. In this video, you’ll learn how messages, images, files, default credentials, and more can be used as threat vectors.
A threat vector is the method that an attacker uses to gain access to your systems. Sometimes, you’ll hear this referred to as an attack vector. The attackers are constantly trying to find new ways to gain access to your systems. And so they’re spending all of their time trying to either discover or create new threat vectors.
We’re not only looking for threat vectors that are well known. We’re also looking to see if there’s any opportunity for someone to take advantage of an unknown threat vector. One very common place for attackers to start their threat vectors is with a messaging system. And that’s probably because most of us use some type of messaging to be able to communicate with others.
For example, it’s very likely that you have an email address that you use. And that’s a perfect place for an attacker to send information that they can use against you. For example, they might put malicious links in an email and entice you to click that link, at which point, they may install malicious software or try to gain access to one of your systems by providing a phishing page.
Another good threat vector, especially on our mobile devices, is through Short Message Service, or SMS. These are text messages. And the attackers will use text messages to try to get your attention and have you click links that you should not be clicking. And if you use a messaging system that includes instant messages or direct messages, it’s a perfect way to have the attacker talk directly to you to try to gain access to your systems.
Phishing attacks work exceptionally well using these messaging-based attacks because they can communicate with you directly and entice you to click links that normally you would not click. And then once you click a link and visit a site, it may present you with a front page that looks exactly like your bank’s login. But it’s not really your bank. And that’s where the phishing is able to take advantage of this trust that you have for your messaging system.
The attackers might also use that message to be able to either embed malware within the message itself or provide you with a link that takes you to a website, which then downloads the malware. This is also a great entry point for the attacker because they can also use many different social engineering techniques. For example, the attacker could send you an invoice over email asking for payment. But in reality, it’s payment for a service that was never rendered. Or perhaps they’re trying to use a cryptocurrency scam to either gain access to your existing cryptocurrency wallet or to try to sell you cryptocurrency that doesn’t really exist.
Here’s an example of spam that I received in my text messages. This one was sent from an onmicrosoft.com email address. And you can see that it says from the United States Postal Service. “Message: you have a package that needs to be delivered, but it has been suspended due to an incorrect delivery address.” And now they expect you to click this link that’s embedded within the text message.
Obviously, I did not click this link. But undoubtedly, it would take me to a US Postal Service site or some other site that might have malware or some other malicious software. And for those of you wondering, I did click the Report Junk link. And hopefully, this particular message or sender was able to be removed from the service.
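The cues in that message (a brand named in the text, a sender domain and a link domain that belong to someone else, and urgency language) can be checked mechanically. The following Python is an added example written for this page, not code from the video; the sample message, the sender address, the link and the brand-to-domain table are all constructed, and the function names are my own.

```python
"""Triage a text or e-mail message for the phishing cues described above."""
import re
from urllib.parse import urlparse

# Hypothetical table: brand keywords -> domains that brand legitimately uses.
BRAND_DOMAINS = {
    "usps": ("usps.com",),
    "postal service": ("usps.com",),
}
URGENCY_WORDS = ("suspended", "immediately", "urgent", "verify your", "final notice")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample modelled on the message in the video: a "USPS" notice
# sent from an onmicrosoft.com address with a link that is not usps.com.
SAMPLE_MESSAGE = {
    "sender": "notices@contoso.onmicrosoft.com",
    "body": ("United States Postal Service. Message: you have a package that needs "
             "to be delivered, but it has been suspended due to an incorrect delivery "
             "address. Update it here: https://usps-redelivery.example.net/track?id=123"),
}

def registrable_domain(host):
    """Last two labels of a hostname; a rough stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])

def triage_message(msg):
    """Return the reasons a message looks like phishing; an empty list means no cue fired."""
    reasons = []
    body = msg["body"].lower()
    claimed = {brand for brand in BRAND_DOMAINS if brand in body}      # brands the text invokes
    legit = {d for b in claimed for d in BRAND_DOMAINS[b]}             # domains those brands own
    sender_domain = registrable_domain(msg["sender"].rsplit("@", 1)[-1])
    if claimed and sender_domain not in legit:
        reasons.append(f"sender domain {sender_domain} does not match claimed brand(s) {sorted(claimed)}")
    for url in URL_RE.findall(msg["body"]):
        host = urlparse(url).hostname or ""
        if claimed and registrable_domain(host) not in legit:
            reasons.append(f"link host {host} does not belong to claimed brand(s)")
    hits = [w for w in URGENCY_WORDS if w in body]
    if hits:
        reasons.append(f"urgency language: {hits}")
    return reasons

if __name__ == "__main__":
    for reason in triage_message(SAMPLE_MESSAGE):
        print("flag:", reason)
```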
Not only can our messaging systems be used as an attack vector; the images that we see on our screen can also be used as one. A good example of this would be the SVG image format. That’s the Scalable Vector Graphics format. And it’s a format understood by most browsers that you might find.
This is actually more than just an image. It’s an XML file that describes the image and allows you to embed other information within the XML. This means an attacker could put information within the image description that would then run inside of your browser. So they might inject HTML code. Or there may be JavaScript contained within the XML that describes an SVG image. Some browsers allow you to enable or disable certain image types. Or they may provide input validation for these SVG descriptions.
Here’s an XML file that contains a description of an SVG image and code that could potentially be used as an attack vector. And it’s all within just a few lines of software. When you run this inside of your browser, it will show an image. That is the description of this triangle that you can see within the XML.
But as it’s showing you this image on the screen, it’s also running any JavaScript that you have embedded within the XML. In this case, it’s a relatively benign message that simply says, “This is a cross-site scripting attack.” And when you run this, it will put a message on your screen that says exactly that.
Most browsers will look for cross-site scripting and will prevent these types of scripts from running. But if your browser has a vulnerability or the JavaScript that it’s trying to run is not necessarily a cross-site scripting attack, this may be able to get through using this XML embedding.
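The video does not reproduce the XML itself, so here is an added Python example (my code, not the video’s) of the input validation just mentioned: a constructed SVG with a triangle and the benign alert described above, a function that lists the script-capable parts of the file, and a sanitizer that strips them before the file is handed to a browser. The sample SVG and all function names are my own.

```python
"""Check an SVG document for script-capable content before a browser renders it."""
import re
import xml.etree.ElementTree as ET

ET.register_namespace("", "http://www.w3.org/2000/svg")           # readable output, no ns0: prefixes
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Constructed sample modelled on the video's description: a triangle plus embedded JavaScript.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="200" height="200" onload="alert('This is a cross-site scripting attack')">
  <polygon points="100,10 190,190 10,190" fill="steelblue"/>
  <a xlink:href="javascript:alert('This is a cross-site scripting attack')">
    <text x="60" y="100">click me</text>
  </a>
  <script>alert('This is a cross-site scripting attack');</script>
</svg>"""

ACTIVE_ELEMENTS = {"script", "foreignobject"}     # elements that can carry script or HTML
JS_URI = re.compile(r"^\s*javascript:", re.I)

def local_name(qname):
    """'{http://www.w3.org/2000/svg}script' -> 'script' (case-folded)."""
    return qname.rsplit("}", 1)[-1].lower()

def find_active_content(svg_text):
    """Return (element, reason) pairs for every script-capable element or attribute."""
    findings = []
    for elem in ET.fromstring(svg_text).iter():
        tag = local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append((tag, "active element"))
        for attr, value in elem.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):                      # onload, onclick, onmouseover, ...
                findings.append((tag, f"event handler {name}"))
            elif name == "href" and JS_URI.match(value):   # href or xlink:href
                findings.append((tag, "javascript: URI"))
    return findings

def sanitize_svg(svg_text):
    """Return the SVG with active elements, on* handlers and javascript: URIs removed."""
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):                       # snapshot first: the loop mutates the tree
        for child in list(parent):
            if local_name(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = local_name(attr)
            if name.startswith("on") or (name == "href" and JS_URI.match(elem.attrib[attr])):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="unicode")
```

The check reports the three items the sample embeds (the onload handler, the javascript: link and the script element); the sanitized output keeps only the polygon and the text.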
It may be relatively obvious that the files that we run on our systems could be a potential threat vector. And this is certainly the case for executables, since that’s software that actively runs within the memory of your system. But an executable is not the only type of threat vector you might see in a file format.
For example, an Adobe PDF would be a very good place to try to fit some type of malicious software because it’s effectively a holding place where you put other types of objects within it. When you open a PDF, you’ll find text, images, and, in some cases, even scripting. And this would be a perfect place to start an attack.
Or perhaps the attacker is simply hiding the threat within an existing set of compressed files that may be compressed with zip or rar or, really, any compression type. In many ways, this obfuscates that there’s an attack inside because all you see is the compressed file format, such as a zip file. But within the zip file, there may be hundreds or thousands of files. And one of those may contain malicious software.
And our documents, spreadsheets, and other office-related files might also be a good place to use as a threat vector. For example, Microsoft Office allows you to include macros with your documents. And although most of those macros are probably very useful and relatively benign, it is possible for an attacker to write a macro that may gather personal information from your computer and send it to the attacker.
We also see this quite a bit with add-in files or extensions that you might have in your browser, where the extension itself contains malicious software. And by simply adding it to your browser, you’ve now put your entire system at risk.
Our mobile phones and call systems make another valuable threat vector for the attacker. This is vishing, or voice phishing, where they may call you to try to get you to give up credit card information or other types of personal details. We’ve also seen spam over IP, where the attackers will use voice-over-IP systems to send all of these spam messages through an automated process.
There are also still instances where attackers are trying to find unpublished phone numbers that may gain them access to systems. We often refer to this as war dialing. And it is a process that we still see occurring even today. And sometimes, an attacker is not interested in gaining information but is instead trying to disrupt your systems through a denial-of-service attack. And they can certainly do this by using your messaging systems as a threat vector.
I’ve worked with companies that have spent millions of dollars to install the latest type of firewalls, intrusion prevention systems, and network filtering products. But an attacker can circumvent those millions of dollars of security products with a single $10 USB drive. This can be especially useful if an attacker needs to get onto a network that is air gapped, which means there’s no direct network connection into that internal network.
Instead, the attacker will go into the parking lot of that company, throw a few USB drives on the ground and hope that someone will pick up the drive, take it inside the building, and plug it in. Of course, on the USB drive, there’s malicious software that might disrupt the operations or provide some way to get data out of those networks.
Many of the keyboards that we use on our computers today connect through USB. And specially modified USB drives can also appear to your computer as a keyboard. And when you plug in the USB drive, suddenly, your system is able to automatically type things on the screen. And it’s all coming from this USB drive acting as a keyboard.
And of course, allowing someone to plug in a USB drive even on an air-gapped network makes it very easy for someone to transfer large amounts of data, unplug it, and now they have all of that information on a USB drive. They can put it into their pocket and walk out the door.
One of the challenges for the security professional is making sure that all of our software is always up to date to the latest version. That’s because often, we will find security issues and vulnerabilities built into existing versions of software that will require an upgrade. This might be a situation where an application has an infected executable. And if you run that application, you’re effectively infecting your local computer.
But if this is an unknown vulnerability and the attackers find that vulnerability first, they may have an advantage to get into your systems. This is why we’re constantly updating the software on our systems. Not only do we perform monthly Microsoft updates, but we also update all of our other software whenever a security patch is released.
But what about software that’s not installed on your computer? What if it’s more of an agentless system, where you have to connect to a separate system to be able to see that software? This is very common with web-based applications, for example, where you don’t have to install anything local on your computer. You simply use your browser to connect to an external system.
This means if an attacker does find a way to infect the central server, they could potentially also infect all of the connecting clients. This would also be very easy for the attacker to distribute because they know that each person who is logging in for the day is running a new instance of that software because everything is contained on the server.
As we’ve already mentioned, patching is a great way to prevent an attacker from gaining access to a known vulnerability. And we spend a great deal of time and effort to be able to keep all of our systems up to date to the latest version of software. However, there might be systems within your network or your data center that are unsupported systems, where the manufacturer no longer provides patches for those systems. And in that case, you may not have the option for installing new software.
This is very common, for example, on unsupported versions of operating systems. Eventually, an operating system will no longer be supported by the manufacturer. And that makes it an enormous security risk. If there are no security patches, then that system could potentially be a risk for your organization.
And as many companies have found, you need to make sure that all of these unsupported systems are identified. There have been instances where someone is running an older version of an operating system, and it’s running on an old computer that’s underneath someone’s desk. And the IT department has no idea that that system even exists.
That’s why it’s so important to make sure you always have an updated list of your entire inventory of systems and that you’re able to access all of the individual devices on the network. This would allow you to scan your network periodically to make sure that you know that all of these unsupported systems have been addressed and can be properly secured by your IT department.
The attackers know that your own network creates a digital highway that allows them to move very freely between all of the systems within your network. And they take advantage of vulnerabilities that are built into this networking infrastructure. For example, if you have a wireless infrastructure, you need to make sure that you’re using all of the latest security protocols. If you’re using WEP, WPA, or WPA2, you may want to consider updating to the latest WPA3 protocol.
And many organizations will perform periodic scans of their network to see if anyone may have open or rogue wireless access points that would allow an attacker easy access to the rest of your network. For both wired and wireless networks, it’s usually a good idea to enable 802.1X. This is an authentication protocol that prevents anyone from gaining access to the network unless you provide the proper credentials.
Even wireless protocols like Bluetooth could be used by an attacker as a threat vector. For example, they could use this for reconnaissance to see where a particular system might be. Or the Bluetooth implementation in a system may have limitations or not the proper amount of security, and that would be a great entry point for the attacker.
When you install a web server into a data center, there are a number of open ports that are enabled to provide those services across the network. For example, a web server might use TCP port 80 and TCP port 443. And once you open those ports in a device, that provides a third party with a way to gain access to at least a portion of that system. Normally, we have security in place that prevents unauthorized access. But if an attacker does know of a vulnerability in that web server software, they may be able to use these open ports as a way into that computer.
This is another reason why we’re always updating the software on these services so that we always can patch any of these vulnerabilities that may be associated with our web services or other applications. And of course, it’s very easy to misconfigure one of these very complex applications. And sometimes, a simple misconfiguration can allow unauthorized access into a system.
Each time you install a new service onto this computer, it needs to have its own port number to provide that service to the outside. So the more services you install, the more open ports and potentially the less secure a system might be. This is one of the reasons we use port-based firewalls or application-aware firewalls to create additional security for these systems with open ports. For example, if we’ve installed five or six different services on a computer, we might limit access from the outside to only one of those services, which would certainly limit the number of possible attacks on that system.
Let’s see if I can guess the credentials used for your cable modem or wireless router that you use at home. Let’s say that you’re using the username of admin and the password of admin. After all, those are the default credentials that are included on many access points and routers. This is a good example of using default credentials.
And if you know what the default credentials are for a device and someone has not updated those credentials, you now have complete access to that system. Fortunately, many of the devices we use today will require you to change that password the first time you log in, which means that the administrative access that you would normally have by using these default credentials is no longer available once you log in for the very first time.
It’s very easy to find the default credentials for these devices. And there are even websites such as routerpasswords.com that have documented all of these default credentials across thousands of different devices. Once this video is over, you might want to check the devices that are on your network and make sure you’re not using any of these default settings.
Sometimes, these threat vectors appear on your network through the front door by way of a supply chain vector. This allows a third party to gain access to your infrastructure by riding inside of existing equipment that you’re installing. This might be added during the manufacturing process. The manufacturer might have no idea what’s going on. Or it may be added after the manufacturing process by a third party that then wants to gain access to your systems.
Sometimes, these threat vectors are in place because you’re working with a third party that is part of your supply chain. For example, your network may be managed by an MSP. This is a Managed Service Provider. You may be paying this third party to monitor your systems and inform you if anything needs to be updated or changed in your infrastructure. This also makes a perfect place for an attacker to start because if they gain access to the MSP, they will then have access to your systems.
This was the threat vector used by attackers that gained access to Target’s network in 2013 and were able to install malware on all of their point-of-sale systems in order to steal credit card numbers. The attackers gained access to systems that were controlled by HVAC contractors that were hired by Target and therefore were able to jump from the HVAC network to the Target network and then to all of the stores in the Target systems.
And there have been cases where counterfeit hardware itself was used as a threat vector. For example, in 2020, there was a documented case of fake Cisco Catalyst switches being installed. These switches were identified because they weren’t able to update their software properly. But certainly, those systems could be used as a threat vector and have malicious software that would allow an attacker to take over those switches.