Verizon has published its Data Breach Investigations Report (DBIR) annually since 2008. This year's finding was that nearly every breach could be traced back to human error or a supply-chain compromise. With breaches costing companies an average of $4.24 million, it's worth knowing the most common attack vectors. Below we look at which ones hackers reach for most and how to mitigate the risk from each.
What Is an Attack Vector?
In the cybersecurity world, an attack vector is the method or path an attacker uses to reach and exploit a vulnerability. Once inside, criminals use that foothold to extract valuable information from the breached system.
The Countdown: Least to Most Dangerous
We’ll look at the different vector examples from the Verizon DBIR, building from bad to catastrophic.
Trojan-downloader malware is a type of trojan that waits until the right connection is available (e.g., to a remote server or website) and only then downloads further malware onto the infected computer. One of the most famous pieces of malware in this family is NotPetya, which made headlines in 2016 and 2017. Petya and NotPetya both encrypt the hard drives of infected computers, though NotPetya spreads far more aggressively and is widely believed to be sponsored by the Russian government.
Direct action viruses (sometimes known as direct install) hide inside otherwise legitimate programs. As soon as that program is launched, the virus is installed. The virus code can sit between the hard disk and removable diskettes, which lets it spread to multiple devices. There is some evidence that this is a common technique for Chinese state-sponsored hackers, who largely target VPNs and public-facing apps.
Remote Desktop Protocol (RDP) hacks are attempts by criminals to obtain passwords and system information from workplace networks. The US Office of Personnel Management was hacked in 2015 and went through an ordeal after a hacker gained access to the agency's servers. Now that more people are working from home, this kind of attack is becoming more popular by the day, which is why organizations need to adopt approaches like zero trust to better protect their data and systems.
Link clicks, downloads, forgotten updates, misconfigurations: plenty of hackers use plain old human error to their advantage. Twitter employees famously fell victim to a spear-phishing attack in which criminals collected information about employees working from home and then posed as Twitter execs to obtain their credentials. With those credentials, the attackers reset the accounts of some of the most famous users on the platform.
A backdoor is any method that lets someone bypass a system's standard security controls. Backdoors aren't used solely by hackers, though the term is most often heard in that context. Hackers distribute backdoored apps through lures such as fake crypto wallets; in one famous case originating in China, once the backdoored wallet app had been distributed, the attackers used it to drain their victims' funds.
If a hacker gets hold of a software distributor's signing key, they can sign a malicious update and push it to a target. This vector is stealthy because the update arrives through the regular update channel and looks legitimate to everyone else. Android made headlines in 2021 when a hacker group designed malware that successfully posed as an update.
In 2021, 61% of breaches involved a supply-chain partner, meaning criminals are targeting companies upstream, which gives them access to many organizations at once. When the government IT firm SolarWinds was hacked, 80% of those affected were non-government organizations.
Email remains one of the most reliable ways for hackers to gain access to businesses and individuals. Commonly known as spoofing, this attack vector typically involves a hacker pretending to be someone else. The chairman of Hillary Clinton's campaign famously fell victim to Russian hackers posing as Google, which allowed them to release all of his emails before the election.
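The spoofing pattern described above (a message that claims to come from a trusted brand but does not) leaves traces in the headers a receiving mail server records. As an added example that is not part of the original article or the DBIR, the following Python script checks a message for three such traces: a display name that claims a brand whose domains the sender's address does not match, a Reply-To that redirects replies to a different domain, and SPF/DKIM/DMARC failures in the Authentication-Results header. The two sample messages, the TRUSTED_BRANDS list, and the function names are all constructed for this illustration; it uses only the Python standard library.

```python
"""Flag email headers that show classic signs of sender spoofing.

Added example for illustration only: the sample messages, the brand list
and the rule set are constructed assumptions, not part of the article.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Display-name brands an organisation expects to map to specific sender
# domains. Constructed for the example; a real deployment loads its own list.
TRUSTED_BRANDS = {
    "google": {"google.com", "accounts.google.com"},
}

# Matches verdicts such as "spf=fail" or "dmarc=pass" inside Authentication-Results.
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none)\b", re.I)

# Constructed sample: a lookalike domain, a redirected Reply-To, and failed checks.
SPOOFED = """\
From: "Google Accounts" <security@accounts-google-verify.example>
Reply-To: helpdesk@mailbox-recovery.example
To: staffer@campaign.example
Subject: Someone has your password
Authentication-Results: mx.campaign.example; spf=fail smtp.mailfrom=accounts-google-verify.example; dkim=none; dmarc=fail header.from=accounts-google-verify.example

Click here to change your password.
"""

# Constructed sample: genuine brand domain with passing authentication.
LEGIT = """\
From: "Google" <no-reply@accounts.google.com>
To: staffer@campaign.example
Subject: Security alert
Authentication-Results: mx.campaign.example; spf=pass smtp.mailfrom=accounts.google.com; dkim=pass header.d=google.com; dmarc=pass header.from=accounts.google.com

A new sign-in was detected.
"""


def _domain_of(address):
    """Return the lower-cased domain part of an email address, or '' if absent."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def auth_results(msg):
    """Return {mechanism: verdict} parsed from all Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RESULT_RE.findall(header):
            results[mech.lower()] = verdict.lower()
    return results


def spoofing_indicators(raw_message):
    """Return a list of reasons the message looks spoofed (empty means no findings)."""
    msg = message_from_string(raw_message)
    reasons = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(from_addr)

    # 1. The display name invokes a brand, but the address is not on that brand's domains.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in display_name.lower():
            on_brand_domain = any(from_domain == d or from_domain.endswith("." + d) for d in domains)
            if not on_brand_domain:
                reasons.append(f"display name claims '{brand}' but From domain is '{from_domain}'")

    # 2. Reply-To points to a different domain, so replies are diverted to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain_of(reply_addr)
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. The receiving mail server's own SPF/DKIM/DMARC verdicts.
    for mech, verdict in auth_results(msg).items():
        if verdict in ("fail", "softfail"):
            reasons.append(f"{mech} {verdict}")

    return reasons


if __name__ == "__main__":
    for label, sample in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        findings = spoofing_indicators(sample)
        print(f"{label}: {findings or 'no indicators'}")
```

Run on the two constructed samples, the spoofed message produces four findings (brand mismatch, diverted Reply-To, SPF fail, DMARC fail) and the legitimate one none. None of these checks is decisive alone, which is the point of combining them: a forwarded newsletter can fail SPF, and a ticketing system can legitimately set a different Reply-To, but a message that trips several at once deserves a second look before anyone follows its link.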
Cybercriminals are always looking for opportunities in software and servers. When they find a vulnerability nobody else knows about and keep it hidden until they launch the attack, this is known as a zero-day attack. Sony Pictures Entertainment was famously breached last year thanks to an undisclosed vulnerability, one that gave the hackers the ability to attack multiple parts of the studio's network.
The takeaway here is that no one is immune from these attack vectors, regardless of how many resources they have at their disposal. (If Sony's having trouble with security, small businesses aren't going to have it any easier.)
It's critical for IT employees to be aware of these threats, and to diversify their protections and security visibility whenever and wherever possible. The DBIR suggests that even a few policy changes, such as more frequent password updates or training employees to spot fake emails, could make a big difference in whether they're targeted by or vulnerable to an attack.