OBJECTIVE 2.2

Explain common threat vectors and attack surfaces

A threat vector is the path an attacker uses to reach a target. The attack surface is the total set of entry points an attacker could use to get there. Reducing the attack surface and hardening each remaining vector is foundational defense.

Message-Based Vectors

Email

The most exploited vector in cybersecurity. Period.

  • Phishing: Mass emails impersonating legitimate entities to steal credentials or deliver malware
  • Spear-phishing: Targeted phishing aimed at specific individuals with personalized content
  • Whaling: Spear-phishing targeting executives (CEO, CFO)
  • Business Email Compromise (BEC): Attacker compromises or impersonates a business email to authorize fraudulent transfers
  • Malicious attachments: Weaponized Office docs (macro-enabled), PDFs, archive files
  • Malicious links: URLs leading to credential harvesting pages or drive-by download sites
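A defender-side illustration of the BEC and phishing bullets above, added here as an example and not part of the original notes: header heuristics that flag a lookalike sender domain, a Reply-To that points somewhere other than the sender, and urgent financial wording. The sample message, TRUSTED_DOMAIN and URGENCY_WORDS are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: an executive's display name, a lookalike sending domain
# ("examp1e" with a digit one) and a Reply-To that drags replies elsewhere.
SAMPLE_BEC = b"""From: "Jane Doe, CFO" <jane.doe@examp1e-corp.com>
Reply-To: accounts@mail-forwarder.example
Subject: Urgent wire transfer before close of business

Please process the attached invoice today. Reply here only.
"""

TRUSTED_DOMAIN = "example-corp.com"  # assumed: the organization's own domain
URGENCY_WORDS = ("urgent", "wire", "transfer", "invoice", "payment")


def _domain(addr: str) -> str:
    """Lower-cased domain of an RFC 5322 address, or '' when there is none."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _one_edit_away(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return len(long_) - len(short) == 1 and any(
        long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def bec_indicators(raw: bytes, trusted_domain: str = TRUSTED_DOMAIN) -> list[str]:
    """Return header-level BEC/phishing indicators found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    findings = []
    # A sender domain one character away from ours is a lookalike/typosquat.
    if from_dom != trusted_domain and _one_edit_away(from_dom, trusted_domain):
        findings.append(f"lookalike sender domain: {from_dom}")
    # A Reply-To on a different domain silently redirects the conversation.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain differs from From: {reply_dom}")
    # Urgency plus financial wording is the classic BEC lure.
    if any(w in msg.get("Subject", "").lower() for w in URGENCY_WORDS):
        findings.append("urgent financial language in subject")
    return findings
```

Run bec_indicators(SAMPLE_BEC) to see all three indicators fire on the constructed message; a clean internal mail with no Reply-To returns an empty list.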

SMS (Smishing)

Phishing via text message. Exploits trust in SMS and mobile-first behavior.

  • Fake shipping notifications, bank alerts, MFA codes
  • Often includes shortened URLs to hide the destination

Instant Messaging

Phishing via Slack, Teams, Discord, WhatsApp.

  • Exploits implicit trust within internal communication platforms
  • Compromised accounts send malicious links to colleagues

Image-Based Vectors

  • Malicious code embedded in image metadata (EXIF) or pixel data
  • Steganographic payloads — data hidden inside images that otherwise appear normal
  • Exploits in image parsers (buffer overflows triggered by malformed image files)

File-Based Vectors

  • Infected documents, executables, scripts distributed via email, file shares, downloads
  • Polyglot files: files that are valid as multiple formats simultaneously (e.g., a file that’s both a valid PDF and a valid ZIP)
  • Living-off-the-land: malicious scripts using built-in tools (PowerShell, bash) rather than dropped executables
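An added detection example for the polyglot bullet above (not code from the original notes): it checks whether one file would be accepted by more than one common parser, relying on the fact that PDF readers tolerate a header anywhere in the first 1024 bytes and ZIP readers find the archive from its end-of-central-directory record. The sample bytes are constructed here and carry nothing harmful.

```python
import io
import zipfile

# Signatures a strict reader expects at offset 0; a polyglot carries one of
# these while also satisfying a second, more lenient parser elsewhere in the file.
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office container


def detect_formats(data: bytes) -> set[str]:
    """Return every format a common parser would accept these bytes as.

    PDF viewers accept the header within the first 1024 bytes; ZIP tools locate
    the archive from its trailing EOCD record, so a ZIP appended to any other
    file is still a valid ZIP. Those leniencies are what PDF/ZIP polyglots use.
    """
    found = set()
    if PDF_MAGIC in data[:1024]:
        found.add("pdf")
    if zipfile.is_zipfile(io.BytesIO(data)):
        found.add("zip")
    if data.startswith(PE_MAGIC):
        found.add("pe")
    if data.startswith(OLE_MAGIC):
        found.add("ole")
    return found


def is_polyglot(data: bytes) -> bool:
    """A file that parses as more than one format deserves quarantine and review."""
    return len(detect_formats(data)) > 1


def build_zip(files: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP archive (used here only to construct sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a minimal PDF-headed blob (not a complete document) and
# the same bytes with a harmless ZIP archive appended after the PDF trailer.
PLAIN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
PDF_ZIP_POLYGLOT = PLAIN_PDF + build_zip({"readme.txt": b"placeholder content"})
```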

Voice-Based (Vishing)

Social engineering over phone calls.

  • Pretexting as IT support, bank, government agency
  • Deepfake voice technology makes impersonation more convincing
  • Often combined with other vectors (call follows a phishing email to add urgency)

Removable Media

  • USB drives (dropped in parking lots, mailed to employees)
  • USB Rubber Ducky / BadUSB: Devices that appear as USB drives but act as keyboards, injecting keystrokes
  • Optical media, SD cards, external hard drives
  • Exam tip: Removable media policies (disable autorun, restrict USB ports, endpoint DLP) are the primary defense

Unsecure Networks

Wireless

  • Evil twin: Rogue access point mimicking a legitimate network name (SSID)
  • Rogue AP: Unauthorized access point connected to the corporate network
  • Deauthentication attacks: Forcing clients off legitimate AP to capture handshakes or redirect to evil twin
  • Bluetooth attacks: Bluejacking (unsolicited messages), Bluesnarfing (data theft)

Wired

  • Physical access to network jacks in lobbies, conference rooms, unsecured areas
  • Network taps and inline devices
  • ARP poisoning on the local network

Vulnerable Software

Client-Based

  • Unpatched browsers, email clients, office suites
  • Browser extensions with excessive permissions
  • Software supply chain attacks (compromised update mechanisms)

Agentless

  • Vulnerabilities in network services that don’t require software installation on the target
  • Exploiting exposed management interfaces, APIs, web applications

Open Service Ports

  • Every open port is a potential entry point
  • Common targets: RDP (3389), SSH (22), SMB (445), HTTP/S (80/443)
  • Unnecessary services = unnecessary attack surface. If it’s not needed, disable it.

Default Credentials

  • Factory-set usernames and passwords on routers, switches, cameras, IoT devices
  • Publicly documented and actively scanned by automated tools
  • Exam staple: Default credentials are one of the most common and easily preventable vectors

Supply Chain Vectors

Managed Service Providers (MSPs)

  • Compromise the MSP → gain access to all their clients
  • MSPs have privileged access across multiple organizations
  • SolarWinds attack was a supply chain attack through a managed IT tool

Vendors

  • Third-party software, hardware, or services that become the attack path
  • Pre-installed malware on hardware (documented cases with firmware implants)
  • Compromised software updates (SolarWinds Orion, Codecov, Kaseya VSA)

Suppliers

  • Upstream component providers whose compromise cascades downstream
  • Hardware supply chain: tampered chips, intercepted shipments
  • Open source dependencies: malicious packages in npm, PyPI, etc.

Human Vectors

Social Engineering

The art of manipulating people into breaking security procedures.

  • Phishing — Broad deception via electronic communication
  • Pretexting — Creating a fabricated scenario to extract information
  • Impersonation — Posing as someone with authority (IT admin, executive, vendor)
  • Watering hole — Compromising websites the target frequently visits
  • Typosquatting — Registering domains that mimic legitimate ones (gogle.com)
  • Brand impersonation — Fake login pages, spoofed emails matching corporate branding

Misinformation/Disinformation

  • Manipulating information to influence behavior
  • Fake security alerts that trick users into installing “fixes” (malware)

Attack Surface Management

The total attack surface = all possible vectors combined. Reducing it is a continuous process:

  • Asset inventory — Can’t protect what you don’t know about
  • Vulnerability scanning — Find what’s exposed
  • Patch management — Close known holes
  • Network segmentation — Limit blast radius
  • Principle of least functionality — Disable everything that’s not needed
  • Regular review — Attack surface changes with every new system, user, or integration
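An added example tying the "Open Service Ports" bullets and the principle of least functionality together (not part of the original notes): it parses listener lines in the shape of `ss -tln` output, ignores loopback-only services, and flags anything outside an assumed per-role allowlist plus any exposure of the high-risk ports named above. ROLE_ALLOWLIST and SAMPLE_SS are constructed assumptions.

```python
import ipaddress

# Ports the objective lists as common targets; exposing them always gets flagged.
HIGH_RISK_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}
# Assumed per-role allowlist (least functionality): what a host may expose
# beyond loopback. Anything else is attack surface to remove or firewall.
ROLE_ALLOWLIST = {"web": {80, 443, 22}, "db": {5432}}

# Constructed sample in the shape of `ss -tln` output from a "web" host.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      128    0.0.0.0:3389       0.0.0.0:*
LISTEN 0      511    [::]:80            [::]:*
"""


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (bind_address, port) for each LISTEN line of ss-style output."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, port = parts[3].rsplit(":", 1)
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_externally_reachable(addr: str) -> bool:
    """True when a bind address accepts connections from other hosts."""
    if addr in ("*", ""):
        return True  # wildcard bind: all interfaces
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised address form: assume exposed


def audit_exposure(ss_output: str, role: str) -> list[str]:
    """Flag listeners outside the role allowlist and any high-risk port exposed."""
    allowed = ROLE_ALLOWLIST.get(role, set())
    findings = []
    for addr, port in parse_listeners(ss_output):
        if not is_externally_reachable(addr):
            continue  # loopback-only services add no network attack surface
        if port not in allowed:
            findings.append(f"{addr}:{port} not in '{role}' allowlist: disable or firewall")
        if port in HIGH_RISK_PORTS:
            findings.append(f"{addr}:{port} exposes {HIGH_RISK_PORTS[port]}: restrict sources, enforce MFA")
    return findings
```

On the constructed sample, audit_exposure(SAMPLE_SS, "web") flags the exposed RDP listener twice (not allowlisted and high-risk) and SSH once (allowlisted but high-risk), while the loopback-bound database is ignored.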

Offensive Context

An attacker’s reconnaissance phase maps exactly to this objective — they’re looking for the easiest vector with the highest payoff. Automated scanners test default credentials and open ports. OSINT reveals the org’s technology stack. Supply chain analysis identifies trusted third parties that might be softer targets. The defender’s job is to see their organization through the attacker’s eyes and make every vector as expensive as possible.