What is a Threat Vector and Why it’s Important to Define
by Rick Kuwahara CMO of Paubox
The internet and the digital transformation of business have changed every industry in positive ways, but they have also introduced an unprecedented level of risk from cyberattacks.
At best, an attack can be a nuisance; at worst it can ruin a business and put people’s lives at risk – especially in healthcare.
In this post we’ll take a step back and more broadly examine the how and why of cyberattacks by focusing on threat vectors (also called attack vectors).
By recognizing and closing off threat vectors, an organization can block several attack methods at once, saving itself time, money, and stress.
What is a threat vector?
A threat vector is a path or means by which a cybercriminal gains access to a computer system, entering through one or more of six main routes and exploiting a vulnerability along that route. The sum of all such routes and exposed points is the system's attack surface.
Among the six main routes (points of entry) are:
- The network
- Web applications
- Remote access portals
- Mobile devices
An attack along a vector can be passive (an attempt to gain or use information without affecting the system) or active (a direct attempt to alter the system or affect its operations).
The list of threat vectors grows continuously as attackers discover new ways to exploit people and system weaknesses to deliver malicious software, reach sensitive data, or gain control of operating systems.
Threat vectors can be categorized as programmatic or social engineering.
| Programmatic threat vectors | Social engineering threat vectors |
| --- | --- |
| Macros | Poor password protection |
| Bogus email attachments or web links | Baiting |
| Rootkits | Cybersquatting (e.g., typosquatting) |
| SQL injection | Man-in-the-middle or session hijacking |
| Unpatched vulnerabilities | Credential reuse |
| Brute force/cracking | Domain shadowing or hijacking |
| Distributed denial-of-service (DDoS) | Malvertising |
| Misconfigured cloud services like Google Cloud, Amazon Web Services (AWS) | Disgruntled employees |
Programmatic and social engineering vectors are often combined in a single campaign, shifting fluidly from one to the other, which is why organizations need to broaden how they approach cybersecurity.
How is a threat vector used?
To gain access to a system through one or more of the six routes, an attacker typically:
- Identifies a potential target and threat vectors
- Gathers information
- Uses the information to identify additional tools needed
- Gains access, then either steals data or installs malicious code, quietly monitors for information worth stealing later, or places the compromised system under a command-and-control (C2) server for ongoing use
Hackensack Meridian Health learned this firsthand in December 2019, when its systems were breached and encrypted in a ransomware attack.
Email is the number one threat vector
Today, the weakest route into almost any computer system is email, and many threat vectors target it.
A huge reason for this is the human factor.
Email filtering tools can block a lot of malicious messages, but if even one gets through, it takes only one inadvertent click to hand a hacker unauthorized access.
Breaches and leaks of sensitive data aren't limited to outside attacks either. Many data breaches are caused by employees sending sensitive information in unsecured email messages.
This is especially true in healthcare, where, according to the Health and Human Services (HHS) Breach Portal, the majority of reported breaches involved email.
Once the cybercriminal(s) identified Hackensack as a target and saw that its email security was lax, it was easy to deliver ransomware through that vector, encrypt data, and demand a ransom.
Why is it important to think in terms of threat vectors?
It is imperative, therefore, to change the way we approach information security, from reacting to specific events to addressing threat vectors.
Healthcare, for example, is one of the most vulnerable industries, with a lucrative payoff and a large, distinctive set of threat vectors.
These include legacy systems and medical devices with unpatched vulnerabilities, an increasing reliance on internet-of-things (IoT) devices, business associates with flimsy security and access to protected health information (PHI), and overworked employees who are reached through social engineering.
By learning about and focusing on threat vectors, healthcare organizations (and all industries) can proactively strengthen security for all six entry routes.
Even without knowing the who or when of a cyberattack, identifying threat vectors as early as possible gives an organization the what, where, and how it needs to build a solid information security program.
How can this knowledge help you?
Hackensack may have gotten off more lightly than other organizations, because its attackers' end game was monetary.
Some targeted organizations are instead commandeered to stage wider attacks on the public.
Others become victims of corporate espionage, or of espionage on behalf of another country (as with the Chinese hacking group APT10, believed to work for China's Ministry of State Security).
Such risks are why the federal government has stepped up its assessments of, and fines against, non-compliant organizations.
And they are why it is so important to understand threat vectors together with attack methods, rather than focusing on each specific breach in isolation.
Once the exposed threat vectors are identified, strong cybersecurity can shrink the attack surface a cybercriminal can use.
Some prevention strategies include:
- Virtual patching
- Isolation of old machines
- Multi-factor authentication
- Strong password policies
- Offline backup
- Strict policy enforcement
- Continuous employee training
- Additional smart device security
- Web filters
- Inbound email security
- Threat detection programs
No single method alone is foolproof. Just as there are multiple threat vectors, there should be multiple layers of security and protection.
Learning more about threat vectors and how they are used by cybercriminals is necessary in order to safeguard your organization and improve your security posture.
How Paubox can help
Paubox Inbound Security can help mitigate inbound email threats by utilizing hundreds of checks on each incoming email to protect you against malicious attacks.
Display name spoofing has become a headache for every organization and represents 91% of phishing attacks. Paubox’s patent-pending ExecProtect feature immediately identifies and quarantines attacks, never letting them get to the inbox.
Paubox Inbound Security is constantly improving and uses new approaches to detecting threats, such as checking a sender's domain age and leveraging Google's Safe Browsing API, to stay ahead of threats that are not yet on blacklists.
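To make concrete what a display-name-spoofing check (the technique ExecProtect is described as applying above) and a look-alike-domain check (the typosquatting vector from the table earlier) actually do, here is an added Python example. It is not Paubox code: the organization domain, the list of protected executives and the sample messages are hypothetical and constructed for the example, and the similarity threshold is an assumed tuning value.

```python
"""Flag inbound mail that spoofs a protected display name or arrives from a
look-alike sender domain. Added example, not Paubox code. ORG_DOMAIN,
PROTECTED_NAMES and SAMPLES are hypothetical/constructed."""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
import unicodedata

ORG_DOMAIN = "example-health.org"              # hypothetical organization domain
PROTECTED_NAMES = {"jane doe", "john smith"}   # hypothetical executives to protect


def normalize_name(name: str) -> str:
    """Lower-case, strip accents and collapse whitespace so that
    'JANE  Doe' and 'Jané Doe' both compare equal to 'jane doe'."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.lower().split())


def is_lookalike(domain: str, reference: str, threshold: float = 0.8) -> bool:
    """True when domain is close to, but not equal to, the reference domain.
    Catches one-character typosquats such as 'example-heaith.org'.
    The 0.8 threshold is an assumed tuning value."""
    if not domain or domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= threshold


def classify(raw_message: str):
    """Return (verdict, reasons); verdict is 'quarantine' or 'deliver'."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    reasons = []
    # Display-name spoofing: a protected name on mail that did not originate
    # from our own domain. Users see the name; the real sender is the address.
    if normalize_name(display) in PROTECTED_NAMES and domain != ORG_DOMAIN:
        reasons.append("display-name-spoof")
    # Typosquatted / look-alike sender domain.
    if is_lookalike(domain, ORG_DOMAIN):
        reasons.append("lookalike-domain")
    return ("quarantine" if reasons else "deliver"), reasons


# Constructed sample messages (not real traffic).
SAMPLES = [
    'From: "Jane Doe" <jane.doe@gmail.com>\nSubject: urgent wire\n\nPlease call me.\n',
    'From: "JANE DOE" <jane.doe@example-heaIth.org>\nSubject: invoice\n\nSee attached.\n',
    'From: "Jane Doe" <jane.doe@example-health.org>\nSubject: lunch\n\nNoon?\n',
    'From: "Bob Vendor" <bob@vendor-supplies.com>\nSubject: order\n\nShipped.\n',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

The first sample is quarantined purely on the display name (a free-mail address carrying an executive's name); the second trips both checks because the domain swaps a capital I for the l in "health"; internal mail and an unrelated vendor are delivered. A production filter would add sender-authentication results (SPF/DKIM/DMARC) and the domain-age and Safe Browsing lookups mentioned above, which need network access and are left out here.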