What is a threat vector and why is it important to define
by Kapua Iao
The internet and digital revolutions have changed every industry in positive ways, but they have also introduced an unprecedented level of risk with cyberattacks.
At best, an attack can be a nuisance; at worst it can ruin a business and put people’s lives at risk—especially in healthcare.
In this post, we’ll take a step back and more broadly examine the how and why of cyberattacks by focusing on threat vectors (also called attack vectors).
By recognizing and minimizing threat vectors, organizations are able to block several attack methods at once, saving time, money, and stress.
What is a threat vector?
A threat vector is a path or means by which a cybercriminal gains access to a computer system through one or more of six main routes, by exploiting a vulnerability in that route (also called an attack surface).
The six main routes (points of entry) are:
- The network
- Web applications
- Remote access portals
- Mobile devices
A system can be attacked for passive reasons (an attempt to gain or use information without affecting the system) or active reasons (a direct attempt to alter a system or affect its operations).
The list of threat vectors continuously grows as hackers discover new methods to exploit people and system vulnerabilities to deliver malicious software, access sensitive data, or access operating systems.
Threat vectors are categorized as either programming or social engineering.
| Programming Threat Vectors | Social Engineering Threat Vectors |
|---|---|
| Malware/ransomware | Chat room messages |
| Macros | Poor password protection |
| Bogus email attachments or web links | Baiting |
| Rootkits | Cybersquatting (e.g., typosquatting) |
| SQL injection | Man-in-the-middle or session hijacking |
| Unpatched vulnerabilities | Credential reuse |
| Brute force/cracking | Domain shadowing or hijacking |
| Distributed denial-of-service (DDoS) | Malvertising |
| Misconfigured cloud services like Google Cloud, Amazon Web Services (AWS) | Disgruntled employees |
Both programming and social engineering threat vectors can be employed simultaneously and fluidly, which is why it is necessary to broaden how organizations approach cybersecurity.
How is a threat vector used?
In order to gain access to a system through one or more of the six routes, a hacker:
- Identifies a potential target and threat vectors
- Gathers information
- Uses the information to identify additional tools needed
- Gains access to steal data or install malicious code OR monitors for information worth stealing in the future OR takes control of the hacked system with a command and control server for personal use
Hackensack Meridian Health learned this first hand in December 2019 when its system was breached and encrypted after a ransomware attack.
Once the cybercriminal(s) identified Hackensack and realized that email security was lax, it was easy to utilize a ransomware threat vector to infiltrate, encrypt data, and demand a ransom.
Email is the number one threat vector
Today, the weakest route into any computer system is through email, and it is what many threat vectors focus on.
A major reason for this is the human factor.
Email filtering tools can block a lot of malicious messages, but if even one gets through it just takes one inadvertent click to grant unauthorized access to a hacker.
Furthermore, breaches and leaks of sensitive data are not limited to outside attacks; some are caused by employees sending sensitive information in unsecured email messages.
This is especially true in healthcare, where the majority of breaches are caused by email according to the Health and Human Services (HHS) Breach Portal.
Why is it important to think in terms of threat vectors?
It is imperative, therefore, to change the way we approach information security, from focusing on specific events to aiming at threat vectors.
Healthcare, for example, is one of the most vulnerable industries with a lucrative payoff and a large set of threat vectors.
These threat vectors include legacy and medical devices with patch vulnerabilities, an increased reliance on internet-of-things (IoT) devices, business associates with flimsy security and access to protected health information (PHI), and overworked employees reached through social engineering.
By learning about and focusing on threat vectors, healthcare organizations (and all industries) can proactively strengthen security for all six entry routes.
Even without knowing the who or when of a cyberattack, identifying threat vectors as early as possible provides an organization with the what, where, and how in order to create a solid information security program.
How can this knowledge help you?
Hackensack may have gotten off luckier than other organizations, as its hackers' end game was monetary.
Some targeted organizations are instead seized and used to abet attacks on the wider public.
Others become victims for corporate espionage on behalf of another country (like the Chinese hacking group APT10, believed to be working for China’s Ministry of State Security).
Such reasons are why the federal government has increased its assessments and fines against noncompliant organizations, and why it is so important to understand threat vectors in conjunction with attacking methods rather than focus on each specific breach individually.
Once the vulnerable threat vectors are identified, strong cybersecurity can reduce the number of attack surfaces available to a cybercriminal.
Some prevention strategies include:
- HIPAA compliant email
- Virtual patching
- Isolation of old machines
- Multi-factor authentication
- Strong password policies
- Offline backup
- Strict policy enforcement
- Continuous employee training
- Additional smart device security
- Web filters
- Inbound email security
- Threat detection programs
No single method alone is foolproof. Just as there are multiple threat vectors, there should be multiple layers of security and protection.
Learning more about threat vectors and how cybercriminals use them is necessary in order to safeguard your organization and improve your security posture.
How Paubox can help
Paubox Email Suite Plus can help mitigate inbound email threats by utilizing hundreds of checks on each incoming email to protect you against malicious attacks.
Display name spoofing has become a headache for every organization and represents 91% of phishing attacks. Paubox’s patent-pending ExecProtect feature immediately identifies and quarantines attacks, never letting them get to the inbox.
Paubox Email Suite Plus is constantly improving and uses new approaches to detecting threats, such as checking a sender's domain age and leveraging Google's Safe Browsing API to stay ahead of threats that may not yet be on blacklists.
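As an added illustration of the two inbound checks described above (display name spoofing of an executive, and a young sender domain), here is a simplified classifier; it is example code, not Paubox's implementation, and the executive list, internal domain and the domain registration table are constructed stand-ins (a real deployment would query WHOIS/RDAP for the latter).

```python
from datetime import date
from email.utils import parseaddr
from typing import Optional

# Constructed example data (not Paubox's lists): names that are often
# impersonated, and the organization's own sending domain.
PROTECTED_NAMES = {"Jane Doe", "John Smith"}
INTERNAL_DOMAIN = "example-health.org"

# Constructed stand-in for a WHOIS/RDAP lookup: domain -> registration date.
# "example-heaith.org" is a made-up lookalike of the internal domain.
DOMAIN_REGISTERED = {
    "example-health.org": date(2005, 3, 1),
    "gmail.com": date(1995, 8, 13),
    "example-heaith.org": date(2024, 1, 20),
}

def normalize_name(name: str) -> str:
    # Collapse whitespace and case so "jane  DOE" matches "Jane Doe".
    return " ".join(name.split()).casefold()

def sender_parts(from_header: str):
    # Split a From: header into display name, address and domain.
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return display, addr, domain

def is_display_name_spoof(from_header: str) -> bool:
    """True when the display name matches a protected person but the
    address is not on the organization's own domain."""
    display, _, domain = sender_parts(from_header)
    protected = {normalize_name(n) for n in PROTECTED_NAMES}
    return normalize_name(display) in protected and domain != INTERNAL_DOMAIN

def domain_age_days(domain: str, today: date) -> Optional[int]:
    # None means the registration date is unknown, which is itself a signal.
    registered = DOMAIN_REGISTERED.get(domain)
    return (today - registered).days if registered else None

def classify_inbound(from_header: str, today: date, min_age_days: int = 30) -> str:
    """Return 'quarantine', 'review' or 'deliver' for one inbound message."""
    if is_display_name_spoof(from_header):
        return "quarantine"          # executive impersonation never reaches the inbox
    _, _, domain = sender_parts(from_header)
    age = domain_age_days(domain, today)
    if age is None or age < min_age_days:
        return "review"              # unknown or newly registered sender domain
    return "deliver"
```

A production filter would layer many more such checks (the page mentions hundreds) and treat these two as only part of the score.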