Attack Vector vs Attack Surface: The Subtle Difference
To establish a better security posture, you must address vulnerabilities in your attack vectors and surfaces. While these terms are similar, they’re not the same. This article explores key differences between the two, helping you make your system more secure.
Cybersecurity discussions about “attack vectors” and “attack surfaces” sometimes use these two terms interchangeably. However, their underlying concepts are actually different, and understanding these differences can provide a better understanding of security nuances, allowing you to improve your organization’s security by differentiating between these terms.
This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two concepts and establish a more mature security posture.
Attack vector vs. attack surface
Most simply, an attack vector is any means by which an attacker can infiltrate your environment, whereas attack surface refers to the collective vulnerability that these vectors create. Any point that allows data to pass into your application or network represents a potential attack vector. Identities, networks, email, supply chains, and external data sources such as removable media and cloud systems, are all exploitable channels that a malicious actor may use to compromise your sensitive data or personal information. This also means that any system update or release could create new attack vectors.
Common attack vectors
Rapid technological change means that some of these attack vectors will fall out of favor with hackers and become less common. Nonetheless, some choices have been consistently common and will likely remain so.
Social engineering via email
Email attachments remain one of the most common vectors of the last 30 years.
Consider a situation in which you receive an email with the subject: “Please correct your tax form to receive your next paycheck.” This sender’s address seems to be from your boss or HR department, and the email contains an attachment called W2.pdf.
This type of email originates from an attacker using a spoofed return address to appear legitimate and trustworthy. However, what appears to be a PDF file may in fact be an executable file (W2.pdf.exe) containing a Trojan horse virus. If you open the file using an insecure PDF reader, you might execute the Trojan, infecting your system.
An attack like this is an example of a social engineering attack, which takes advantage of predictable or controllable human behavior to access personal information, credentials, and so on. Focusing on important subjects like personal finances or critical business processes is an effective way to trick a user into opening the email and its attachment.
Wireless attacks are a more recent attack vector. Many places of business provide wireless access for end users who work on laptops or mobile devices. Unfortunately, the administrators who configure this access too often use insufficient encryption (for example, WEP) or choose simple passwords for employee convenience.
In the case of the latter, an attacker may be able to guess the password or use a disassociation attack to interrupt the user’s Wi-Fi connection and then capture their reconnection—and, as a result, their encrypted password. If the password is weak or commonplace, an attacker could crack it in a relatively short amount of time. Once the network is penetrated, more attack vectors become available and the attack surface expands considerably.
Common attack surfaces
The attack surface is the collection of total attack vectors to your system. Consequently, the larger the system you are trying to protect, the greater your attack surface becomes. Unfortunately, it’s virtually impossible to know the precise size of your attack surface because it requires a real-time awareness of available attack vectors, many of which remain hidden from view until exploited. This undetectable segment represents the “zero-day” exploit category, which defines attack vectors that remain unknown and, therefore, unpatched.
While an individual password represents an attack vector, an application or website’s password requirement comprises an attack surface. This surface is less widespread as organizations turn to other modes of authentication, but many still protect assets from non-credentialed users via password-based authentication. And, as many users rely on weak or easily guessable passwords, a malicious actor has an enormous surface that offers numerous potential entry points into your system.
So, while many users may use more secure passwords, those who employ any of the most common active passwords (for example, “password,” “qwerty,” “123456”), leave your system vulnerable multiple times over. Fortunately, a well-postured portal will automatically check services like Have I Been Pwned to detect compromised passwords and use rate-limiting to prevent these attacks.
Another attack surface is software—specifically, the always-on software used in servers. Servers must remain operational 24/7 to support global workforces. Therefore, implementing patches to fix security issues takes a backseat to user productivity and, as such, many patches are never implemented. So, the more always-on components you have active, the greater your attack surface.
Within hybrid architectures, the attack surface encompasses every physical machine and every cloud resource. Access management may control access to these resources, but the aggregate of their individual entry points vastly increases the size of the attack surface.
Many times, organizations deploy a server or software in the cloud and assume that it has remained secure because it has not noticeably malfunctioned. However, a competent attacker may have already compromised one or more resources without affecting system functionality. As a result, the collection of less-noticeable vectors creates an especially vulnerable portion of your attack surface.
The attack surface in action
The following is an example of a complete cybersecurity breach highlighting attack vectors operating against an attack surface.
NewCompany is a hybrid-remote company that recently moved into a new office space. It requires all employees to work in the office at least three days per week. The IT staff securely configure the wireless access, using WPA3 on the router and changing the default wireless password. However, in the rush to open, no one disabled the Guest account, which has no password protection. This mistake remained undiscovered.
An attacker, Eve, walks into NewCompany’s office one day and blends into the bustle of workers. Eve opens her laptop, logs into the network using the unprotected Guest account, downloads a database of Personally Identifiable Information (PII) from the server, and walks out without anyone even knowing she was there.
In the above example, you can see the large attack surface of an open office space with no checkpoint controls. The risk of this is compounded by an open Guest account for wireless access, which enables Eve to exploit the lack of password protection and unencrypted PII to steal information. The attack vectors in this example are the methods Eve used to enter the office and the network, and these vectors comprise the attack surface—the unprotected network and unencrypted data on the server.
Protecting against attacks
Since attack surfaces can be large and unknown, defending against attacks used to require a variety of technologies cobbled together to ensure the broadest possible coverage. Now, you can turn to industry-specific tools like Sentry to quickly identify and mitigate cloud security risks your organization faces. In contrast to the patchwork of solutions that were once necessary, Cloud Sentry surfaces active threats in your environment across virtual machines, container registries, and serverless functions all in one place.
For cloud-based infrastructure, Cloud Sentry has been designed from the ground up to identify and remediate cloud-based risks that could be leveraged by attackers. Many industries have seen the benefit of moving assets to the cloud for high availability, scalability, as well as the ease of use of software as a service (SaaS). However, organizations don’t always consider the increase in attack surface prompted by cloud migration. Trend Cloud One™ is built to integrate into such environments to provide security teams with the tools they need in order to protect off-site assets.
Furthermore, to address the least visible parts of your attack surface, there is Trend Vision One™, a powerful solution able to detect the most commonly overlooked threats against an attack surface. Many detection and response solutions only examine endpoints, which are traditional targets for attackers. However, as technology has progressed, so has attack methodology. As such, many other attack vectors have to be considered within the scope of modern infrastructure.
Trend Vision One has broad extended detection and response (XDR) capabilities that collect and automatically correlate data across many different security layers including email, endpoints, servers, cloud workloads, and networks. This allows defenders to get a clear picture of their entire infrastructure and protect it accordingly.
Although “attack vector” and “attack surface” overlap, it’s crucial to understand that your attack surface is the totality of attack vectors across your system. Without a clear understanding of the attack vectors that leave your systems vulnerable, you may overlook weaknesses in your organization’s wider attack surface. It can also make thorough and accurate protection nearly impossible.
Learning to spot existing vectors and discover new vectors is critical in maintaining a proper security posture. Implementing tools such as Trend Vision One and Trend Micro™ Cloud Sentry provide a more complete picture, granting you an automated defense both against today’s most popular attack vectors and those that will be leveraged tomorrow.