Attack Surfaces & Threat Vectors
Understanding attack surfaces is one of the most important concepts in cybersecurity because every cyberattack starts with a place where the attacker can interact with a system.
An organization is never attacked “randomly.”
A threat actor always searches for:
- A reachable target
- A weakness
- A method to exploit it
That combination forms the basis of an attack.
Attack Surface
An attack surface is the complete collection of all possible entry points that an attacker could use to interact with a system, network, application, device, or user.
This includes:
- Open network ports
- Web applications
- Cloud services
- User accounts
- Email systems
- Wireless access points
- USB ports
- APIs
- Vendor connections
- Employee devices
The more exposed systems an organization has, the larger the attack surface becomes.
ORGANIZATION
------------------------------------------------
| Web Apps | Servers | Wi-Fi | Email | Cloud |
| Users | APIs | VPN | USB | MSPs |
------------------------------------------------
= ATTACK SURFACE
A large attack surface increases:
- Complexity
- Vulnerabilities
- Monitoring difficulty
- Risk exposure
For this reason, security teams try to reduce the attack surface as much as possible.
Threat Vectors
A threat vector (or attack vector) is the actual method or pathway an attacker uses to exploit the attack surface.
The attack surface is the “available doors.”
The threat vector is “which door the attacker chooses and how they open it.”
For example:
- A phishing email
- Exploiting an open port
- Malware on a USB drive
- Weak cloud credentials
- A malicious vendor connection
These are all threat vectors.
Attacker
|
v
Threat Vector
(phishing / exploit / malware)
|
v
Attack Surface
(email / server / VPN / user)
|
v
Compromise
Sophisticated attackers usually combine several vectors into a multi-stage attack.
Multi-Stage Attacks
Modern cyberattacks are rarely a single action.
Instead, attackers chain multiple vectors, each one enabling the next.
For example:
- Send phishing email
- Steal credentials
- Access VPN
- Move laterally
- Escalate privileges
- Exfiltrate data
Phishing Email
|
v
Credential Theft
|
v
VPN Access
|
v
Internal Movement
|
v
Sensitive Data Stolen
This is why organizations must secure every stage of the environment, not just the perimeter.
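The defender's side of this chain is correlation: one phishing click or one unusual VPN login is noisy on its own, but the same identity passing through several stages in order is the signature of a chained attack. The following is an added example (not part of the original notes); the log events, user names and stage markers are constructed for illustration, and the stage order follows the chain above.

```python
"""Correlate single-stage events into a multi-stage attack chain per identity."""

# Constructed sample events: (timestamp_minutes, user, source, event_name)
EVENTS = [
    (0,  "alice", "mailgw", "phish_link_clicked"),
    (5,  "alice", "idp",    "login_failed_then_success_new_device"),
    (12, "alice", "vpn",    "vpn_session_opened_new_geo"),
    (30, "alice", "edr",    "smb_logon_to_5_hosts"),
    (2,  "bob",   "mailgw", "phish_link_clicked"),
    (40, "carol", "vpn",    "vpn_session_opened_new_geo"),
]

# Ordered stages of the chain from the notes. Each stage maps to the event
# names (constructed here) that indicate it.
STAGES = [
    ("phishing",         {"phish_link_clicked"}),
    ("credential_theft", {"login_failed_then_success_new_device"}),
    ("vpn_access",       {"vpn_session_opened_new_geo"}),
    ("lateral_movement", {"smb_logon_to_5_hosts"}),
]


def chain_progress(events, user):
    """Count how many chain stages this user's events hit, in order.

    Events are walked by time; a stage only counts if it comes at or after
    the last stage already matched, so out-of-order noise is not credited.
    """
    matched = 0
    next_stage = 0
    for _, u, _, event in sorted(events):
        if u != user:
            continue
        for i in range(next_stage, len(STAGES)):
            if event in STAGES[i][1]:
                next_stage = i + 1
                matched += 1
                break
    return matched


def escalate(events, min_stages=3):
    """Identities whose activity spans at least `min_stages` chain stages."""
    users = {u for _, u, _, _ in events}
    return sorted(u for u in users if chain_progress(events, u) >= min_stages)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, chain_progress(EVENTS, user))
    print("escalate:", escalate(EVENTS))
```

With the constructed events, only alice reaches all four stages and is escalated; bob and carol each trip a single stage and stay below the threshold, which is the point of securing and watching every stage rather than only the perimeter.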
Assessing the Attack Surface
Security teams must identify:
- What systems are exposed
- Who can access them
- Which services are running
- What vulnerabilities exist
- How attackers might move between systems
An organization has:
- An overall attack surface
- Smaller attack surfaces for individual systems
For example:
- A server has its own attack surface
- A web application has its own attack surface
- Employee identities have their own attack surface
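One way to make the assessment concrete is to model every entry point as a record of which system it belongs to, what service it exposes and who can reach it, then roll those up into per-system and overall surfaces. The block below is an added example, not from the original notes; the inventory, host names and the "internet / internal / vendor" reachability labels are constructed for illustration.

```python
"""Model an organization's attack surface as a set of entry points."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EntryPoint:
    system: str          # the system the entry point belongs to
    service: str         # e.g. "https", "ssh", "vpn", "login"
    reachable_from: str  # "internet", "internal", or "vendor"


# Constructed inventory. Employee identities are listed as a system of their
# own because the notes treat them as a separate attack surface.
INVENTORY = [
    EntryPoint("www-1",    "https", "internet"),
    EntryPoint("www-1",    "ssh",   "internal"),
    EntryPoint("vpn-gw",   "vpn",   "internet"),
    EntryPoint("mail-1",   "smtp",  "internet"),
    EntryPoint("mail-1",   "imap",  "internal"),
    EntryPoint("db-1",     "mysql", "internal"),
    EntryPoint("db-1",     "ssh",   "vendor"),    # MSP maintenance access
    EntryPoint("identity", "login", "internet"),
]


def surface_of(inventory, system=None):
    """Entry points for one system, or for the whole organization if None."""
    return {ep for ep in inventory if system is None or ep.system == system}


def external_surface(inventory):
    """What an outside attacker sees first: Internet-reachable entry points."""
    return {ep for ep in inventory if ep.reachable_from == "internet"}


def third_party_surface(inventory):
    """Entry points reachable through vendor or MSP connections."""
    return {ep for ep in inventory if ep.reachable_from == "vendor"}


def summary(inventory):
    systems = sorted({ep.system for ep in inventory})
    return {
        "total": len(surface_of(inventory)),
        "external": len(external_surface(inventory)),
        "vendor": len(third_party_surface(inventory)),
        "per_system": {s: len(surface_of(inventory, s)) for s in systems},
    }


def reduce_surface(inventory, required):
    """Attack-surface reduction: everything not in `required` is a candidate
    for removal. `required` is a set of (system, service) pairs."""
    return {ep for ep in inventory if (ep.system, ep.service) not in required}


if __name__ == "__main__":
    print(summary(INVENTORY))
    needed = {("www-1", "https"), ("vpn-gw", "vpn"), ("mail-1", "smtp"),
              ("identity", "login"), ("db-1", "mysql")}
    for ep in sorted(reduce_surface(INVENTORY, needed), key=lambda e: e.system):
        print("remove or restrict:", ep.system, ep.service, "from", ep.reachable_from)
```

The split between total, external and vendor counts answers the three questions the notes ask (what is exposed, to whom, and where an attacker could move next), and the removal list is the starting point for shrinking the surface.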
External vs Internal Attack Surface
External attackers usually have limited access at first.
They typically see:
- Public websites
- VPN portals
- Email servers
- Cloud services
Internal attackers already have trusted access, making them much more dangerous.
External Attacker
|
v
Internet-Facing Systems
|
v
Internal Network
--------------------------------
Insider Threat
|
v
Already Inside Network
|
v
Sensitive Systems
Because insiders already bypass many security layers, organizations apply:
- Least privilege
- Monitoring
- Segmentation
- Auditing
Vulnerable Software Vectors
Software vulnerabilities are one of the most common attack vectors.
A vulnerability is a flaw in:
- Code
- Design
- Logic
- Configuration
Attackers exploit these flaws to:
- Execute code
- Bypass authentication
- Crash services
- Escalate privileges
Vulnerable Application
|
v
Exploit Code Executed
|
v
Unauthorized Access
Because modern software is extremely complex, vulnerabilities are constantly discovered.
Why More Software Means More Risk
Every operating system, application, plugin, or service increases the attack surface.
An environment with:
- Multiple operating systems
- Different software versions
- Unpatched systems
creates massive security complexity.
More Applications
|
v
More Vulnerabilities
|
v
Larger Attack Surface
|
v
Higher Risk
Security teams therefore prefer:
- Standardization
- Centralized patching
- Fewer software products
Unsupported Systems
Unsupported systems are especially dangerous because vendors no longer provide:
- Security patches
- Updates
- Bug fixes
Examples include:
- Windows XP
- Old Android versions
- Legacy industrial systems
Unsupported System
|
+--> No Security Updates
|
+--> Public Exploits Exist
|
+--> High Risk
Attackers specifically target outdated systems because vulnerabilities remain permanently exposed.
Compensating Controls
Sometimes a legacy system cannot be replaced.
In this case, organizations use compensating controls to reduce exposure.
These controls include:
- Network isolation
- Firewalls
- No Internet access
- Strict monitoring
Legacy Server
|
+--> Isolated VLAN
|
+--> Firewall Rules
|
+--> Monitoring
|
+--> Restricted Access
The goal is to minimize opportunities for exploitation.
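A practical check combines the two preceding sections: flag every system whose vendor support has ended, then verify that the compensating controls listed above are actually applied to it. The following is an added example, not from the original notes; the host names, support-end dates and control flags are constructed placeholders, and the four control names are the ones from the notes.

```python
"""Flag unsupported systems and verify their compensating controls."""
from datetime import date

# The four compensating controls from the notes.
REQUIRED_CONTROLS = {"isolated_vlan", "firewall_rules", "no_internet", "monitoring"}

# Constructed inventory: an end-of-support date (None = still supported) and
# the set of compensating controls currently applied to each host.
HOSTS = {
    "plc-hmi-01": {"os": "legacy-os-a", "eos": date(2014, 4, 8),
                   "controls": {"isolated_vlan", "firewall_rules",
                                "no_internet", "monitoring"}},
    "kiosk-07":   {"os": "legacy-os-b", "eos": date(2018, 10, 1),
                   "controls": {"monitoring"}},
    "file-02":    {"os": "supported-os", "eos": None, "controls": set()},
}


def is_unsupported(host, today):
    """True once the vendor's support end date has passed."""
    eos = host["eos"]
    return eos is not None and eos < today


def missing_controls(host):
    return REQUIRED_CONTROLS - host["controls"]


def assess(hosts, today):
    """Return {hostname: (status, missing_controls)} where status is one of
    'supported', 'unsupported-mitigated' or 'unsupported-exposed'."""
    result = {}
    for name, host in hosts.items():
        if not is_unsupported(host, today):
            result[name] = ("supported", set())
            continue
        missing = missing_controls(host)
        status = "unsupported-mitigated" if not missing else "unsupported-exposed"
        result[name] = (status, missing)
    return result


if __name__ == "__main__":
    for name, (status, missing) in assess(HOSTS, date.today()).items():
        print(f"{name}: {status}" + (f" (missing: {sorted(missing)})" if missing else ""))
```

"Unsupported-exposed" hosts are the ones the notes warn about: no patches are coming, and the isolation that was supposed to make up for that is incomplete.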
Vulnerability Scanning
Organizations use scanning tools to discover weaknesses before attackers do.
These scanners:
- Detect missing patches
- Identify open ports
- Find outdated software
- Assess risk exposure
Client-Based Scanning
Client-based scanning installs an agent on each device.
The agent continuously reports security information.
Host Device
|
Security Agent
|
v
Management Server
Advantages:
- Detailed visibility
- Continuous monitoring
- Better endpoint awareness
Agentless Scanning
Agentless scanning works remotely over the network.
No software installation is required.
Scanner
|
+-------> Host 1
|
+-------> Host 2
|
+-------> Host 3
Threat actors often use agentless scanning during reconnaissance.
Remote vs Local Exploits
Software exploits are usually categorized as:
- Remote
- Local
Remote Exploits
A remote exploit works over a network without requiring local access.
This is extremely dangerous because attackers can operate from anywhere.
Attacker
|
Internet
|
v
Vulnerable Server
Examples:
- Web server exploits
- SMB vulnerabilities
- Open service exploits
Local Exploits
Local exploits require:
- A logged-in account
- Stolen credentials
- Existing system access
Stolen Credentials
|
v
Authenticated Session
|
v
Privilege Escalation
Local exploits are commonly used after initial compromise.
Network Attack Surface
Networks are one of the largest attack surfaces in any organization.
A network becomes vulnerable when it lacks:
- Confidentiality
- Integrity
- Availability
These three principles form the CIA Triad.
Confidentiality Attacks
If confidentiality fails, attackers can read network traffic.
This is called eavesdropping.
Examples:
- Packet sniffing
- Password theft
- Data interception
User -----> Network -----> Server
               |
               v
        Attacker Sniffing
Encryption is the primary defense.
Integrity Attacks
Integrity attacks involve modifying traffic or impersonating systems.
Examples:
- Spoofing
- Man-in-the-middle
- Rogue devices
User ---> Fake Gateway ---> Server
               ^
               |
            Attacker
The attacker secretly intercepts and modifies communication.
Availability Attacks
Availability attacks attempt to stop systems from functioning.
These are called Denial of Service (DoS) attacks.
Massive Fake Traffic
|
v
Server Overloaded
|
v
Real Users Blocked
Direct Access Vectors
Physical access is still extremely dangerous.
An attacker may:
- Steal a laptop
- Use a boot disk
- Access an unlocked workstation
Attacker Enters Building
|
v
Physical Device Access
|
v
System Compromise
Physical security is therefore part of cybersecurity.
Wired Network Vectors
Attackers can plug unauthorized devices into network ports.
Rogue Device
|
v
Internal Switch
|
v
Corporate Network
This can allow:
- Sniffing
- Spoofing
- Malware delivery
- Lateral movement
Wireless & Remote Access Vectors
Wireless networks and VPNs expose remote attack surfaces.
Attackers may:
- Crack Wi-Fi passwords
- Steal VPN credentials
- Create fake access points
Fake Wi-Fi AP
|
Employee Connects
|
Credentials Captured
|
Attacker Gains Access
Cloud Attack Surface
Cloud environments dramatically increase exposure because they are Internet-accessible.
Attackers commonly target:
- Weak cloud credentials
- Misconfigured storage
- Cloud APIs
- Admin accounts
Weak Cloud Password
|
v
Cloud Account Access
|
v
Entire Cloud Environment Exposed
Default Credentials
Many devices still use default passwords.
Examples:
- admin/admin
- root/password
Device Installed
|
Default Password Left Enabled
|
Attacker Logs In
This is extremely common in:
- IoT devices
- Routers
- Cameras
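A device inventory audit catches this before an attacker does: compare each configured account against the known default pairs and a few obvious weak patterns, and report which devices need their credentials changed. This is an added example, not from the original notes; the device list is constructed, and the default list contains the two pairs named above plus variants that are assumptions for illustration. The audit only reads configuration records; it never attempts a login.

```python
"""Audit device accounts for default or trivially weak credentials."""

# Default pairs: the two from the notes plus assumed common variants.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("root", "password"),
    ("admin", ""),
    ("admin", "1234"),
}

# Constructed inventory: (device name, device type, username, password as configured)
DEVICES = [
    ("cam-lobby-1",  "camera",  "admin",      "admin"),
    ("rtr-branch-3", "router",  "root",       "password"),
    ("sensor-12",    "iot",     "admin",      "Zq7!vR2#mL"),
    ("cam-dock-2",   "camera",  "admin",      ""),
    ("nas-1",        "storage", "svc_backup", "svc_backup"),
]


def credential_issue(user, password):
    """Return a finding label, or None if the credential passes the checks.
    Checks run from most to least specific so one finding is reported."""
    if (user, password) in KNOWN_DEFAULTS:
        return "known-default"
    if password == "":
        return "blank-password"
    if password.lower() == user.lower():
        return "password-equals-username"
    if len(password) < 8:
        return "too-short"
    return None


def audit(devices):
    """Return {device: (type, issue)} for every device with a finding."""
    findings = {}
    for name, kind, user, password in devices:
        issue = credential_issue(user, password)
        if issue:
            findings[name] = (kind, issue)
    return findings


def by_device_type(findings):
    """Count findings per device type, to see where defaults cluster."""
    counts = {}
    for kind, _ in findings.values():
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = audit(DEVICES)
    for name, (kind, issue) in found.items():
        print(f"{name} ({kind}): {issue}")
    print(by_device_type(found))
```

On the constructed inventory the cameras and the router are the ones still on vendor defaults, which matches where the notes say this problem is most common.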
Open Ports
Every open port exposes a potential service.
Server
|
+--> Port 22 (SSH)
+--> Port 80 (HTTP)
+--> Port 443 (HTTPS)
+--> Port 3389 (RDP)
Unnecessary ports increase attack opportunities.
Security principle:
Open Only What Is Required
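"Open only what is required" is enforceable when each host has a role with a known set of required ports, and observed open ports are diffed against that set. The block below is an added example, not from the original notes; the scan lines are constructed and modelled on nmap's greppable (-oG) output format, and the host roles and per-role allowlists are assumptions for illustration.

```python
"""Diff observed open ports against a per-role allowlist."""
import re

# Constructed scan output, modelled on nmap -oG lines (tab-separated fields).
SCAN = """\
Host: 10.0.1.10 (www-1)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 10.0.1.20 (db-1)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///
Host: 10.0.1.30 (jump-1)\tPorts: 22/open/tcp//ssh///, 8080/filtered/tcp//http-proxy///
"""

# Assumed role assignments and the ports each role is allowed to expose.
ROLE_OF = {"www-1": "web", "db-1": "database", "jump-1": "bastion"}
ALLOWED = {
    "web": {80, 443},
    "database": {3306},
    "bastion": {22},
}

HOST_RE = re.compile(r"Host: (\S+) \((\S*)\)\tPorts: (.*)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_scan(text):
    """Return {hostname: {port: service}} for ports reported as 'open'."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, ports = m.groups()
        hosts[name or ip] = {
            int(port): service
            for port, state, _proto, service in PORT_RE.findall(ports)
            if state == "open"
        }
    return hosts


def unnecessary_ports(observed, roles, allowed):
    """Ports open on each host that its role does not require.
    A host with no known role is treated as allowing nothing (fail closed)."""
    extra = {}
    for host, ports in observed.items():
        permitted = allowed.get(roles.get(host), set())
        bad = {p: s for p, s in ports.items() if p not in permitted}
        if bad:
            extra[host] = bad
    return extra


if __name__ == "__main__":
    observed = parse_scan(SCAN)
    for host, ports in unnecessary_ports(observed, ROLE_OF, ALLOWED).items():
        print(host, "should not expose:", ", ".join(f"{p} ({s})" for p, s in sorted(ports.items())))
```

In the constructed scan the web server exposes SSH and RDP that its role does not call for, the database exposes SSH, and the bastion is clean; those are the ports to close or restrict first.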
Lure-Based Vectors
Sometimes attackers cannot directly exploit systems.
Instead, they trick users into helping them.
This is called a lure-based attack.
USB Drop Attacks
Attackers leave infected USB drives where employees may find them.
Malicious USB Left Outside
|
Employee Picks It Up
|
USB Plugged Into PC
|
Malware Executes
Human curiosity becomes the attack vector.
Trojan Horse Malware
A Trojan pretends to be useful software while secretly installing malware.
"Free Useful Program"
|
v
User Installs It
|
v
Backdoor Created
Document & Image Exploits
Attackers hide malicious code inside:
- PDFs
- Word files
- Images
Open Document
|
v
Application Vulnerability Triggered
|
v
Malware Installed
Sometimes simply viewing the file is enough.
Zero-Click Attacks
The most dangerous attacks require no user interaction.
Receive Message
|
v
Exploit Automatically Executes
|
v
Device Compromised
No clicking is required.
Message-Based Vectors
Messaging systems are major delivery mechanisms for attacks.
This includes:
- SMS
- Instant messaging
- Social media
Email Attacks
Email is the most common vector.
Used for:
- Phishing
- Malware delivery
- Credential theft
Phishing Email
|
v
User Clicks Link
|
v
Fake Login Page
|
v
Password Stolen
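The chain above leaves several observable traces in the message itself: a sender domain that only looks like the real one, a Reply-To pointing elsewhere, urgency language, and a link whose visible text does not match where it actually goes. The following is an added example (not from the original notes) that scores a message on those indicators; the sample message, the trusted domain and the keyword list are constructed for illustration.

```python
"""Score an email for common phishing indicators."""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed: the organization's own domain and a small urgency vocabulary.
TRUSTED_DOMAIN = "example-corp.com"
URGENCY = {"urgent", "immediately", "suspended", "verify now", "within 24 hours"}

# Constructed sample message.
SAMPLE = """\
From: IT Helpdesk <helpdesk@examp1e-corp.com>
Reply-To: support@mail-verify.net
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Your mailbox is over quota. Verify now or access is suspended within 24 hours.</p>
<p><a href="http://login.mail-verify.net/sso">https://sso.example-corp.com/login</a></p>
"""

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def domain_of(addr):
    """Domain part of 'Name <user@host>' or 'user@host'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def is_lookalike(domain, trusted):
    """Same length as the trusted domain, differing in at most two characters."""
    if domain == trusted or len(domain) != len(trusted):
        return False
    return sum(a != b for a, b in zip(domain, trusted)) <= 2


def indicators(raw):
    msg = message_from_string(raw)
    found = []
    sender = domain_of(msg.get("From", ""))
    if is_lookalike(sender, TRUSTED_DOMAIN):
        found.append("lookalike-sender-domain")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != sender:
        found.append("reply-to-mismatch")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(k in text for k in URGENCY):
        found.append("urgency-language")
    for href, label in LINK_RE.findall(body):
        # Only compare when the visible text itself looks like a URL.
        shown = urlparse(label.strip()).hostname if "://" in label else None
        if shown and shown != urlparse(href).hostname:
            found.append("link-text-mismatch")
            break
    return found


def verdict(raw, threshold=2):
    """('suspicious' | 'ok', list of indicators) for the given raw message."""
    hits = indicators(raw)
    return ("suspicious" if len(hits) >= threshold else "ok", hits)


if __name__ == "__main__":
    print(verdict(SAMPLE))
```

Each indicator alone has benign explanations (a legitimate vendor may set Reply-To, an honest reminder may say "urgent"), which is why the verdict needs a threshold rather than a single hit; the constructed sample trips all four.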
SMS & Messaging Attacks
Attackers also use:
- SMS (smishing)
- Telegram
- Slack
- Teams
Encrypted messaging makes detection harder.
Drive-By Downloads
Compromised websites can automatically infect visitors.
User Visits Website
|
v
Browser Vulnerability Triggered
|
v
Malware Downloaded
Social Engineering
Many attacks depend more on psychology than technology.
Attackers manipulate:
- Fear
- Curiosity
- Urgency
- Trust
Human Trust
|
v
Manipulation
|
v
Security Bypass
Humans are often the weakest security layer.
Supply Chain Attack Surface
Organizations also inherit risk from suppliers and vendors.
Attackers may target:
- Vendors
- MSPs
- OEMs
- Delivery companies
instead of attacking the organization directly.
Supply Chain Example
Attacker
|
v
Vendor Compromised
|
v
Trusted Access Used
|
v
Target Organization Breached
This is dangerous because vendor relationships are trusted by default.
MSP Risks
Managed Service Providers often have:
- Remote administration
- Monitoring access
- Privileged credentials
MSP Access
|
+--> Customer A
|
+--> Customer B
|
+--> Customer C
Compromising one MSP can compromise many companies.
Final Mental Model
ATTACK SURFACE
----------------------------------------------------------------
| Servers | Users | Cloud | Email | Wi-Fi | APIs | Vendors |
----------------------------------------------------------------
^
|
THREAT VECTORS
----------------------------------------------------------------
| Phishing | Exploits | Malware | USB | VPN | Open Ports |
----------------------------------------------------------------
^
|
THREAT ACTORS
----------------------------------------------------------------
| Hackers | Insiders | Criminal Groups | Nation States |
----------------------------------------------------------------
Easy Memory Rule
Attack Surface = WHERE attackers can attack
Threat Vector = HOW attackers attack
Vulnerability = WHAT weakness is exploited