Attack Vectors and Attack Surface
Key Takeaways
- An attack vector is the path used to reach a target; attack surface is the total set of reachable entry points.
- Common vectors include email, web apps, exposed services, credentials, wireless, removable media, cloud misconfiguration, and third parties.
- Reducing attack surface means removing, hardening, segmenting, monitoring, or restricting access to entry points.
- Credential attacks often exploit reuse, weak passwords, exposed secrets, or poor MFA controls.
- Internet-facing systems and identity providers deserve high priority because compromise can spread quickly.
Attack Vectors and Attack Surface
An attack vector is the route. Attack surface is the collection of possible routes. A single exposed admin portal is a vector; all exposed portals, APIs, services, identities, vendors, and devices make up the attack surface.
| Vector | What attackers exploit | Common reduction |
|---|---|---|
| Email and messaging | Links, attachments, impersonation | Filtering, training, DMARC, sandboxing |
| Web application | Injection, broken access control, vulnerable components | Secure coding, testing, WAF, patching |
| Exposed service | Open RDP, SSH, VPN, database port | Disable, restrict, patch, require MFA |
| Credentials | Reuse, weak passwords, leaked secrets | MFA, password manager, secret scanning |
| Wireless | Weak encryption, evil twin, rogue AP | WPA3 where supported, strong auth, monitoring |
| Removable media | Malware, unauthorized data movement | Disable or control USB, DLP, scanning |
| Cloud configuration | Public buckets, permissive IAM, exposed keys | CSPM, least privilege, guardrails |
| Third party | Vendor access, integration, support tools | Due diligence, contracts, segmentation |
Attack Surface Questions
Look for the phrase "reduce the attack surface." The best answer usually removes or narrows reachability (disable, firewall, segment, restrict who can connect) rather than merely detecting an attack after it has already used the path.
| Scenario | Better answer | Weaker answer |
|---|---|---|
| RDP exposed to internet | Put behind VPN/ZTNA and require MFA | Only increase log retention |
| Unused service running on server | Disable the service | Rename the service |
| Public cloud storage bucket | Block public access and fix policy | Add a banner |
| Developers commit API keys | Secret scanning and key rotation | Add a policy reminder without rotating keys |
| Flat network allows lateral movement | Segment networks and restrict east-west traffic | Increase asset inventory detail only |
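The "Developers commit API keys" row calls for secret scanning before keys reach a repository. The script below is an added example, not code from the original page: it scans constructed file contents for well-known token formats first and then for generic credential assignments, gating the generic pattern with a Shannon-entropy check so that placeholders such as a run of "x" characters are not reported. The sample files, the regexes, the `ENTROPY_THRESHOLD` value and the function names are all assumptions of this example; the AWS key ID is the published documentation example, not a live key.

```python
"""Minimal secret scanner: specific token formats first, then a generic
credential-assignment pattern gated by a Shannon-entropy check."""
import math
import re

# Constructed sample repository contents (not real secrets). The AWS key ID is
# the documentation example "AKIAIOSFODNN7EXAMPLE"; the other values are made up
# but follow the public token formats.
SAMPLE_FILES = {
    "config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "DEBUG = True\n"
    ),
    "deploy.sh": "export GITHUB_TOKEN=ghp_abcdefghijklmnopqrstuvwxyz0123456789\n",
    "settings.example": 'db_password = "xxxxxxxxxxxxxxxxxxxx"\n',  # placeholder, low entropy
    "README.md": 'Set api_key = "changeme" before running.\n',  # too short to flag
}

# Well-known prefixes give high-confidence matches regardless of entropy.
SPECIFIC_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}

# Generic "<secret-like name> = <long value>" assignment; needs the entropy gate
# because config templates are full of placeholders that look like this.
GENERIC_PATTERN = re.compile(
    r"(?i)\b\w*(?:secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9/+=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cutoff, tune per repository


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Return (path, line_number, kind) findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, kind))
                matched = True
        if matched:
            continue  # do not double-report a known token format as a generic hit
        m = GENERIC_PATTERN.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append((path, lineno, "high_entropy_credential"))
    return findings


def scan_files(files: dict) -> list:
    """Scan every (path, contents) pair and return all findings in file order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, kind in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}")
```

A finding is only half the fix: the table's "better answer" pairs scanning with rotation, because a key that has been committed must be treated as leaked even after the commit is rewritten.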
Credential Attack Clues
| Clue | Attack pattern |
|---|---|
| One password tried against many usernames | Password spraying |
| Many passwords tried against one account | Brute force |
| Known username/password pairs tested across sites | Credential stuffing |
| Captured authentication token reused | Replay or session hijacking |
| Login from impossible travel locations | Stolen credential or session |
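The clues in the table above become concrete when written as detection logic. The following Python script is an added example, not part of the original page: it parses constructed authentication log lines and reports password spraying (one source, many accounts, few tries each), brute force (many failures on one account from one source, and whether a success followed), and impossible travel (consecutive successes whose distance divided by elapsed time exceeds any plausible speed). The log format, the RFC 5737 source addresses, the coordinate table standing in for a GeoIP lookup, and every threshold constant are assumptions of the example.

```python
"""Classify credential-attack patterns (password spraying, brute force,
impossible travel) over constructed authentication log lines."""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not from a real system; sources are RFC 5737 addresses.
SAMPLE_LOG = """\
2024-05-01T09:30:00Z src=192.0.2.10 user=alice result=SUCCESS
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:01:00Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:01:01Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:01:02Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:01:03Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:01:04Z src=198.51.100.7 user=admin result=FAIL
2024-05-01T10:01:05Z src=198.51.100.7 user=admin result=SUCCESS
2024-05-01T10:15:00Z src=192.0.2.200 user=alice result=SUCCESS
"""

# Constructed IP-to-coordinate table standing in for a GeoIP lookup (London, Tokyo).
GEO = {"192.0.2.10": (51.5074, -0.1278), "192.0.2.200": (35.6762, 139.6503)}

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")

# Assumed thresholds; tune against the environment's own baseline.
SPRAY_MIN_USERS = 5        # distinct accounts failed from one source
SPRAY_MAX_PER_USER = 2     # few tries each, staying under lockout
BRUTE_MIN_FAILS = 5        # failures on one account from one source
MAX_PLAUSIBLE_KMH = 900.0  # about airliner speed; faster implies two actors


def parse_log(text):
    """Turn matching log lines into event dicts with a parsed UTC timestamp."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "src": m.group(2), "user": m.group(3), "ok": m.group(4) == "SUCCESS"})
    return events


def detect_spraying(events):
    """Sources that failed against many accounts with few attempts per account."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failures
    for e in events:
        if not e["ok"]:
            fails[e["src"]][e["user"]] += 1
    return sorted(src for src, per_user in fails.items()
                  if len(per_user) >= SPRAY_MIN_USERS and max(per_user.values()) <= SPRAY_MAX_PER_USER)


def detect_brute_force(events):
    """(src, user, failures, cracked) where cracked means a success followed the last failure."""
    fails, last_fail, successes = defaultdict(int), {}, defaultdict(list)
    for e in events:
        key = (e["src"], e["user"])
        if e["ok"]:
            successes[key].append(e["ts"])
        else:
            fails[key] += 1
            last_fail[key] = e["ts"] if key not in last_fail else max(last_fail[key], e["ts"])
    return sorted((src, user, n, any(t > last_fail[(src, user)] for t in successes[(src, user)]))
                  for (src, user), n in fails.items() if n >= BRUTE_MIN_FAILS)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_impossible_travel(events, geo=GEO):
    """(user, src_a, src_b, km/h) for consecutive successes that imply an implausible speed."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"] and e["src"] in geo:
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["src"] == cur["src"]:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = haversine_km(geo[prev["src"]], geo[cur["src"]]) / hours if hours > 0 else float("inf")
            if speed > MAX_PLAUSIBLE_KMH:
                hits.append((user, prev["src"], cur["src"], round(speed)))
    return hits


def classify(text, geo=GEO):
    """Run all three detections over one log text and return their findings."""
    events = parse_log(text)
    return {"password_spraying": detect_spraying(events),
            "brute_force": detect_brute_force(events),
            "impossible_travel": detect_impossible_travel(events, geo)}


if __name__ == "__main__":
    for kind, hits in classify(SAMPLE_LOG).items():
        print(kind, hits)
```

Credential stuffing is deliberately absent: a login log does not record which password was tried, so distinguishing stuffing from spraying needs either the breached-pair lists the attacker is replaying or the observation that a single source hits many accounts with one attempt each and an unusually high success rate.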
Scenario Walkthrough
A company finds that an old management interface is reachable from the internet. It has not been patched in months and supports only passwords. The best first move is to reduce exposure: remove internet access, restrict to an administrative network or ZTNA/VPN path, patch the service, require MFA if supported, and monitor access. A SIEM alert is useful, but it does not reduce the reachable attack path by itself.
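Both the scenario above and the "RDP exposed to internet" and "Unused service running on server" rows of the earlier table start from the same question: which listeners on a host are reachable from where? The script below is an added example, not code from the original page. It parses output in the shape of `ss -Hlntp` (listening TCP sockets, numeric, with owning process, no header) and classifies each listener by bind scope, flagging anything on all interfaces that is not in an expected inventory, and flagging expected management services that still need an administrative path. The sample output, the `SENSITIVE_PORTS` list, the `EXPECTED` inventory and the action codes are assumptions of this example.

```python
"""Audit listening TCP sockets for exposure beyond the intended networks."""
import re

# Constructed output in the format of `ss -Hlntp`; not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:* users:(("xrdp",pid=903,fd=11))
LISTEN 0 70 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=950,fd=21))
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=1021,fd=5))
LISTEN 0 128 [::]:8443 [::]:* users:(("java",pid=2201,fd=9))
LISTEN 0 4096 10.0.0.5:9100 0.0.0.0:* users:(("node_exporter",pid=1300,fd=3))
"""

# Assumed list of management and database ports that should never be reachable
# from arbitrary networks, even when the service is expected.
SENSITIVE_PORTS = {22, 23, 1433, 3306, 3389, 5432, 5985, 5986, 6379, 9200, 27017}

# Assumed inventory of what this host is meant to expose: port -> process name.
EXPECTED = {22: "sshd"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def bind_scope(addr):
    """'any' for wildcard binds, 'loopback' for local-only, else 'interface'."""
    if addr in ("0.0.0.0", "[::]", "*"):
        return "any"
    if addr.startswith("127.") or addr == "[::1]":
        return "loopback"
    return "interface"


def parse_ss(text):
    """Return (port, bind_address, process) for each LISTEN line; '?' if no process shown."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((int(m.group("port")), m.group("addr"), m.group("proc") or "?"))
    return listeners


def audit_listeners(text, expected=EXPECTED):
    """(port, process, scope, action, sensitive) for every listener needing attention."""
    findings = []
    for port, addr, proc in parse_ss(text):
        scope = bind_scope(addr)
        sensitive = port in SENSITIVE_PORTS
        if scope == "loopback":
            continue  # reachable only from the host itself; not part of the network attack surface
        if scope == "any":
            if expected.get(port) == proc:
                # Expected, but a management or database port on all interfaces still
                # belongs behind a VPN/ZTNA path with MFA, as in the scenario above.
                action = "RESTRICT_ADMIN_PATH" if sensitive else "OK"
            else:
                action = "DISABLE_OR_FIREWALL"  # unexpected and reachable from anywhere
        else:
            action = "OK" if expected.get(port) == proc else "REVIEW"  # bound to one interface
        if action != "OK":
            findings.append((port, proc, scope, action, sensitive))
    return sorted(findings)


if __name__ == "__main__":
    for port, proc, scope, action, sensitive in audit_listeners(SAMPLE_SS):
        print(f"{port:>5} {proc:<14} {scope:<9} {action} {'(sensitive port)' if sensitive else ''}")
```

Run on a real host, feed it the live `ss -Hlntp` output instead of `SAMPLE_SS`; the value of the check is the `EXPECTED` inventory, because an "unused" listener is precisely one that nobody has claimed.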
Quick Drill
| Question asks for... | Think... |
|---|---|
| Path used to attack | Attack vector |
| All possible paths | Attack surface |
| Fewer reachable services | Disable, firewall, segment, restrict |
| Fewer credential risks | MFA, password policy, breached password checks, secret management |
| Less lateral movement | Segmentation and least privilege |
A scan finds an unused database listener exposed to the internet. Which action most directly reduces attack surface?
Attackers test one common password against hundreds of usernames to avoid account lockout. What is this called?
Which actions reduce attack surface? Choose two.