Threat Vectors, Attack Surface, and Common Attack Patterns

From Theory to Entry Points

Earlier you met threat actors and saw how change management and cryptography help secure systems. Now we zoom in on the how: the concrete paths attackers use to get from outside to inside a target.

Three Core Ideas

We focus on three ideas: attack surface (everything an attacker can interact with), threat vectors (routes attackers use), and attack patterns (repeatable ways they combine tools and techniques).

Mental Model

1. Assets are what attackers want. 2. Every way those assets connect outward becomes attack surface. 3. Attackers pick the easiest threat vectors. 4. You see recurring patterns: initial access, credential theft, lateral movement, data theft, disruption.

Your Exam Goal

You need to define attack surface, list major vectors (email, web, removable media, remote, cloud, supply chain), map attacks to vectors, and suggest high-level mitigations that reduce risk without killing availability.

Definition: Attack Surface

An attack surface is the sum of all the points where an unauthorized user could try to enter data into, extract data from, or otherwise interact with a system or environment.

Building Analogy

Imagine a building: every door, window, vent, and cable is attack surface. Some are obvious (front door = public web app), others subtle (maintenance hatch = forgotten admin console or old API).

Modern Attack Surface

It spans network (IPs, ports, VPNs, Wi‑Fi), applications (web, mobile, APIs), endpoints (laptops, IoT, OT), identities (accounts, keys), data interfaces (file shares, DBs), people, and third parties.

How It Grows

Attack surface grows whenever you add systems, enable new connectivity, or integrate partners. Shadow IT and poor asset inventory silently expand it, making defense much harder.

Definition: Threat Vector

Threat vectors are the specific paths or methods an attacker uses to get into or move within your environment. Attack surface is the map; vectors are the roads attackers choose.

Core Vector Types

Key vectors: email, web/browser, removable media, remote access, cloud/SaaS, mobile and IoT/OT, and supply chain or third-party relationships.

Vector vs Vulnerability

Vulnerability = weakness (unpatched server). Vector = path (internet-facing port exploited via that weakness). Exam questions often test whether you can distinguish the two.

Chaining Vectors

Attackers chain vectors: phishing email steals VPN credentials, VPN gives access to internal systems, then cloud consoles are abused for data theft or ransomware.

Sample Network Diagram

Picture: Internet → firewall → DMZ with web and mail servers → internal LAN with file, DB, domain controller, workstations; plus VPN appliance, SaaS CRM, and payroll API.

Internet-Facing Surface

Attack surface: public web server, mail gateway, VPN appliance. Each exposes ports, services, admin consoles, and underlying OS that can be probed from the internet.

Internal and Human Surface

Inside: file and DB servers, domain controller, workstations, and users. Endpoints and people are exposed via email, browsers, and internal services like SMB or LDAP.

Cloud and Third Parties

SaaS CRM and payroll API add cloud and vendor attack surface: user accounts, SSO, API keys, and trust relationships that can be abused if misconfigured or compromised.

Email-Based Patterns

Email carries phishing, spear phishing, BEC, and malware attachments. The goal is to trick users into clicking, opening, or entering credentials to gain initial access.

Web and Browser Patterns

Web vectors include drive-by downloads, watering-hole attacks, and credential harvesting via fake login pages or malicious JavaScript on compromised sites.

Credential-Based Attacks

Credential stuffing reuses leaked passwords across many sites. Password spraying tries a few common passwords across many accounts. Brute force guesses systematically.

Network Exposure Attacks

Attackers scan for open ports and vulnerable services (RDP, VPN, web servers) and can run MitM on insecure Wi‑Fi or unencrypted protocols to steal data or credentials.

Remote Access Vector

Remote access is attacked via exposed RDP/SSH, stolen VPN credentials, and abused remote management tools. These often give direct access deep into internal networks.

Cloud and SaaS Vector

Cloud risks: misconfigured storage, overly permissive IAM, leaked API keys, and OAuth or SSO abuse by malicious apps requesting broad permissions.

Supply Chain Vector

Supply chain attacks poison software updates, dependencies, or vendor remote access. A single compromise can impact many downstream organizations.

Exam Signal

If many organizations are hit via the same vendor or update, identify it as a supply chain attack using a third-party vector, not just generic phishing.

Inventory and Minimize

Shrink attack surface with good asset inventory, decommissioning unused systems, and removing unnecessary ports or services using the principle of least functionality.

Harden Exposed Services

Patch and securely configure internet-facing systems, protect web apps with WAFs, and require strong authentication (ideally MFA) for VPN, admin, and cloud access.

Identities, Users, and Segmentation

Use least privilege and MFA, train users on phishing and BEC, verify payment changes out-of-band, and segment networks while monitoring logs for unusual behavior.

Third-Party Risk

Limit vendor access, enforce MFA for MSP accounts, and regularly review integrations and API keys to prevent supply chain and third-party vectors from being abused.