When attackers target more than one attack surface or vector at a time, their chances of successful entry dramatically improve.
Historically, these ‘multi-vector’ attacks — network infiltration attempts via multiple points of compromise — were only used by the most sophisticated, well-financed attackers. But that’s starting to change. Today, it’s becoming more common for attackers to employ multiple tactics in tandem — sometimes to pressure-test various defenses, sometimes to exploit subtle security gaps, and sometimes just to overwhelm an organization’s ability to respond.
The increasing frequency of these multi-vector attacks is driving the need for a more integrated and streamlined security approach, one that involves reducing the number of niche security services.
Exploiting two (or more) attack vectors increases the attack’s success rate. If the attack involves targeting multiple entry points into a network — e.g. using email phishing, voice phishing, and exploiting a VPN vulnerability — only one of these attempts has to work for the overall attack to succeed. Phishing is a common component of multi-vector attacks for this very reason — it often exploits human error rather than software flaws, making it hard to stop.
Unfortunately, the rise in hybrid work makes these consequences more likely. A well-documented rise in bring-your-own-device (BYOD) environments — along with increasing reliance on public cloud, SaaS applications, and untrusted wireless networks — has eroded longstanding network perimeters. A greater range of less trusted identities and devices accessing sensitive data stored and shared across the Internet introduces far more vulnerabilities while simultaneously reducing visibility and control for Security.
Small wonder, then, that ransomware set records in 2021, and there were 338.4 million ransomware attempts in the first three quarters of 2022.
Organizations of sufficient size and complexity have a number of possible attack vectors — paths or means by which attackers can access a network or device. The open-source MITRE ATT&CK matrix provides a detailed list of the various vectors attackers target and the tactics and techniques used to exploit them.
Recent examples show that attackers are combining vectors over the course of a single campaign. In 2022, a group known as 0ktapus used a combination of SMS phishing and background downloading of remote access malware to target over 160 organizations, many of which were compromised to varying degrees. Crucially, an independent analysis of the attack indicated that the attackers were, surprisingly, somewhat inexperienced: a far cry from the sophistication often expected with multi-vector attacks.
Similarly, a recent spate of Royal ransomware-based attacks used a combination of phishing, Remote Desktop Protocol compromise, and malware downloads to target critical infrastructure organizations. And the widespread Log4j vulnerability offered attackers the opportunity to combine supply chain compromise with several other vectors.
Multi-vector attacks on corporate networks can be difficult to stop for many reasons. One is the ongoing prevalence of perimeter-based security policies. If an attacker exploits one vector to access an organization’s VPN, for example, they may have unfettered access to the entire network.
Limited staff and resources are another common problem. Many organizations are struggling to staff their security teams and may not have the budget needed to outsource unfilled roles to managed service providers. Most have employed traditional defenses for decades, but today those defenses are stretched thin by the increase in hybrid work and hybrid cloud, two phenomena that on-premises firewalls, gateways, and even point cloud security solutions were never intended to address.
Firewalls and gateways guarding the network perimeter are insufficient when attackers target personal devices or cloud deployments, and particularly when they are already inside the network, which is far too often the case. A complex, fragmented security stack built from non-interoperable point products, even best-of-breed ones, may have gaps that Security is not aware of. In addition, if one point product does detect malicious activity, it cannot alert other solutions automatically; instead, the result is an increase in security alerts and the accompanying alert fatigue.
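To make the fragmented-alerting problem concrete, the sketch below is an added example (not from the original article or any vendor product) that groups alerts from separate point products by user and raises a single incident only when two or more distinct vectors fire inside a time window. The alert fields, source names, and vector labels are assumptions, and the sample alerts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts, shaped as three separate point products might emit them.
# Field names and vector labels are assumptions made for this example.
ALERTS = [
    {"ts": "2023-03-01T09:02:00", "source": "email_gateway", "vector": "email_phishing", "user": "alice"},
    {"ts": "2023-03-01T09:20:00", "source": "vpn", "vector": "vpn_anomaly", "user": "alice"},
    {"ts": "2023-03-01T09:41:00", "source": "edr", "vector": "remote_access_tool", "user": "alice"},
    {"ts": "2023-03-01T10:00:00", "source": "email_gateway", "vector": "email_phishing", "user": "bob"},
    {"ts": "2023-03-01T16:30:00", "source": "email_gateway", "vector": "email_phishing", "user": "bob"},
    {"ts": "2023-03-01T08:00:00", "source": "vpn", "vector": "vpn_anomaly", "user": "carol"},
    {"ts": "2023-03-02T15:00:00", "source": "edr", "vector": "remote_access_tool", "user": "carol"},
]

def correlate(alerts, window=timedelta(hours=1), min_vectors=2):
    """Return at most one incident per user: the sliding window holding the
    most distinct vectors, provided it holds at least min_vectors of them."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append((datetime.fromisoformat(a["ts"]), a["vector"]))

    incidents = []
    for user, events in sorted(by_user.items()):
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            vectors = {v for _, v in events[start:end + 1]}
            if len(vectors) >= min_vectors and (
                best is None or len(vectors) > len(best["vectors"])
            ):
                best = {
                    "user": user,
                    "vectors": sorted(vectors),
                    "first_seen": events[start][0].isoformat(),
                    "last_seen": events[end][0].isoformat(),
                }
        if best:
            incidents.append(best)
    return incidents

if __name__ == "__main__":
    for incident in correlate(ALERTS):
        print(incident)
```

Repeated alerts on a single vector (bob) and alerts on different vectors that are far apart in time (carol) stay out of the incident list at the default one-hour window, which is the noise reduction a non-integrated stack cannot provide on its own.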
Historically, there have been valid reasons for organizations to defend their networks using individual point products for each vector. But this approach is not well-suited for modern multi-vector attacks. Instead, organizations need a natively integrated approach — one that is:
Cloud-native and distributed so that all traffic passes through the security platform, no matter its protocol, origin, or destination. It is no longer safe to assume that corporate resources and data will be accessed over company-controlled network connections.
Tightly integrated with access control via authentication, authorization, and audit. Lateral movement is easier for attackers when accounts have too much access. Verifying both the identity and the context is paramount. For example, no user role or device type should be trusted automatically.
Phishing-resistant. Phishing and social engineering are techniques widely used by attackers looking to gain initial access. With so many attacks starting with a phishing email, it’s critical to deploy comprehensive protection against targeted and evasive campaigns that look to build trust and exploit users by engaging them across various forms of communication (e.g. email, web, social, IM, and SMS).
Seamless to the end user. Exposure to browser-based threats, such as malicious scripts, drive-by downloads, and credential harvesters, has become inevitable. Remote browser isolation can provide a safety net that insulates users from unknown and untrusted web content, but it’s only effective if the experience is indistinguishable from using a local browser.
Cost-efficient. Organizations have to mitigate threats with limited resources. Optimizing security costs by paying fewer vendors that prioritize platform-driven security consolidation is one clear path forward here.
Point products and on-premises hardware boxes cannot aid in implementing the principles above. Organizations today need wide-ranging threat defense across attack vectors and both inside and outside the network.
Cloudflare One consolidates threat defense and the on-ramps required to cover hybrid work. Cloudflare One defends against threats by natively integrating secure web gateway and cloud email security services — with remote browser isolation and data loss prevention. The platform goes beyond threat defense by integrating these services with Zero Trust Network Access (ZTNA) and cloud access security broker (CASB) — services that secure access.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
After reading this article you will be able to understand:
The range of attack vectors used today
The MITRE ATT&CK matrix
Mitigation challenges of multi-vector attacks
How a consolidated platform solves these challenges