Executive summary
Attackers aren’t winning with “new magic.” They keep exploiting the same high-yield entry points—email and identity, exposed edge devices, cloud/API misconfig, and software supply chain gaps—now supercharged by AI for scale and realism. Below is a prioritized, technical breakdown of the top attack vectors, how they work, what to watch for, and exact controls that actually move risk.
The top attack vectors (ranked)
-
Phishing, BEC & Deep-fake Social Engineering
-
How it lands: Realistic emails/chats/calls (now AI-written/voiced), domain look-alikes, payment instruction changes, QR-phish.
-
TTPs: HTML smuggling, OAuth consent phishing, mailbox-rule abuse, MFA push fatigue, thread hijacking.
-
First indicators: New forwarding rules; impossible-travel logins; unusual vendor bank updates; spikes in OAuth “consent” grants.
-
Controls that work:
-
Phishing-resistant MFA (FIDO2/WebAuthn), number-matching for push.
-
DMARC/DKIM/SPF enforcement, MTA-STS/TLS-RPT; high-risk payments require out-of-band voice verification.
-
OAuth app governance (disable user-consent except approved apps).
-
User simulations + just-in-time banners (“External sender”, “Domain look-alike”).
-
-
Credential Attacks & Session Theft
-
How it lands: Password reuse → credential stuffing; OTP bots; session cookie theft via reverse-proxy phish (Evilginx-style); stale long-lived tokens.
-
TTPs: MFA fatigue spam; token replay; refresh-token abuse; residential proxies to mimic geolocation.
-
Controls:
-
Passwordless (FIDO2), conditional access + device posture.
-
Short-lived tokens, DPoP/token binding where supported; Secure/HttpOnly/SameSite=strict cookies; per-request step-up for sensitive actions.
-
Kill-switch for mass token revocation; impossible-travel + session-age detection.
-
-
Unpatched Internet-Facing Services (VPN/ESB/WAF/Gateway/FTPs)
-
How it lands: RCE/dir-traversal on edge appliances, deserialization bugs, auth-bypass in portals; mass scanning + one-day exploit drops.
-
Indicators: Sudden config changes on appliances; new admin accounts; spikes in outbound traffic from edge boxes.
-
Controls:
-
External Attack Surface Management (EASM) inventory + KEV/EPSS-based patch SLAs (patch edge first).
-
Virtual patching (WAF) while scheduling maintenance; no direct internet admin; backup/restore tested.
-
-
Cloud & IaC Misconfiguration
-
How it lands: Public buckets,
*:*IAM policies, over-permissive roles, exposed access keys in repos, open security groups, forgotten test tenants. -
Indicators: Anonymous object access; unusual
AssumeRole; spikes inList/GetObjector KMS decrypt. -
Controls:
-
Least-privilege by design (SCPs/permission boundaries); CloudTrail/Audit Logs immutable.
-
IaC scanning (Checkov/tfsec), drift detection, guardrails (OPA/Gatekeeper).
-
Secrets management (Vault/KMS), key rotation, block public by default (e.g., S3 Block Public Access).
-
-
API Abuse (IDOR/BOLA, Broken Auth, Mass Assignment)
-
How it lands: Mobile/web/API clients call object IDs directly; missing object-level authorization; verbose error leaks; lack of rate limits.
-
Indicators: High 403/404 → 200 patterns; enumeration of incremental IDs; excessive
PATCH/PUTwith unexplained fields. -
Controls:
-
AuthZ at object level (user-to-object checks in the service, not just gateway).
-
Strict schemas (OpenAPI), allow-listing fields; mTLS for service-to-service; rate limiting + anomaly detection.
-
-
Software Supply Chain (Dependencies & CI/CD)
-
How it lands: Typosquatting packages, dependency confusion, compromised maintainer accounts, malicious post-install scripts; stolen CI tokens.
-
Indicators: New dependency with tiny download history; unsigned releases; CI pulling from public instead of internal mirror; unexpected “preinstall” runs.
-
Controls:
-
SBOMs (CycloneDX/SPDX) on every build; signature verification (Sigstore/Cosign).
-
Lockfiles/allow-lists, private registries/mirrors; no plaintext CI secrets; short-lived OIDC tokens.
-
Policy: block builds when SBOM or signatures are missing.
-
-
RDP/VPN Exposure & Initial Access Brokers
-
How it lands: Open RDP, weak VPN creds; bought access from brokers.
-
Controls: Close RDP to internet; geo/IP-restrict, FIDO2 on VPN; PAM for admin access; continuous dark-web monitoring for creds.
-
Living-off-the-Land (LotL) & C2 over Encrypted Channels
-
How it lands: PowerShell/WMIC, PsExec,
rundll32, LOLBins; C2 via HTTPS/DoH/WebSockets; exfil to cloud drives or Telegram. -
Indicators: Signed tools doing unusual things; JA3/JA4 TLS fingerprints not seen before; DNS/HTTP beacons with regular jitter.
-
Controls:
-
Constrained PowerShell + AMSI, block known LOLBins; command-line auditing.
-
Egress control (DNS/HTTP categories), TLS fingerprinting baselines; UEBA for process-tree anomalies.
-
-
Mobile/Payment Fraud (esp. India)
-
How it lands: App overlays, screen-sharing “support,” QR/UPI scams, APK sideloads, SIM swap.
-
Controls: App hardening; Play Integrity/DeviceCheck; in-app warnings for screen sharing; bank callback for high-value UPI changes; user education in local languages.
-
AI-Related Vectors (new but rising)
-
Prompt injection & tool hijack in LLM apps; model/data poisoning; sensitive data leakage via AI integrations; deepfake voice for approvals.
-
Controls:
-
Model isolation & least-privilege tools, retrieval allow-lists, output filtering.
-
Red-teaming prompts, training data provenance, audit logs of model/tool actions.
-
Detection ideas (fast wins)
-
Identity: Alert on MFA push bursts, OAuth consent to new multi-tenant apps, risky sign-ins without device posture.
-
Email: Creation of mailbox rules; external sender replying within internal threads (thread hijack).
-
Cloud: Public object creation; wildcard IAM; first-time KMS decrypt for a principal; sudden spike in cross-region data egress.
-
Endpoints: PowerShell spawning
rundll32/regsvr32; LOLBins contacting unfamiliar domains; JA3 seen <N times historically. -
APIs: Excessive
GETto sequential IDs; POSTs with unexpected fields; tokens used from new ASN/continent.
Incident response: 24-hour playbook (condensed)
Hour 0–1: Declare P1; isolate endpoints; freeze CI/CD; revoke suspicious tokens; block IOCs at DNS/WAF/EDR; preserve volatile evidence.
Hour 1–6: Scope users/systems; check edge appliances & last deploy; rotate secrets/keys; enable heightened EDR/WAF rules; stakeholder comms.
Hour 6–24: Patch exploited paths; remove persistence; restore from signed, SBOM-verified images; custom detections for seen TTPs; brief customers if needed.
Hardening checklist (what measurably reduces incidents)
-
Identity: FIDO2 for admins + finance; risky sign-in policies; session-age limits; mass-revocation button.
-
Email & Payments: DMARC p=reject; MTA-STS; mandatory call-backs for vendor bank changes ≥₹X.
-
Edge & Patch: KEV-driven patching; external surface inventory; block admin panels from internet.
-
Cloud: SCP guardrails; IaC scanning in PR; S3 block-public; key rotation & secret vaults.
-
APIs: Object-level authZ, schema enforcement, rate limits, mTLS.
-
Supply chain: SBOM + Sigstore; allow-listed registries; CI OIDC with least privilege.
-
Detection: Baseline TLS fingerprints; UEBA; mailbox-rule & OAuth app alerts.
-
Process: Tabletop exercises; after-action items mapped to backlog epics.
MITRE ATT&CK mapping (quick)
-
Initial Access: Phishing (T1566), Valid Accounts (T1078), Exploit Public-Facing App (T1190), Supply Chain (T1195).
-
Execution & Persistence: PowerShell (T1059.001), Scheduled Task (T1053), Office Macros (T1566.001/TA0002).
-
Privilege Escalation / Defense Evasion: Token Impersonation (T1134), Obfuscated/Compressed Files (T1027).
-
C2 & Exfil: Encrypted Channel (T1573), Exfil to Cloud Storage (T1567.002), DNS/DoH (T1071.004).
What to do this week
-
Turn on FIDO2 for admins and finance; enforce number-matching for the rest.
-
Inventory + patch: fix KEV items on internet-facing systems first.
-
Lock OAuth: disable user consent; register only approved apps.
-
Enable mailbox-rule/OAuth alerts and impossible-travel.
-
Require SBOM + signature in CI; block unsigned builds.
-
Create a one-click token kill-switch and CI/CD freeze capability.