Common Network Attack Vectors

Network attack vectors represent the pathways and methods adversaries use to gain unauthorized access to, disrupt, or exfiltrate data from networked systems. This page covers the primary classification categories, operational mechanics, real-world scenario patterns, and the decision boundaries that differentiate one vector class from another — structured as a professional reference for security practitioners, risk managers, and researchers navigating the network security service landscape.


Definition and Scope

An attack vector, as defined in the NIST Computer Security Resource Center glossary (NIST IR 7298 Rev. 3), is the path or means by which an attacker gains access to a computer or network server in order to deliver a payload or malicious outcome. The scope of common network attack vectors spans Layer 2 through Layer 7 of the OSI model, encompassing physical-layer interference, protocol exploitation, application-layer injection, and social engineering paths that terminate at network entry points.

The Cybersecurity and Infrastructure Security Agency (CISA) categorizes attack vectors within its Known Exploited Vulnerabilities (KEV) catalog (CISA KEV), which as of 2023 contained over 1,000 individual entries tied to active exploitation paths across federal and critical infrastructure networks. Regulatory frameworks including NIST SP 800-53 Rev. 5 (§SI-3) and the FISMA-mandated continuous monitoring programs require federal agencies to maintain documented inventories of attack surfaces and their associated vectors.

The scope covered here includes:


How It Works

Attack vectors operate through a structured exploitation sequence. The MITRE ATT&CK framework (MITRE ATT&CK Enterprise) organizes adversary behavior into 14 tactics, each representing a phase in the attack lifecycle. The general mechanics follow a recognizable progression:

  1. Reconnaissance — The attacker enumerates exposed services, open ports, DNS records, and WHOIS data. Tools such as passive DNS analysis and OSINT aggregation identify entry candidates without triggering network alerts.

  2. Initial Access — The adversary exploits a specific vector to achieve a foothold. This may be a phishing link delivering a payload, an unpatched CVE in an internet-facing service, or a brute-forced credential against a VPN endpoint.

  3. Execution and Persistence — Once inside, malicious code executes and establishes mechanisms for re-entry — backdoors, scheduled tasks, or modified startup configurations.

  4. Lateral Movement — The attacker traverses internal network segments using techniques such as Pass-the-Hash, SMB relay attacks, or compromised service accounts to escalate privileges and reach target assets.

  5. Exfiltration or Impact — Data is extracted over encrypted channels, ransomware encrypts accessible file systems, or critical infrastructure controls are manipulated.

Passive vs. Active Vectors: A passive vector (e.g., traffic sniffing on an unencrypted segment) does not alter network state and is harder to detect through standard alerting. An active vector (e.g., a SYN flood or ARP poisoning attack) injects packets or alters routing tables, generating detectable anomalies but also causing immediate service degradation. This distinction shapes detection architecture decisions — passive vectors require deep packet inspection or behavioral baselining, while active vectors are more suited to signature-based IDS rules (NIST SP 800-94).
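The following script is an added example, not part of the original reference, showing what a signature or threshold rule for two of the active vectors named above looks like in practice: a SYN-flood rule that flags sources opening many half-open connections, and an ARP-poisoning rule that flags an IP address claimed by more than one MAC. The packet summaries and addresses are constructed for the demonstration, and the thresholds are assumed starting points rather than recommended values.

```python
from collections import defaultdict

# Constructed packet summaries (not captured traffic), one tuple per packet:
#   (timestamp, proto, a, b, info)
#   tcp records: a = source IP, b = destination IP, info = TCP flags ("S", "A")
#   arp records: a = claimed IP, b = sender MAC,     info = "reply"
PACKETS = []
# A well-behaved host: three SYNs, each followed by the completing ACK.
for i in range(3):
    PACKETS.append((float(i), "tcp", "10.0.0.8", "10.0.0.5", "S"))
    PACKETS.append((i + 0.1, "tcp", "10.0.0.8", "10.0.0.5", "A"))
# A SYN-flood source: forty SYNs and never an ACK (all half-open).
for i in range(40):
    PACKETS.append((5.0 + i * 0.01, "tcp", "203.0.113.7", "10.0.0.5", "S"))
# ARP replies: the gateway 10.0.0.1 is claimed by two different MACs.
PACKETS += [
    (6.0, "arp", "10.0.0.1", "aa:bb:cc:dd:ee:01", "reply"),
    (6.5, "arp", "10.0.0.5", "aa:bb:cc:dd:ee:05", "reply"),
    (7.0, "arp", "10.0.0.1", "de:ad:be:ef:00:01", "reply"),
]


def syn_flood_sources(packets, min_syns=20, max_ack_ratio=0.1):
    """Return source IPs that sent at least min_syns bare SYNs while the
    ratio of ACKs to SYNs stayed at or below max_ack_ratio, i.e. sources
    that open connections but almost never complete the handshake."""
    syns = defaultdict(int)
    acks = defaultdict(int)
    for _ts, proto, src, _dst, flags in packets:
        if proto != "tcp":
            continue
        if "S" in flags and "A" not in flags:
            syns[src] += 1
        elif "A" in flags:
            acks[src] += 1
    return sorted(
        src for src, n in syns.items()
        if n >= min_syns and acks[src] / n <= max_ack_ratio
    )


def arp_conflicts(packets):
    """Return {ip: {mac, ...}} for every IP that appeared with more than
    one sender MAC in ARP replies, the basic signature of cache poisoning."""
    macs = defaultdict(set)
    for _ts, proto, ip, mac, info in packets:
        if proto == "arp" and info == "reply":
            macs[ip].add(mac)
    return {ip: m for ip, m in macs.items() if len(m) > 1}


if __name__ == "__main__":
    print("SYN flood sources:", syn_flood_sources(PACKETS))
    print("ARP conflicts:", arp_conflicts(PACKETS))
```

Both rules are stateless counts over a batch of records, which is why they suit active vectors: the attack itself produces the anomaly. A passive sniffer on the same segment would leave nothing in this data to count, which is the detection gap the paragraph describes.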


Common Scenarios

Phishing and Spear-Phishing — The Anti-Phishing Working Group (APWG) recorded over 1.3 million phishing attacks in the first quarter of 2022 alone (APWG Phishing Activity Trends Report). These attacks exploit email infrastructure to deliver credential-harvesting pages or malware, making the human endpoint the terminal node of a network attack.

Man-in-the-Middle (MitM) Attacks — Attackers intercept traffic between two communicating hosts by exploiting ARP cache poisoning, rogue Wi-Fi access points, or BGP hijacking. The 2008 Hijacking Incident affecting Pakistan Telecom demonstrated how BGP route injection can redirect global internet traffic through unauthorized autonomous systems.

SQL Injection and API Abuse — Web-facing databases reached through HTTP/HTTPS represent a Layer 7 vector. OWASP ranks injection flaws consistently within its Top 10 (OWASP Top 10), and API endpoints that lack rate limiting or input validation extend this attack surface beyond traditional web applications.
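As an added illustration of the injection flaw named above (not code from the original page or from OWASP), the block below puts a string-concatenated lookup next to its parameterized replacement, using Python's standard sqlite3 module with a constructed in-memory table. It also shows the one case parameters cannot cover, a caller-supplied sort column, handled with an allowlist.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """'Before' form: the caller's input becomes part of the SQL text, so a
    quote in the input changes the query's structure instead of its data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Hardened form: the input travels as a bound parameter and is only
    ever compared as a value, whatever characters it contains."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Identifiers (table and column names) cannot be bound as parameters, so a
# caller-chosen sort column is checked against a fixed allowlist instead.
ALLOWED_SORT_COLUMNS = {"username", "email"}


def list_users_sorted(conn, sort_by):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    query = f"SELECT username, email FROM users ORDER BY {sort_by}"
    return conn.execute(query).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # classic test input used to demonstrate the flaw
    print("vulnerable:", find_user_vulnerable(db, tautology))  # every row
    print("safe:      ", find_user_safe(db, tautology))        # no rows
    print("sorted:    ", list_users_sorted(db, "email"))
```

The test input makes the concatenated query read `WHERE username = '' OR '1'='1'`, which is true for every row; the parameterized query simply looks for a user literally named `' OR '1'='1` and finds none. The same split applies to API parameters: validate shape at the boundary, bind values in the query.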

Denial-of-Service (DoS) and Distributed DoS (DDoS) — Volumetric attacks consume bandwidth; protocol attacks exhaust stateful connection tables; application-layer attacks target specific service functions. CISA's guidance on DDoS mitigation (CISA DDoS Guidance) distinguishes these three subtypes and prescribes different mitigation architectures for each.

Credential Stuffing — Automated tools test username/password combinations from publicly leaked credential databases against target authentication endpoints. This vector is distinct from brute force in that it uses valid credential pairs from prior breaches rather than generating combinations algorithmically.
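The distinction drawn above is visible in authentication logs, and the added example below (not from the original page) turns it into detection logic: per source address it counts attempts, failures and distinct usernames, then labels a source as brute force when many attempts concentrate on a few accounts and as credential stuffing when many different accounts are each tried only once or twice. The log format, addresses and thresholds are constructed for the example; a real deployment would take them from its own identity provider.

```python
import re
from collections import Counter, defaultdict

# Constructed authentication log lines in a simple key=value format.
LOG_LINES = []
# Brute force: one source hammers a single account.
for i in range(25):
    LOG_LINES.append(
        f"2024-03-01T10:00:{i:02d}Z src=198.51.100.4 user=admin result=fail"
    )
# Credential stuffing: one source tries thirty different accounts once each;
# one of the leaked pairs happens to still be valid.
for i in range(30):
    result = "success" if i == 17 else "fail"
    LOG_LINES.append(
        f"2024-03-01T10:01:{i:02d}Z src=203.0.113.9 user=user{i:02d} result={result}"
    )
# Ordinary user: one typo, then a successful login.
LOG_LINES += [
    "2024-03-01T10:02:00Z src=10.0.0.12 user=alice result=fail",
    "2024-03-01T10:02:05Z src=10.0.0.12 user=alice result=success",
]

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def summarize(lines):
    """Aggregate attempts, failures, successes and per-user counts by source."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                 "successes": 0, "users": Counter()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        s = stats[m["src"]]
        s["attempts"] += 1
        s["users"][m["user"]] += 1
        if m["result"] == "success":
            s["successes"] += 1
        else:
            s["fails"] += 1
    return stats


def classify(lines, min_attempts=10, max_users_brute=3,
             min_users_stuffing=10, max_tries_per_user=2):
    """Return {src: label} for sources whose pattern matches either vector.
    Sources below min_attempts are ignored as ordinary login noise."""
    labels = {}
    for src, s in summarize(lines).items():
        if s["attempts"] < min_attempts:
            continue
        fail_rate = s["fails"] / s["attempts"]
        distinct_users = len(s["users"])
        heaviest_user = max(s["users"].values())
        if distinct_users <= max_users_brute and fail_rate >= 0.9:
            labels[src] = "brute-force"
        elif (distinct_users >= min_users_stuffing
              and heaviest_user <= max_tries_per_user
              and fail_rate >= 0.8):
            labels[src] = "credential-stuffing"
    return labels


def compromised_accounts(lines):
    """Usernames that logged in successfully from a source labelled as
    credential stuffing; these are the accounts to reset first."""
    stuffing = {s for s, l in classify(lines).items() if l == "credential-stuffing"}
    hits = set()
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["src"] in stuffing and m["result"] == "success":
            hits.add(m["user"])
    return sorted(hits)


if __name__ == "__main__":
    print(classify(LOG_LINES))
    print("accounts to reset:", compromised_accounts(LOG_LINES))
```

The two labels lead to different responses, which is the practical reason for separating them: a brute-force source is handled by locking or throttling the targeted account, whereas a credential-stuffing source usually produces a handful of valid logins that need credential resets and a check for reused passwords.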

Supply Chain Compromise — The SolarWinds incident (disclosed in December 2020) demonstrated how a trusted software update mechanism can function as a network attack vector, granting adversaries access to 18,000 organizations (CISA Emergency Directive 21-01).


Decision Boundaries

Classifying an attack vector accurately determines the defensive countermeasure, the applicable regulatory notification requirements, and the incident response pathway. The following boundaries apply:

External vs. Internal Origin — Vectors originating outside the organizational perimeter (internet-facing exploits, phishing) fall under external threat categories. Vectors exploiting insider access, misconfigured internal segmentation, or compromised internal credentials are classified as internal — and are subject to different access control requirements under NIST SP 800-53 Rev. 5 AC-3 and AC-17 controls.

Automated vs. Targeted — Mass-exploitation campaigns scan for known vulnerabilities at scale using automated tools, affecting any organization running a vulnerable version. Targeted attacks, also called Advanced Persistent Threat (APT) operations, involve adversary-specific reconnaissance and customized payloads. The FBI and CISA joint advisories (Joint CISA/FBI Advisories) consistently distinguish these two categories because response timelines and escalation procedures differ materially.

Network vs. Endpoint Entry Point — Some vectors exploit the network infrastructure directly (BGP hijacking, VLAN hopping). Others use the network only as a transport medium and terminate at an endpoint (phishing, credential stuffing). Security teams structure their detection coverage differently depending on where the terminal exploitation event occurs.

Encrypted vs. Cleartext Channels — Attacks delivered over TLS-encrypted sessions evade perimeter inspection tools that lack SSL/TLS decryption capability. NIST SP 800-52 Rev. 2 (NIST SP 800-52) governs TLS configuration standards for federal systems, and the inability to inspect encrypted attack traffic represents a structural gap in signature-based detection models.

Understanding these classification boundaries informs how organizations approach vendor selection, tooling procurement, and professional service engagement. The distinctions also govern mandatory reporting obligations under frameworks including HIPAA, PCI DSS, and FISMA, each of which specifies incident types tied to particular vector categories.

