Common Network Attack Vectors

Network attack vectors represent the specific pathways and techniques adversaries exploit to compromise infrastructure, intercept data, disrupt services, or establish persistent access within organizational environments. This page covers the major categories of network-based attack vectors, their operational mechanics, the scenarios in which they appear, and the criteria practitioners use to prioritize defensive response. Understanding the structural taxonomy of attack vectors is foundational to network security risk assessment, procurement of detection technologies, and regulatory compliance mapping.

Definition and scope

An attack vector, as defined in NIST Special Publication 800-30 Rev. 1 (Guide for Conducting Risk Assessments), refers to the method or pathway through which a threat source can initiate contact with an information system to cause harm. Network attack vectors are the subset of these pathways that operate across communications infrastructure — physical, wireless, or virtualized — rather than through direct physical media access or endpoint-only exploitation.

The scope of network attack vectors spans layer 2 (data link) through layer 7 (application) of the OSI model. CISA's Known Exploited Vulnerabilities (KEV) Catalog records vulnerabilities with confirmed in-the-wild exploitation, a large share of them in network-exposed services such as VPN gateways, firewalls, and mail servers; the catalog passed 1,000 entries in 2023. Regulatory frameworks including NIST SP 800-53 Rev. 5 (control families SI, SC, and CA) and PCI DSS v4.0 (Requirement 11, regular testing of system and network security) require organizations to identify and test attack vectors as part of a formal risk management program.

Network attack vectors differ from endpoint vectors (e.g., malicious attachments executed locally) and supply chain vectors (e.g., compromised software updates) in that they require active network connectivity between attacker and target — either directly routed or through protocol manipulation.

How it works

Network attack vectors generally follow a structured progression aligned with the cyber kill chain model. The MITRE ATT&CK Enterprise matrix organizes adversary behaviour into tactics, of which the following map most directly onto network exploitation:

  1. Reconnaissance — Passive or active collection of network topology, open ports, service banners, and DNS records. Tools such as Nmap and Shodan are commonly used; CISA has published advisories on internet-exposed industrial control systems indexed by Shodan.
  2. Initial access — Exploitation of a network-exposed service, credential stuffing or password spraying against VPN or remote desktop endpoints, or abuse of a misconfigured firewall rule that exposes an internal service.
  3. Lateral movement — Traversal across internal segments using valid credentials, abuse of trust relationships, or protocol abuse (e.g., NTLM relay over SMB). Detection strategies for this phase are covered in lateral movement detection.
  4. Command and control (C2) — Establishment of persistent outbound channels that blend with normal egress: traffic over TLS, domain generation algorithms (DGAs) to rotate rendezvous domains, or DNS tunneling to pass through egress filtering that still allows DNS.
  5. Exfiltration or impact — Data exfiltration over HTTP/S, DNS, or other covert channels; or destructive actions such as ransomware deployment or denial of service.

Attackers are moving between these phases faster. CrowdStrike's 2023 Threat Hunting Report put the average eCrime "breakout time", the interval between initial access and the first lateral movement, at 79 minutes, down from the 84 minutes reported in the company's 2023 Global Threat Report.

Common scenarios

Denial-of-Service and Distributed Denial-of-Service (DDoS) — Volumetric attacks flood network links or application endpoints with more traffic than they can absorb. Reflection and amplification techniques (DNS reflection, NTP monlist amplification) rely on the attacker spoofing the victim's address as the source of small UDP requests, so that open resolvers or NTP servers send much larger responses to the victim; amplification factors exceed 50x for DNS and several hundred for NTP monlist. Mitigation approaches are detailed in DDoS attack mitigation.

Man-in-the-Middle (MitM) Attacks — Adversaries interpose themselves between two communicating parties through ARP poisoning on the local segment, BGP hijacking of the victim's prefix, SSL stripping, or a rogue wireless access point. The operational mechanics and countermeasures are covered in man-in-the-middle attack prevention. SSL stripping, in which the attacker terminates TLS itself and keeps the victim's side of the connection on plaintext HTTP, is not addressed by certificate management alone; HTTP Strict Transport Security (HSTS) with preloading is the control that closes it.
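ARP poisoning works because ARP replies are unauthenticated and hosts update their cache on whatever they hear. The detector below is an added example, not code from the original page or from any product it mentions; it replays a constructed sequence of ARP reply observations (timestamp, sender IP, sender MAC), keeps an IP-to-MAC baseline, and raises an alert when an address flips, with higher severity for the gateway, and when a single MAC starts claiming several IPs, which is what an attacker poisoning both ends of a conversation looks like. The gateway address and the MAC values are assumptions for the example.

```python
from collections import defaultdict

# Assumption for the example: the default gateway's address on this segment.
GATEWAY_IP = "192.168.1.1"

# Constructed ARP reply observations (seconds, sender IP, sender MAC).
# Made up for the example, not a real capture.
SAMPLE_ARP = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),    # gateway baseline
    (0.5, "192.168.1.10", "00:11:22:33:44:10"),   # victim baseline
    (1.0, "192.168.1.20", "00:11:22:33:44:20"),
    (5.0, "192.168.1.1", "de:ad:be:ef:00:99"),    # attacker claims the gateway
    (5.2, "192.168.1.10", "de:ad:be:ef:00:99"),   # ...and the victim
    (5.4, "192.168.1.1", "de:ad:be:ef:00:99"),    # repeated to keep caches poisoned
    (5.6, "192.168.1.1", "de:ad:be:ef:00:99"),
]


class ArpWatch:
    """Track IP-to-MAC bindings seen in ARP replies and flag suspicious changes."""

    def __init__(self, gateway_ip, max_ips_per_mac=1):
        self.gateway_ip = gateway_ip
        self.max_ips_per_mac = max_ips_per_mac
        self.table = {}                      # ip -> last MAC seen claiming it
        self.mac_to_ips = defaultdict(set)   # mac -> set of IPs it has claimed
        self.reported_macs = set()           # avoid repeating the multi-IP alert

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return a list of (severity, message) alerts."""
        alerts = []
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            # A binding flip for the gateway is the classic traffic-interception setup.
            severity = "HIGH" if ip == self.gateway_ip else "MEDIUM"
            alerts.append((severity, f"t={ts}: {ip} changed {prev} -> {mac}"))
        self.table[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac and mac not in self.reported_macs:
            self.reported_macs.add(mac)
            alerts.append(("MEDIUM", f"t={ts}: {mac} now claims {sorted(self.mac_to_ips[mac])}"))
        return alerts


def run_watch(observations, gateway_ip=GATEWAY_IP):
    """Feed every observation through ArpWatch and collect all alerts in order."""
    watch = ArpWatch(gateway_ip)
    alerts = []
    for ts, ip, mac in observations:
        alerts.extend(watch.observe(ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for severity, message in run_watch(SAMPLE_ARP):
        print(severity, message)
```

Binding flips also happen for benign reasons (DHCP lease churn, a replaced NIC, VRRP/HSRP failover moving the gateway's virtual MAC), so in production the baseline should be seeded from a known-good period and gateway changes correlated with change records before paging anyone. On switched networks, Dynamic ARP Inspection with DHCP snooping prevents the poisoning rather than merely detecting it.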

DNS-Based Attacks — DNS hijacking, cache poisoning, and DNS tunneling exploit the inherently trusted nature of DNS resolution. CISA Emergency Directive 19-01, issued in January 2019, responded to a wave of DNS infrastructure tampering targeting federal civilian agencies (CISA ED 19-01).
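DNS tunneling for C2 and exfiltration, mentioned in the phases above and in this section, encodes payload into the leftmost labels of query names under a domain the attacker controls; the authoritative server decodes them. What that leaves in resolver logs is many distinct, long, high-entropy subdomains of one registrable domain, often using TXT, NULL, CNAME or MX records to carry data back. The detector below is an added example, not code from the original page, and runs over constructed resolver log records; the thresholds, the two-label approximation of a registrable domain, and the sample names are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log records (client IP, query name, record type).
# Made up for the example, not captured traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "A"),
    ("10.0.0.5", "cdn.example.net", "AAAA"),
    ("10.0.0.7", "3q2f9z8k1x7v4b6n0m5c2d8e.tun.example.org", "TXT"),
    ("10.0.0.7", "9a8s7d6f5g4h3j2k1l0p9o8i.tun.example.org", "TXT"),
    ("10.0.0.7", "z1x2c3v4b5n6m7a8s9d0f1g2.tun.example.org", "TXT"),
    ("10.0.0.7", "q0w9e8r7t6y5u4i3o2p1a0s9.tun.example.org", "TXT"),
    ("10.0.0.7", "l1k2j3h4g5f6d7s8a9p0o1i2.tun.example.org", "TXT"),
]

# Record types tunnelling tools commonly use to carry data downstream.
PAYLOAD_TYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Approximate the registrable domain as the last two labels.
    Assumption for the example: no public suffix list, so names under
    multi-label suffixes such as co.uk would be split incorrectly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_tunnel_candidates(queries, min_unique=5, min_entropy=3.5, min_label_len=20):
    """Group queries by registrable domain and flag domains whose leftmost
    labels look like encoded payload: many distinct subdomains, long labels,
    high entropy. Returns {domain: stats} for flagged domains only."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "entropy": [],
                                      "lengths": [], "payload": 0, "total": 0})
    for _client, qname, qtype in queries:
        labels = qname.rstrip(".").lower().split(".")
        stats = per_domain[registrable_domain(qname)]
        stats["total"] += 1
        if qtype in PAYLOAD_TYPES:
            stats["payload"] += 1
        if len(labels) <= 2:
            continue  # a bare apex query carries no payload label
        leftmost = labels[0]
        stats["subdomains"].add(".".join(labels[:-2]))
        stats["entropy"].append(shannon_entropy(leftmost))
        stats["lengths"].append(len(leftmost))

    flagged = {}
    for domain, stats in per_domain.items():
        if len(stats["subdomains"]) < min_unique:
            continue
        mean_entropy = sum(stats["entropy"]) / len(stats["entropy"])
        mean_len = sum(stats["lengths"]) / len(stats["lengths"])
        if mean_entropy >= min_entropy and mean_len >= min_label_len:
            flagged[domain] = {
                "unique_subdomains": len(stats["subdomains"]),
                "mean_entropy": round(mean_entropy, 2),
                "mean_label_len": round(mean_len, 1),
                "payload_type_ratio": round(stats["payload"] / stats["total"], 2),
            }
    return flagged


if __name__ == "__main__":
    for domain, stats in find_tunnel_candidates(SAMPLE_QUERIES).items():
        print(domain, stats)
```

Legitimate traffic produces the same shape in places: CDN and cloud hostnames, anti-malware products that look up file hashes over DNS, and some certificate transparency and telemetry services. Run the heuristic against a per-domain allowlist and alongside volume baselines (bytes of query names per client per hour) rather than on its own.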

Credential-Based Network Attacks — Brute-force, password spraying, and credential stuffing against network-exposed authentication endpoints (VPN, RDP, SSH) are consistently among the initial access vectors most frequently reported in FBI IC3 ransomware reporting, alongside phishing and exploitation of software vulnerabilities. Spraying differs from brute force in that it tries a few common passwords across many accounts, staying below per-account lockout thresholds; stuffing replays credential pairs leaked from other breaches.
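The three techniques leave different shapes in authentication logs: brute force is many failures against one account from one source, spraying is one or two failures against each of many accounts from one source, and a stuffing hit is a success that follows a run of failures. The classifier below is an added example, not code from the original page; it parses constructed sshd-style log lines (RFC 5737 test addresses) and tags each source address. The thresholds, the window, and the assumption that all lines fall in a single year (syslog timestamps carry none) are choices made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines for the example; not real logs.
SAMPLE_LINES = [
    "Jan 10 12:00:01 vpn1 sshd[4101]: Failed password for alice from 203.0.113.9 port 51234 ssh2",
    "Jan 10 12:00:31 vpn1 sshd[4102]: Failed password for bob from 203.0.113.9 port 51235 ssh2",
    "Jan 10 12:01:02 vpn1 sshd[4103]: Failed password for invalid user carol from 203.0.113.9 port 51236 ssh2",
    "Jan 10 12:01:33 vpn1 sshd[4104]: Failed password for dave from 203.0.113.9 port 51237 ssh2",
    "Jan 10 12:02:04 vpn1 sshd[4105]: Failed password for invalid user erin from 203.0.113.9 port 51238 ssh2",
    "Jan 10 12:02:35 vpn1 sshd[4106]: Failed password for frank from 203.0.113.9 port 51239 ssh2",
] + [
    # Twelve rapid failures against root from one source, then a success.
    f"Jan 10 12:05:{i:02d} vpn1 sshd[{4110 + i}]: Failed password for root from 198.51.100.23 port {40000 + i} ssh2"
    for i in range(12)
] + [
    "Jan 10 12:05:20 vpn1 sshd[4130]: Accepted password for root from 198.51.100.23 port 40020 ssh2",
    # A user mistyping once and then logging in: should not be flagged.
    "Jan 10 12:10:00 vpn1 sshd[4140]: Failed password for alice from 192.0.2.77 port 60000 ssh2",
    "Jan 10 12:10:08 vpn1 sshd[4141]: Accepted password for alice from 192.0.2.77 port 60001 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return {ts, ok, user, ip} for a password auth line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Assumption: no year in the timestamp, so all lines are treated as one year.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def classify_sources(lines, window=timedelta(minutes=10), spray_users=5,
                     spray_per_user=2, brute_failures=10, min_fails_before_hit=3):
    """Tag each source IP as password_spray, brute_force and/or credential_hit."""
    events = [e for e in map(parse_line, lines) if e]
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    verdicts = {}
    for ip, evs in by_ip.items():
        failures = defaultdict(int)   # user -> failed attempts
        fails_before_ok = 0
        credential_hit = False
        for e in evs:
            if e["ok"]:
                # A success after a run of failures is what a stuffing hit looks like;
                # a single typo followed by success is normal and not counted.
                if fails_before_ok >= min_fails_before_hit:
                    credential_hit = True
                fails_before_ok = 0
            else:
                failures[e["user"]] += 1
                fails_before_ok += 1
        if not failures:
            continue
        fail_times = [e["ts"] for e in evs if not e["ok"]]
        span = fail_times[-1] - fail_times[0]
        tags = []
        if span <= window and max(failures.values()) >= brute_failures:
            tags.append("brute_force")
        if span <= window and len(failures) >= spray_users and max(failures.values()) <= spray_per_user:
            tags.append("password_spray")
        if credential_hit:
            tags.append("credential_hit")
        if tags:
            verdicts[ip] = {"tags": tags, "accounts": len(failures),
                            "failures": sum(failures.values())}
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LINES).items():
        print(ip, verdict)
```

Per-source grouping is the weak point: spraying campaigns routinely rotate through residential proxies so each address makes only a handful of attempts, and the signal then only appears when failures are aggregated per target account set or per autonomous system. Correlating the distinct-accounts count across all sources in the window catches that case.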

Protocol Exploitation — Abuse of network protocol implementations, including SMB (EternalBlue, CVE-2017-0144) and RDP (BlueKeep, CVE-2019-0708; DejaBlue, CVE-2019-1181 and CVE-2019-1182), and abuse of protocol design such as BGP route hijacking. Implementation vulnerabilities are cataloged in the NIST National Vulnerability Database (NVD); BGP hijacking, by contrast, exploits the absence of origin validation in the protocol itself, and RPKI route origin validation is the deployed countermeasure.

Wireless Network Attacks — Evil twin access points, KRACK key-reinstallation attacks against the WPA2 handshake, and deauthentication attacks target wireless infrastructure. Deauthentication frames can be forged because 802.11 management frames were unauthenticated before 802.11w (Protected Management Frames), which WPA3 makes mandatory. The wireless attack surface is addressed in wireless network security.

Decision boundaries

Prioritization of defensive resources against network attack vectors depends on three classification criteria:

NIST SP 800-115 (Technical Guide to Information Security Testing and Assessment) provides the authoritative federal framework for classifying attack vectors in formal assessment contexts, with penetration testing for networks serving as the primary validation mechanism.
