
Cyber attacks are a constant threat for organizations, with most facing the question of when, not if, they will be targeted.

Just as businesses adopt new technology and processes to harden their defenses or enhance operations, threat actors are continually evolving their tactics, techniques, and procedures (TTPs) to bypass those defenses, exploit newer technologies, and launch more frequent and damaging attacks. The dynamic nature of modern cyber threats, shaped by the ongoing back-and-forth between emerging threats and evolving security measures, makes staying ahead a persistent challenge for organizations.

This is evidenced in The Arctic Wolf State of Cybersecurity: 2025 Trends Report, in which 52% of organizations identified one or more breaches within their environment in 2024 (up from 48% a year ago), and 70% stated they experienced at least one “significant cyber attack” in 2024, which may have included ransomware, business email compromise (BEC), and malware infections.

Cybercrime, now the number one global business risk, rakes in trillions of dollars for cybercriminals. Given the ever-present and costly threats facing organizations, it’s important to look at the attack vectors threat actors are using to understand how organizations can harden their defenses in a proactive, strategic manner to better withstand future threats.

What Is an Attack Vector?

An attack vector is the way a threat actor gains access to a network, system, application, or endpoint. Simply put, when analyzing a cyber attack or intrusion, the attack vector refers to how the threat actor got in.

If ransomware is the attack type, the method through which the threat actor gains access and deploys that ransomware would be the attack vector. Attack vector examples include phishing emails, vulnerability exploits, and malware downloads. Attack vectors are also referred to as the root point of compromise, meaning the initial entry point leveraged by a threat actor to access an environment in order to launch an attack.

There are two terms closely related to attack vector that should be made clear, as well.

Attack Surface vs. Attack Vector
The attack surface refers to a total set of points in a system or an organization — including the organization’s users — that are exposed or potentially exposed to a threat actor and which could be utilized as attack vectors. If the attack vector is a successful phishing email, then the attack surface is the user accessing that email within an organization. It’s the “where” of a cyber attack.

Threat Vector vs. Attack Vector
A threat vector refers to any potential route or means through which a threat could reach or impact a system. A threat can lead to an attack; it isn’t an actual attack, but it is a risk an organization should consider. In other words, an attack vector is the actualized version of a threat vector.

Organizations often create threat vectors within themselves through a lack of cybersecurity best practices. Threat vectors can include an employee reusing the same password, leading to a credential-based attack on an application, or even a lack of multi-factor authentication (MFA), leading to a brute-force attack on a system.

Successful Cyber Attack Vectors: The Top Three Attack Vectors Used by Threat Actors

While there’s certainly talk about (and evidence for) more complicated attack methods – including the exploitation of zero-day vulnerabilities, the rise of AI-enabled attacks, and the evolution of malware strains – it appears that threat actors are overwhelmingly sticking to relatively simple, tried-and-true attack methods to infiltrate organizations and achieve their cybercrime goals.

Every year, Arctic Wolf analyzes its own data, made up of cases investigated by Arctic Wolf® Incident Response and compiled in the 2025 Arctic Wolf Threat Report, to better understand what attack vectors threat actors are using and how organizations can better defend their attack surfaces.

This year we identified three main attack vectors:

  • External remote access
  • External exploit
  • Human risk

Unsurprisingly, this trio is similar to last year’s, when the attack vectors standing on the podium were external remote access driven primarily by compromised credentials, external exploits of known vulnerabilities, and user action fueled by social engineering attacks.

While it’s important to note that not all attack vectors are created equal – for example, social engineering is more widely used as a precursor to business email compromise (BEC) attacks than other attacks, and remote monitoring and management (RMM) abuse appears to be most often utilized in ransomware cases – that doesn’t mean any of these common attack vectors should be dismissed.

Threat actors are opportunists and will go for the path of least resistance every time, no matter the organization’s size or industry. As such, cybersecurity is showing itself more and more to be a multifaceted discipline, where an organization needs to take multiple approaches, simultaneously, to properly secure its environment against all kinds of potential attack vectors.

External Remote Access

External remote access is an attack vector in which threat actors gain unauthorized access to an organization’s network from outside the physical perimeter.

External remote access was deemed the primary attack vector in:

  • 59.4% of ransomware cases
  • 40.2% of intrusion cases

This use of external remote access illustrates two key points about the state of cybercrime. One is that the rise of hybrid-work models, application-based IT environments, and identity-centric operations has greatly expanded the attack surface, opening new threat vectors.

Two is that the same tools organizations deploy to support and secure these new work models are the very same tools threat actors are exploiting. From abuse of RMM tools to the use of compromised credentials for remote desktop protocol (RDP) and virtual private network (VPN) solutions, threat actors are often turning to simpler, low-tech ways to bypass this newer technology.

Securing Your Environment Against External Remote Access Attack Vectors

Looking at how threat actors are achieving access also illuminates the defenses your organization can implement and harden. For external remote access, there are a few steps any organization can take:

1. Implement phishing-resistant multi-factor authentication (MFA) and other access controls in line with a zero trust strategy to prevent both initial access and the risk of lateral movement.
2. Conduct employee security training that focuses on credential security, how to stay secure while using tools like VPN and RDP, and how to spot social engineering tactics.
3. Ensure applications are properly configured, encrypted, and monitored, reducing the risk of security gaps or unobserved unauthorized access.

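The third step above calls for monitoring remote access. As an added example (not Arctic Wolf’s code or tooling), here is a small Python detector run over constructed VPN/RDP authentication lines; it flags the two patterns this section describes, a successful external login without MFA and a burst of failures followed by a success. The log format, the internal address ranges and the failure threshold are all assumptions to be mapped onto your own gateway’s logs.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not real data) in a key=value form assumed for this example.
SAMPLE_LOG = """\
2025-03-04T08:12:31Z vpn user=jdoe src=10.20.0.15 result=success mfa=yes
2025-03-04T08:13:02Z vpn user=asmith src=203.0.113.45 result=failure mfa=no
2025-03-04T08:13:09Z vpn user=asmith src=203.0.113.45 result=failure mfa=no
2025-03-04T08:13:15Z vpn user=asmith src=203.0.113.45 result=failure mfa=no
2025-03-04T08:13:21Z vpn user=asmith src=203.0.113.45 result=success mfa=no
2025-03-04T09:02:44Z rdp user=svc_backup src=198.51.100.7 result=success mfa=no
2025-03-04T09:05:10Z rdp user=mlee src=10.20.0.31 result=success mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>vpn|rdp) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)
# Internal ranges are assumed to be RFC 1918 here; substitute the organization's real ones.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FAILURE_THRESHOLD = 3  # consecutive failures before a success that we treat as a brute-force pattern

def parse(log_text):
    """Parse well-formed lines into dicts; silently skip lines that do not match the format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def is_external(src):
    """True unless the source address sits inside one of the internal ranges."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in INTERNAL_NETS)

def detect(events):
    """Return (finding, service, user, src) tuples for the two patterns described in the text."""
    findings = []
    failures = defaultdict(int)  # (user, src) -> consecutive failures seen so far
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key] += 1
            continue
        if is_external(e["src"]) and e["mfa"] == "no":
            findings.append(("external_login_without_mfa", e["svc"], e["user"], e["src"]))
        if failures[key] >= FAILURE_THRESHOLD:
            findings.append(("brute_force_then_success", e["svc"], e["user"], e["src"]))
        failures[key] = 0  # a success resets the streak for that user/source pair
    return findings
```

Feeding the gateway’s real logs through `parse` and `detect` gives a starting point for alerting on unmanaged remote access; the MFA-less external logins are the ones phishing-resistant MFA from step 1 is meant to eliminate.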
External Exploit

As the name suggests, an external exploit refers to the exploitation of a security vulnerability from an external location. The most common form of this is the exploitation of a known software vulnerability by a threat actor.

External exploit was deemed the primary attack vector in:

  • 33.2% of ransomware cases
  • 26.5% of intrusion cases

It’s not a surprise that external exploit ranks so high on this list. The sheer volume of vulnerabilities continues to increase year after year – jumping almost 40% between 2023 and 2024 – and the number of critical- and high-severity vulnerabilities is following a similar trend.

What’s most alarming, however, is the frequency with which known, patchable vulnerabilities are utilized as an attack vector. In 76% of intrusion cases, threat actors employed one or more of 10 specific vulnerabilities, all of which were previously known and had a patch available at the time of exploitation. The trend is similar when looking at ransomware cases, where zero-day exploits were responsible for only 0.4% of cases. This attack vector can be closed off to threat actors through simple, concrete actions.

Securing Your Environment Against External Exploit Attack Vectors

There are multiple ways organizations can put themselves in a better position when it comes to vulnerabilities, including:

  • Performing host-based vulnerability scanning to patch and remediate severe risks
  • Regularly updating software and patching software when patches become available
  • Focusing on risk-based vulnerability remediation and mitigation

What all these methods have in common is that they are part of a robust risk-based vulnerability management program. Because every organization has different and variable security and business needs, the goal with vulnerability management should not be to eliminate every possible vulnerability, but to take a risk-based approach that prioritizes high-risk issues and serves to reduce overall vulnerability risk over time.
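As an added illustration of the risk-based prioritization described above (not Arctic Wolf’s code or scoring model), here is a small Python scorer run over constructed findings with placeholder CVE ids. It shows why a CVSS-only ordering misses the point the data makes: an internet-facing, already-exploited, patchable 7.2 outranks an internal 9.8 with no known exploit. The weights and the asset-criticality scale are assumptions to be tuned by the organization.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    host: str
    cve: str                # placeholder ids below (CVE-0000-000x), not real vulnerabilities
    cvss: float             # base severity from the scanner
    internet_facing: bool   # reachable via the external-exploit vector
    known_exploited: bool   # exploitation in the wild confirmed by your threat intelligence
    patch_available: bool
    asset_criticality: int  # 1 (low) .. 3 (high), assigned by the business

CRITICALITY_WEIGHT = {1: 0.5, 2: 1.0, 3: 1.5}  # assumed scale

def risk_score(f):
    """Weight CVSS by exploitation evidence, exposure and asset value; CVSS alone is only the start."""
    score = f.cvss
    if f.known_exploited:
        score *= 2.0   # known, actively exploited flaws are what intrusions actually used
    if f.internet_facing:
        score *= 1.5   # directly reachable from outside
    score *= CRITICALITY_WEIGHT[f.asset_criticality]
    return round(score, 1)

def prioritize(findings):
    """Order by descending risk; ties go to patchable items first, then by id for stability."""
    return sorted(findings, key=lambda f: (-risk_score(f), not f.patch_available, f.cve))

def remediation_plan(findings, budget):
    """Return the top `budget` patchable findings to fix now and the unpatchable ones to mitigate."""
    ranked = prioritize(findings)
    patch_now = [f for f in ranked if f.patch_available][:budget]
    mitigate = [f for f in ranked if not f.patch_available]
    return patch_now, mitigate

# Constructed sample findings (not real hosts or CVEs).
SAMPLE = [
    Finding("vpn-gw-01", "CVE-0000-0001", 7.2, True, True, True, 3),
    Finding("db-int-07", "CVE-0000-0002", 9.8, False, False, True, 3),
    Finding("web-ext-02", "CVE-0000-0003", 8.0, True, False, True, 2),
    Finding("legacy-app-03", "CVE-0000-0004", 8.8, True, True, False, 2),
    Finding("dev-box-11", "CVE-0000-0005", 5.0, False, False, True, 1),
]
```

With `remediation_plan(SAMPLE, 2)` the two patches to apply first are the exploited VPN gateway flaw and the internal database flaw, while the unpatchable legacy application is routed to mitigation rather than silently dropped from the list.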

Human Risk

Human risk refers to the risk posed by insecure actions of users, either intentional or accidental, that lead to a cybersecurity incident or compromise valuable assets within an organization. This term encompasses actions such as falling for a social engineering attack or phishing scam, malicious insider actions, or even unintentional errors such as reusing a password.

Human risk was deemed the primary attack vector in:

  • 99.2% of business email compromise (BEC) cases
  • 23.9% of intrusion cases
  • 6.6% of ransomware cases

(This is the first time we’re mentioning BEC attacks, and it’s for a reason. If a threat actor can launch a BEC attack, there is little reason for them to then try to exploit other external tools to gain access. Additionally, BEC attacks often occur in isolation, meaning the threat actor is or was solely focused on conducting the BEC attack, not on gaining access to other parts of the IT environment or exploiting vulnerabilities.)

While human risk still makes up the minority of all attack vectors, it’s gaining traction as identity becomes the new IT perimeter and credentials become digital keys to the kingdom. BEC attacks especially rely on human risk, as Arctic Wolf research has revealed that phishing was the primary root point of compromise in 73.5% of BEC cases.

But human risk is not limited to BEC alone. From utilizing previously compromised credentials to launching social engineering attacks to pursuing other credential-based attacks, taking advantage of human risk is often a quick and easy way for a threat actor to gain access to an environment and launch a variety of attacks – no complex coding or deeply technical knowledge required.

Securing Your Environment Against Human Risk-based Attack Vectors

Securing your user base takes a multi-pronged approach that encompasses both technology-based defenses and user education. This approach includes:

  • Employing proper identity and access management (IAM) strategies, which builds a strong framework for your organization’s identities to exist in, and includes access controls such as phishing-resistant MFA
  • Utilizing email security technology that can spot potential BEC and phishing emails as well as flag impersonations and malicious files and messages, preventing them from ever reaching users
  • Conducting robust security awareness training that teaches users how to spot key social engineering attacks, utilizes phishing simulations, and builds an organization-wide culture of security

Preventing Attacks with a Security Operations Approach

As the data above shows, threat actors are utilizing a Swiss Army knife of tactics, techniques, and procedures (TTPs) to gain access and launch increasingly sophisticated, damaging attacks on organizations of all sizes and industries. Having one measure of defense in place is not enough, and taking a reaction-based approach will leave your security in a perpetual state of immaturity, not to mention expose significant parts of the attack surface for threat actors to target.

Arctic Wolf is working to reduce cyber risk through an operations-based approach that combines proactive and reactive security measures alongside risk transfer best practices to help your organization stop immediate threats, harden your attack surface against future ones, and create an efficient, effective cybersecurity strategy that works for your unique needs and risk levels.

Explore the data shown above in-depth with expert analysis in the 2025 Arctic Wolf Threat Report.
Understand how your peers are evaluating risk and security measures for both today and tomorrow with The Arctic Wolf State of Cybersecurity: 2025 Trends.