The term “attack vector”, with respect to computer systems and networks, is derived from the term “vector” in biology, which means an agent that carries and transmits an infectious pathogen into another living organism. In the same sense, an attack vector is a path or means by which an attacker (e.g., a hacker or cracker) may access a computer system or network for the purpose of infecting the computer with malicious code or inflict malicious outcome. Common vectors may utilize buffer overflows, HTML email with JavaScript or other scripting enhancements, networking protocol flaws or human manipulation (i.e., social engineering). Attack vectors may include e-mail attachments, pop-up windows, instant messages viruses or worms.
Firewalls and anti-virus software are commonly used to prevent, identify or block attack vectors. However, attack vectors may still by-pass such defense methods.
Identification of attack vectors challenging organizational defenses is crucial in the prioritization of defense investments and actions. The critical path of attack represents the comprehensive vulnerability of organizational resources and therefore the actual defense posture.
Simulation of attack vectors is done to date by human penetration testing, which is a long and highly skilled process based on professional experience of specific expert or group of experts. Thus, there is a critical need to generate rapidly and continuously simulated attack vectors based on organizational characteristics rather than human expert idiosyncratic expertise.
The foregoing examples of the related art and limitations related therewith are intended to be illustrative and not exclusive. Other limitations of the related art will become apparent to those of skill in the art upon a reading of the specification and a study of the figures.