16 Types of Cyberattacks and How to Prevent Them – TechTarget

Today’s cybercriminals are not part-time amateurs or script kiddies but rather state-sponsored adversaries and professional criminals looking to steal information and make large amounts of money. Disruption and vandalism are still prevalent, and espionage has replaced hacktivism as the second main driving force behind cyberattacks — after financial profit. With these different motives and the increasing sophistication of attackers, many security teams are struggling to keep their IT systems secure.
A variety of cyberattacks are launched against organizations every day. According to threat intelligence provider Check Point Research, there was a weekly average of 1,158 attacks per organization worldwide in 2023. Consulting services and software provider IT Governance reported that a total of 8.2 billion records were breached in publicly disclosed attacks during the year as a whole.
Research and publishing firm Cybersecurity Ventures has predicted that the global cost of cybercrime would hit $8 trillion in 2023 and increase to $9.5 trillion in 2024. The average cost of a data breach at 553 organizations worldwide in the 12 months ending in March 2023 was a record high of $4.45 million, according to a report that IBM publishes annually. The costs of cyberattacks are both tangible and intangible, including not only direct loss of assets, revenue and productivity, but also reputational damage that can lead to loss of customer trust and the confidence of business partners.
Cybercrime is built around the efficient exploitation of vulnerabilities, and security teams are always at a disadvantage because they must defend all possible entry points, while an attacker only needs to find and exploit one weakness or vulnerability. This asymmetry highly favors attackers. The result is that even large enterprises struggle to prevent cybercriminals from monetizing access to their networks, which typically must maintain open access and connectivity while security professionals try to protect enterprise resources.
This article is part of
Download this entire guide for FREE now!
Not only large organizations are at risk of cyberattacks, though. Cybercriminals use any internet-connected device as a weapon, a target or both, and SMBs tend to deploy less sophisticated cybersecurity measures, opening them up to potential security incidents, too.
Security managers and their teams also need to be prepared for all the different attacks they might face. To help with that, here are 16 of the most damaging types of cyberattacks and how they work.
Malware, short for malicious software, is an umbrella term used to refer to a hostile or intrusive program or file that’s designed to exploit devices at the expense of the user and to the benefit of the attacker. There are various forms of malware that all use evasion and obfuscation techniques designed to not only fool users, but also elude security controls so they can install themselves on a system or device surreptitiously without permission.
Currently, the most feared form is ransomware, a program that attackers use to encrypt a victim’s files and then demand a ransom payment in order to receive the decryption key. Because of ransomware’s prominence, it’s covered in more detail below in its own section. The following are some other common types of malware:
Ransomware is usually installed when a user visits a malicious website or opens a doctored email attachment. Traditionally, it exploits vulnerabilities on an infected device to encrypt important files, such as Word documents, Excel spreadsheets, PDFs, databases and system files, making them unusable. The attacker then demands a ransom in exchange for the decryption key needed to restore the locked files. The attack might target a mission-critical server or try to install the ransomware on other devices connected to the network before activating the encryption process so they’re all hit simultaneously.
To increase the pressure on victims, attackers also often threaten to sell or leak data exfiltrated during an attack if the ransom isn’t paid. In fact, in a shift in ransomware tactics, some attackers are now relying solely on data theft and potential public disclosures to extort payments without even bothering to encrypt the data. That change might have contributed to record-breaking numbers of ransomware attacks reported in 2023 by cybersecurity vendors and researchers. Check Point Research said 10% of organizations worldwide were targeted by attempted attacks.
Everyone is a possible ransomware target, from individuals and small businesses to large organizations and government agencies. The attacks can have a seriously damaging impact. In a well-known incident, the WannaCry ransomware attack in 2017 affected organizations in over 150 countries with the disruption to hospitals costing the U.K.’s National Health Service alone around $111 million. More recently, the U.K.’s Royal Mail fell victim to a ransomware attack in 2023 that encrypted crucial files, preventing international shipments for six weeks. Royal Mail refused to pay the initial ransom demand of $80 million or subsequent reduced amounts but said it spent almost $13 million on remediation work and security improvements. In addition, data stolen in the attack was posted online.
Also in 2023, a ransomware attack on MGM Resorts International cost the hotel and casino company an estimated $100 million, disrupted its operations and resulted in the theft of personal information on customers. Caesars Entertainment negotiated a ransom payment of $15 million after a similar attack in an effort to prevent stolen data from being published online, according to The Wall Street Journal. Ransomware is such a serious problem that the U.S. government in 2021 created a website called StopRansomware that provides resources to help organizations prevent attacks, as well as a checklist on how to respond to one.
Despite their many known weaknesses, passwords are still the most common authentication method used for computer-based services, so obtaining a target’s password is an easy way to bypass security controls and gain access to critical data and systems. Attackers use various methods to illicitly acquire passwords, including these:
In a 2023 survey by TechTarget’s Enterprise Strategy Group research division, 45% of the 377 respondents said they knew user accounts or credentials had been compromised in their organization during the past 12 months, while 32% suspected they had been. Of all those respondents, 59% said such compromises led to successful cyberattacks. Also, Verizon’s “2023 Data Breach Investigations Report” found that using stolen credentials was by far the top way in which attackers accessed systems in breached organizations with 49% of 4,291 documented breaches involving their use.
A distributed denial-of-service (DDoS) attack involves the use of numerous compromised computer systems or mobile devices to target a server, website or other network resource. The goal is to slow it down or crash it completely by sending a flood of messages, connection requests or malformed packets, thereby denying service to legitimate users.
Almost 7.9 million DDoS attacks were launched in the first half of 2023, a 31% year-over-year increase, according to a report by performance management and security software vendor Netscout. Political or ideological motives are behind many of the attacks, but they’re also used to seek ransom payments — in some cases, attackers threaten an organization with a DDoS attack if it doesn’t meet their ransom demand. Attackers are also harnessing the power of AI tools to improve attack techniques and direct their networks of slave machines to perform DDoS attacks accordingly. Worryingly, AI is now being used to enhance all forms of cyberattacks, although it has potential cybersecurity uses, too.
In phishing, an attacker masquerades as a reputable organization or individual to trick an unsuspecting victim into handing over valuable information, such as passwords, credit card details and intellectual property. Based on social engineering techniques, phishing campaigns are easy to launch and surprisingly effective. Emails are most commonly used to distribute malicious links or attachments, but phishing attacks can also be conducted through text messages (SMS phishing, or smishing) and phone calls (voice phishing, or vishing).
Spear phishing targets specific people or companies, while whaling attacks are a type of spear phishing aimed at senior executives in an organization. A related attack is the business email compromise (BEC) in which an attacker poses as a top executive or other person of authority and asks employees to transfer money, buy gift cards or take other actions. The FBI’s Internet Crime Complaint Center puts phishing and BEC attacks in separate categories. In 2022, the last year for which data has been released, it received 21,832 complaints about BEC attacks with total losses of more than $2.7 billion and 300,497 phishing complaints that generated $52 million in losses.
Any website that is database-driven — and that’s the majority of websites — is susceptible to SQL injection attacks. A SQL query is a request for some action to be performed on a database, and a well-constructed malicious request can create, modify or delete the data stored in the database. It can also read and extract data such as intellectual property, personal information of customers or employees, administrative credentials and private business details.
SQL injection continues to be a widely used attack vector. It was third on the 2023 Common Weakness Enumeration (CWE) Top 25 list of the most dangerous software weaknesses, which is maintained by The Mitre Corp. In 2023, according to the website CVEdetails.com, more than 2,100 SQL injection vulnerabilities were added to the CVE database, a separate catalog of common vulnerabilities and exposures that Mitre also manages. In a high-profile example of a SQL injection attack, attackers used one of those new vulnerabilities to gain access to Progress Software’s MoveIt Transfer web application, leading to data breaches at thousands of organizations that use the file transfer software.
This is another type of injection attack in which an attacker adds a malicious script to content on a legitimate website. Cross-site scripting (XSS) attacks occur when an untrusted source is able to inject code into a web application and the malicious code is then included in webpages that are dynamically generated and delivered to a victim’s browser. This enables the attacker to execute scripts written in languages such as JavaScript, Java and HTML in the browsers of unsuspecting website users.
Attackers can use XSS to steal session cookies, which lets them pretend to be victimized users. But they can also distribute malware, deface websites, seek user credentials and take other damaging actions through XSS. In many cases, it’s combined with social engineering techniques, such as phishing. A constant among common attack vectors, XSS ranked second on the CWE Top 25 list for 2023.
In a man-in-the-middle (MitM) attack, the attacker secretly intercepts messages between two parties — for example, an end user and a web application. The legitimate parties believe they’re communicating directly with each other, but in fact, the attacker has inserted themselves in the middle of the electronic conversation and taken control of it. The attacker can read, copy and change messages, including the data they contain, before forwarding them on to the unsuspecting recipient, all in real time.
A successful MitM attack enables attackers to capture or manipulate sensitive personal information, such as login credentials, transaction details, account records and credit card numbers. Such attacks often target the users of online banking applications and e-commerce sites, and many involve the use of phishing emails to lure users into installing malware that enables an attack.
It’s easy for attackers to modify a URL in an effort to access information or resources. For example, if an attacker logs in to a user account they’ve created on a website and can view their account settings at https://www.awebsite.com/acount?user=2748, they can easily change the URL to, say, https://www.awebsite.com/acount?user=1733 to see if they can access the account settings of the corresponding user. If the site’s web server doesn’t check whether each user has the correct authorization to access the requested resource, particularly if it includes user-supplied input, the attacker likely will be able to view the account settings of every other user on the site.
A URL interpretation attack, also sometimes referred to as URL poisoning, is used to gather confidential information, such as usernames and database records, or to access admin pages that are used to manage a website. If an attacker does manage to access privileged resources by manipulating a URL, it’s commonly due to an insecure direct object reference vulnerability in which the site doesn’t properly apply access control checks to verify user identities.
The DNS enables users to access websites by mapping domain names and URLs to the IP addresses that computers use to locate sites. Hackers have long exploited the insecure nature of DNS to overwrite stored IP addresses on DNS servers and resolvers with fake entries so victims are directed to an attacker-controlled website instead of the legitimate one. These fake sites are designed to look exactly like the sites that users expected to visit. As a result, victims of a DNS spoofing attack aren’t suspicious when asked to enter their account login credentials on what they think is a genuine site. That information enables the attackers to log in to user accounts on the sites being spoofed.
Because DNS is a trusted service, DNS messages typically travel through an organization’s firewalls in both directions with little monitoring. However, this means an attacker can embed malicious data, such as command-and-control messages, in DNS queries and responses to bypass — or tunnel around — security controls. For example, the hacker group OilRig, which has suspected ties to Iran, is known to use DNS tunneling to maintain a connection between its command-and-control server and the systems it’s attacking.
A DNS tunneling attack uses a tunneling malware program deployed on a web server with a registered domain name. Once the attacker has infected a computer behind an organization’s firewall, malware installed there attempts to connect to the server with the tunneling program, which involves a DNS request to locate it. This provides a connection for the attacker into a protected network.
There also are valid uses for DNS tunneling — for example, antivirus software vendors send malware profile updates in the background via DNS tunneling. As a result, DNS traffic must be monitored to ensure that only trusted traffic is allowed to flow through a network.
A botnet is a group of internet-connected computers and networking devices that are infected with malware and controlled remotely by cybercriminals. Vulnerable IoT devices are also being compromised by attackers to increase the size and power of botnets. They’re often used to send email spam, engage in click fraud campaigns and generate malicious traffic for DDoS attacks.
When the Meris botnet was discovered in 2021, for example, security researchers at software vendor Cloudflare said attackers were using it to launch DDoS attacks against about 50 different websites daily. Meris is also responsible for some of the largest DDoS attacks on record thanks to its use of HTTP pipelining and its size, which was estimated at about 250,000 bots in 2021. The objective for creating a botnet is to infect as many devices as possible and then use the combined computing power and resources of those devices to automate and magnify malicious activities.
In what’s known as a drive-by attack, an attacker uses a security vulnerability to add malicious code to a legitimate website so that, when users go to the site, the code automatically executes and infects their computer or mobile device. It’s one form of a watering hole attack in which attackers identify and take advantage of insecure sites that are frequently visited by users they wish to target — for example, employees or customers of a specific organization or even in an entire sector, such as finance, healthcare and the military.
Because it’s hard for users to identify a website that has been compromised by a watering hole attack, it’s a highly effective way to install malware on their devices. With the prospective victims trusting the site, an attacker might even hide the malware in a file that users intentionally download. The malware in watering hole attacks is often a remote access Trojan that gives the attacker remote control of infected systems.
Employees and contractors have legitimate access to an organization’s systems, and some have an in-depth understanding of its cybersecurity defenses. This can be used maliciously to gain access to restricted resources, make damaging system configuration changes or install malware. Insiders can also inadvertently cause problems through negligence or a lack of awareness and training on cybersecurity policies and best practices.
It was once widely thought that insider threat incidents outnumbered attacks by outside sources, but that’s no longer the case. Verizon’s 2023 data breach report said external actors were responsible for more than 80% of the breaches that were investigated. However, insiders were involved in 19% of them — nearly one in five. Some of the most prominent data breaches have been carried out by insiders with access to privileged accounts. For example, Edward Snowden, a National Security Agency contractor with administrative account access, was behind one of the largest leaks of classified information in U.S. history starting in 2013. In 2023, a member of the Massachusetts Air National Guard was arrested and charged with posting top-secret and highly classified military documents online.
Also known as network or packet sniffing, an eavesdropping attack takes advantage of poorly secured communications to capture traffic in real time as information is transmitted over a network by computers and other devices. Hardware, software or a combination of both can be used to passively monitor and log information and “eavesdrop” on unencrypted data from network packets. Network sniffing can be a legitimate activity done by network administrators and IT security teams to resolve network issues or verify traffic. However, attackers can exploit similar measures to steal sensitive data or obtain information that enables them to penetrate further into a network.
To enable an eavesdropping attack, phishing emails can be used to install malware on a network-connected device, or hardware can be plugged into a system by a malicious insider. An attack doesn’t require a constant connection to the compromised device — the captured data can be retrieved later, either physically or by remote access. Due to the complexity of modern networks and the sheer number of devices connected to them, an eavesdropping attack can be difficult to detect, particularly because it has no noticeable impact on network transmissions.
This is a type of cryptographic brute-force attack for obtaining digital signatures, passwords and encryption keys by targeting the hash values used to represent them. It’s based on the “birthday paradox,” which states that, in a random group of 23 people, the chance that two of them have the same birthday is more than 50%. Similar logic can be applied to hash values to enable birthday attacks.
A key property of a hash function is collision resistance, which makes it exceedingly difficult to generate the same hash value from two different inputs. However, if an attacker generates thousands of random inputs and calculates their hash values, the probability of matching stolen values to discover a user’s login credentials increases, particularly if the hash function is weak or passwords are short. Such attacks can also be used to create fake messages or forge digital signatures. As a result, developers need to use strong cryptographic algorithms and techniques that are designed to be resistant to birthday attacks, such as message authentication codes and hash-based message authentication codes.
The more devices that are connected to a network, the greater its value. For example, Metcalfe’s law asserts that the value of a network is proportional to the square of its connected users. Especially in large networks, that makes it harder to increase the cost of an attack to the point where attackers give up. Security teams have to accept that their networks will be under constant attack. But, by understanding how different types of cyberattacks work, mitigation controls and strategies can be put in place to minimize the damage they do. Here are the main points to keep in mind:
Ultimately, if the connected world is going to survive the never-ending battle against cyberattacks, cybersecurity strategies and budgets need to build in the ability to adapt to changing threats and deploy new security controls when needed, while also now harnessing the power of AI to help security teams.
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry.
Why effective cybersecurity is important for businesses
Remote work cybersecurity: Risks and how to prevent them
How to perform a cybersecurity risk assessment
Cybersecurity certifications to boost your career
What is the future of cybersecurity?
As telecom providers struggle to monetize 5G, hyperscalers like AWS, Google Cloud and Microsoft Azure are betting big on LEO …
Soft skills such as empathy, active listening and problem-solving can be valuable assets to network engineers who interact with …
Juniper’s Mist AI update will include using the Marvis virtual network assistant to obtain information on data center cabling, …
The next U.S. president will set the tone on issues such as AI regulation, data privacy and climate tech. Where do prominent …
Stakeholders want a single rule for reporting software development costs in a simplified manner, which the Financial Accounting …
Digital transformation is crucial for businesses wanting to keep up with technological growth. Start your digital transformation …
These 12 tools approach patching from different perspectives. Understanding their various approaches can help you find the right …
UEM software is vital for helping IT manage every type of endpoint an organization uses. Explore some of the top vendors and how …
IT administrators might encounter an error message that states ‘access denied’ when working with Group Policy. There are a few …
Cloud certifications are available for all levels of cloud expertise. Use this guide to evaluate basic, topic-specific, …
The cost of spot prices can be a risk-and-reward kind of strategy. Better understand the risks that come with Azure Spot VMs so …
A successful FinOps team relies on clear team structure and roles, shared accountability and baseline measures of success. Use …
Amazon Web Services clocked up double-digit revenue growth during the final quarter of 2023, but analyst figures show the company…
Telco’s trading update for nine months to 31 December 2023 shows a quarter of revenue and EBITDA growth while upgrading customers…
Meta CEO Mark Zuckerberg anticipates that training and running AI systems requires 10x computer capacity each year
All Rights Reserved, Copyright 2000 – 2024, TechTarget

Privacy Policy
Cookie Preferences
Do Not Sell or Share My Personal Information

source

Related Posts

After 6 months and little explanation, Norton Healthcare patients, employees still feeling effects of cyber attack – WDRB

Spotty shower possible. Storms after midnight Updated: April 16, 2024 @ 12:31 pmNorton Healthcare, a company serving about 600,000 patients a year with nearly $5 billion in assets, continues to…

Read more

CA's top cybersecurity job has been vacant for almost 2 years – CalMatters

Technology Californians get hacked all the time. The state’s top cybersecurity job is vacant In summaryGov. Newsom has yet to appoint a commander who is tasked with informing businesses and…

Read more

13 Cyber Security Measures Your Small Business Must Take – Tech.co

Our content is funded in part by commercial partnerships, at no extra cost to you and without impact to our editorial impartiality. Click to Learn MoreCybersecurity has been important to…

Read more

AVG Antivirus Free review – Ghacks

AVG AntiVirus Free is a longstanding security program for Microsoft Windows that protects computer systems from viruses, trojans and other malicious code.One interesting fact about AVG is that it maintains…

Read more

Vlog Episode #247: Chris Long on Improving Technical SEO Skills & Playing Offense SEO – Search Engine Roundtable

In part one, we learned about Chris Long and his experience working with Bill Slawski. Then, in part two, we spoke about helping people with SEO on LinkedIn and using…

Read more

Information Security Vs. Cybersecurity: What's The Difference? – Forbes

Information Security Vs. Cybersecurity: What’s The Difference?  Forbessource

Read more

Leave a Reply

Your email address will not be published. Required fields are marked *