Today's cybercriminals are not part-time amateurs or script kiddies, but state-sponsored adversaries and professional criminals looking to steal information. While disruption and vandalism are still prevalent, espionage has replaced hacktivism as the second main driving force behind cyber attacks, after financial profit. Whatever the motive, many security teams are struggling to keep their IT systems secure.
Cyber attacks are launched against organizations every day: According to Check Point Research, in the fourth quarter of 2021, there was an all-time peak in weekly cyber attacks, reaching over 900 attacks per organization, while IT Governance reported 34.9 million records breached in June 2022 alone.
A RiskIQ study estimated that cybercrime costs organizations $1.79 million every minute. These costs are both tangible and intangible, including not only direct loss of assets, revenue and productivity, but also loss of business confidence, trust and reputational damage.
Cybercrime is built around the efficient exploitation of vulnerabilities, and security teams are always at a disadvantage because they must defend all possible entry points, while an attacker only needs to find and exploit one weakness or vulnerability. This asymmetry highly favors any attacker, with the result that even large enterprises struggle to prevent cybercriminals from monetizing access to their networks -- networks that typically must maintain open access and connectivity while trying to protect enterprise resources.
Large organizations are not the only ones at risk of cyber attacks; cybercriminals will use any internet-connected device as a weapon, a target or both, and SMBs tend to deploy less sophisticated cybersecurity measures.
So, which are the most damaging cyber attacks, and how do they work? Here are the 13 most damaging types of cyber attacks.
1. Malware attack
Malware, or malicious software, is an umbrella term used to refer to a hostile or intrusive program or file that is designed to exploit devices at the expense of the user and to the benefit of the attacker. There are various types of malware, but they all use evasion and obfuscation techniques designed to not only fool users, but also evade security controls so they can install themselves on a system or device surreptitiously without permission. Here are some of the most common types of malware:
- Ransomware. Currently, the most feared form of malware is ransomware -- a program designed to encrypt a victim's files and then demand a ransom in order to receive the decryption key; 2021 saw an 82% increase from 2020 in ransomware-related attacks, with some of the biggest attacks in history hitting critical infrastructure and facilities. Ransomware is covered in more detail below.
- Rootkit. Unlike other malware, a rootkit is a collection of software tools used to open a backdoor on a victim's device, which allows the attacker to install additional malware, such as ransomware and keyloggers, or to gain control of and remote access to other devices on the network. To avoid detection, rootkits often disable security software. Once the rootkit has control over a device, it can be used to send spam email, join a botnet, or collect and send sensitive data back to the attacker.
- Trojan. A Trojan horse is a program downloaded and installed on a computer that appears harmless but is, in fact, malicious. Typically, this malware is hidden in an innocent-looking email attachment or free download. When the user clicks on the email attachment or downloads the free program, the hidden malware is transferred to the user's computing device. Once inside, the malicious code executes whatever task the attacker designed it to perform. Often, this is to launch an immediate attack, but it can also create a backdoor for the hacker to use in future attacks.
- Spyware. Once installed, spyware monitors the victim's internet activity, tracks login credentials and spies on sensitive information -- all without the user's consent or knowledge. Cybercriminals use spyware to obtain credit card numbers, banking information and passwords, which are sent back to the attacker. Recent victims include Google Play users in South and Southeast Asia, but spyware is also used by government agencies in many countries. Pegasus spyware has been used to spy on activists, politicians, diplomats, bloggers, research laboratories and allies.
2. Password attack
Despite their many known weaknesses, passwords are still the most common authentication method used for computer-based services, so obtaining a target's password is an easy way to bypass security controls and gain access to critical data and systems. There are various methods attackers use to obtain a user's password:
- Brute-force attack. An attacker can guess a user's login credentials through trial and error, trying well-known passwords, such as password123, or passwords based on information gathered from the target's social media posts, like the name of a pet; others deploy automated password-cracking tools to try every possible combination of characters.
- Dictionary attack. Similar to a brute-force attack, a dictionary attack uses a preselected library of commonly used words and phrases, depending on the location or nationality of the victim.
- Social engineering. It is easy for a hacker to craft a personalized email or message that looks genuine to someone by collecting information about them from their social media posts. These messages, particularly if they are sent from a fake account impersonating someone the victim knows, can be used to obtain login credentials under false pretenses.
- Password sniffer. This is a small program installed on a network that extracts usernames and passwords that are sent across the network in cleartext. It's no longer the threat it used to be as most network traffic is now encrypted.
- Keylogger. This secretly monitors and logs a user's every keystroke to capture passwords, PIN codes and other confidential information entered via the keyboard. This information is sent back to the attacker via the internet.
- Stealing or buying a password database. Hackers can try to breach an organization's network defenses to steal its database of users' credentials to either sell the data to others or use it themselves.
A 2022 survey by Identity Defined Security Alliance found that 84% of respondents had experienced an identity-related breach. Recent high-profile examples are the successful identity-based attacks against SolarWinds and Colonial Pipeline. Verizon's "2022 Data Breach Investigations Report" found 61% of all breaches involved exploited credentials.
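The brute-force, dictionary and credential-stuffing methods listed above all leave the same footprint on the authentication side: bursts of failed logins from one source, either against one account or spread across many. The following detector, added here as an example and not part of the original article, runs a sliding-window count over constructed sshd-style log lines (the log format, thresholds and IP addresses are assumptions for illustration) and raises three kinds of alert: a failure streak against one account, a "spray" of failures across several accounts from one source, and a success that follows a failure streak closely enough to suggest the guess worked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines (sample data, not from any real host).
SAMPLE_LOG = """\
2023-03-01T10:00:01 sshd: Failed password for alice from 203.0.113.5
2023-03-01T10:00:03 sshd: Failed password for alice from 203.0.113.5
2023-03-01T10:00:05 sshd: Failed password for alice from 203.0.113.5
2023-03-01T10:00:08 sshd: Failed password for alice from 203.0.113.5
2023-03-01T10:00:11 sshd: Failed password for alice from 203.0.113.5
2023-03-01T10:00:14 sshd: Accepted password for alice from 203.0.113.5
2023-03-01T10:01:00 sshd: Failed password for bob from 198.51.100.7
2023-03-01T10:01:02 sshd: Failed password for carol from 198.51.100.7
2023-03-01T10:01:04 sshd: Failed password for dave from 198.51.100.7
2023-03-01T10:01:06 sshd: Failed password for erin from 198.51.100.7
2023-03-01T10:30:00 sshd: Failed password for frank from 192.0.2.9
2023-03-01T10:45:00 sshd: Accepted password for frank from 192.0.2.9
"""

# Assumed line layout: "<ISO timestamp> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(log_text):
    """Yield (timestamp, result, user, source_ip) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def _prune(entries, now, window):
    # Drop entries that fell out of the sliding window.
    while entries and now - entries[0][0] > window:
        entries.popleft()


def detect_password_attacks(log_text, fail_threshold=5, spray_threshold=4,
                            window=timedelta(minutes=5)):
    """Return a list of (alert_type, source_ip, detail) tuples.

    brute_force:            >= fail_threshold failures for one account from one source
    password_spray:         >= spray_threshold distinct accounts failed from one source
    success_after_failures: a login succeeded within `window` of a failure streak
    """
    events = sorted(parse_events(log_text))
    alerts, already = [], set()
    fails_by_pair = defaultdict(deque)   # (src, user) -> deque of (ts, user)
    fails_by_src = defaultdict(deque)    # src -> deque of (ts, user)

    for ts, result, user, src in events:
        pair = fails_by_pair[(src, user)]
        _prune(pair, ts, window)
        if result == "Failed":
            pair.append((ts, user))
            per_src = fails_by_src[src]
            per_src.append((ts, user))
            _prune(per_src, ts, window)
            key = ("brute_force", src, user)
            if len(pair) >= fail_threshold and key not in already:
                alerts.append(key)
                already.add(key)
            distinct = {u for _, u in per_src}
            if len(distinct) >= spray_threshold and ("password_spray", src) not in already:
                alerts.append(("password_spray", src, len(distinct)))
                already.add(("password_spray", src))
        elif pair:
            # A success right after a run of failures: the credential may just have been guessed.
            alerts.append(("success_after_failures", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_attacks(SAMPLE_LOG):
        print(alert)
```

Running the block on the sample prints a brute-force alert for alice, a success-after-failures alert for the same account, and a spray alert for the second source; frank's single failure 15 minutes before his successful login falls outside the window and is not flagged. Whatever log source you feed it, tune `window` and the two thresholds to the lockout policy in force, and treat the success-after-failures alert as the one that warrants an immediate session review.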
3. Ransomware attack
Ransomware is now the most prominent type of malware. It is usually installed when a user visits a malicious website or opens a doctored email attachment. It exploits vulnerabilities on the device to encrypt important files, such as Word documents, Excel spreadsheets, PDF files, databases and critical system files, making them unusable. The attacker then demands a ransom in exchange for the decryption key needed to restore the locked files. The attack may target a mission-critical server or try to install the ransomware on other devices connected to the network before activating the encryption process so they are all hit simultaneously. To increase the pressure on victims to pay, the attackers often threaten to sell or leak data exfiltrated during the attack if the ransom is not paid.
Everyone is a possible target, from individuals and small businesses through to major organizations and government agencies. The attacks can have a seriously damaging impact on the victim and its clients. The WannaCry ransomware attack in 2017 affected organizations in over 150 countries, with the disruption to hospitals costing the U.K.'s National Health Service alone around $111 million. More recently, an attack on the meat retailer JBS Foods in 2021 caused meat shortages across the U.S. To avoid ongoing disruption, the company paid a ransom of $11 million, while Colonial Pipeline paid a $5 million ransom after a ransomware attack shut down one of the country's largest pipelines. Ransomware is such a serious problem that there is an official U.S. government website called StopRansomware that provides resources to help organizations prevent ransomware attacks, as well as a checklist on how to respond to an attack.
4. DDoS attack
A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.
2021 saw another large rise in the number of DDoS attacks, many of them disrupting critical infrastructures around the world; ransom DDoS attacks increased by 29%. Attackers are also harnessing the power of AI to understand what kinds of attack techniques work best and to direct their botnets -- slave machines used to perform DDoS attacks -- accordingly. Worryingly, AI is being used to enhance all forms of cyber attack.
5. Phishing attack
A phishing attack is a form of fraud in which an attacker masquerades as a reputable entity, such as a bank, tax department or person, in email or in other forms of communication, to distribute malicious links or attachments that trick an unsuspecting victim into handing over valuable information, such as passwords, credit card details, intellectual property and so on. Phishing campaigns are easy to launch and surprisingly effective. Phishing attacks can also be conducted by phone call (voice phishing) and by text message (SMS phishing).
Spear phishing attacks are directed at specific individuals or companies, while whaling attacks are a type of spear phishing attack that specifically targets senior executives within an organization. One type of whaling attack is the business email compromise (BEC), where the attacker targets specific employees who have the ability to authorize financial transactions in order to trick them into transferring money into an account controlled by the attacker. The FBI's Internet Crime Complaint Center said that BEC attacks made up the majority of incidents reported in 2021, accounting for 19,954 complaints and losses of around $2.4 billion.
6. SQL injection attack
Any website that is database-driven -- and that is the majority of websites -- is susceptible to SQL injection attacks. An SQL query is a request for some action to be performed on a database, and a carefully constructed malicious request can create, modify or delete the data stored in the database, as well as read and extract data such as intellectual property, personal information of customers, administrative credentials or private business details. SQL injection ranks third in the 2022 Common Weakness Enumeration (CWE) Top 25 list of the most dangerous software weaknesses and continues to be a common attack vector. PrestaShop, a developer of e-commerce software used by some 300,000 online retailers, recently warned users to update to its latest software version immediately, as certain earlier versions are vulnerable to SQL injection attacks that enable an attacker to steal customer credit card data.
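The "carefully constructed malicious request" works because the application pastes user input into the text of the query, so the input is parsed as SQL grammar rather than as a value. The example below is added here and is not PrestaShop's code or anything from the article: it builds a constructed in-memory SQLite table (placeholder password hashes, no real credentials) and shows the same lookup written both ways. The string-formatted version returns every row when given an input that rewrites the WHERE clause; the parameterized version hands that same input to the driver as a bound value and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed user table in memory; the hashes are placeholders, not real credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-placeholder-1", "user"),
         ("bob", "hash-placeholder-2", "user"),
         ("admin", "hash-placeholder-3", "admin")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds the query by string formatting, so the input becomes part of the SQL text."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the driver binds the input as a value, never as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed test input that turns the WHERE clause into "username = '' OR '1'='1'".
INJECTION_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal lookup (safe):       ", find_user_safe(db, "alice"))
    print("tampered input (vulnerable):", find_user_vulnerable(db, INJECTION_INPUT))
    print("tampered input (safe):      ", find_user_safe(db, INJECTION_INPUT))
```

The fix is not input filtering but keeping code and data on separate channels: every database driver exposes bound parameters for exactly this reason, and an ORM or query builder should be used the same way. A code review or static-analysis rule that flags any f-string, `%` or `+` concatenation feeding `execute()` catches the vulnerable pattern before it ships.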
7. Cross-site scripting
Cross-site scripting (XSS) enables an attacker to steal session cookies, allowing the attacker to pretend to be the user, but it can also be used to spread malware, deface websites, create havoc on social networks, phish for credentials and -- in conjunction with social engineering techniques -- perpetrate more damaging attacks. XSS has been a constant attack vector used by hackers, ranking second on the CWE Top 25 in 2022.
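XSS is the HTML counterpart of SQL injection: untrusted text is pasted into a page and the browser reads markup in it as part of the page. The example below is added here and is not from the article. It renders a constructed comment into a minimal page template (an assumption; real templating engines do this for you) both raw and with context-appropriate output encoding, and it shows the `Set-Cookie` flags that keep a session cookie out of reach of any script that does slip through.

```python
import html

# Constructed untrusted comment: a page that reflects it unescaped would execute the script.
UNTRUSTED_COMMENT = '<script>alert("xss")</script><b onmouseover="alert(1)">hi</b>'

# Assumed minimal page template; in practice the template engine supplies this.
PAGE_TEMPLATE = '<html><body><div class="comment">{body}</div></body></html>'


def render_comment_unsafe(comment):
    """Interpolates raw input into HTML: any markup in the input becomes page markup."""
    return PAGE_TEMPLATE.format(body=comment)


def render_comment_safe(comment):
    """Encodes the input for the HTML text context before interpolating it."""
    return PAGE_TEMPLATE.format(body=html.escape(comment, quote=True))


def render_attribute_safe(value):
    """Attribute context: always quote the attribute and escape the quote characters,
    otherwise a value containing a double quote can close the attribute and add new ones."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def session_cookie_header(token):
    """Set-Cookie header for a session token. HttpOnly hides it from document.cookie,
    Secure keeps it off plaintext HTTP and SameSite=Lax stops most cross-site sending."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(render_comment_unsafe(UNTRUSTED_COMMENT))
    print(render_comment_safe(UNTRUSTED_COMMENT))
    print(render_attribute_safe('" onfocus="alert(1)'))
    print(session_cookie_header("placeholder-token"))
```

Escaping must match the context the value lands in (HTML text, attribute, URL, JavaScript), which is why autoescaping template engines and a Content Security Policy are the controls to reach for rather than hand-written filters; the cookie flags are the second layer, limiting what a successful injection can steal.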
8. Man-in-the-middle attack
A man-in-the-middle (MiTM) attack is where attackers secretly intercept and relay messages between two parties who believe they are communicating directly with each other, but in fact, the attackers have inserted themselves in the middle of the online conversation. The attackers can read, copy or change messages before forwarding them on to the unsuspecting recipient, all in real time. A successful MiTM attack can allow hackers to capture or manipulate sensitive personal information, such as login credentials, transaction details and credit card numbers.
9. URL interpretation/URL poisoning
A URL is the unique identifier used to locate a resource on the internet and tells a web browser how and where to retrieve it. It is easy for hackers to modify a URL to try to access information or resources to which they shouldn't have access. For example, if a hacker logs in to their account at awebsite.com and can view their account settings at https://www.awebsite.com/acount?user=2748, they can easily change this URL to https://www.awebsite.com/acount?user=1733 to see if they can access the account settings of user 1733. If the awebsite.com web server doesn't check that each user has the correct authorization to access the requested resource, particularly when the request includes user-supplied input, then the hacker is able to view the account settings of user 1733 and probably every other user.
This type of attack is used to gather confidential information, like usernames, files and database data, or to access admin pages that are used to manage the entire site. When an attacker can reach privileged resources through URL manipulation in this way, the underlying flaw is called an insecure direct object reference.
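The missing check in the awebsite.com scenario is object-level authorization: the server confirms the caller is logged in but never asks whether the logged-in user owns account 1733. The handler pair below is an added example, not code from the article or from any real site; the account records, the session table and the URL path (kept as the article spells it, `/acount`) are constructed. The vulnerable handler trusts the `user` parameter, while the hardened one compares it against the identity bound to the session, lets an admin role through and denies before revealing whether the account exists.

```python
from urllib.parse import urlparse, parse_qs

# Constructed account store, keyed by the numeric ids used in the article's example URLs.
ACCOUNTS = {
    2748: {"email": "user2748@example.com", "plan": "basic"},
    1733: {"email": "user1733@example.com", "plan": "premium"},
}
# Constructed session table: token -> identity established at login.
SESSIONS = {
    "sess-for-2748": {"user_id": 2748, "role": "user"},
    "sess-for-admin": {"user_id": 1, "role": "admin"},
}


def _requested_user(url):
    """Return the integer ?user= parameter, or None if it is missing or not an integer."""
    query = parse_qs(urlparse(url).query)
    raw = query.get("user", [None])[0]
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def account_settings_vulnerable(url, session_token):
    """Authenticates the caller but never checks that they own the requested account."""
    if session_token not in SESSIONS:
        return 401, "login required"
    user_id = _requested_user(url)
    if user_id is None or user_id not in ACCOUNTS:
        return 404, "no such account"
    return 200, ACCOUNTS[user_id]       # any logged-in user can read any account


def account_settings_safe(url, session_token):
    """Same handler with an object-level authorization check on every request."""
    session = SESSIONS.get(session_token)
    if session is None:
        return 401, "login required"
    user_id = _requested_user(url)
    if user_id is None:
        return 400, "bad user parameter"
    if user_id != session["user_id"] and session["role"] != "admin":
        # Deny before touching the store, so the response does not leak which ids exist.
        return 403, "forbidden"
    if user_id not in ACCOUNTS:
        return 404, "no such account"
    return 200, ACCOUNTS[user_id]


if __name__ == "__main__":
    other = "https://www.awebsite.com/acount?user=1733"
    print("vulnerable:", account_settings_vulnerable(other, "sess-for-2748"))
    print("hardened:  ", account_settings_safe(other, "sess-for-2748"))
```

The simplest way to make this class of bug impossible is to drop the `user` parameter entirely and derive the account from the session, so that there is no client-controlled identifier to tamper with; where a parameter is needed (admin tooling, shared resources), the ownership check belongs in a single authorization layer that every handler calls, and a burst of 403 responses from one session is worth alerting on.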
10. DNS spoofing
Hackers have long exploited the insecure nature of DNS to overwrite stored IP addresses on DNS servers and resolvers with fake entries so victims are directed to a hacker-controlled website instead of the legitimate one. These fake sites are designed to look exactly like the site the user was expecting to visit so they are not suspicious when asked to enter login credentials to what they think is a genuine site.
11. Botnet attack
A botnet comprises a collection of internet-connected computers and devices that are infected and controlled remotely by cybercriminals. Vulnerable IoT devices are also being used to increase the size and power of botnets. They are often used to send email spam, engage in click fraud campaigns and generate malicious traffic for DDoS attacks. The Meris botnet, for example, launches a DDoS attack against about 50 different websites and applications every day, having launched some of the largest HTTP attacks on record. The objective for creating a botnet is to infect as many connected devices as possible and to use the computing power and resources of those devices to automate and magnify the malicious activities.
12. Watering hole attack
In a drive-by attack, an attacker embeds malicious code into a legitimate but insecure website so, when anyone visits the site, the code automatically executes and infects their device without any interaction from the visitor. As it is hard for users to identify this type of compromised website, it is a highly effective way to install malware on a device. Cyber attackers have finessed this random attack by identifying sites that are frequently visited by users they wish to target, e.g., employees of a specific organization or even an entire sector, such as defence, finance or healthcare. This is called a watering hole attack. As the site is trusted by the victim, the malware may even be hidden in a file that they intentionally download from the site. The malware is often a remote access Trojan giving the attacker remote access to the target's system.
13. Insider threat
Employees and contractors have legitimate access to an organization's systems, and some have an in-depth understanding of its cybersecurity defenses. This can be used to gain access to restricted resources, make system configuration changes or install malware. It was widely thought that attacks by malicious insiders outnumbered those caused by other sources, but research in Verizon's "2022 Data Breach Investigations Report" shows that 80% of breaches are caused by those external to an organization. However, some of the largest data breaches have been carried out by insiders with access to privileged accounts. For example, Edward Snowden, a National Security Agency contractor with administrative account access, was behind one of the largest leaks of classified information in U.S. history.
How to prevent common types of cyber attacks
The more people and devices a network connects, the greater the value of the network, which makes it harder to raise the cost of an attack to the point where hackers give up. Metcalfe's law asserts that the value of a network is proportional to the square of its connected users. So, security teams have to accept that their networks will be under constant attack, but by understanding how different types of cyber attacks work, mitigating controls and strategies can be put in place to minimize the damage they can do. Here are the main points to keep in mind:
- Hackers, of course, first need to gain a foothold in a network before they can achieve whatever objectives they have, so they need to find and exploit one or more vulnerabilities or weaknesses in their victim's IT infrastructure.
- Vulnerabilities are either human- or technology-based, and according to a recent IBM "Cyber Security Intelligence Index Report," human error was a major contributing cause in 95% of all breaches. Errors can be either unintentional actions or lack of action, from downloading a malware-infected attachment to failing to use a strong password. This makes security awareness training a top priority in the fight against cyber attacks, and as attack techniques are constantly evolving, training needs to be constantly updated as well to ensure users are alerted to the latest types of attack. A cyber attack simulation campaign can assess the level of cyber awareness among employees with additional training where there are obvious shortcomings.
- While security-conscious users can reduce the success rate of most cyber attacks, a defense-in-depth strategy is also essential. Those layered defenses should be tested regularly via vulnerability assessments and penetration tests to check for exploitable security vulnerabilities in OSes and the applications they run.
- End-to-end encryption throughout a network stops many attacks from being able to successfully extract valuable data even if they manage to breach perimeter defenses.
- To deal with zero-day exploits, where cybercriminals discover and exploit a previously unknown vulnerability before a fix becomes available, enterprises need to consider adding content disarm and reconstruction to their threat prevention controls: because it treats all incoming content as malicious, it does not need to detect constantly evolving malware functionality.
- Finally, security teams need to proactively monitor the entire IT environment for signs of suspicious or inappropriate activity to detect cyber attacks as early as possible -- network segmentation creates a more resilient network that is able to detect, isolate and disrupt an attack. And, of course, there should be a well-rehearsed response plan if an attack is detected.
Security strategies and budgets need to build in the ability to adapt and deploy new security controls if the connected world is going to survive the never-ending battle against cyber attacks.