What are Cyber Attacks?
A cyber attack is any type of assault made in an attempt to disable, steal information, destroy data, or make unauthorized use of a computer, network, or any other digital asset.
Cyber attacks can be performed by anyone: hired individuals, criminal organizations, state sponsored groups, etc. Depending on the skills of the cybercriminal, attacks vary largely in terms of sophistication. For example, an individual can purchase a malware strain from the dark web that simply has to be attached to an email or a hacking group may commit a large scale breach of an organization. Cyber attacks can even be used as tools of cyberwarfare and cyberterrorism.
What’s the Difference Between Outsider vs Insider Threats?
Attacks can be distinguished by their point of origin. An outside attack begins outside of the security perimeter and is committed by an individual or group that is seeking to gain access to the environment’s data or functionality. Insider attacks are initiated from inside the security perimeter by those that already have access of some kind, like an employee, contractor, or someone who has stolen credentials.
Malicious insiders are typically dissatisfied or opportunistic employees that use their access to sensitive information or valuable assets for their own gain. Other times, resentful ex-employees who have just been let go pose a unique risk given their knowledge of the organization and their vengeful motivations. Many businesses fall victim to malicious insider attacks by not following the principle of least privilege, which limits users to only the access they need. Others fail to have protocols in place for ensuring that departing employees are immediately stripped of any privileges, from user accounts to building keys.
A negligent or accidental insider threat is an example of when a successful outside attack can pivot into an insider attack. There are many types of inadvertent insiders—well-meaning employees who are often at fault when it comes to misconfigured servers, networks, and databases, users susceptible to phishing attacks, or other careless behavior—that allow an outsider to gain entry.
What Are The Different Types of Cyber Attacks?
Cyber attacks are typically divided into two categories: active and passive. Active cyber attacks interrupt or alter normal system operations. Though it is possible to maintain stealth, these attacks can often be disruptive, with the victim becoming aware of the breach during or shortly after the attack is complete. They also typically have more destructive goals, like locking users out, deleting data, or leaching power. Examples include ransomware, DOS attacks, or cryptojacking.
Passive cyber attacks tend not to affect system resources. Their intent is to gather intelligence, which can often go unnoticed by victims. Once access is gained, passive attacks monitor systems and find sensitive information. This data can be collected through various means, including copying files, or eavesdropping on and recording communications through methods like keystroke logging.
Over the years, multiple types of attacks methods have emerged. Different approaches suit certain goals better than others based on their requirements. While some attack types are flexible, others are solely intended for gaining access, disabling systems, controlling systems, extracting information, blocking access, etc. Additionally, attackers must choose what best suits their needs depending on their level of skill, the type of access needed, whether stealth is desired, etc.
Oftentimes, attackers can’t achieve all of their goals with one type of attack. Advanced threat actors are able to chain attacks together in order, ultimately gaining control of the entire domain.
What are Malware Attacks?
Malware is the broad term that covers every type of software that is created to disable or damage computer systems. Some common pieces of malware include:
Though people often use virus as the generic term for malicious software, a virus is actually just one type of malware. Viruses infect an environment, replicating themselves and inserting their own malicious code into preexisting applications and software. In order to spread to other systems, a virus must be attached to a file or executable program, and only infects a system when opened. Read more>
While some viruses cause merely minor annoyances, like repetitive popups, others can be extremely destructive, wiping hard drives or even causing complete crashes. For example, the Melissa virus, which began appearing as an email attachment in 1999, replicated and sent itself to 50 of the recipient’s contacts when opened. Though seemingly harmless, enough people opened the attachment to cause a massive amount of traffic, slowing email servers to a crawl, even bringing some to a standstill.
Similar to a virus, a worm can also replicate itself on a computer system and cause varying levels of damage. Unlike a virus, a worm is a standalone program, and does not need to be attached to a file and opened to spread. A worm exploits vulnerabilities in a system, and uses network connections to infect other systems with similar weaknesses.
For example, the ILOVEYOU worm, which was delivered via email with the subject line “I love you,” was notoriously harmful, spreading rapidly and overwriting files as it went.
Ransomware is software that holds data hostage, with the threat to publish it or destroy it unless a ransom is paid. Unfortunately, even if organizations pay, they’re not guaranteed to get their data back, recovery will still take time, and giving into demands only encourages a repeat attack. For example, Travelex paid $2.3 million in ransom, and took a full month before their website was partially restored.
Additionally, one of the greatest threats of ransomware is its power to be used as a decoy. Attackers use ransomware as a tool to get IT and security teams chasing potential infections, allowing them to infiltrate the network and get what they are truly seeking. For example, Killdisk malware, added decoy ransomware to distract from its true purpose of cyber-espionage and sabotage.
Cryptojacking uses malware to infect a system in order to leach its processing power for cryptomining, allowing cryptominers to mine more transactions faster in order to get a much larger payout. Unfortunately, it leaves the victims with painfully slow systems, or ones that end up crashing altogether. Organizations with multiple computers and servers make perfect targets because of their large supply of processing power.
For example, one business discovered that a particularly stealthy strain of cryptomining malware, Norman, had spread to almost every computer in the company. Suspicion was raised only after alerts of network slowdown and unstable applications were investigated.
Named after the Trojan horse of Greek legend, digital Trojans operate on a similar principal. Trojans serve as a malicious delivery system, as they hide any type of malware that enters into an environment by disguising themselves as legitimate, harmless files or applications.
For example, Emotet is an infamous Trojan that has been paired with numerous threats in order to steal data, harvest emails, and deliver ransomware. Emotet disguises itself as a legitimate email, even able to appear as a reply in a pre-existing thread.
Spyware is software that monitors, collects, and transmits data from a computer system without a user’s or organization’s knowledge. For example, cookie trackers can log web activities like search and download histories, keyloggers track anything typed on a keyboard, and system monitors log almost everything a user does while on the compromised device.
Spyware is unique in that it can be used legally. For example, FinSpy, also known as FinFisher, is a commercial spyware tool advertised to law enforcement agencies.
Though some use the term adware to describe any advertising supported software, adware can also be used to describe a very specific type of spyware installed without a user’s permission intended to display ads for any given product or service. Adware can display these ads in multiple ways, like redirecting web pages to go to an advertising site or creating popups. Adware is typically a harmless annoyance, but can also serve as a carrier for more dangerous malware.
This tricky variant of malware is particularly dangerous because it does not use executable files to install new software, but instead is a type of living off the land attack, leveraging pre-existing software and applications. It is primarily memory resident, which makes fileless malware incredibly difficult to uncover, since it leaves no signature behind. Since it can evade detection fairly easily in most environments, fileless malware can also have a significantly longer dwell time.
What are DOS and DDOS Attacks?
A denial-of-service (DoS) attack interrupts normal operation of a system or device (typically network servers), forcing it to deny access and or cause downtime. This is usually accomplished by bombarding the target with traffic so no regular traffic can get through. This often results in a slow down of service or a complete crash. In a DoS attack, the flood of traffic comes from a single source, but a distributed-denial-of-service attack (DDoS) is at a much larger scale, since the influx of traffic comes from multiple sources. This makes recovery significantly more challenging, since the attack is multi-faceted, the origin is difficult to pinpoint, and can result in much longer periods of downtime.
Botnets are also often used for executing DDoS attacks. A botnet is a group of internet connected devices like computers, servers, or smartphones that have all been compromised and are now controlled by the attacker. Each device serves as a bot, and the threat actor uses this group of devices—a botnet—to execute tasks. Since there are so many devices that make up a botnet, they are ideal for flooding targets with traffic. For example, DNS provider Dyn was hit by a massive botnet, which was made up of over 100,000 bots. After the botnet used Mirai malware to cause outages for sites like Amazon, Netflix, Reddit, and Twitter, Dyn’s reputation plummeted, and thousands of domains dropped from their service.
Attackers don’t even need to create their own botnet to strike—those that do have them are now renting out their botnets to other parties for similar purposes. For example, a threat actor that goes by the code name “Greek helios” has been promoting their botnet dark nexus, which is made up of over 1300 bots, on YouTube for as little as $18.50 a month.
What is Phishing?
Phishing is an attack strategy that uses deception to get malware past the perimeter or access credentials. This is typically accomplished through malicious links or attachments embedded in emails. Although phishing is almost as old as email, it has become increasingly more sophisticated, often evading spam filters and human detection.
Though there are still emails with obviously fake email addresses, riddled with spelling errors, an increasing number are nearly impossible to tell from the real thing. Many lead to websites prompting credentials that look almost identical to the site they are imitating. Spear phishing uses targeted attacks against a specific person or organization. A threat actor does research in order to learn personal information to tailor emails accordingly. For example, phish could be created to look like an individual’s specific bank, or an organization may be phished with emails that appear to be from those working in human resources. Since spear phish are from familiar names or organizations, and often look more realistic, users are much more likely to open them.
Phishing campaigns can be remarkably effective. Whether it’s a convincing presentation or a distracted user, anyone can fall victim. In fact, even the SANS Institute, who provides cybersecurity training, suffered an attack. Around 28,000 pieces of sensitive, personally identifiable information were lost after a single employee was phished.
What is a Man-in-the-Middle Attack?
A Man-in-the-Middle attack (MITM) is when a threat actor is able to obtain sensitive information by secretly serving as the relay during communication between two entities. An attacker can intercept and alter the communication before relaying it to the other party, or simply eavesdrop. Typically, these attacks are essentially one website stepping in-between the user and a legitimate website so that whatever the user does on the legitimate website can be seen and stolen by the attacker who owns the site in the middle.
There are two common ways an attacker can achieve this: First, an attacker could take over the Domain Name System (DNS) server that tells a user’s browser where to find something online. If an attacker were to take over the DNS record (the individual site listing in a DNS server)—or the entire DNS server itself—then it could re-route the user to a completely different site that only looks and acts like the site the user wanted to go to.
Alternately, sophisticated MitM attacks can go even further than simply re-routing you to a fraudulent site. Instead of serving a user a site of their own, an attacker simply notes all the information being sent and received, but still passes data back and forth between the user and the real site.
For example, if a target went to their bank's website, they wouldn't see anything different at all. They would send their account number to the bank, which the attacker would intercept, save, and then pass on to the bank. The bank would send back the victim’s account information, which the attacker would save and then pass back to victim. The attacker now has a copy of all that information and can use it for whatever they want, without the target ever knowing how they got it. This type of attack is much more technically difficult to pull off, but is harder to detect and doesn’t require an attacker to maintain a fake site.
What is a Zero-Day Attack?
A zero-day attack (or day zero attack) exploits a security weakness present in a piece of software or device that the vendor has not found or fixed. The name comes from the idea that it’s been “zero days” since the vendor has known about the vulnerability. An attacker utilizes this gap in security to either gain access or inject malware. The longer the vendor is unaware of the security flaw, the more damage an attacker can do.
One of the best known instances of a zero day attack was Stuxnet, a worm that was developed to exploit four different zero-day flaws found in Siemens’ programmable logic controllers (PLCs), which are used in SCADA systems. Stuxnet appeared to be intended primarily to target the Iranian nuclear program, with 60% of the infected systems located in Iran. Once it had successfully exploited the security weakness in the PLCs, Stuxnet went on to steal information from the compromised systems. Though Stuxnet is still in the wild, Siemens has since released a detection and removal tool.
In order to minimize the amount of these zero-day attacks, many skilled cybersecurity professionals research and report flaws to Common Vulnerabilities and Exposures (CVE®), a public list of entries for known security vulnerabilities. Researchers also attempt to coordinate with the vendor, informing them of the vulnerability and verifying a patch or other type of fix if they create one.
What is an Injection Attack?
Injection attacks can be a type of zero-day attack, but are also used with known security flaws that haven’t been fixed or patched. These attack types change the execution of an application by injecting unauthorized input.
For example, SQL injections insert malicious SQL statements to manipulate queries to a web application database. Typically SQL injections are used to find and read, change, or delete sensitive information they wouldn’t otherwise have access to. Some attackers can even escalate their privileges to act as database administrator.
SQL injections are simple to perform and to execute, but so many web applications have vulnerabilities that it is still one of the most widely used attack methods today. For example, 23 million usernames and passwords were leaked from the online children’s game, Webkinz, with just an SQL injection. The attacker was also able to obtain hashed versions of email addresses.
These types of attacks are unfortunately incredibly common, as so many websites are not fully secure. Many large, well-known companies have suffered from XSS attacks, including Twitter and Facebook. Twitter has suffered two well known attacks. The first demonstrated benign changes like altering the color of tweets and annoying issues like users inadvertently triggering a tweet to be posted. The second attack posed enough of a threat to user security that Twitter had to temporarily shut down its social media dashboard, TweetDeck.
There are several other types of injection attacks. These include code injection, OS command injection, LDAP injection, CRLF injection, host and email header injection, and XPath injection.
What is a Supply Chain Attack?
Supply chain attacks target a vendor or supplier to gain access to a customer base. Inside the vendor's system, attackers can steal customer data, alter records, delete files, and install malware. This gives them access to the vendor's systems where they can monitor customers and change software and products. Doing so, their malware can spread from the vendor to the entire customer list. A supply chain attack can grow exponentially once a vendor's security is breached and affects everyone that uses this vendor's database.
How Do You Prevent Cyber Attacks?
Everyone is a potential target of a cyber attack. However, there are lots of actions you can take to help reduce your risk, including:
1. Limit Access.
The principle of least privilege, which mandates that users only have the access necessary to their job functions. Identity Governance & Administration ensures that users are operating within well-defined access policies and are not overprovisioned. It offers organizations increased visibility into the identities and access privileges of users, so they can better manage who has access to what systems, and when. Identity governance empowers organizations to do more with less, enhance their security posture, and meet increasing auditor demands, while also scaling for growth.
2. Keep your systems up to date and regularly test your environment.
Properly installing patches and updates—which usually means restarting the system to apply them—is an easy way to protects you from newly known vulnerabilities. You should also make sure your security portfolio is in good shape by regularly pen testing, which is a safe way to exploit vulnerabilities that may exist in operating systems, services and application flaws, improper configurations or risky end-user behavior. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as end-user adherence to security policies.
Red Teaming is another incredibly important security testing piece. Combining the right red team and the security tools and solutions they need to create a silent, long-term cybersecurity attack can be beneficial to finding your weaknesses and implementing a training practice for your blue team security professionals. Threat emulation with post-exploitation reporting and red teaming toolkits together can add that extra layer of security testing your organization needs.
Information about any security vulnerabilities successfully exploited through penetration testing is typically aggregated and presented to IT and network system managers to help those professionals make strategic conclusions and prioritize related remediation efforts. The fundamental purpose of penetration testing is to measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations.
3. Keep an eye on your environment.
IT organizations have put various systems in place to protect against intrusion and a host of different threats. The downside of these safeguards is they generate so much monitoring data that IT teams are then faced with the problem of interpreting it all to pinpoint actual problems. SIEM—or Security Information and Event Management—are solutions that monitor an organization's IT environment, relaying actionable intelligence and enabling security teams to manage potential vulnerabilities proactively. This software provides valuable insights into potential security threats through a centralized collection and analysis of normalized security data pulled from a variety of systems.
Cyber Attack Solutions from Core Security