What are Cyber Attacks?

A cyber attack is any type of assault made in an attempt to disable, steal information, destroy data, or make unauthorized use of a computer, network, or any other digital asset.

Cyber attacks can be performed by anyone: hired individuals, criminal organizations, state sponsored groups, etc. Depending on the skills of the cybercriminal, attacks vary largely in terms of sophistication. For example, an individual can purchase a malware strain from the dark web that simply has to be attached to an email or a hacking group may commit a large scale breach of an organization. Cyber attacks can even be used as tools of cyberwarfare and cyberterrorism.

Image
Cyber-Attacker

What’s the Difference Between Outsider vs Insider Threats?

Text

Attacks can be distinguished by their point of origin. An outside attack begins outside of the security perimeter and is committed by an individual or group that is seeking to gain access to the environment’s data or functionality. Insider attacks are initiated from inside the security perimeter by those that already have access of some kind, like an employee, contractor, or someone who has stolen credentials.

Read more>

Malicious insiders are typically dissatisfied or opportunistic employees that use their access to sensitive information or valuable assets for their own gain. Other times, resentful ex-employees who have just been let go pose a unique risk given their knowledge of the organization and their vengeful motivations. Many businesses fall victim to malicious insider attacks by not following the principle of least privilege, which limits users to only the access they need. Others fail to have protocols in place for ensuring that departing employees are immediately stripped of any privileges, from user accounts to building keys.

Read more>

A negligent or accidental insider threat is an example of when a successful outside attack can pivot into an insider attack. There are many types of inadvertent insiders—well-meaning employees who are often at fault when it comes to misconfigured servers, networks, and databases, users susceptible to phishing attacks, or other careless behavior—that allow an outsider to gain entry.

Read more>

What Are The Different Types of Cyber Attacks?

Cyber attacks are typically divided into two categories: active and passive. Active cyber attacks interrupt or alter normal system operations. Though it is possible to maintain stealth, these attacks can often be disruptive, with the victim becoming aware of the breach during or shortly after the attack is complete. They also typically have more destructive goals, like locking users out, deleting data, or leaching power. Examples include ransomware, DOS attacks, or cryptojacking.

Passive cyber attacks tend not to affect system resources. Their intent is to gather intelligence, which can often go unnoticed by victims. Once access is gained, passive attacks monitor systems and find sensitive information. This data can be collected through various means, including copying files, or eavesdropping on and recording communications through methods like keystroke logging.

Over the years, multiple types of attacks methods have emerged. Different approaches suit certain goals better than others based on their requirements. While some attack types are flexible, others are solely intended for gaining access, disabling systems, controlling systems, extracting information, blocking access, etc. Additionally, attackers must choose what best suits their needs depending on their level of skill, the type of access needed, whether stealth is desired, etc.

Oftentimes, attackers can’t achieve all of their goals with one type of attack. Advanced threat actors are able to chain attacks together in order, ultimately gaining control of the entire domain.

Read more>

Text
Image
Types of Threats

What are Malware Attacks?

Text

Malware is the broad term that covers every type of software that is created to disable or damage computer systems. Some common pieces of malware include:

Virus

Card image cap

Though people often use virus as the generic term for malicious software, a virus is actually just one type of malware. Viruses infect an environment, replicating themselves and inserting their own malicious code into preexisting applications and software. In order to spread to other systems, a virus must be attached to a file or executable program, and only infects a system when opened. Read more>

While some viruses cause merely minor annoyances, like repetitive popups, others can be extremely destructive, wiping hard drives or even causing complete crashes. For example, the Melissa virus, which began appearing as an email attachment in 1999, replicated and sent itself to 50 of the recipient’s contacts when opened. Though seemingly harmless, enough people opened the attachment to cause a massive amount of traffic, slowing email servers to a crawl, even bringing some to a standstill. 

What are DOS and DDOS Attacks?

Text

A denial-of-service (DoS) attack interrupts normal operation of a system or device (typically network servers), forcing it to deny access and or cause downtime. This is usually accomplished by bombarding the target with traffic so no regular traffic can get through. This often results in a slow down of service or a complete crash. In a DoS attack, the flood of traffic comes from a single source, but a distributed-denial-of-service attack (DDoS) is at a much larger scale, since the influx of traffic comes from multiple sources. This makes recovery significantly more challenging, since the attack is multi-faceted, the origin is difficult to pinpoint, and can result in much longer periods of downtime.

Read more>

Botnets are also often used for executing DDoS attacks. A botnet is a group of internet connected devices like computers, servers, or smartphones that have all been compromised and are now controlled by the attacker. Each device serves as a bot, and the threat actor uses this group of devices—a botnet—to execute tasks. Since there are so many devices that make up a botnet, they are ideal for flooding targets with traffic. For example, DNS provider Dyn was hit by a massive botnet, which was made up of over 100,000 bots. After the botnet used Mirai malware to cause outages for sites like Amazon, Netflix, Reddit, and Twitter, Dyn’s reputation plummeted, and thousands of domains dropped from their service.

Read more>

Attackers don’t even need to create their own botnet to strike—those that do have them are now renting out their botnets to other parties for similar purposes. For example, a threat actor that goes by the code name “Greek helios” has been promoting their botnet dark nexus, which is made up of over 1300 bots, on YouTube for as little as $18.50 a month. 

What is Phishing?

Phishing is an attack strategy that uses deception to get malware past the perimeter or access credentials. This is typically accomplished through malicious links or attachments embedded in emails. Although phishing is almost as old as email, it has become increasingly more sophisticated, often evading spam filters and human detection.

Though there are still emails with obviously fake email addresses, riddled with spelling errors, an increasing number are nearly impossible to tell from the real thing. Many lead to websites prompting credentials that look almost identical to the site they are imitating. Spear phishing uses targeted attacks against a specific person or organization. A threat actor does research in order to learn personal information to tailor emails accordingly. For example, phish could be created to look like an individual’s specific bank, or an organization may be phished with emails that appear to be from those working in human resources. Since spear phish are from familiar names or organizations, and often look more realistic, users are much more likely to open them.

Phishing campaigns can be remarkably effective. Whether it’s a convincing presentation or a distracted user, anyone can fall victim. In fact, even the SANS Institute, who provides cybersecurity training, suffered an attack. Around 28,000 pieces of sensitive, personally identifiable information were lost after a single employee was phished.

Read more>

Image
What is Phishing

What is a Man-in-the-Middle Attack?

Text

A Man-in-the-Middle attack (MITM) is when a threat actor is able to obtain sensitive information by secretly serving as the relay during communication between two entities. An attacker can intercept and alter the communication before relaying it to the other party, or simply eavesdrop. Typically, these attacks are essentially one website stepping in-between the user and a legitimate website so that whatever the user does on the legitimate website can be seen and stolen by the attacker who owns the site in the middle. 

There are two common ways an attacker can achieve this: First, an attacker could take over the Domain Name System (DNS) server that tells a user’s browser where to find something online. If an attacker were to take over the DNS record (the individual site listing in a DNS server)—or the entire DNS server itself—then it could re-route the user to a completely different site that only looks and acts like the site the user wanted to go to. 

Alternately, sophisticated MitM attacks can go even further than simply re-routing you to a fraudulent site. Instead of serving a user a site of their own, an attacker simply notes all the information being sent and received, but still passes data back and forth between the user and the real site. 

For example, if a target went to their bank's website, they wouldn't see anything different at all. They would send their account number to the bank, which the attacker would intercept, save, and then pass on to the bank. The bank would send back the victim’s account information, which the attacker would save and then pass back to victim. The attacker now has a copy of all that information and can use it for whatever they want, without the target ever knowing how they got it. This type of attack is much more technically difficult to pull off, but is harder to detect and doesn’t require an attacker to maintain a fake site.

Read more>

What is a Zero-Day Attack?

Text
Image
Zero-day attack

A zero-day attack (or day zero attack) exploits a security weakness present in a piece of software or device that the vendor has not found or fixed. The name comes from the idea that it’s been “zero days” since the vendor has known about the vulnerability. An attacker utilizes this gap in security to either gain access or inject malware. The longer the vendor is unaware of the security flaw, the more damage an attacker can do.

One of the best known instances of a zero day attack was Stuxnet, a worm that was developed to exploit four different zero-day flaws found in Siemens’ programmable logic controllers (PLCs), which are used in SCADA systems. Stuxnet appeared to be intended primarily to target the Iranian nuclear program, with 60% of the infected systems located in Iran. Once it had successfully exploited the security weakness in the PLCs, Stuxnet went on to steal information from the compromised systems. Though Stuxnet is still in the wild, Siemens has since released a detection and removal tool.

In order to minimize the amount of these zero-day attacks, many skilled cybersecurity professionals research and report flaws to Common Vulnerabilities and Exposures (CVE®), a public list of entries for known security vulnerabilities. Researchers also attempt to coordinate with the vendor, informing them of the vulnerability and verifying a patch or other type of fix if they create one.

Read more>

What is an Injection Attack?

Injection attacks can be a type of zero-day attack, but are also used with known security flaws that haven’t been fixed or patched. These attack types change the execution of an application by injecting unauthorized input.

For example, SQL injections insert malicious SQL statements to manipulate queries to a web application database. Typically SQL injections are used to find and read, change, or delete sensitive information they wouldn’t otherwise have access to. Some attackers can even escalate their privileges to act as database administrator.

SQL injections are simple to perform and to execute, but so many web applications have vulnerabilities that it is still one of the most widely used attack methods today. For example, 23 million usernames and passwords were leaked from the online children’s game, Webkinz, with just an SQL injection. The attacker was also able to obtain hashed versions of email addresses.

Another widely used injection attack is cross site scripting (XSS), which injects unauthorized client-side scripts (typically JavaScript) into vulnerable web applications, which are then embedded on a trusted web page. When a user visits or interacts with the site, the malicious script is executed, which provides multiple attack opportunities. A threat actor could change the appearance of the site, get access to sensitive page content, or redirect the user to another page or site. They could be able to steal a  user’s session cookie, which they could use to gain control of the session or user account. They may also have the ability to install and launch Trojan attacks.

 

These types of attacks are unfortunately incredibly common, as so many websites are not fully secure. Many large, well-known companies have suffered from XSS attacks, including Twitter and Facebook. Twitter has suffered two well known attacks. The first demonstrated benign changes like altering the color of tweets and annoying issues like users inadvertently triggering a tweet to be posted. The second attack posed enough of a threat to user security that Twitter had to temporarily shut down its social media dashboard, TweetDeck.

There are several other types of injection attacks. These include code injection, OS command injection, LDAP injection, CRLF injection, host and email header injection, and XPath injection. 

Image
Injection Attacks

How Do You Prevent Cyber Attacks?

Text

Everyone is a potential target of a cyber attack. However, there are lots of actions you can take to help reduce your risk, including:

1. Limit Access.

The principle of least privilege, which mandates that users only have the access necessary to their job functions. Identity Governance & Administration ensures that users are operating within well-defined access policies and are not overprovisioned. It offers organizations increased visibility into the identities and access privileges of users, so they can better manage who has access to what systems, and when. Identity governance empowers organizations to do more with less, enhance their security posture, and meet increasing auditor demands, while also scaling for growth.

Read more>

2. Keep your systems up to date and regularly test your environment.

Properly installing patches and updates—which usually means restarting the system to apply them—is an easy way to protects you from newly known vulnerabilities. You should also make sure your security portfolio is in good shape by regularly pen testing, which is a safe way to exploit vulnerabilities that may exist in operating systems, services and application flaws, improper configurations or risky end-user behavior. Such assessments are also useful in validating the efficacy of defensive mechanisms, as well as end-user adherence to security policies.

Information about any security vulnerabilities successfully exploited through penetration testing is typically aggregated and presented to IT and network system managers to help those professionals make strategic conclusions and prioritize related remediation efforts. The fundamental purpose of penetration testing is to measure the feasibility of systems or end-user compromise and evaluate any related consequences such incidents may have on the involved resources or operations.

Read more>

3. Keep an eye on your environment.

IT organizations have put various systems in place to protect against intrusion and a host of different threats. The downside of these safeguards is they generate so much monitoring data that IT teams are then faced with the problem of interpreting it all to pinpoint actual problems. SIEM—or Security Information and Event Management—are solutions that monitor an organization's IT environment, relaying actionable intelligence and enabling security teams to manage potential vulnerabilities proactively. This software provides valuable insights into potential security threats through a centralized collection and analysis of normalized security data pulled from a variety of systems.

Read more>

How Do You Detect Cyber Attacks?

Text

While prevention remains critical, with so many cyber threats, it is widely accepted that any available perimeters are being, and will continue to be, breached. Organizations must also layer their defenses with active threat detection tools that work to monitor your network for malicious activity, alerting your security team the moment an infection is uncovered. These solutions help prioritize risk, providing vital information to enable a rapid response which can be the difference between maintaining security across the enterprise and a devastating breach that may cripple your organization.

For example, advanced threat detection tools, like Network Traffic Analysis (NTA), find advanced malware, APTs, or signs of APTs, and alert security teams of their presence. Instead of monitoring the network, these solutions monitor the traffic, looking for and confirming malicious activity, ensuring that action can be taken the moment it is identified. These solutions allow your environment to be monitored without disruption. 

The goal of these solutions is to swiftly detect infections before the attack cycle is complete, so that security analysts can both eliminate the threat and minimize damage, enabling rapid recovery and remediation. Discovering threats as soon as possible is the best way to minimize damage.

Read more>

Text

Cyber Attack Solutions from Core Security


 

Cyber Threat Solutions

Ensure the security of your assets in a constantly-shifting threat landscape with cyber threat intelligence.

Learn More > 

Identity Governance & Administration

Minimize risk, streamline operations, and reduce cost with identity management.

Learn More >