Learn the definition of a cybersecurity attack and types of threats.
InsightDR ProductA cyberattack – also known as a cybersecurity attack – is any form of malicious activity targeting IT systems and/or the people using them to gain unauthorized access to systems and data they contain.
Criminals typically are looking to exploit an attack for financial gain, but in other cases the aim is to disrupt operations by disabling access to IT systems. Threat actors can be anyone from a single person attempting to obtain stolen credentials and hold them for ransom to a state-sponsored contingent looking to disrupt operations on foreign soil. Whatever the motivations, most IT networks – and the people that maintain them – will experience some type of attack over the course of their lives and must be prepared.
If you've ever studied famous battles in history, you'll know that no two are exactly alike. But there are strategies that, over time, have proven to be effective. Similarly, when a criminal is trying to hack an organization, they won't try something novel unless absolutely necessary. They draw upon common hacking techniques that are known to be highly effective, such as malware, phishing, or cross-site scripting (XSS).
Whether you're trying to make sense of the latest data-breach headline in the news or analyzing an incident in your own organization, it helps to understand different attack vectors. Let's take a look at some of the most common types of cyberattacks seen today.
Malware refers to various forms of harmful software, such as viruses and ransomware. Once malware is in your computer, it can wreak all sorts of havoc, from taking control of your machine, to monitoring your actions and keystrokes, to silently sending all sorts of confidential data from your computer or network to the attacker's home base.
Attackers will use a variety of methods to get malware into your computer, but at some stage it often requires the user to take an action to install the malware. This can include clicking a link to download a file, or opening an email attachment that may look harmless (like a document or PDF), but actually contains a hidden malware installer.
In a phishing attack, an attacker may send you an email that appears to be from someone you trust, like your boss or a company you do business with. The email will seem legitimate, and it will have some urgency to it (e.g. fraudulent activity has been detected on your account). In the email, there may be an attachment to open or a link to click.
Upon opening the malicious attachment, you'll unknowingly install malware in your computer. If you click the link, it may send you to a legitimate-looking website that asks you to log in to access an important file – except the website is actually a trap used to capture your credentials. To combat phishing attempts, it’s essential to understand the importance of verifying email senders and attachments or links.
An SQL injection attack specifically targets servers storing critical website and service data using malicious code to get the server to divulge information it normally wouldn’t. SQL (structured query language) is a programming language used to communicate with databases, and can be used to store private customer information such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information (PII) – all tempting and lucrative targets for an attacker.
An SQL injection attack works by exploiting any one of the known SQL vulnerabilities that allow the SQL server to run malicious code. For example, if an SQL server is vulnerable to an injection attack, it may be possible for an attacker to go to a website's search box and type in code that would force the site's SQL server to dump all of its stored usernames and passwords.
Cross-site scripting (XSS) attacks also involve injecting malicious code into a website, but in this case the website itself is not being attacked. Instead, the malicious code only runs in the user's browser when they visit the attacked website, where it directly targets the visitor.
One of the most common ways an attacker can deploy an XSS attack is by injecting malicious code into a comment or a script that could automatically run. For example, they could embed a link to a malicious JavaScript in a comment on a blog. Cross-site scripting attacks can significantly damage a website's reputation by placing users' information at risk without indication anything malicious has occurred.
Denial-of-service (DoS) attacks flood a website with more traffic than it’s built to handle, thereby overloading the site’s server and making it near-impossible to serve content to visitors. It’s possible for a denial-of-service to occur for non-malicious reasons. For example, if a massive news story breaks and a news organization’s site is overloaded with traffic from people trying to learn more about the story.
Often though, this kind of traffic overload is malicious, as an attacker floods a website with an overwhelming amount of traffic to essentially shut it down for all users. In some instances, these DoS attacks are performed by many computers at the same time. This scenario of attack is known as a distributed denial-of-service attack (DDoS).
Session hijacking occurs when an attacker hijacks a session by capturing the unique – and private – session ID and poses as the computer making a request, allowing them to log in as an unsuspecting user and gain access to unauthorized information on the web server. If everything goes as it should during any internet session, web servers should respond to your various requests by giving you the information you're attempting to access.
However, there are a number of methods an attacker can use to steal the session ID, such as a cross-site scripting attack used to hijack session IDs. An attacker can also opt to hijack the session to insert themselves between the requesting computer and the remote server, pretending to be the other party in the session. This allows them to intercept information in both directions and is commonly called a man-in-the-middle (MITM) attack.
Credential reuse occurs when someone uses the same credentials on multiple websites. It can make life easier in the moment, but can come back to haunt that user later on. Even though security best practices universally recommend unique passwords for all applications and websites, many people still reuse their passwords – a fact attackers will readily exploit.
Once attackers have a collection of compromised credentials from a breached website or service (easily acquired on any number of black market websites on the internet), they know there’s a good chance they’ll be able to use those credentials somewhere online. When it comes to credentials, variety is essential. Password managers are available and can be helpful when it comes to generating and managing unique passwords for every corner of the internet.
We could cover thousands of tactics and tips for preventing cyberattacks at scale, but let's zoom in an take a look at some key examples:
Phishing awareness training: Educate employees on why phishing is harmful and empower them to detect and report phishing attempts. This type of training includes email simulated phishing campaigns to employees, monitoring results, reinforcing training, and improving on simulation results.
Compromised credentials detection: Leverage user behavior analytics (UBA) to create a baseline for normal activity on your network. Then, monitor how administrator and service accounts are being used, which users are inappropriately sharing credentials, and whether an attacker is already expanding from initial compromise on your network.
Ransomware prevention: Create a three-point plan to prevent ransomware attacks. This includes minimizing an attack surface, mitigating potential impact once exposure has been detected, and debriefing to pinpoint existing plan gaps. From there, teams can rebuild systems, quarantine endpoints, change credentials, and lock compromised accounts.
XSS attack prevention: Institute a filtering policy through which external data will pass. This will help to catch malicious scripts before they can become a problem. This leads into creating a wider content security policy that can leverage a list of trusted sources that are able to access your web applications.
Threat intelligence program: Create a central hub that feeds all security-organization functions with knowledge and data on the highest-priority threats. Organizations rely heavily on automation to help scale a threat intelligence program by continuously feeding data into security devices and processes, without the need for human intervention.