Cyber threats: Definition and types

Cyber threats are a menace that impacts every type of organization. From the smallest companies to enterprise organizations and governments with massive cybersecurity teams, no organization is safe from them. The consequences of these attacks vary, ranging from data breaches that result in the compromise or theft of sensitive information to systems paralyzed with ransomware that encrypts critical information, making it unavailable.

What are cyber threats?

A cyber threat or cybersecurity threat is an attack that targets digital systems. Marked by malicious software and technology exploitations, cyber threats have varying agendas. In some cases, the objective is financial; in others, it is driven by ideology.

No matter the explicit motivation behind a cyber threat, digital systems are put in harm’s way, and data confidentiality, integrity, and availability (i.e., the CIA triad) are compromised. In the aftermath of a successful cyber threat campaign, organizations must contend with the implications of data security and data privacy breaches.

What is the Cybersecurity & Infrastructure Security Agency?

The Cybersecurity and Infrastructure Security Agency (CISA) is a group within the Department of Homeland Security (DHS) that is responsible for understanding, managing, and mitigating cyber and critical infrastructure security risks as well as ensuring resilience in the event of an incident. To support government and private-sector organizations, up-to-date information about high-impact security risks and analysis of emerging cyber threats is published regularly.

Among the resources that CISA makes publicly available are tools and educational material, including:

• Alerts and advisories
• Best practices and guidelines for securing networks
• Incident detection, response, and prevention
• Information sharing from partners across the world
• Malware, phishing, and ransomware information
• Updates on advanced persistent threats and nation-state cyber threat actors

Types of cyber threats

Advanced persistent threats (APTs)

Advanced persistent threats leverage advanced techniques to execute complex cyber attacks over long periods. Nation-state and organized cybercrime syndicates are usually behind APTs.

Corporate account takeover (CATO)

The CATO cyber threat targets businesses. Cybercriminals impersonate an authorized representative from a company and have financial institutions send unauthorized wire and ACH transactions.

Distributed denial-of-service (DDoS) attacks

DDoS attacks can disrupt or even completely shut down a network by flooding it with junk requests from botnets. This either slows traffic dramatically or prevents legitimate traffic requests from being fulfilled. There are several DDoS attack techniques, including:

• HTTP flood DDoS—junk Hypertext Transfer Protocol requests are used to overwhelm systems
• ICMP flood—a barrage of Internet Control Message Protocol Echo Request packets are sent, using up excessive inbound and outgoing bandwidth
• NTP amplification—large volumes of User Datagram Protocol (UDP) traffic are sent to targeted server Network Time Protocol (NTP) servers to overwhelm them
• SYN flood DDoS—exploits the synchronization (SYN) request and SYN-ACK sequence by sending a flood of SYN requests and not responding to SYN-ACK
• UDP flood DDoS—overwhelms remote host resources by sending a flood of UDP packets to random ports

Injection attacks

Injection attacks insert malicious code to compromise systems, services, and applications. Vectors used for injection attacks include:

• Code injection
• Cross-site scripting (XSS)
• Lightweight directory access protocol (LDAP) injection
• Operating system (OS) command injection
• Structured Query Language (SQL) injection
• Extensible Markup Language (XML) external entities (XXE) injection

Internet of things (IoT) vulnerabilities

IoT devices are notoriously vulnerable to and a regular target for cyber threats. The quantity and dispersion of IoT devices make it difficult to track their presence and nearly impossible to apply patches to known vulnerabilities.

Malware (malicious software) attacks

‍Malware is software that is designed to execute malicious programs on devices and networks, including exfiltrating data, corrupting files, taking control of systems, executing ransomware, and deploying worms and viruses. This is the most common type of cyber threat.

Cybercriminals use a variety of tactics to deploy malware, which are driven by the type. Examples of the many types of malware include:

• Adware tracks users’ browsing activity to collect data related to behavior patterns and interests. Unlike spyware, adware is not installed on user’s devices and is not always malicious. Cookies used by legitimate marketers are a form of adware, but users’ consent is granted before the information is collected so as not to compromise their privacy.
• Fileless malware edits native system files (e.g., Windows Management Instrumentation (WMI) and PowerShell) rather than installing software on an operating system. The edits change the native files, allowing them to infect the target system and execute malicious tasks. Fileless malware is difficult to detect because it is embedded in legitimate software.
• Keylogger malware is a type of spyware that records every keystroke that a user makes. It is used to capture sensitive information, such as login credentials and other personally identifiable information (PII).
• Ransomware is a type of malware that is spread through attachments or disguised as a legitimate link or app. Once it is activated, it spreads quickly and encrypts systems, making them unusable. A ransom message is then sent, demanding payment to decrypt the systems.
  
  Ransomware is considered to be the most dangerous type of cyber threat because of the potential scale of its impact. It is also very accessible. Ransomware attacks often leverage ransomware-as-a-service, which makes it accessible to cybercriminals who do not have the skills or resources to launch sophisticated cyber threats.
• Rootkits are collections of malicious software that are used to take over a device and deliver additional malware. They are usually deeply embedded, making them difficult to identify and remove.
• Spyware is used to gain unauthorized access to systems (e.g., browsers, applications, mobile devices, and workstations). It hides in the background, collecting sensitive information, such as passwords, account numbers, and other PII. The spyware gathers information from the connected host and exports it to the cyber attackers.
• Trojans are embedded in applications and attachments and appear to be a legitimate program. When it is downloaded, the Trojan is able to gain control of the system, creating backdoors, accessing information, or facilitating attacks. Unlike worms or viruses, Trojans cannot replicate.
• Viruses are bits of code that inject themselves into an application and execute a malicious task when the application runs. This type of cyber threat spreads quickly as it attaches itself to legitimate files and spreads through networks, performing malicious tasks when executed.
• Wipers are a type of malware that deletes or destroys access to data. This type of threat is usually used by nation-state threat actors, malicious insiders, or hacktivists who want to reap destruction and disruption in an organization.
• Worms are cyber threats that exploit software vulnerabilities and backdoors to gain access to an operating system. Worms can infect entire networks of devices and use them as launch pads for attacks, such as distributed denial of service (DDoS).

Man-in-the-middle attacks (MitMs)

With a MitM attack, communications between two points (e.g., a user and an application) are intercepted. The attacker eavesdrops on the communication, skimming sensitive information or, in some cases, altering the communication.

Examples of MitM attacks that use various approaches to trick users into scams that lead them to divulge sensitive or transfer money to the attacker include:

• DNS spoofing—attackers use spoofed domain name servers to direct users to disguised malicious sites
• Email hijacking—attackers spoof email addresses and use them to send messages that appear to come from legitimate senders
• HTTPS spoofing—attackers use the Hypertext Transfer Protocol Secure (HTTPS) prefix in a malicious URL to make it appear to be safe
• IP spoofing—attackers spoof internet protocol addresses to trick users into going to a malicious site
• Wi-Fi eavesdropping—attackers set up a fraudulent Wi-Fi connection and use it to monitor connected users and intercept transmissions

Social engineering attacks

Social engineering is a highly effective cyber threat, because it targets people who make mistakes that machines do not. This attack vector bypasses technical security controls by exploiting unwitting users and tricking them into granting access or information.

Examples of social engineering attacks include:

• Baiting has the attacker luring a user into a social engineering trap, usually with a promise of something attractive, such as a free gift or a cash prize.
• Pretexting is similar to baiting, but the attacker pressures the target into giving up information under false pretenses, such as by pretending to be an authority figure (e.g., an IRS agent or police officer) to compel the target to fall for the scam.
• Phishing is a type of cyber threat that uses email as an attack vector. There are several varieties of phishing, but in all cases, the emails include malicious links or attachments.
  
  Phishing attacks are not targeted, and emails are sent to large lists. Spear phishing is a more sophisticated type of phishing in which messages are sent from spoofed emails to make the recipients think it is from a trusted source, and it often has a customized message. Whale phishing emails target high-value individuals, such as CEOs.
• Piggybacking, also referred to as tailgating, is a physical facility cyber threat. With piggybacking, an unauthorized person creates a pretext to follow an authorized user into a restricted building, room, or area.
  
  Examples of tricks used for piggybacking are pretending to be a new employee without a badge or carrying a load of boxes and not having free hands to open a door or swipe a badge.
• Smishing (SMS phishing) is the same as phishing, except that cyber attackers use text messages instead of emails.
• Vishing (voice phishing) is the same as phishing, except that cyber attackers use phone calls or voice messages instead of emails.

Supply chain attacks

Supply chain attacks are usually used as a stepping stone to gain access to bigger organizations. Cybercriminals study third-party vendors in the supply chain of the target organization.

In some cases, the objective is to find an organization that has relatively weak security and could be compromised to gain access to the target.

Technology vendors in a supply chain are often targeted with the objective of infiltrating the software or firmware to embed malicious code (e.g., viruses or backdoors) that can be launched once it is installed at the primary target.

Sources of cyber threats

Cyber threat actors can be individuals or groups. Their motivations vary, but all threat actors exploit weaknesses to gain unauthorized access to systems, data, applications, and networks. Objectives range from fairly benign (e.g., siphoning processing power or embarrassing an organization) to very serious (e.g., exfiltration of sensitive information or extortion using ransomware).

Cyber threat actors also vary in sophistication, with those at the lower levels using simple, known attack techniques to highly organized groups (e.g., crime syndicates or nation-state cyber teams) that use zero-day attacks. Following are several of the common types of cyber threat actors.

Corporate spies and organized cybercrime syndicates

‍While their specific motivations are different, corporate spies and organized cybercrime syndicates are both highly sophisticated cyber threat actors and a serious risk to the organizations that they target. Both have access to the technology and resources necessary to carry out large-scale, coordinated attacks that can compromise even the most robust security systems.

Corporate spies tend to seek to steal trade secrets or other proprietary information (e.g., sales and customer data or product launch plans). They tend to focus on a single organization or small group.

Organized cybercrime syndicates generally focus on thefts that yield a profit, such as stealing sensitive information that can be used by the group or sold, as well as stealing money or executing a ransomware attack to extort money. Cyber threats presented by organized cybercrime syndicates are usually far-reaching, targeting many organizations with malware and social engineering attacks.

Nation-states

Nation-state cyber threat actors are hostile countries that launch cyber attacks against other governments’ institutions and organizations for a variety of reasons related to advancing their geopolitical agendas. These attacks have a number of objectives, including stealing money or sensitive information, creating disruptions and disorder, interrupting communications, and inflicting damage.

Like corporate spies and organized cybercrime organizations, nation-state threat actors are highly sophisticated and capable of carrying out large-scale attacks. They are considered to pose the most significant risks because they usually deploy the most sophisticated cyber attacks and have the resources to plan and execute attacks that can last for years.

These groups have dedicated resources and staff to run their programs and often engage state-sponsored cyber threat actors to run or support them. Nation-state threat actors are credited with many advanced persistent threats and creating legions of botnets (i.e., groups of computers infected with malware that are used to support attacks).

Terrorist organizations

Terrorists are particularly frightening cyber threat actors because their objectives can be so devastating. Sometimes, terrorist threat actors simply want to steal money or sensitive information to sell.

However, they also execute cyber attacks with the explicit intent to cause catastrophic harm, such as causing bodily harm to their targets, creating economic disruption, destroying critical infrastructure, spreading disinformation, or threatening national security. The sophistication of terrorist cyber threat actors varies widely, but their intent is always malevolent.

Hackers

Individuals who pose cyber threats fall under the category of hackers. They target organizations using a variety of attack techniques that are usually not very sophisticated, but can be effective, especially when they are a malicious insider.

Hackers tend to use existing cyber threat vectors to perpetrate their crimes. The motivations of hackers span the gamut of malicious drivers, including personal status improvement, revenge, and financial gain.

Malicious insiders

Malicious insiders pose a particularly menacing cyber threat because of their knowledge of an organization. Depending on their role, a cyber threat from a malicious insider can be devastating (e.g., if an information security administrator became a malicious insider).

The motivations of a malicious insider range from revenge to financial gain. Often, malicious insiders are disgruntled or have been compromised by an organized cybercrime syndicate.

Hacktivists

Hacktivists work individually as hackers and also in groups. Their cyber threats are directed at advancing ideologically motivated objectives.

Like hackers, hacktivists’ tactics are usually not very sophisticated, but can be effective, and they usually leverage existing attack vectors. Hacktivist cyber threats generally target organizations or governments with the objective of making a statement, damaging reputations, or disrupting services.

Natural disasters

‍Mother Nature presents a cyber threat that must be given serious attention. Natural disasters such as storms or earthquakes can cause significant disruptions to IT infrastructure.

Accidental insiders

Despite the fact that they do not intend to harm, an accidental insider can cause damage. These are authorized users who accidentally expose sensitive information or fall for a social engineering scam that grants threat actors access to networks or other systems.

Mistakes

Errors are another form of accidental threats. These can be anything from open ports to misconfigurations.

Mitigate cyber threats with a holistic approach

Cyber threats typically target organizations with multiple vectors, looking for the fastest, easiest point of access. To effectively mitigate the risks, cybersecurity programs need to utilize a holistic approach that includes all users.

Robust security systems and threat prevention frameworks should be complemented with extensive, regular security awareness training. Cybersecurity must be an organization-wide initiative in which all users understand how they can be targeted by cyber threats and how to defend against them (e.g., social engineering attacks and attempts to gain unauthorized physical access to facilities).