A cyber attack is any unauthorized access of computer systems, digital devices, or networks that explicitly intends to alter, block, control, delete, destroy, disable, disrupt, expose, manipulate, or steal data, applications, or other digital assets. There are many motives for a cyber attack and even more types of cyber attacks. The commonality is that cyber attacks have existed nearly as long as digital systems, and as the use of these systems has grown, so has the volume, velocity, and sophistication of cyber attacks.
Why cyber attacks happen
Cyber attacks are designed to cause damage, but the objectives vary based on the target organization and the perpetrator. Among the most common motivations for a cyber attack are:
- Corporate espionage
- Cyberwarfare or cyber espionage against another nation-state
- Financial gain
- Hacktivism, which can be motivated by politics, a cause, or to make a point
- Recognition and achievement (i.e., to show off)
- Retribution by an insider related to a grievance
Who commits cyber attacks?
Representatives from these categories carry out most cyber attacks:
- Criminal organizations
- Government-sponsored groups
- Individuals acting alone
- Malicious insiders
Who is targeted in cyber attacks?
A cyber attack almost always has a specific goal. A cyber attack is often launched to acquire something of value to the perpetrator, such as:
- Financial data
- Client lists
- Customer data (e.g., personally identifiable information (PII), and other sensitive data)
- Disruption (e.g., to create a distraction while committing another crime, retribution)
- Email addresses
- Intellectual property (e.g., trade secrets or product designs)
- Login credentials
- Money
Based on the objective of the cyber attack, the perpetrator selects a target. Once a target organization is selected, the attack is directed at individuals.
Perpetrators of cyber attacks seek out individuals who are deemed easy to compromise, such as those with easily discovered identities (for example, individuals with contact details publicly available, e.g., on blog posts, corporate websites, or social media platforms).
It is worth noting that people who are attacked are often not an organization’s leaders (e.g., C-level executives or directors), but rather those with access to leaders, such as a senior executive’s assistant.
The organizations most commonly targeted with a cyber attack fall into a variety of industry sectors, including:
- Critical infrastructure
- Education
- Energy and utility companies
- Financial institutions
- Government and military agencies
- Healthcare and medical organizations
How are organizations affected by cyber attacks?
Although the short-term impacts of a cyber attack on an organization can be significant, the long-term impact can be even worse. If successful, cyber attacks can inflict major damage to an organization in many areas, including the following.
Disruption of operations
Disrupted operations due to a cyber attack cause downtime and delayed service that can have serious ripple effects across an organization—impacting productivity, causing financial losses, and, in some cases, putting lives at risk.
Financial loss
Financial losses for organizations in the event of a cyber attack can include:
- Theft of sensitive financial information
- Execution of fraudulent transactions
- Demand for ransom payments to unlock encrypted data as well as related fines and legal expenses
- Expenditure of time and money to investigate and mitigate a cyber attack
Loss of intellectual property
Cyber attacks commonly target intellectual property (IP), such as proprietary information, research, data, and trade secrets. Not only can this compromise an organization’s competitive advantage and market position, but it can cause impacts ranging from wasted project investments to lost revenue opportunities.
Legal and regulatory compliance consequences
Organizations are at risk of serious legal and regulatory consequences as a result of a cyber attack. If a cyber attack is deemed to be the result of security failure, an organization can find itself in violation of data protection and privacy laws, industry regulations, and contractual obligations. Each of these can bring fines, legal liabilities, and lawsuits.
National security risks
National security can be at risk when a cyber attack targets a government agency. For instance, a cyber attack could expose sensitive information, disrupt essential services, or compromise national defense capabilities if critical infrastructure, government systems, or military operations are breached.
Reputational damage
A cyber attack, especially a data breach, often results in significant reputational damage to governments and organizations, such as:
- Lack of trust among customers, partners, and the public
- Loss of customers, partners, and business opportunities
- Negative publicity and damage to brand reputation
Types of cyber attacks
Cyber attacks are classified into several categories. The first is an active cyber attack versus a passive cyber attack.
An active cyber attack seeks to impact a system’s Confidentiality, Integrity, or Availability (i.e., the CIA triad model that forms the basis for cybersecurity systems). A passive cyber attack does not impact systems, but focuses on accessing data.
Another way that a cyber attack can be classified is as syntactic or semantic. A syntactic cyber attack refers to malicious software that infects a computer through various channels. Malicious software can block access to files, destroy data, disrupt system operations, render systems inoperable, or steal information.
A semantic cyber attack takes a more subtle approach, manipulating the behavior of the target. Malicious software can be used, but there is less focus on the software. The emphasis is on tricking a target into taking a desired action to facilitate the attack. For example, phishing and ransomware combine a syntactic cyber attack with a semantic cyber attack approach.
Examples of syntactic cyber attack vectors
Cross-site scripting
A cross-site scripting or XSS cyber attack adds malicious code to a legitimate web page or application. When a user visits the compromised site or application, the malicious code automatically runs in the user’s web browser. Cross-site scripting is usually used to steal sensitive information entered into the legitimate site’s forms or redirect the visitor to a spoofed, malicious website.
Denial-of-service
A distributed denial-of-service (DDoS) attack is an approach that floods a target’s server with an overwhelming number of simultaneous data requests. This bogus traffic is often generated by botnets, which are a network of compromised devices (e.g., Internet of Things (IoT) devices, mobile devices, and laptops) that have been infected with malware.
This malware gives a cybercriminal access to the computer power needed to launch a DDoS cyber attack. The volume and velocity of traffic make it impossible for the servers to process legitimate requests, which disrupts normal operations. Often, a DDos attack is used to distract security teams from another attack vector.
Domain name system spoofing
DNS spoofing or DNS poisoning surreptitiously changes DNS records, replacing a legitimate website’s IP (internet protocol) address with one that redirects them to a malicious version of that site. From the malicious site, cybercriminals steal data or spread malware.
DNS tunneling
DNS tunneling is a sophisticated syntactic cyber attack. Cybercriminals establish persistent system access (i.e., a tunnel) to targets’ systems, providing a point of entry that bypasses firewalls and other security measures.
Then, malicious traffic is delivered in packets through the DNS tunnel. DNS tunneling is also used as a point for secretly extracting data or creating connections between malware and a command-and-control server.
Drive-by
Cybercriminals often infect legitimate websites with malware. When a user visits an infected site, the user’s system is also infected.
Fileless
A fileless cyber attack exploits vulnerabilities in legitimate software to insert malicious code into a system’s memory. Fileless cyber attacks usually change system configurations or steal passwords.
Trojans
These are named after the Trojan horse used by the Greeks in the Trojan War. In terms of a cyber attack, a Trojan looks benign, but carries a malicious payload.
Trojans are used for a number of types of cyber attacks; they are disguised as applications or embedded into legitimate software to trick users into installing them.
Remote access trojans
A remote access trojan or RAT creates a secret backdoor on the target’s system and then uses it to gain access to an unsuspecting system and a Trojan. The cyber attack is executed by the Trojan that installs additional malware.
Spyware
Spyware is delivered to a system using another type of malicious software (e.g., worm, virus, or Trojan). A spyware cyber attack mostly happens in the background, with systems’ users unaware of its presence. Spyware secretly collects data (e.g., credit card numbers, usernames, and passwords) from systems and sends this information back to the cybercriminal that launched the attack.
SQL injection
An SQL (structured query language) injection is an attempt to take control of and usually exfiltrate information. The malicious code is injected into a website’s or application’s backend database.
Once the code is in place, cybercriminals can exploit vulnerabilities in data-driven applications. For instance, they can input the commands through user-facing fields like search bars and login windows, which are passed to the database, which sends back the desired sensitive information (e.g., credit card numbers or customers’ personal data).
Viruses
A virus is a type of malicious software that is self-replicating and can attach itself to another file or program to propagate itself. A commonly used cyber attack vector, viruses are often found in file downloads and email attachments. Once a download is initiated, the virus is activated and replicates, spreading to other users and systems.
Worms
Worms are considered the most frequently used malicious software for syntactic cyber attacks. They are self-replicating and can quickly spread across applications and devices.
Like viruses, worms are commonly delivered through file downloads and attachments. Unlike viruses, worms are self-running and do not rely on another file to propagate themselves. A fairly sophisticated type of malicious software, worms can gather and transmit data to a specified location using the network that they have compromised.
Examples of semantic cyber attack vectors and approaches
Credential-based
A credential-based cyber attack is when cybercriminals steal credentials to access and manage systems to take sensitive data or disrupt an organization’s operations. One type of credential-based cyber attack is credential stuffing, which occurs when cybercriminals use stolen credentials to access other systems. Another type of credential-based attack is a brute-force attack, where attackers use trial and error to attempt to guess access credentials (e.g., user names, passwords, and encryption keys).
Man-in-the-middle
With a man-in-the-middle attack, cybercriminals gain system access by intercepting communications between two people or between a user and a server. Once access has been established, the cybercriminal can steal data, spread malware, or move to other systems.
Phishing
Phishing is a type of social engineering in which email messages are crafted to trick recipients into opening them, clicking malicious links, going to a compromised or spoofed website, downloading and opening an attachment, or sharing sensitive information. One of the most pervasive semantic cyber attack vectors, phishing continues to be an effective tool for cybercriminals.
SMiShing
SMiShing, also called SMS phishing, takes the concept of phishing and applies it to text messaging. Just as with phishing, targets receive messages written to trick them into clicking a malicious link or opening an infected file.
Ransomware
One of the most feared semantic cyber attacks is ransomware. A combination of malware and human interaction, ransomware usually encrypts files and folders on local drives, attached drives, and networked computers.
Cybercriminals then offer the target an option to pay a ransom to regain their data. In some cases, the threat is that the files will remain encrypted and inaccessible. In other cases, the threat is that sensitive information will be publicly exposed.
Scareware
Another type of social engineering, scareware uses fake messages to frighten targets into performing a desired action, such as going to a spoofed site, downloading malicious software, or revealing sensitive information. For instance, a cybercriminal will send a message that appears to come from law enforcement and claims that the recipient must do something to avoid serious, albeit fake, consequences.
Supply chain
A supply chain cyber attack is aimed at third parties with connections to a target organization. Often these third parties have less robust security than the target organization, making them easier to compromise. Cybercriminals exploit these vulnerabilities as entry points to launch their attack on the target.
Detecting cyber attacks
A cyber attack attempt is impossible to prevent, but being aware of the indications can help stop cybercriminals from being successful. Tools and approaches that experts recommend to detect a cyber attack include:
- Antivirus and antimalware software
- Cyber threat intelligence
- Cybersecurity analytics
- Endpoint threat detection
- Flagging usual emails
- Intruder traps or honeypots
- Network threat detection
- Noting unusual login activity
- Penetration testing
- Proactive threat hunting
- Reporting a slower-than-normal network
- Security event detection technology
- Security information and event management (SIEM) systems enriched with threat intelligence data
- Threat detection tools
- User and entity behavior analytics (UEBA)
Responding to cyber attacks
Rapid response is the most effective way to minimize damage and disruption in the event of a cyber attack. The following eight steps are recommended as a basic cyber attack response plan framework.
- Prepare
Have a plan for handling the types of cyber attacks that could hit the organization. - Detect and analyze
Use tools to enable early detection of suspicious activity that could be a sign of a cyber attack. In the event that an attack has already started, analyze the available information, analyzing computer and network logs to identify the source and scope of the attack. - Contain the attack
Containment is critical as malware can spread quickly across systems and networks. - Eradicate the malicious software and close the breach points
Once the attack vector has been identified and contained, it should be neutralized and destroyed. Gaps should be closed and related vulnerabilities eliminated. - Assess the scope of damage
The assessment phase can provide valuable information for the security team to use to identify any outstanding vulnerabilities. This is also important as the types of data and systems that are compromised can determine what follow-up disclosures are required to adhere to legal and compliance requirements. - Consulting the organization’s legal and compliance teams
It is important to clearly and thoroughly understand the disclosure requirements for a cyber attack. Depending on the scope, scale, and content related to the cyber attack, requirements can differ, and some are mandated. - Alert affected parties
Once impacted parties that require notification have been identified, they must be contacted in a timely manner. Having drafts of these communications ready in advance of an incident helps ensure a smooth notification process and can help control the message to minimize reputational damage. - Recover and restore
As quickly as possible, normal operations should be restored, and any lost or damaged data recovered from backups.
Preventing cyber attacks
While cyber attacks are pervasive and often effective, there are many methods that make launching them more difficult. Commonly deployed cyber attack prevention solutions and tactics include:
- Back up data consistently.
- Conduct regular penetration testing.
- Keep systems and applications updated with the latest patches and versions.
- Closely manage and monitor user identities.
- Learn from past cyber attack attempts.
- Provide security awareness training.
- Require multi-factor authentication and strong passwords.
- Restrict access to systems and data, adopting a zero trust approach.
- Review and test cyber attack incident response plans regularly.
- Use proven solutions, such as:
- Antivirus and antimalware
- Attack surface management (ASM)
- Extended detection and response (XDR)
- Firewalls
- Identity and access management (IAM)
- Security orchestration, automation, and response (SOAR)
- Unified endpoint management (UEM)
Mitigating cyber attack risk
This review of cyber attacks is a start to understanding them. Take time to conduct a thorough analysis and assess what your organization does to defend against a cyber attack attempt, as well as evaluate the response processes that are in place. While prevention is ideal, cybercriminals are sophisticated and cunning and continue to find ways around even the best defenses, so it’s critical to be ready to detect and contain an attack to minimize damage.
