Olivier Le Moal - stock.adobe.co
Cybercrime is a clear and present risk to governments, businesses and individuals; according to the World Economic Forum Global Risks Report 2020, cyber attacks rank first among global human-caused risks.
The motivation behind cyber attacks has become more varied over the past few years, with disinformation and disruption joining the regular drivers of data theft, extortion and vandalism, and the challenges they present have many security teams on the back foot.
Cyber attacks hit organizations every day: Just in the network activity of its own customers, CrowdStrike detected around 41,000 potential attacks between January and June this year compared with 35,000 for all of last year, while IT Governance reported 586,771,602 leaked records in November 2020 alone.
RiskIQ predicted that, by 2021, cybercrime will cost the world $11.4 million every minute. These costs are both tangible and intangible, including not only direct loss of assets, revenue and productivity, but also loss of business confidence, trust and reputational damage.
Cybercrime is built around the efficient exploitation of vulnerabilities, and security teams are always at a disadvantage because they must defend all possible entry points, while an attacker only needs to find and exploit one weakness or vulnerability. This asymmetry highly favors any attacker, with the result that even large enterprises struggle to prevent cybercriminals from monetizing access to their networks -- networks that typically must maintain open access and connectivity while trying to protect enterprise resources.
Not only large organizations are at risk of cyber attack; cybercriminals will use any internet-connected device as a weapon, a target or both, and SMBs tend to deploy less sophisticated cybersecurity measures.
So, which are the most damaging cyber attacks, and how do they work? Here are the six most damaging types of cyber attacks.
Malware, or malicious software, is an umbrella term used to refer to a hostile or intrusive program or file that is designed to exploit devices at the expense of the user and to the benefit of the attacker. There are various types of malware, but they all use evasion and obfuscation techniques designed to not only fool users, but also evade security controls so they can install themselves on a system or device surreptitiously without permission. Here are some of the most common types of malware:
Ransomware. Currently, the most feared form of malware is ransomware -- a program designed to encrypt a victim's files and then demand a ransom in order to receive the decryption key. There have been several noticeable ransomware attacks in 2020. The Clop ransomware has been implicated in major breaches of biopharmaceutical firm ExecuPharm, Indian business group Indiabulls, the U.K.'s EV Cargo Logistics and Germany's Software AG, where the ransom was allegedly $20 million to be paid in bitcoins. If the ransom is not paid, the hackers usually post stolen data online. At the time of writing, the PLEASE_READ_ME ransomware had breached at least 85,000 servers worldwide and had put up for sale at least 250,000 stolen databases.
Trojans. A Trojan horse is a program downloaded and installed on a computer that appears harmless but is, in fact, malicious. Typically, this malware is hidden in an innocent-looking email attachment or free download. When the user clicks on the email attachment or downloads the free program, the hidden malware is transferred to the user's computing device. Once inside, the malicious code executes whatever task the attacker designed it to perform. Often, this is to launch an immediate attack, but they can also create a backdoor for the hacker to use in future attacks.
Spyware. Once installed, spyware monitors the victim's internet activity, tracks login credentials and spies on sensitive information -- all without the user's consent or knowledge. The primary goal is usually to obtain credit card numbers, banking information and passwords, which are sent back to the attacker. Recent victims include Google Play users in South and Southeast Asia, but spyware is also used by government agencies: Human rights activists and journalists in India and Uzbekistan and Pakistani government officials were all targeted in 2020.
A distributed denial-of-service (DDoS) attack is an attack in which multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource. The flood of incoming messages, connection requests or malformed packets to the target system forces it to slow down or even crash and shut down, thereby denying service to legitimate users or systems.
Some 4.8 million DDoS attacks took place in the first half of 2020, a 15% increase over 2019, with the month of May's 929,000 DDoS attacks marking the largest number of attacks ever seen in a month. Attackers are also harnessing the power of AI to understand what kinds of attack techniques work best and to direct their botnets -- slave machines used to perform DDoS attacks -- accordingly. Worryingly, AI is being used to enhance all forms of cyber attack.
A phishing attack is a form of fraud in which an attacker masquerades as a reputable entity, such as a bank, tax department, or person in email or in other forms of communication, to distribute malicious links or attachments to trick an unsuspecting victim into handing over valuable information, such as passwords, credit card details, intellectual property and so on. It is easy to launch a phishing campaign, and they are surprisingly effective.
Spear phishing attacks are directed at specific individuals or companies, while whaling attacks are a type of spear phishing attack that specifically targets senior executives within an organization. One type of whaling attack is the business email compromise (BEC), where the attacker targets specific employees who have the ability to authorize financial transactions in order to trick them into transferring money into an account controlled by the attacker. A 2019 FBI cybercrime report indicated that losses from BEC attacks were approximately $1.7 billion.
4. SQL injection attacks
Any website that is database-driven -- and that is the majority of websites -- is susceptible to SQL injection attacks. An SQL query is a request for some action to be performed on a database, and a carefully constructed malicious request can create, modify or delete the data stored in the database, as well as read and extract data such as intellectual property, personal information of customers, administrative credentials or private business details. A SQL injection attack this year was used to steal the emails and password hashes of 8.3 million Freepik and Flaticon users.
XSS enables an attacker to steal session cookies, allowing the attacker to pretend to be the user, but it can also be used to spread malware, deface websites, create havoc on social networks, phish for credentials and -- in conjunction with social engineering techniques -- perpetrate more damaging attacks. XSS has been a constant attack vector used by hackers and tops the 2020 list of the 25 most dangerous software weaknesses compiled by Common Weakness Enumeration.
A botnet comprises a collection of internet-connected computers and devices that are infected and controlled remotely by cybercriminals. They are often used to send email spam, engage in click fraud campaigns, and generate malicious traffic for DDoS attacks. The objective for creating a botnet is to infect as many connected devices as possible and to use the computing power and resources of those devices to automate and magnify the malicious activities. IoT botnet threats were one of the fastest growing categories of threats in the first half of 2020, according to a report by Nozomi Networks Labs.
While these cyber attacks continue to plague and damage organizations of all sizes, there are plenty of others that security teams need to defend against, such as man-in-the-middle and eavesdropping attacks, where an attacker intercepts the communication between two parties in an attempt to steal or alter it.
As most email and chat systems now use end-to-end encryption and employees use a VPN to access company networks, these attacks are becoming less effective. However, security teams need to ensure DNS traffic is monitored for malicious activity to prevent DNS tunneling attacks, where hackers "tunnel" malware into DNS queries to create a persistent communication channel that most firewalls are unable to detect.
Links to the cybersecurity research reports cited in this article
- World Economic Forum: The Global Risks Report 2020
- CrowdStrike: 2020 Threat Hunting Report: Insights from the CrowdStrike OverWatch Team
- RiskIQ: The Evil Internet Minute 2020
- Common Weakness Enumeration: 2020 CWE Top 25 Most Dangerous Software Weaknesses
- Nozomi Networks Labs: What IT Needs to Know about OT/IoT Security Threats in 2020
How to prevent common types of cyber attacks
The more people and devices a network connects, the greater the value of the network, which makes it harder to raise the cost of an attack to the point where hackers will give up. Metcalfe's Law asserts that the value of a network is proportional to the square of its connected users. So, security teams have to accept that their networks will be under constant attack, but by understanding how different types of cyber attacks work, mitigating controls and strategies can be put in place to minimize the damage they can do. Here are the main points to keep in mind:
- Hackers, of course, first need to gain a foothold in a network before they can achieve whatever objectives they have, so they need to find and exploit one or more vulnerabilities or weaknesses in their victim's IT infrastructure.
- Vulnerabilities are either human- or technology-based, and according to data from the U.K. Information Commissioner's Office, human error was the cause of approximately 90% of data breaches in 2019, with phishing as the primary cause.
- Errors can be either unintentional actions or lack of action, from downloading a malware-infected attachment to failing to use a strong password. This makes security awareness training a top priority in the fight against cyber attacks, and as attack techniques are constantly evolving, training needs to be constantly updated as well to ensure users are alerted to the latest types of attack. A cyber attack simulation campaign can assess the level of cyber awareness among employees with additional training where there are obvious shortcomings.
- While security-conscious users can reduce the success rate of most cyber attacks, a defense-in-depth strategy is also essential. These should be tested regularly via vulnerability assessments and penetration tests to check for exploitable security vulnerabilities.
- Finally, to deal with zero-day exploits, where cybercriminals discover and exploit a previously unknown vulnerability before a fix becomes available, enterprises need to consider adding content disarm and reconstruction to their threat prevention controls as it assumes all content is malicious so it doesn't need to try to detect constantly evolving malware functionality.
Security strategies and budgets need to build in the ability to adapt and deploy new security controls if the connected world is going to survive the never-ending battle against cyber attacks.