Types of Cybersecurity Attacks

Learn about specific types of attacks and threats.


What is a Cyberattack? 

A cyberattack – also known as a cybersecurity attack – is any form of malicious activity targeting IT systems and/or the attackers or threat actors using them to gain unauthorized access to systems and data they contain. 

Criminals typically are looking to exploit an attack for financial gain, but in other cases the aim is to disrupt operations by disabling access to IT systems. Threat actors can be anyone from a single person attempting to obtain stolen credentials and hold them for ransom to a state-sponsored contingent looking to disrupt operations on foreign soil.

Whatever the motivations, most IT networks – and the people that maintain them – will experience some type of attack over the course of their lives and must be prepared.

Cybersecurity Threat Categories

Before diving into specific types of cyberattacks, let's first discuss some of the motivations behind why threat actors would look to wreak havoc on a security organization.


This category includes efforts by threat actors to profit from malicious attacks, and can be subcategorized into actions like direct financial theft, use of stolen credit card information, dark-web marketplaces for information obtained via data breach, or even hijacking computing resources for activities like crypto-jacking to mine cryptocurrencies.


This category includes attempts to disrupt the operations of organizations by attacking their IT and operational technology (OT) infrastructure to damage it, temporarily shut it down, or hold it for ransom. 


This category includes cyberattacks backed by state agencies that are part of broader intelligence and/or military activities. This can cover actions like spying on a foreign government to steal confidential data to further strategic or financial advantages.

Unintentional Threats

According to the Cybersecurity & Infrastructure Security Agency (CISA), this category includes: 

  • "Negligence – An insider of this type exposes an organization to a threat through carelessness. Negligent insiders are generally familiar with security and/or IT policies but choose to ignore them, creating risk for the organization. Examples include allowing someone to “piggyback” through a secure entrance point, misplacing or losing a portable storage device containing sensitive information, and ignoring messages to install new updates and security patches.
  • Accidental – An insider of this type mistakenly causes an unintended risk to an organization. Examples include mistyping an email address and accidentally sending a sensitive business document to a competitor, unknowingly or inadvertently clicking on a hyperlink, opening an attachment in a phishing email that contains a virus, or improperly disposing of sensitive documents.”

Often there is considerable overlap between these top-level categories. For example, state-based operatives frequently hand over newly obtained documents or discovered vulnerabilities to cybercriminals to use in malware, ransomware, and other cyberattacks.

Common Types of Cyberattacks

When a criminal is trying to hack an organization, they won't try something novel unless absolutely necessary. They draw upon common hacking techniques that are known to be highly effective, such as malware or phishing.

Whether you're trying to make sense of the latest data-breach headline in the news or analyzing an incident in your own organization, it helps to understand different cyberattack vectors. 


Malware refers to various forms of harmful software, such as viruses and ransomware. Once it is in your computer, it can wreak all sorts of havoc, from taking control of your machine, to monitoring your actions and keystrokes, to silently sending all sorts of confidential data from your computer or network to the attacker's home base. 

Attackers will use a variety of methods to get malware into your computer, but at some stage it often requires the user to take an action to install the malware. This can include clicking a link to download a file, or opening an email attachment that may look harmless (like a document or PDF), but actually contains a hidden malware installer.


Ransomware is a form of malware that encrypts data on infected IT systems. It demands a ransom in exchange for a code that will – hopefully – decrypt the infected system. The ransom payment usually goes to an anonymous address using Bitcoin.


Adware is a type of malware that displays unwanted ads on end-user devices to generate revenue from advertisers. It often will be installed on user devices after tricking people into clicking a link. Adware then displays the ads and simulates user clicks to defraud advertisers into thinking that legitimate users are interacting with their ads. They then pay the cybercriminals for these clicks.


Crypto-jacking is a type of malware that uses the resources of the infected IT systems to “mine” for cryptocurrencies. This steals the attacked system's computing resources by running at a high load to generate income for the remote attackers. They’ll then make money from the sale of the cryptocurrencies generated on the infected system.


In a phishing attack, an attacker may send you an email that appears to be from someone you trust, like your boss or a company you do business with. The email will seem legitimate, and it will have some urgency to it (e.g. fraudulent activity has been detected on your account). In the email, there may be an attachment to open or a link to click. 

Upon opening the malicious attachment, you'll unknowingly install malware in your computer. If you click the link, it may send you to a legitimate-looking website that asks you to log in to access an important file – except the website is actually a trap used to capture your credentials.

Spear Phishing

Spear phishing is a highly targeted variant of phishing that uses a fake email or message from a supposedly important individual to trick a person within the same organization or a partner organization. Spear phishing attempts hope to use the extra authenticity – albeit imposter authenticity – of the sender to trick people into providing information they shouldn't. 

SQL Injection Attack 

A structured query language (SQL) injection attack specifically targets servers storing critical website and service data. It uses malicious code to get the server to divulge information it normally wouldn’t. SQL is a programming language used to communicate with databases, and can be used to store private customer information such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information (PII) – all tempting and lucrative targets for an attacker.

Cross-Site Scripting (XSS) 

Cross-site scripting (XSS) attacks also involve injecting malicious code into a website, but in this case the website itself is not being attacked. Instead, the malicious code only runs in the user's browser when they visit the attacked website, where it directly targets the visitor. 

One of the most common ways an attacker can deploy an XSS attack is by injecting malicious code into a comment or a script that could automatically run.


Botnets are widespread groups of devices that have been compromised and hijacked by cybercriminals. The threat actors use them to target IT systems with distributed DoS attacks or other attack types.

Denial-of-Service (DoS) 

Denial-of-service (DoS) attacks flood a website with more traffic than it’s built to handle, thereby overloading the site’s server and making it near-impossible to serve content to visitors. It’s possible for a denial-of-service to occur for non-malicious reasons. For example, if a massive news story breaks and a news organization’s site is overloaded with traffic from people trying to learn more about the story.

Man In The Middle Attack

A man in the middle (MITM) attack occurs when cybercriminals intercept and alter network traffic flowing between IT systems. The MITM attack impersonates both senders and receivers on the network. It aims to trick both into sending unencrypted data that the attacker intercepts and can use for further attacks or financial gain.

Session Hijacking 

Session hijacking occurs when an attacker hijacks a session by capturing the unique – and private – session ID and poses as the computer making a request, allowing them to log in as an unsuspecting user and gain access to unauthorized information on the web server. If everything goes as it should during any internet session, web servers should respond to your various requests by giving you the information you're attempting to access.

Credential Reuse

Credential reuse occurs when someone uses the same credentials on multiple websites. It can make life easier in the moment, but can come back to haunt that user later on. Even though security best practices universally recommend unique passwords for all applications and websites, many people still reuse their passwords. This is a fact attackers will readily exploit, thereby turning those reused passwords into compromised credentials.

Insider Threats

Not all cyber threats originate from external sources. Data and other sensitive information like login credentials can leak from inside organizations. This can occur via malicious staff activity or – more frequently – due to an unintended action. An example of such a mistake could be sending an email containing an unencrypted attachment to the wrong recipient. 

How to Prevent Cyberattacks

We could cover thousands of tactics and tips for preventing cyberattacks at scale, but let's zoom in and take a look at some key examples: 

Phishing Awareness Training

Educate employees on why phishing is harmful and empower them to detect and report phishing attempts. This type of training includes emailing simulated phishing campaigns to employees, monitoring results, reinforcing training, and improving on simulation results. Ongoing security awareness training for staff is also vital, so they know how to spot the most recent versions of suspicious emails, messages, or websites.

Encrypt Data

All data at rest on servers or devices and in transit over the network should be encrypted. If an attacker does get access to data or intercepts it, strong encryption should render it unreadable. 

Compromised Credentials Detection

Leverage user and entity behavior analytics (UBA) to create a baseline for normal activity on your network. Then, monitor how administrator and service accounts are being used, which users are inappropriately sharing credentials, and whether an attacker is already expanding from initial network compromise to move around and infiltrate other systems.

Use Multi-Factor Authentication

Implementing multi-factor authentication (MFA) for all systems is a crucial best practice. Requiring an additional piece of information in combination with a username and password protects systems if login details are exposed to cybercriminals. Additional tokens, specific device requirements, and biometrics are all examples of MFA that can be leveraged when logging into IT systems.

Ransomware Prevention

Create a three-point plan to prevent ransomware attacks. This includes minimizing an attack surface, mitigating potential impact once exposure has been detected, and debriefing to pinpoint existing plan gaps. From there, teams can rebuild systems, quarantine endpoints, change credentials, and lock compromised accounts.

Use Endpoint Protection

End-users are frequent targets for cybercriminals, both on their devices and via social-engineering attacks. All end-user devices should have endpoint security protection software deployed. This should integrate with a wider security information and event management (SIEM) tool that allows for organization-wide monitoring and analyses of threats.

XSS Attack Prevention

Institute a filtering policy through which external data will pass. This will help to catch malicious scripts before they can become a problem. This leads into creating a wider content security policy that can leverage a list of trusted sources that are able to access your web applications.

Threat Intelligence Program

Create a central hub that feeds all security-organization functions with knowledge and data on the highest-priority threats. Organizations rely heavily on automation to help scale a threat intelligence program by continuously feeding data into security devices and processes, without the need for human intervention.

Implement Network Deception Technologies

Deception technologies implement onto a network “dummy” applications, databases, and other IT systems. Any cyberattackers who breach the external firewalls will be tricked into thinking they have access to internal systems. In reality, the dummy systems are intended as honeypots to allow security teams to monitor the attacker's activities and gather data without exposing the production systems.

Mobile Device Management Solution

A lot of business activity now happens on laptops, smartphones, and tablets. Plus, many people use laptops for their work. The mobile nature of all these devices means they are at high risk for being lost and/or stolen. All mobile devices (including laptops) should be enrolled and managed in a mobile device management (MDM) solution. If a device is lost or stolen, it can be quickly wiped so that unauthorized users cannot access any data.

Read More

Attack Surface Security: Latest Rapid7 Blog Posts