Types of Cybersecurity Attacks

Learn about specific types of attacks and threats.


What is a Cyberattack? 

A cyberattack – also known as a cybersecurity attack – is any form of malicious activity targeting IT systems, or the attackers or threat actors who use such activity to gain unauthorized access to systems and the data they contain. 

Criminals typically are looking to exploit an attack for financial gain, but in other cases the aim is to disrupt operations by disabling access to IT systems. Threat actors can be anyone from a single person attempting to obtain stolen credentials and hold them for ransom to a state-sponsored contingent looking to disrupt operations on foreign soil.

Whatever the motivations, most IT networks – and the people that maintain them – will experience some type of attack over the course of their lives and must be prepared.

Cybersecurity Threat Categories

Before diving into specific types of cyberattacks, let's first discuss some of the motivations behind why threat actors would look to wreak havoc on a security organization.

Cybercrime

This category includes efforts by threat actors to profit from malicious attacks, and can be subcategorized into actions like direct financial theft, use of stolen credit card information, dark-web marketplaces for information obtained via data breach, or even hijacking computing resources for activities like crypto-jacking to mine cryptocurrencies.

Disruption

This category includes attempts to disrupt the operations of organizations by attacking their IT and operational technology (OT) infrastructure to damage it, temporarily shut it down, or hold it for ransom. 

Espionage

This category includes cyberattacks backed by state agencies that are part of broader intelligence and/or military activities. This can cover actions like spying on a foreign government to steal confidential data to further strategic or financial advantages.

Unintentional Threats

According to the Cybersecurity & Infrastructure Security Agency (CISA), this category includes: 

  • "Negligence – An insider of this type exposes an organization to a threat through carelessness. Negligent insiders are generally familiar with security and/or IT policies but choose to ignore them, creating risk for the organization. Examples include allowing someone to “piggyback” through a secure entrance point, misplacing or losing a portable storage device containing sensitive information, and ignoring messages to install new updates and security patches.
  • Accidental – An insider of this type mistakenly causes an unintended risk to an organization. Examples include mistyping an email address and accidentally sending a sensitive business document to a competitor, unknowingly or inadvertently clicking on a hyperlink, opening an attachment in a phishing email that contains a virus, or improperly disposing of sensitive documents.”

Often there is considerable overlap between these top-level categories. For example, state-based operatives frequently hand over newly obtained documents or discovered vulnerabilities to cybercriminals to use in malware, ransomware, and other cyberattacks.

Common Types of Cyberattacks

When a criminal is trying to hack an organization, they won't try something novel unless absolutely necessary. They draw upon common hacking techniques that are known to be highly effective, such as malware or phishing.

Whether you're trying to make sense of the latest data-breach headline in the news or analyzing an incident in your own organization, it helps to understand different cyberattack vectors. 

Malware 

Malware refers to various forms of harmful software, such as viruses and ransomware. Once it is on your computer, it can wreak all sorts of havoc, from taking control of your machine, to monitoring your actions and keystrokes, to silently sending all sorts of confidential data from your computer or network to the attacker's home base. 

Attackers will use a variety of methods to get malware into your computer, but at some stage it often requires the user to take an action to install the malware. This can include clicking a link to download a file, or opening an email attachment that may look harmless (like a document or PDF), but actually contains a hidden malware installer.

Ransomware

Ransomware is a form of malware that encrypts data on infected IT systems. It demands a ransom in exchange for a decryption key that will – hopefully – restore the encrypted data. The ransom payment usually goes to an anonymous address using Bitcoin.

Adware

Adware is a type of malware that displays unwanted ads on end-user devices to generate revenue from advertisers. It is often installed on user devices after tricking people into clicking a link. Adware then displays the ads and simulates user clicks to defraud advertisers into thinking that legitimate users are interacting with their ads. The advertisers then pay the cybercriminals for these clicks.

Crypto-Jacking

Crypto-jacking is a type of malware that uses the resources of the infected IT systems to "mine" for cryptocurrencies. It steals the attacked system's computing resources by running at a high load to generate income for the remote attackers, who then make money from the sale of the cryptocurrencies generated on the infected system.

Phishing 

In a phishing attack, an attacker may send you an email that appears to be from someone you trust, like your boss or a company you do business with. The email will seem legitimate, and it will have some urgency to it (e.g. fraudulent activity has been detected on your account). In the email, there may be an attachment to open or a link to click. 

Upon opening the malicious attachment, you'll unknowingly install malware on your computer. If you click the link, it may send you to a legitimate-looking website that asks you to log in to access an important file – except the website is actually a trap used to capture your credentials.

Spear Phishing

Spear phishing is a highly targeted variant of phishing that uses a fake email or message from a supposedly important individual to trick a person within the same organization or a partner organization. Spear phishing attempts hope to use the extra authenticity – albeit imposter authenticity – of the sender to trick people into providing information they shouldn't. 

SQL Injection Attack 

A structured query language (SQL) injection attack specifically targets servers storing critical website and service data. It supplies crafted input that the server incorporates into a database query, causing the server to divulge information it normally wouldn't. SQL is the language used to communicate with databases, which can hold private customer information such as credit card numbers, usernames and passwords (credentials), or other personally identifiable information (PII) – all tempting and lucrative targets for an attacker.
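The following added example (not code from the original page or from Rapid7) shows the defect that makes SQL injection possible and the fix, using an in-memory SQLite database with constructed sample rows. `lookup_vulnerable` builds the query text by string interpolation, so a constructed input that closes the string literal changes the meaning of the query; `lookup_hardened` passes the same value as a bound parameter, so the database driver always treats it as data. The table and column names are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory database with a small users table (example data only).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "1111"), ("bob", "hash-b", "2222")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defect on purpose: user input is concatenated into the SQL text,
    # so the input can change the structure of the query itself.
    query = f"SELECT username, card_last4 FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    # Parameterised query: the value is sent separately from the SQL text,
    # so it is always treated as a literal string, never as query syntax.
    query = "SELECT username, card_last4 FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed test input: closes the quoted literal and appends a tautology.
    tautology = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_injected": lookup_vulnerable(conn, tautology),
        "safe_normal": lookup_hardened(conn, normal),
        "safe_injected": lookup_hardened(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the tautology input, the vulnerable lookup returns every row in the table while the hardened lookup returns none, because no user is literally named `x' OR '1'='1`. The same rule applies to every database driver and ORM: never build query text from untrusted input; bind it.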

Cross-Site Scripting (XSS) 

Cross-site scripting (XSS) attacks also involve injecting malicious code into a website, but in this case the website itself is not being attacked. Instead, the malicious code only runs in the user's browser when they visit the attacked website, where it directly targets the visitor. 

One of the most common ways an attacker can deploy an XSS attack is by injecting script into user-supplied content, such as a comment, that the website later renders without encoding, so the script runs automatically in other visitors' browsers.

Botnets

Botnets are widespread groups of devices that have been compromised and hijacked by cybercriminals. The threat actors use them to target IT systems with distributed denial-of-service (DDoS) attacks or other attack types.

Denial-of-Service (DoS) 

Denial-of-service (DoS) attacks flood a website with more traffic than it's built to handle, overloading the site's server and making it near-impossible to serve content to visitors. A denial of service can also occur for non-malicious reasons: for example, when a massive news story breaks, a news organization's site can be overloaded by traffic from people trying to learn more about the story.

Man In The Middle Attack

A man in the middle (MITM) attack occurs when cybercriminals intercept and alter network traffic flowing between IT systems. The MITM attack impersonates both senders and receivers on the network. It aims to trick both into sending unencrypted data that the attacker intercepts and can use for further attacks or financial gain.

Session Hijacking 

During a normal internet session, a web server responds to your requests by returning the information you are entitled to access, recognizing you by a unique – and private – session ID. Session hijacking occurs when an attacker captures that session ID and poses as the computer making the requests, allowing them to act as the unsuspecting user and gain access to unauthorized information on the web server.

Credential Reuse

Credential reuse occurs when someone uses the same credentials on multiple websites. It can make life easier in the moment, but can come back to haunt that user later on. Even though security best practices universally recommend unique passwords for all applications and websites, many people still reuse their passwords. This is a fact attackers will readily exploit, thereby turning those reused passwords into compromised credentials.

Insider Threats

Not all cyber threats originate from external sources. Data and other sensitive information like login credentials can leak from inside organizations. This can occur via malicious staff activity or – more frequently – due to an unintended action. An example of such a mistake could be sending an email containing an unencrypted attachment to the wrong recipient. 

How to Prevent Cyberattacks

We could cover thousands of tactics and tips for preventing cyberattacks at scale, but let's zoom in and take a look at some key examples: 

Phishing Awareness Training

Educate employees on why phishing is harmful and empower them to detect and report phishing attempts. This type of training includes emailing simulated phishing campaigns to employees, monitoring results, reinforcing training, and improving on simulation results. Ongoing security awareness training for staff is also vital, so they know how to spot the most recent versions of suspicious emails, messages, or websites.

Encrypt Data

All data at rest on servers or devices and in transit over the network should be encrypted. If an attacker does get access to data or intercepts it, strong encryption should render it unreadable. 

Compromised Credentials Detection

Leverage user and entity behavior analytics (UBA) to create a baseline for normal activity on your network. Then, monitor how administrator and service accounts are being used, which users are inappropriately sharing credentials, and whether an attacker is already expanding from initial network compromise to move around and infiltrate other systems.
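As an added illustration of the baseline-then-monitor approach described above (example code, not Rapid7's own tooling), the block below learns a per-user profile of source hosts and login hours from a set of constructed, successful authentication log lines, then flags later logins that come from an unseen host, fall outside the user's usual hours, or overlap with a login from a different host within a short window (a common sign of shared or stolen credentials). The log format, field names, timestamps and addresses are all constructed for the example; real UBA tooling uses far richer features and statistical baselines rather than exact-hour sets.

```python
import re
from datetime import datetime, timedelta

# Constructed authentication log lines used to learn each user's normal behaviour.
BASELINE_LOG = """\
2024-05-01T09:12:03Z user=alice src=10.0.0.5 result=success
2024-05-01T14:40:11Z user=alice src=10.0.0.5 result=success
2024-05-02T10:05:27Z user=alice src=10.0.0.5 result=success
2024-05-01T08:02:45Z user=bob src=10.0.0.7 result=success
2024-05-02T09:15:09Z user=bob src=10.0.0.7 result=success
"""

# Constructed log lines from a later period that the detector inspects.
NEW_LOG = """\
2024-05-03T09:01:10Z user=alice src=10.0.0.5 result=success
2024-05-03T03:17:42Z user=alice src=203.0.113.9 result=success
2024-05-03T08:00:05Z user=bob src=10.0.0.7 result=success
2024-05-03T08:04:30Z user=bob src=10.0.0.22 result=success
2024-05-03T08:05:00Z user=bob src=10.0.0.22 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the constructed line format into events sorted by timestamp (UTC assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the expected format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events):
    """Per-user set of source hosts and hours of day seen in successful logins."""
    baseline = {}
    for ev in events:
        if ev["result"] != "success":
            continue
        entry = baseline.setdefault(ev["user"], {"hosts": set(), "hours": set()})
        entry["hosts"].add(ev["src"])
        entry["hours"].add(ev["ts"].hour)
    return baseline


def detect_anomalies(baseline, events, window=timedelta(minutes=10)):
    """Return (user, reason, src) alerts for successful logins that deviate from the baseline."""
    alerts = []
    recent = {}  # user -> list of (timestamp, src) successful logins seen in this pass
    for ev in events:
        if ev["result"] != "success":
            continue
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        profile = baseline.get(user, {"hosts": set(), "hours": set()})
        if src not in profile["hosts"]:
            alerts.append((user, "new_host", src))
        if ts.hour not in profile["hours"]:
            alerts.append((user, "off_hours", src))
        # Same credential active from two different hosts within the window.
        for prev_ts, prev_src in recent.get(user, []):
            if prev_src != src and ts - prev_ts <= window:
                alerts.append((user, "concurrent_use", src))
                break
        recent.setdefault(user, []).append((ts, src))
    return alerts


def run_demo():
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect_anomalies(baseline, parse_log(NEW_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the constructed data, alice's 03:17 login from 203.0.113.9 raises both a new-host and an off-hours alert, and bob's login from 10.0.0.22 four minutes after his login from 10.0.0.7 raises a new-host and a concurrent-use alert; the failed attempt is ignored by all three rules. Each alert is a starting point for an analyst, not proof of compromise, which is why the account type (administrator or service account, as the text notes) should weight how quickly it is triaged.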

Use Multi-Factor Authentication

Implementing multi-factor authentication (MFA) for all systems is a crucial best practice. Requiring an additional piece of information in combination with a username and password protects systems if login details are exposed to cybercriminals. Additional tokens, specific device requirements, and biometrics are all examples of MFA that can be leveraged when logging into IT systems.

Ransomware Prevention

Create a three-point plan to prevent ransomware attacks. This includes minimizing an attack surface, mitigating potential impact once exposure has been detected, and debriefing to pinpoint existing plan gaps. From there, teams can rebuild systems, quarantine endpoints, change credentials, and lock compromised accounts.

Use Endpoint Protection

End-users are frequent targets for cybercriminals, both on their devices and via social-engineering attacks. All end-user devices should have endpoint security protection software deployed. This should integrate with a wider security information and event management (SIEM) tool that allows for organization-wide monitoring and analyses of threats.

XSS Attack Prevention

Institute a filtering policy through which all external data must pass before it is rendered, so that malicious scripts are caught, or encoded as plain text, before they can become a problem. Build on this with a content security policy (CSP) that lists the trusted sources from which browsers may load scripts and other resources for your web applications.
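The two layers described above, output encoding and a content security policy, are shown together in the added example below (example code, not from the original page or from Rapid7). A constructed comment containing a harmless script tag is rendered once by raw interpolation and once through `html.escape`, and a helper builds a CSP header value that permits scripts only from the page's own origin and explicitly listed hosts, with a second helper a reviewer can use to check whether a given policy still allows inline scripts. The page template and header layout are assumptions for the demonstration.

```python
import html

# Constructed user-submitted comment containing markup (test input, not real data).
UNTRUSTED_COMMENT = '<script>alert("xss")</script> nice post!'


def render_comment_vulnerable(comment: str) -> str:
    # Defect on purpose: raw interpolation lets any markup in the comment
    # reach the browser as HTML, so a script tag is parsed and executed.
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    # Output encoding: characters with meaning in HTML become entities,
    # so the browser displays the text instead of interpreting it as markup.
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def build_csp(trusted_script_hosts=()) -> str:
    # Content-Security-Policy header value: scripts may load only from this
    # origin plus the listed hosts; 'unsafe-inline' is absent, so any script
    # that does slip into the page as inline markup is refused by the browser.
    script_src = " ".join(("'self'",) + tuple(trusted_script_hosts))
    return (
        f"default-src 'self'; script-src {script_src}; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


def csp_allows_inline_scripts(policy: str) -> bool:
    # Reviewer check: does script-src (or the default-src fallback) permit inline scripts?
    directives = {}
    for part in policy.split(";"):
        part = part.strip()
        if not part:
            continue
        name, *values = part.split()
        directives[name] = values
    effective = directives.get("script-src", directives.get("default-src", []))
    return "'unsafe-inline'" in effective


def response_for(comment: str):
    """Assemble the safe body and headers a handler would return (shape is an assumption)."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": build_csp(["https://cdn.example.com"]),
    }
    return headers, render_comment_safe(comment)


if __name__ == "__main__":
    print(render_comment_vulnerable(UNTRUSTED_COMMENT))
    print(render_comment_safe(UNTRUSTED_COMMENT))
    print(response_for(UNTRUSTED_COMMENT)[0]["Content-Security-Policy"])
```

Encoding is context-specific: `html.escape` is right for text between tags and for quoted attribute values, but content placed inside a URL, a JavaScript block, or a CSS rule needs the encoder for that context. The CSP is the backstop for the cases the encoder misses, which is why the check for `'unsafe-inline'` matters: a policy that allows it gives up most of that protection.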

Threat Intelligence Program

Create a central hub that feeds all security-organization functions with knowledge and data on the highest-priority threats. Organizations rely heavily on automation to help scale a threat intelligence program by continuously feeding data into security devices and processes, without the need for human intervention.

Implement Network Deception Technologies

Deception technologies deploy "dummy" applications, databases, and other IT systems onto a network. Any cyberattackers who breach the external firewalls will be tricked into thinking they have access to internal systems. In reality, the dummy systems are intended as honeypots that allow security teams to monitor the attacker's activities and gather data without exposing the production systems.

Mobile Device Management Solution

A lot of business activity now happens on laptops, smartphones, and tablets, and many people do most of their work on laptops. The mobile nature of all these devices puts them at high risk of being lost or stolen. All mobile devices (including laptops) should be enrolled and managed in a mobile device management (MDM) solution, so that a lost or stolen device can be quickly wiped and unauthorized users cannot access any data on it.
