Common Types of Cybersecurity Attacks


Understanding Cyberattacks

The numbers don’t lie: According to the 2020 Verizon Data Breach Report, cybersecurity attacks have more than doubled in the past year. Shielding your organization from cyberattacks begins with revisiting the fundamentals.

To borrow a truism from history, no two battles are exactly alike. That said, battles are typically fought with a set of known-to-be-successful strategies. In line with this, cybersecurity attack fundamentals aren’t a matter of fashion or inclination; they are time-tested strategies, proven in their effectiveness. After all, most criminals aren’t looking to reinvent the wheel, so why should you?

Whether you want to make sense of the latest data breach news headlines or protect your organization from potential incidents, it helps to understand the different approaches a malicious actor might take in order to cause harm. Read on for Rapid7’s overview of the types of attacks most commonly seen today and how you can defend against them. 

Phishing Attacks

What is phishing?

Phishing emails are disguised as messages from familiar sources, such as friends, business contacts, or trusted organizations (e.g., banks, mortgage investment firms, or social media sites). These campaigns usually aim to capture sensitive information, often by attempting to install malware on your device or getting respondents to click on “spoofed” links.

The good news is the majority of phishing scams do provide clues as to their malicious intent. Since most reputable organizations invest in professional marketing, unpolished communications are frequently a sign of a phishing attempt. Look for these phishing red flags:

  • Uneven or even strident tone (e.g., “Immediate action required!”)
  • Messaging that appeals to a sense of urgency, greed, or fear
  • An all-caps subject line
  • Gratuitous use of exclamation points
  • Spelling errors
  • Grammatical mistakes
  • Poor formatting
  • Messy or “cartoonish” graphic design

Combating phishing attacks

When it comes to combating phishing attempts, your employees can be your greatest vulnerability or your first line of defense. Train your staff on phishing protocols and encourage them to report phishing attempts to IT immediately.

Stay proactive, and get started with these tips:

  • Update email filter settings
  • Pre-scan emails for suspicious attachments and URLs
  • Avoid clicking on hyperlinks in text, buttons, images—including unsubscribe links
  • Never download attachments
  • Don’t provide personal information
  • Don’t confirm or reset passwords
  • Verify organizations through an independent browser search
  • Set up multi-factor authentication
  • Use strong passwords that contain no personal information

The key is to remain vigilant about where, how, and with whom personal data is shared.

Detect phishing attacks in your environment with Rapid7 InsightIDR, and minimize their potential impact with Rapid7 InsightVM.

SQL Injection Attacks

Structured Query Language (SQL) is a language intentionally designed to be used with databases in order to store and manage data, including data that may be sensitive. Many commercial and open source databases have incorporated SQL into their design.

SQL injection (SQLi) is a type of cybersecurity attack that targets databases using specifically crafted SQL statements. These statements trick the systems into behaving unexpectedly. SQL injections can be powerfully detrimental, and once any business or individual data is compromised, it can be difficult to fully recover.

Features of SQL attacks

SQL injection attacks often begin by bypassing the authentication that normally governs users interacting with the system. This lets the attacker operate inside the system undetected, making it easier to exfiltrate or corrupt data. Attackers submit SQL commands disguised as legitimate input, allowing them to tamper with or delete data, corrupt the database, or even gain root access to the system environment. Data theft, and to a lesser extent data loss and corruption, worry companies most.

Preventing SQL attacks

Guarding against SQL attacks begins with ensuring that systems treat user-supplied input as data and never execute it as SQL.

Switch from dynamic SQL to stored procedures
Don’t place user-provided input directly into SQL statements, since these could more easily be converted into commands. Opt for stored procedures, prepared statements, and parameterized queries to stay safer.

Sanitize user inputs
Verify that input matches the expected type and format, and reject undesirable characters. Encrypt confidential data—don’t keep it in plaintext!—so that even if data is exfiltrated, it has an extra layer of protection.
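As an added example (not code from the original article), the Python snippet below puts a dynamic-SQL lookup beside its parameterized equivalent and adds the input validation described above. The in-memory SQLite table, the user rows, and the sample input containing a quote are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed in-memory database standing in for an application's user store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def lookup_dynamic(conn, username):
    """Vulnerable: the input is pasted into the SQL text, so a quote in it
    ends the string literal and the remainder is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '"
           + username + "' ORDER BY username")
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, username):
    """Hardened: the input is bound as a parameter. The database compiles the
    statement first and never parses the value as SQL, whatever it contains."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]

# Constructed allow-list for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def validate_username(username):
    """Defence in depth: reject input that does not match the expected shape
    before it reaches the database at all."""
    return bool(USERNAME_RE.match(username))

def demo():
    conn = make_db()
    sample = "x' OR '1'='1"   # constructed input containing a single quote
    return {
        "dynamic": lookup_dynamic(conn, sample),          # every row comes back
        "parameterized": lookup_parameterized(conn, sample),  # no such user
        "valid": validate_username(sample),                   # rejected up front
    }

if __name__ == "__main__":
    print(demo())
```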

Limit database permissions and privileges
To prevent attackers from performing harmful functions, set database capabilities to the bare minimum. This will limit potential damage if attackers gain access. Don’t display database errors to further limit information-sharing.

Implement a web application firewall (WAF)
Protect web-facing applications with a WAF, which can help you identify SQL injection attempts as well as prevent attempts from accessing the application or database.

Test for SQL injection in your web apps with Rapid7 InsightAppSec, and detect and block attacks in real time with tCell by Rapid7.

Cross-Site Scripting Attacks

Cross-site scripting (XSS) is an indirect code-injection security attack, occurring through a web application vulnerability, that delivers malicious client-side scripts to a user’s web browser for execution. This can result in data exposure, compromised online accounts, malicious uploads, and harmful web page redirects.

Types of XSS attacks

Reflected XSS
Reflected XSS attacks involve a vulnerable website accepting (but not storing) data, usually in the form of malicious scripts. For instance, the attacker may include a small, malicious script in query parameters for a website’s search page. When the target visits the URL from their browser, they expect to find something of interest in the search query, but in reality, the malicious script is injected into the web page and executed by the target’s browser.

Persistent XSS
As the name suggests, persistent XSS attacks are stored on the vulnerable server itself. These often occur when an attacker posts social media or forum messages to vulnerable servers. When users interact with the posted content, they execute the malicious script. All forum users become targets in persistent types of attacks.

DOM-based XSS
XSS vulnerabilities aren’t limited to server-side software, and DOM-based XSS attacks demonstrate that fact. Attackers lure potential targets with URLs carrying malicious scripts, much like reflected XSS. Even if the site’s backend processes the query parameters that carry the malicious script, the server does not generate a web page containing it. Rather, the site’s own vulnerable client-side scripts insert the attacker’s input into the page inside the user’s browser, which then executes the attacker’s script.

How to prevent XSS attacks

  • Clean up user input: Validate user-provided input and scan for malicious scripts. Limit user-provided data only to what’s necessary.
  • Encode output: Encode user-supplied data before it is rendered, so that the browser treats it as text rather than loading and executing it as markup or script.
  • Scan for vulnerabilities regularly: Since XSS remains a threat, be sure to use a web application scanning tool to check for vulnerabilities regularly.
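As an added example (not from the original article), this Python snippet shows a comment-rendering function that concatenates user input straight into the page beside one that HTML-encodes each value for the context it lands in (attribute versus text). The author and comment strings are constructed sample input.

```python
import html

def render_unescaped(author, body):
    """Vulnerable: user-supplied strings are concatenated straight into the
    HTML, so any markup they contain is interpreted by the browser."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'

def render_escaped(author, body):
    """Hardened: every user-supplied value is encoded for the context it lands in.
    Inside a quoted attribute the quote characters must be encoded as well;
    in element text, encoding &, < and > is sufficient."""
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=False)
    return f'<div class="comment" data-author="{safe_author}"><p>{safe_body}</p></div>'

def leaks_markup(fragment, user_values):
    """Cheap post-render check: does any raw user value that contains markup
    characters appear verbatim in the output?"""
    return any(v in fragment for v in user_values if any(c in v for c in '<>"'))

def demo():
    # Constructed sample input: a body with a script tag and an author that
    # tries to close the attribute it is placed in.
    body = "<script>alert(1)</script>"
    author = '"><script>alert(1)</script>'
    unsafe = render_unescaped(author, body)
    safe = render_escaped(author, body)
    return {
        "unsafe_leaks": leaks_markup(unsafe, [author, body]),  # True
        "safe_leaks": leaks_markup(safe, [author, body]),      # False
        "safe_html": safe,
    }

if __name__ == "__main__":
    print(demo())
```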

Test for XSS attacks in your web apps with Rapid7 InsightAppSec, and detect and block attacks in real time with tCell by Rapid7.

Man-in-the-Middle (MiTM) Attacks

Man-in-the-middle (MiTM) attacks are a type of cybersecurity threat that allows an attacker to overhear legitimate communications between two hosts. Often, the attacker will masquerade as the other host to disguise their identity from one or both participants, and even proceed to hijack the conversation.

Types of MiTM attacks

Rogue access point
In this scenario, attackers set up independent wireless access points (with a seemingly strong signal) to trick physically proximate devices into automatically connecting. The victim’s network traffic can now be manipulated by the attacker, who need not be a “trusted” source.

Address Resolution Protocol (ARP) spoofing
ARP resolves IP addresses to physical media access control (MAC) addresses in a local area network (LAN). Since hosts reference an ARP cache to identify which MAC address belongs to a given IP address, ARP spoofing permits attackers to disguise MAC addresses. Attackers can also “sniff” private traffic between hosts, use SSL stripping to intercept data packets, and even gain access to application accounts via pilfered information, such as exchanged session tokens.
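As an added example (not from the original article), the Python snippet below runs the detection logic a defender would want for ARP spoofing over a constructed log of ARP replies: it flags an IP address whose advertised MAC changes and a MAC address that claims more than one IP. The log lines, addresses, and the gateway list are all constructed; a legitimate DHCP reassignment can trigger the same alert, so treat it as a lead to investigate rather than proof.

```python
from collections import defaultdict

# Constructed sample of ARP replies observed on one LAN segment:
# "<time> <sender IP> <sender MAC>". The last two lines show the gateway's
# IP suddenly being advertised by a different host's MAC.
SAMPLE_ARP_REPLIES = """\
10:00:01 192.168.1.1 aa:bb:cc:00:00:01
10:00:02 192.168.1.20 aa:bb:cc:00:00:20
10:00:03 192.168.1.21 aa:bb:cc:00:00:21
10:00:09 192.168.1.1 aa:bb:cc:00:00:21
10:00:10 192.168.1.20 aa:bb:cc:00:00:20
"""

def parse_arp_log(text):
    """Parses the constructed log format into (time, ip, mac) tuples,
    skipping malformed lines and normalising MAC case."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        entries.append((ts, ip, mac.lower()))
    return entries

def detect_arp_conflicts(entries, known_gateways=()):
    """Returns (time, severity, message) alerts. A change to a gateway's MAC
    is rated high because all off-segment traffic would then pass through
    the new host."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in entries:
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "high" if ip in known_gateways else "medium"
            alerts.append((ts, severity, f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            claimed = sorted(mac_to_ips[mac] | {ip})
            alerts.append((ts, "medium", f"{mac} claims {claimed}"))
        mac_to_ips[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_conflicts(parse_arp_log(SAMPLE_ARP_REPLIES),
                                      known_gateways={"192.168.1.1"}):
        print(*alert)
```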

DNS spoofing
Much like how ARP resolves IP addresses to MAC addresses on a LAN, DNS resolves domain names to IP addresses. Attackers can introduce corrupt entries into a DNS cache so that the victim’s requests are directed to a host the attacker controls, resulting in the victim sharing sensitive information with it.

Best practices for preventing MiTM attacks

  • Use WPA/WPA2 encryption on access points
  • Create and rotate Wi-Fi passwords
  • Strengthen router login credentials
  • Use VPNs
  • Install browser plugins to enforce HTTPS
  • Layer your stack with RSA or other public-key-based authentication

Detect MiTM attacks in your environment with Rapid7 InsightIDR.

Malware Attacks

One of the most common types of exploitative attacks, malware is a virus or other malicious software deployed to execute unauthorized actions on a victim’s system. This can take many forms—ransomware, spyware, command and control, and more—and can be used to exfiltrate data, disrupt organizational operations, and extort money.

Malware deployments can cause massive disruptions that get splashed across the news, as was the case with the WannaCry ransomware attack.

Types of malware attacks

Trojan horse
By appearing to be one thing, such as a game or application, a Trojan horse serves as a delivery mechanism for malware. Users download the software and run it on the target system.

Virus
A virus is a type of malware that infects other files and programs (or even parts of the operating system) through a targeted code injection. Viruses are self-propagating and spread through existing programs, files, and operating systems located on the infected target.

Worm
A worm is a type of malware designed to propagate itself into other systems. While a virus or Trojan horse remains localized to one target system, a worm actively seeks to infect other targets—sometimes without any user interaction.

How to detect and prevent malware attacks

  1. Invest in reputable A/V software: This will help monitor for potential malware installations while your system is running.
  2. Secure your networks: Create a secure system environment using firewalls, IPS, IDS, and VPN remote access.
  3. Perform web audits: Establish regular scans to detect abnormalities such as known software bugs or application misconfigurations.
  4. Create verified data backups: Storing recent backups offline can smooth the path toward system recovery, if needed.
  5. Train users in attack defense: Educate users on best practices and good cyber-hygiene (don’t download unknown attachments, etc.).

Detect malware attacks in your environment with Rapid7 InsightIDR and minimize their potential impact with Rapid7 InsightVM.

Denial-of-Service Attacks

Denial-of-service (DoS) attacks are designed to disrupt normal network or service operations through the use of intentionally crafted messages or flooding with artificial traffic. A DoS attack prevents legitimate users from accessing websites, applications, or other resources. Activist groups may use DoS attacks to “make a statement” by disrupting service, while state actors attack to punish foes. Criminal enterprises may use DoS attacks as a means of extorting money.

Types of DoS attacks

Distributed denial-of-service (DDoS)
Distributed denial-of-service (DDoS) is a type of coordinated attack between numerous systems all under the attacker’s control. This can involve even hundreds of thousands of systems, and is often the mechanism of choice when carrying out the other attack types listed below.

Network-targeted DoS
A type of bandwidth consumption attack, network-targeted DoS floods available network bandwidth so legitimate traffic can no longer pass between targeted systems. Attackers may also trick unwitting systems into generating the extra network traffic on their behalf; this is called a distributed reflection denial-of-service (DRDoS) attack, and it creates similar DoS results without the attacker having to produce the flood directly.

System-targeted DoS
System-targeted DoS attacks seek to undermine system usability, commonly by draining resources (e.g., memory, CPU, disk space). Attackers intentionally consume or overtax resources, crippling operational capacity and causing system crashes or even physical damage.

Application-targeted DoS
A popular attack vector, this type of DoS attack targets applications. For instance, victims may be locked out of their accounts, or other users may be denied service. This occurs when attackers make requests that mimic legitimate user behavior but end up stressing an integral or vulnerable application component, such as a central database. Application-targeted DoS may trigger errors or system crashes.

How you can subdue DoS attacks

  • Review application implementation to prevent overconsumption of components and maximally distribute system resources
  • Monitor and create alerts for:
    • Sudden network traffic increases
    • System and application health
    • Task completion audits, ensuring timeliness and responsiveness
  • Consider creating a mitigation plan with your cloud provider

Detect DoS attacks in your environment with Rapid7 InsightIDR, and minimize their potential impact with Rapid7 InsightVM.

Brute-Force and Dictionary Attacks

What are brute-force and dictionary attacks?

Brute-force attacks are trial-and-error attempts to guess login credentials, including passwords and personal identification numbers. They may utilize software to automate the process and rotate through more potential combinations.

Dictionary attacks are a type of brute-force attack that rotates through common “dictionary” passwords. Keep in mind these attempts are not limited to English words. System administrators and other experts generally don’t favor brute-force attacks, and tend to prefer more sophisticated means of gaining entry than trial-and-error.

How to prevent brute-force and dictionary attacks

  • Use strong, uncommon passwords
  • Slow or delay repeated login attempts
  • Implement captchas for an added layer of security
  • Configure accounts to lock automatically after multiple failed login attempts
  • Require multi-factor authentication on all accounts
  • Monitor for unusual activity
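As an added example (not from the original article), this Python class implements two of the measures above, delaying repeated login attempts with an increasing back-off and locking the account after a configurable number of consecutive failures. The thresholds, the account name, and the injectable clock are constructed for the demonstration.

```python
import time

class LoginThrottle:
    """Per-account failed-login tracker: growing delay, then a temporary lockout.
    The clock is injectable so the behaviour can be exercised without waiting."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 base_delay=1.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.base_delay = base_delay
        self.clock = clock
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> timestamp when the lock expires

    def check(self, account):
        """Call before verifying a password. Returns (allowed, wait_seconds):
        when locked, wait_seconds is the remaining lockout; when allowed, it is
        the delay to impose before answering (0, then 1, 2, 4, ... seconds)."""
        now = self.clock()
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return False, until - now
            # Lock expired: clear it and start the failure count afresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
        n = self._failures.get(account, 0)
        delay = 0.0 if n == 0 else self.base_delay * (2 ** (n - 1))
        return True, delay

    def record_failure(self, account):
        """Returns True when this failure triggers a lockout."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        """A correct password resets the consecutive-failure count."""
        self._failures.pop(account, None)

if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60)
    for _ in range(3):
        print(throttle.check("alice"), throttle.record_failure("alice"))
    print(throttle.check("alice"))
```

Because a lockout denies service to the legitimate account holder too, pair it with the monitoring above so that a burst of lockouts across many accounts is itself treated as an alert.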

Detect brute-force and dictionary attacks in your environment with Rapid7 InsightIDR and tCell by Rapid7.

Spoofing Attacks

A spoofing attack disguises an attacker’s identity or communications in order to appear to come from a trusted or verified source. This commonly occurs via email or caller ID (e.g., phishing campaigns), as well as more technical components such as an IP address, domain name system (DNS) server, or Address Resolution Protocol (ARP) service.

Spoofing attacks generally occur with the aim of committing fraud. For example, an attacker may impersonate a manager to get an employee to send money to a hacker's account or otherwise harvest sensitive data. The organization might then face legal repercussions, lose consumer confidence, or suffer damage to its reputation.

Signs and “tells” of spoofing attacks

  • Awkward communications messaging
  • Poor spelling and grammatical errors
  • Emails and URLs misspelled or misattributed
  • Content conveys a tone of panic and urgency
  • Requests for an immediate response or action

Preventing spoofing attacks

If you suspect a spoofed message, whether it’s through email, text, or other channels, do not click on any links or attachments. Do not share login credentials or sensitive information. Instead, be sure to:

  • Develop strong spam filters
  • Implement packet filtering
  • Reach out to the sender through independently verified channels

Detect spoofing attacks in your environment with Rapid7 InsightIDR.