The numbers don’t lie: According to the 2020 Verizon Data Breach Report, cybersecurity attacks have more than doubled in the past year. Shielding your organization from cyberattacks begins with revisiting the fundamentals.
To borrow a truism from history, no two battles are exactly alike. That said, battles are typically fought with a set of known-to-be-successful strategies. In line with this, cybersecurity attack fundamentals aren’t a matter of fashion or inclination; they are time-tested strategies, proven in their effectiveness. After all, most criminals aren’t looking to reinvent the wheel, so why should you?
Whether you want to make sense of the latest data breach news headlines or protect your organization from potential incidents, it helps to understand the different approaches a malicious actor might take in order to cause harm. Read on for Rapid7’s overview of the types of attacks most commonly seen today and how you can defend against them.
Phishing emails are disguised as messages from familiar sources, such as friends, business contacts, or trusted organizations (e.g., banks, mortgage investment firms, or social media sites). These campaigns usually aim to capture sensitive information, often by attempting to install malware on your device or getting respondents to click on “spoofed” links.
The good news is the majority of phishing scams do provide clues as to their malicious intent. Since most reputable organizations invest in professional marketing, unpolished communications are frequently a sign of a phishing attempt. Look for these phishing red flags:
When it comes to combating phishing attempts, your employees can be your greatest vulnerability or your first line of defense. Train your staff on phishing protocols and encourage them to report phishing attempts to IT immediately.
Stay proactive, and get started with these tips:
The key is to remain vigilant about where, how, and with whom personal data is shared.
Structured Query Language (SQL) is a language intentionally designed to be used with databases in order to store and manage data, including data that may be sensitive. Many commercial and open source databases have incorporated SQL into their design.
SQL injection (SQLi) is a type of cybersecurity attack that targets databases using specifically crafted SQL statements. These statements trick the systems into behaving unexpectedly. SQL injections can be powerfully detrimental, and once any business or individual data is compromised, it can be difficult to fully recover.
SQL injection attackers often begin by bypassing the authentication that ordinary users of a system must pass. This lets them operate inside the system undetected, making it easier to exfiltrate or corrupt data. By submitting SQL commands disguised as legitimate user input, attackers can tamper with or delete data, corrupt the database, or even gain root access to the system environment. Data theft, and to a lesser extent data loss and corruption, worry companies most.
Guarding against SQL injection begins with making sure the system treats user-supplied input as data to be stored or compared, never as SQL to be executed.
Switch from dynamic SQL to stored procedures
Don’t place user-provided input directly into SQL statements, since it can then be interpreted as commands. Opt for stored procedures, prepared statements, and parameterized queries instead.
Sanitize user inputs
Verify that input matches the expected format and reject undesirable characters. Encrypt confidential data—don’t keep it in plaintext!—so that even if it is exfiltrated, it has an extra layer of protection.
Limit database permissions and privileges
To prevent attackers from performing harmful functions, set database capabilities to the bare minimum. This will limit potential damage if attackers gain access. Don’t display database errors to further limit information-sharing.
Implement a web application firewall (WAF)
Protect web-facing applications with a WAF, which can help you identify SQL injection attempts as well as prevent attempts from accessing the application or database.
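As an added illustration of the first three recommendations (this is not code from the article or from Rapid7), the Python snippet below puts a dynamic-SQL lookup beside its parameterized and validated forms, using an in-memory SQLite table with constructed sample rows; all names are assumptions.

```python
import re
import sqlite3

def make_db():
    # Constructed sample data; an in-memory SQLite database stands in for
    # the application's real database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "staff")])
    return db

def lookup_role_vulnerable(db, name):
    # Dynamic SQL: the input is concatenated into the statement, so a quote
    # character in it closes the literal and the rest is parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "' ORDER BY name"
    return [tuple(r) for r in db.execute(sql)]

def lookup_role_safe(db, name):
    # Prepared statement with a bound parameter: the driver never splices
    # the value into the SQL text, so it is compared as plain data.
    sql = "SELECT name, role FROM users WHERE name = ? ORDER BY name"
    return [tuple(r) for r in db.execute(sql, (name,))]

USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def is_valid_username(name):
    # Allowlist validation: accept only the characters a username may hold,
    # and reject everything else before it reaches the database at all.
    return bool(USERNAME_RE.match(name))

def lookup_role(db, name):
    if not is_valid_username(name):
        return []  # reject quietly; never echo database errors to the caller
    return lookup_role_safe(db, name)

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"   # classic test string for this flaw
    print("vulnerable:", lookup_role_vulnerable(db, tautology))  # both rows
    print("parameterized:", lookup_role_safe(db, tautology))     # no rows
    print("validated:", lookup_role(db, tautology))              # rejected
```

Running the database account with read-only rights on this table, as the permissions section recommends, would further cap what the vulnerable form could do even before it is fixed.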
Cross-site scripting (XSS) is an indirect code-injection security attack, occurring through a web application vulnerability, that delivers malicious client-side scripts to a user’s web browser for execution. This can result in data exposure, compromised online accounts, malicious uploads, and harmful web page redirects.
Reflected XSS attacks involve a vulnerable website accepting (but not storing) data, usually in the form of malicious scripts. For instance, the attacker may include a small, malicious script in query parameters for a website’s search page. When the target visits the URL from their browser, they expect to find something of interest in the search query, but in reality, the malicious script is injected into the web page and executed by the target’s browser.
As the name suggests, persistent XSS attacks are stored on the vulnerable server itself. These often occur when an attacker posts social media or forum messages to vulnerable servers. When users interact with the posted content, they execute the malicious script. All forum users become targets in persistent types of attacks.
XSS vulnerabilities aren’t limited to server-side software, and DOM-based XSS attacks demonstrate that fact. Attackers lure potential targets with URLs carrying malicious scripts, much like reflected XSS. Even though the site’s backend does process the query parameters carrying the malicious script, the server itself never generates a web page containing it. Instead, the site’s own vulnerable client-side script reads the parameter in the user’s browser and writes it into the page locally, and the browser then executes the attacker’s script.
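Added example, not from the original article: a Python rendering of the search page described above, where the query parameter (the reflected case) and stored forum posts (the persistent case) are echoed raw by the first function and encoded for their HTML context by the second. Function names and the page layout are assumptions.

```python
import html

def render_search_vulnerable(query, hits):
    # Reflected XSS: the query parameter is echoed into the page unchanged,
    # into both a text node and an attribute value. `hits` stands for stored
    # content (forum posts), so the same flaw covers the persistent case.
    items = "".join(f"<li>{h}</li>" for h in hits)
    return (f"<h1>Results for {query}</h1>"
            f'<input name="q" value="{query}">'
            f"<ul>{items}</ul>")

def render_search_safe(query, hits):
    # Output encoding matched to the context: quote=True also encodes the
    # quote characters, which is what stops the input from closing the
    # value="..." attribute early. Encoding only <, >, & would protect the
    # heading but not the attribute.
    q = html.escape(query, quote=True)
    items = "".join(f"<li>{html.escape(h, quote=True)}</li>" for h in hits)
    return (f"<h1>Results for {q}</h1>"
            f'<input name="q" value="{q}">'
            f"<ul>{items}</ul>")

def has_live_markup(page, needle="<script"):
    # Comparison helper: does the page still contain an unencoded tag
    # opening that a browser would parse as markup?
    return needle in page.lower()
```

The DOM-based variant cannot be shown server-side; there the same rule applies in the browser, writing untrusted values with textContent rather than innerHTML.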
Man-in-the-middle (MiTM) attacks are a type of cybersecurity threat that allows an attacker to overhear legitimate communications between two hosts. Often, the attacker will masquerade as the other host to disguise their identity from one or both participants, and even proceed to hijack the conversation.
Rogue access point
In this scenario, attackers set up independent wireless access points (with a seemingly strong signal) to trick physically proximate devices into automatically connecting. The victim’s network traffic can now be manipulated by the attacker, who need not be a “trusted” source.
Address Resolution Protocol (ARP) spoofing
ARP resolves IP addresses to physical media access control (MAC) addresses in a local area network (LAN). Since hosts reference an ARP cache to identify the host with a given IP address, ARP spoofing lets attackers disguise their MAC address as another host’s. Attackers can then “sniff” private traffic between hosts, use SSL stripping to intercept data packets, and even gain access to application accounts via pilfered information, such as exchanged session tokens.
DNS spoofing
Much like how ARP resolves IP addresses to MAC addresses on a LAN, DNS resolves domain names to IP addresses. Attackers can poison a DNS cache with corrupt records so that the victim is directed to a host under the attacker’s control, resulting in the victim sharing sensitive information with it.
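Added detection example, not from the article or from any Rapid7 product: given a constructed log of ARP replies seen on one LAN segment and an assumed known-good gateway binding, this Python code flags the two cache symptoms ARP spoofing leaves behind, an IP whose MAC changes and one MAC answering for several IPs. The log format, addresses and function names are all assumptions.

```python
from collections import defaultdict

# Constructed sample of ARP replies observed on a LAN segment (time, sender
# IP, sender MAC), in the shape a monitoring tool might log them.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 00:11:22:33:44:01
10:00:02 192.168.1.10 00:11:22:33:44:0a
10:00:03 192.168.1.20 00:11:22:33:44:14
10:00:09 192.168.1.1 de:ad:be:ef:00:01
10:00:10 192.168.1.10 00:11:22:33:44:0a
10:00:11 192.168.1.20 de:ad:be:ef:00:01
"""

# Assumed known-good binding for the default gateway; in practice this comes
# from a static ARP entry or from DHCP/inventory records.
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}

def parse_arp_log(text):
    rows = []
    for line in text.splitlines():
        ts, ip, mac = line.split()
        rows.append((ts, ip, mac.lower()))
    return rows

def detect_arp_spoofing(rows, trusted=TRUSTED):
    """Return alert strings for a trusted IP answered by the wrong MAC, an
    IP whose MAC changes, and one MAC claiming several IPs. The last check
    needs an exception list for hosts that legitimately hold multiple IPs."""
    alerts = []
    seen_mac_for_ip = {}
    ips_for_mac = defaultdict(set)
    for ts, ip, mac in rows:
        if ip in trusted and mac != trusted[ip]:
            alerts.append(f"{ts} {ip} claimed by untrusted MAC {mac}")
        prev = seen_mac_for_ip.get(ip)
        if prev and prev != mac:
            alerts.append(f"{ts} {ip} changed from {prev} to {mac}")
        seen_mac_for_ip[ip] = mac
        ips_for_mac[mac].add(ip)
        if len(ips_for_mac[mac]) > 1:
            alerts.append(f"{ts} MAC {mac} now claims {sorted(ips_for_mac[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_arp_log(SAMPLE_ARP_LOG)):
        print(alert)
```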
Detect MiTM attacks in your environment with Rapid7 InsightIDR.
One of the most common types of exploitative attacks, malware is a virus or other malicious software deployed to execute unauthorized actions on a victim’s system. This can take many forms—ransomware, spyware, command and control, and more—and can be used to exfiltrate data, disrupt organizational operations, and extort money.
Malware deployments can cause massive disruptions that get splashed across the news, as was the case with the WannaCry ransomware attack.
By appearing to be one thing, such as a game or application, a Trojan horse serves as a delivery mechanism for malware. Users download the software and run it on the target system, unknowingly installing the malware it carries.
A virus is a type of malware that infects other files and programs (or even parts of the operating system) through a targeted code injection. Viruses are self-propagating and spread through existing programs, files, and operating systems located on the infected target.
A worm is a type of malware designed to propagate itself into other systems. While a virus or Trojan horse remains localized to one target system, a worm actively seeks to infect other targets—sometimes without any user interaction.
Denial-of-service (DoS) attacks are designed to disrupt normal network or service operations through the use of intentionally crafted messages or flooding with artificial traffic. A DoS attack prevents legitimate users from accessing websites, applications, or other resources. Activist groups may use DoS attacks to “make a statement” by disrupting service, while state actors attack to punish foes. Criminal enterprises may use DoS attacks as a means of extorting money.
Distributed denial-of-service (DDoS)
Distributed denial-of-service (DDoS) is a type of coordinated attack between numerous systems all under the attacker’s control. This can involve even hundreds of thousands of systems, and is often the mechanism of choice when carrying out the other attack types listed below.
A type of bandwidth consumption attack, network-targeted DoS floods available network bandwidth so legitimate traffic can no longer pass between targeted systems. Attackers may also trick unwitting systems into increasing network traffic instead; this is called a distributed reflection denial-of-service (DRDoS) attack, and it creates similar DoS results without the need for flooding.
System-targeted DoS attacks seek to undermine system usability, commonly by draining resources (e.g., memory, CPU, disk space). Attackers intentionally eat up or overtax resources, crippling operational capacity, causing physical damage, and crashing systems.
A popular attack vector, this type of DoS attack targets applications. For instance, victims may be locked out of their accounts, or other users may be denied service. This occurs when attackers make requests that mimic existing user behavior but end up stressing an integral or vulnerable application component, such as a central database. Application-targeted DoS may trigger errors or system crashes.
Brute-force attacks are trial-and-error attempts to hack login credentials, including passwords and personal identification numbers. They may utilize software to automate the process and rotate through more potential combinations.
Dictionary attacks are a type of brute-force attack that rotates through common “dictionary” passwords. Keep in mind these attempts are not limited to English words. System administrators and other experts generally don’t favor brute-force attacks, preferring more sophisticated means of gaining entry over trial and error.
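Added detection example, not from the article: over constructed authentication log lines, this Python code flags a source that fails against one account repeatedly inside a sliding window, and then any success on that same pair, which is the event a responder most needs to see. The log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (not from a real system).
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:00 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:03 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:05 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:08 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:12 FAIL user=alice src=203.0.113.5
2024-05-01T10:00:15 OK user=alice src=203.0.113.5
2024-05-01T10:00:20 FAIL user=bob src=198.51.100.7
2024-05-01T10:05:00 FAIL user=bob src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a (source, account) pair that fails `threshold` times within
    `window`, and a later success on that pair, which suggests the guessing
    worked and the account should be treated as compromised."""
    alerts = []
    fails = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    bursting = set()
    for ts, result, user, src in events:
        key = (src, user)
        if result == "FAIL":
            q = fails[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append(f"{ts.isoformat()} {src} -> {user}: "
                              f"{len(q)} failures in {window.seconds}s")
        elif key in bursting:
            alerts.append(f"{ts.isoformat()} {src} -> {user}: "
                          "successful login after brute-force burst")
            bursting.discard(key)
    return alerts
```

Bob’s two failures five minutes apart never fill the window, so only Alice’s burst and the login that follows it are reported.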
A spoofing attack disguises an attacker’s identity or communications in order to appear to come from a trusted or verified source. This commonly occurs via email or caller ID (e.g., phishing campaigns), as well as more technical components such as an IP address, domain name system (DNS) server, or Address Resolution Protocol (ARP) service.
Spoofing attacks generally occur with the aim of committing fraud. For example, an attacker may impersonate a manager to get an employee to send money to a hacker's account or otherwise harvest sensitive data. The organization might then face legal repercussions, lose consumer confidence, or suffer damage to its reputation.
If you suspect a spoofed message, whether it’s through email, text, or other channels, do not click on any links or attachments. Do not share login credentials or sensitive information. Instead, be sure to:
Detect spoofing attacks in your environment with Rapid7 InsightIDR.