Types of Cyber Attacks
What is a Cyber Attack?
A cyber attack refers to an action designed to target a computer or any element of a computerized information system to change, destroy, or steal data, as well as exploit or harm a network. Cyber attacks have been on the rise as businesses have moved more and more of their operations online in recent years.
While there are dozens of different types of attacks, what follows are the 20 most common cyber attack examples.
Top 20 Most Common Types of Cyber Attacks
DoS and DDoS Attacks
A denial-of-service (DoS) attack is designed to overwhelm the resources of a system to the point where it is unable to reply to legitimate service requests. A distributed denial-of-service (DDoS) attack is similar in that it also seeks to drain the resources of a system. A DDoS attack is initiated by a vast array of malware-infected host machines controlled by the attacker. These are referred to as “denial of service” attacks because the victim site is unable to provide service to those who want to access it.
With a DoS attack, the target site gets flooded with illegitimate requests. Because the site has to respond to each request, its resources get consumed by all the responses. This makes it impossible for the site to serve users as it normally does and often results in a complete shutdown of the site.
DoS and DDoS attacks differ from attacks that aim to obtain access to a system or to escalate the access the attacker already has; in those attacks, the attacker benefits directly from the access they gain. With DoS and DDoS attacks, on the other hand, the objective is simply to interrupt the effectiveness of the target's service. If the attacker is hired by a business competitor, they may benefit financially from their efforts.
A DoS attack can also be used to set up the target for another type of attack. With a successful DoS or DDoS attack, the system often has to come offline, which can leave it vulnerable to other types of attacks. One common way to prevent DoS attacks is to use a firewall that detects whether requests sent to your site are legitimate. Imposter requests can then be discarded, allowing normal traffic to flow without interruption.
MITM Attacks
Man-in-the-middle (MITM) attacks refer to breaches in cybersecurity that make it possible for an attacker to eavesdrop on the data sent back and forth between two people, networks, or computers. It is called a “man in the middle” attack because the attacker positions themselves in the “middle” or between the two parties trying to communicate. In effect, the attacker is spying on the interaction between the two parties.
In a MITM attack, the two parties involved believe they are communicating as they normally do. What they do not know is that the attacker sitting between them illicitly reads or modifies each message before it reaches its destination. Some ways to protect yourself and your organization from MITM attacks are to use strong encryption on access points and to use a virtual private network (VPN).
Phishing Attacks
A phishing attack occurs when a malicious actor sends emails that seem to be coming from trusted, legitimate sources in an attempt to grab sensitive information from the target. Phishing attacks combine social engineering and technology and are so-called because the attacker is, in effect, “fishing” for access to a forbidden area by using the “bait” of a seemingly trustworthy sender.
To execute the attack, the bad actor may send a link that brings you to a website that then fools you into downloading malware or giving the attacker your private information. In many cases, the target may not realize they have been compromised, which allows the attacker to go after others in the same organization without anyone suspecting malicious activity.
You can prevent phishing attacks from achieving their objectives by thinking carefully about the kinds of emails you open and the links you click on. Pay close attention to email headers, and do not click on anything that looks suspicious. Check the “Reply-To” and “Return-Path” headers: they need to point to the same domain as the “From” address presented in the email.
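The header check described above, written out as an added example (not code from the original article): it compares the domain of the Reply-To and Return-Path headers with the From domain. The two messages are constructed samples with made-up domains.

```python
"""Added example: flag emails whose Reply-To or Return-Path domain does not
match the From domain. Sample messages below are constructed."""
from __future__ import annotations
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional


def header_domain(msg: Message, header: str) -> Optional[str]:
    """Return the lowercase domain of the address in `header`, or None if the
    header is absent or holds no usable address."""
    raw = msg.get(header)
    if not raw:
        return None
    _, addr = parseaddr(raw)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def header_mismatches(raw_message: str) -> List[str]:
    """List the headers whose domain differs from the From domain.

    Reply-To and Return-Path are optional; when present they must match From.
    An empty list means the headers are aligned. Note that this exact-match
    rule also flags legitimate subdomains (e.g. bounce.example-corp.com), so a
    production filter may want to compare registrable domains instead.
    """
    msg = message_from_string(raw_message)
    from_domain = header_domain(msg, "From")
    if from_domain is None:
        return ["From"]  # no usable From address is suspicious by itself
    mismatches = []
    for header in ("Reply-To", "Return-Path"):
        domain = header_domain(msg, header)
        if domain is not None and domain != from_domain:
            mismatches.append(header)
    return mismatches


# Constructed sample: claims to come from payroll but routes replies and
# bounces through an unrelated domain.
SUSPICIOUS = """\
From: "Payroll" <payroll@example-corp.com>
Reply-To: payroll-desk@mail-relay-example.net
Return-Path: <bounce@mail-relay-example.net>
Subject: Updated direct deposit form

Please review the attached form.
"""

# Constructed sample with aligned headers.
ALIGNED = """\
From: "Payroll" <payroll@example-corp.com>
Reply-To: payroll@example-corp.com
Return-Path: <bounces@example-corp.com>
Subject: Updated direct deposit form

Please review the attached form.
"""

if __name__ == "__main__":
    print("suspicious:", header_mismatches(SUSPICIOUS))  # ['Reply-To', 'Return-Path']
    print("aligned:", header_mismatches(ALIGNED))        # []
```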
Whale-phishing Attacks
A whale-phishing attack is so-named because it goes after the “big fish” or whales of an organization, which typically include those in the C-suite or others in charge of the organization. These individuals are likely to possess information that can be valuable to attackers, such as proprietary information about the business or its operations.
If a targeted “whale” downloads ransomware, they are more likely to pay the ransom to prevent news of the successful attack from getting out and damaging their reputation or that of the organization. Whale-phishing attacks can be prevented by taking the same kinds of precautions to avoid phishing attacks, such as carefully examining emails and the attachments and links that come with them, keeping an eye out for suspicious destinations or parameters.
Spear-phishing Attacks
Spear phishing refers to a specific type of targeted phishing attack. The attacker takes the time to research their intended targets and then writes messages the target is likely to find personally relevant. These types of attacks are aptly called “spear” phishing because of the way the attacker homes in on one specific target. The message will seem legitimate, which is why it can be difficult to spot a spear-phishing attack.
Often, a spear-phishing attack uses email spoofing, where the information inside the “From” portion of the email is faked, making it look like the email is coming from a different sender. This can be someone the target trusts, like an individual within their social network, a close friend, or a business partner. Attackers may also use website cloning to make the communication seem legitimate. With website cloning, the attacker copies a legitimate website to lull the victim into a sense of comfort. The target, thinking the website is real, then feels comfortable entering their private information.
Similar to regular phishing attacks, spear-phishing attacks can be prevented by carefully checking the details in all fields of an email and making sure users do not click on any link whose destination cannot be verified as legitimate.
Ransomware
With ransomware, the victim’s system is held hostage until they agree to pay a ransom to the attacker. After the payment has been sent, the attacker then provides instructions regarding how the target can regain control of their computer. The name “ransomware” is appropriate because the malware demands a ransom from the victim.
In a ransomware attack, the target downloads ransomware, either from a website or from within an email attachment. The malware is written to exploit vulnerabilities that have not been addressed by either the system’s manufacturer or the IT team. The ransomware then encrypts the target's workstation. At times, ransomware can be used to attack multiple parties by denying access to either several computers or a central server essential to business operations.
Affecting multiple computers is often accomplished by not triggering the encryption until days or even weeks after the malware’s initial penetration. The malware can send AUTORUN files that spread from one system to another via the internal network or Universal Serial Bus (USB) drives that connect to multiple computers. Then, when the attacker initiates the encryption, it works on all the infected systems simultaneously.
In some cases, ransomware authors design the code to evade traditional virus protection software. It is therefore important for users to remain vigilant regarding which sites they visit and which links they click. You can also prevent many ransomware attacks by using a next-generation firewall (NGFW) that can perform deep data packet inspections using artificial intelligence (AI) that looks for the characteristics of ransomware.
Password Attack
Passwords are the access verification tool of choice for most people, so figuring out a target’s password is an attractive proposition for a hacker. This can be done using a few different methods. Often, people keep copies of their passwords on pieces of paper or sticky notes around or on their desks. An attacker can either find the password themselves or pay someone on the inside to get it for them.
An attacker may also try to intercept network transmissions to grab passwords not encrypted by the network. They can also use social engineering, which convinces the target to input their password to solve a seemingly “important” problem. In other cases, the attacker can simply guess the user’s password, particularly if they use a default password or one that is easy to remember such as “1234567.”
Attackers also often use brute-force methods to guess passwords. A brute-force password hack uses basic information about the individual or their job title to try to guess their password. For example, their name, birthdate, anniversary, or other personal but easy-to-discover details can be used in different combinations to decipher their password. Information that users put on social media can also be leveraged in a brute-force password hack. What the individual does for fun, specific hobbies, names of pets, or names of children are sometimes used to form passwords, making them relatively easy to guess for brute-force attackers.
A hacker can also use a dictionary attack to ascertain a user’s password. A dictionary attack is a technique that uses common words and phrases, such as those listed in a dictionary, to try and guess the target's password.
One effective method of preventing brute-force and dictionary password attacks is to set up a lock-out policy. This locks out access to a device, website, or application automatically after a certain number of failed attempts. With a lock-out policy, the attacker only has a few tries before they get banned from access. If you have a lockout policy in place already and discover that your account has been locked out because of too many login attempts, it is wise to change your password.
If an attacker systematically uses a brute-force or dictionary attack to guess your password, they may take note of the passwords that did not work. For example, if your password is your last name followed by your year of birth and the hacker tries putting your birth year before your last name on the final attempt, they may get it right on the next try.
SQL Injection Attack
Structured Query Language (SQL) injection is a common method of taking advantage of websites that depend on databases to serve their users. Clients are computers that get information from servers, and an SQL injection attack uses an SQL query sent from the client to a database on the server. The malicious SQL is inserted, or “injected”, into an input field in place of the data that normally goes there, such as a username or password. The server that holds the database then incorporates it into the query it runs, and the system is penetrated.
If an SQL injection succeeds, several things can happen, including the release of sensitive data or the modification or deletion of important data. Also, an attacker can execute administrator operations like a shutdown command, which can interrupt the function of the database.
To shield yourself from an SQL injection attack, take advantage of the least-privileged model. With least-privileged architecture, only those who absolutely need to access key databases are allowed in. Even if a user has power or influence within the organization, they may not be allowed to access specific areas of the network if their job does not depend on it.
For example, the CEO can be kept from accessing areas of the network even if they have the right to know what is inside. Applying a least-privileged policy can prevent not just bad actors from accessing sensitive areas but also those who mean well but accidentally leave their login credentials vulnerable to attackers or leave their workstations running while away from their computers.
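To make the injection mechanism concrete, here is an added example (not code from the original article) showing a login lookup written the vulnerable way the text describes, next to the same lookup using a parameterized query. It uses an in-memory SQLite table with constructed rows; the function names are illustrative.

```python
"""Added example: string-built SQL versus a parameterized query. The
vulnerable function is kept only for comparison with the hardened one."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the statement by string formatting, so whatever the client sends
    in the password field becomes part of the SQL command itself. This is the
    defect the text describes."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str, password: str):
    """Passes the values separately from the statement. The driver treats them
    purely as data, so a quote or keyword in the input cannot change the
    shape of the query."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo() -> dict:
    """Run both lookups with the textbook tautology payload and with a
    genuine password, so the difference is visible side by side."""
    conn = make_db()
    injected = "' OR '1'='1"  # turns the WHERE clause into an always-true condition
    return {
        # AND binds tighter than OR, so the vulnerable query becomes
        # (username='alice' AND password='') OR '1'='1' and returns every row.
        "vulnerable": lookup_vulnerable(conn, "alice", injected),
        # The same string is compared literally as a password and matches nothing.
        "safe": lookup_safe(conn, "alice", injected),
        "safe_valid": lookup_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Combining the parameterized query with a database account that has only the privileges the application needs, as the text recommends, limits what even a successful injection could do.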
URL Interpretation
With URL interpretation, attackers alter and fabricate certain URL addresses and use them to gain access to the target’s personal and professional data. This kind of attack is also referred to as URL poisoning. The name “URL interpretation” comes from the fact that the attacker knows the order in which a web page’s URL information needs to be entered. The attacker then “interprets” this syntax, using it to figure out how to get into areas they do not have access to.
To execute a URL interpretation attack, a hacker may guess URLs they can use to gain administrator privileges to a site or to access the site’s back end to get into a user’s account. Once they get to the page they want, they can manipulate the site itself or gain access to sensitive information about the people who use it.
For example, if a hacker attempts to get into the admin section of a site called GetYourKnowledgeOn.com, they may type in http://getyourknowledgeon.com/admin, and this will bring them to an admin login page. In some cases, the admin username and password may be the default "admin" and "admin" or very easy to guess. An attacker may also have already figured out the admin’s password or narrowed it down to a few possibilities. The attacker then tries each one, gains access, and can manipulate, steal, or delete data at will.
To prevent URL interpretation attacks from succeeding, use secure authentication methods for any sensitive areas of your site. This may necessitate multi-factor authentication (MFA) or secure passwords consisting of seemingly random characters.
DNS Spoofing
With Domain Name System (DNS) spoofing, a hacker alters DNS records to send traffic to a fake or “spoofed” website. Once on the fraudulent site, the victim may enter sensitive information that can be used or sold by the hacker. The hacker may also construct a poor-quality site with derogatory or inflammatory content to make a competitor company look bad.
In a DNS spoofing attack, the attacker takes advantage of the fact that the user thinks the site they are visiting is legitimate. This gives the attacker the ability to commit crimes in the name of an innocent company, at least from the perspective of the visitor.
To prevent DNS spoofing, make sure your DNS servers are kept up-to-date. Attackers aim to exploit vulnerabilities in DNS servers, and the most recent software versions often contain fixes that close known vulnerabilities.
Session Hijacking
Session hijacking is one of multiple types of MITM attacks. The attacker takes over a session between a client and the server. The computer being used in the attack substitutes its Internet Protocol (IP) address for that of the client computer, and the server continues the session without suspecting it is communicating with the attacker instead of the client. This kind of attack is effective because the server uses the client's IP address to verify its identity. If the attacker's IP address is inserted partway through the session, the server may not suspect that anything is wrong because it is already engaged in a trusted connection.
To prevent session hijacking, use a VPN to access business-critical servers. This way, all communication is encrypted, and an attacker cannot gain access to the secure tunnel created by the VPN.
Brute Force Attack
A brute-force attack gets its name from the “brutish” or simple methodology employed by the attack. The attacker simply tries to guess the login credentials of someone with access to the target system. Once they get it right, they are in.
While this may sound time-consuming and difficult, attackers often use bots to crack the credentials. The attacker provides the bot with a list of credentials that they think may give them access to the secure area. The bot then tries each one while the attacker sits back and waits. Once the correct credentials have been entered, the attacker gains access.
To prevent brute-force attacks, have lock-out policies in place as part of your authorization security architecture. After a certain number of attempts, the user attempting to enter the credentials gets locked out. This typically involves “freezing” the account so even if someone else tries from a different device with a different IP address, they cannot bypass the lockout.
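An account-centric lockout of the kind this paragraph and the password-attack section describe, as an added example (not code from the original article). After a set number of consecutive failures the account itself is frozen, so a retry from another device or IP address is refused too. The thresholds, user names and the plain SHA-256 credential store are assumptions for illustration.

```python
"""Added example: lockout policy keyed on the account, not the source IP."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List
import hashlib
import hmac

# Hash compared for unknown users so timing does not reveal which names exist.
_DUMMY_HASH = hashlib.sha256(b"").digest()


@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0  # timestamp; 0 means not locked


@dataclass
class LockoutPolicy:
    max_failures: int = 5
    lockout_seconds: float = 900.0
    # Constructed credential store: username -> sha256(password). A real system
    # would use a salted, slow hash such as bcrypt, scrypt or argon2.
    credentials: Dict[str, bytes] = field(default_factory=dict)
    state: Dict[str, AccountState] = field(default_factory=dict)

    def add_user(self, username: str, password: str) -> None:
        self.credentials[username] = hashlib.sha256(password.encode()).digest()

    def is_locked(self, username: str, now: float) -> bool:
        acct = self.state.get(username)
        return acct is not None and now < acct.locked_until

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_credentials' or 'locked'. `now` is passed in so the
        behaviour is deterministic; production code would use time.monotonic()."""
        acct = self.state.setdefault(username, AccountState())
        if self.is_locked(username, now):
            # Frozen account: refuse without even checking the password.
            return "locked"
        known = username in self.credentials
        expected = self.credentials.get(username, _DUMMY_HASH)
        supplied = hashlib.sha256(password.encode()).digest()
        if hmac.compare_digest(expected, supplied) and known:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0  # a fresh window starts once the lock expires
        return "bad_credentials"


def demo() -> List[str]:
    """Five wrong guesses freeze the account; even the correct password is
    refused until the lock expires."""
    policy = LockoutPolicy(max_failures=5, lockout_seconds=900)
    policy.add_user("alice", "correct horse battery staple")
    results = [policy.attempt("alice", f"guess{i}", now=float(i)) for i in range(5)]
    results.append(policy.attempt("alice", "correct horse battery staple", now=10.0))
    results.append(policy.attempt("alice", "correct horse battery staple", now=910.0))
    return results


if __name__ == "__main__":
    print(demo())
```

Because a lockout keyed on the account can itself be used to lock legitimate users out, pair it with alerting on lockout events rather than relying on it alone.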
It is also wise to use random passwords without regular words, dates, or sequences of numbers in them. This is effective because, for example, even if an attacker uses software to try to guess a 10-digit password, it will take many years of non-stop attempts to get it right.
Web Attacks
Web attacks refer to threats that target vulnerabilities in web-based applications. Every time you enter information into a web application, you are initiating a command that generates a response. For example, if you are sending money to someone using an online banking application, the data you enter instructs the application to go into your account, take money out, and send it to someone else’s account. Attackers work within the frameworks of these kinds of requests and use them to their advantage.
Some common web attacks include SQL injection, discussed above, and cross-site scripting (XSS), which is discussed later in this article. Hackers also use cross-site request forgery (CSRF) attacks and parameter tampering. In a CSRF attack, the victim is fooled into performing an action that benefits the attacker. For example, they may click on something that launches a script designed to change the login credentials to access a web application. The hacker, armed with the new login credentials, can then log in as if they are the legitimate user.
Parameter tampering involves adjusting the parameters that programmers implement as security measures designed to protect specific operations. The operation’s execution depends on what is entered in the parameter. The attacker simply changes the parameters, and this allows them to bypass the security measures that depended on those parameters.
To avoid web attacks, inspect your web applications to check for—and fix—vulnerabilities. One way to patch up vulnerabilities without impacting the performance of the web application is to use anti-CSRF tokens. A token is exchanged between the user’s browser and the web application. Before a command is executed, the token’s validity is checked. If it checks out, the command goes through—if not, it is blocked. You can also set the SameSite attribute on cookies, which stops the browser from sending them with requests that originate from another site, rendering any site built by the attacker powerless.
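The token exchange and the SameSite cookie described above, as an added example (not code from the original article or any framework). The token is bound to the user's session with an HMAC so the server can verify it without storing every issued token; the secret, session ids and handler names are constructed for illustration.

```python
"""Added example: session-bound anti-CSRF token plus a SameSite session cookie."""
from __future__ import annotations
from typing import List
import hashlib
import hmac
import os
import secrets

# Constructed secret; a real deployment keeps this out of source control.
SERVER_SECRET = os.urandom(32)


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce '.' HMAC(secret, session_id ':' nonce). It is embedded in
    the form as a hidden field; the same-origin policy keeps another site
    from reading it out of the page."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """True only if the token was minted for this exact session."""
    try:
        nonce, tag = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def handle_transfer(session_id: str, form: dict) -> str:
    """State-changing handler: validate the token before doing anything."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 rejected: missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


def session_cookie(session_id: str) -> str:
    """Set-Cookie value. SameSite=Strict makes the browser withhold the session
    cookie on cross-site requests, so a forged request arrives unauthenticated."""
    return f"session={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def demo() -> List[str]:
    sid = "sess-1234"  # constructed session id
    token = issue_csrf_token(sid)
    legit = handle_transfer(sid, {"csrf_token": token, "amount": "50", "to": "bob"})
    # A request forged from another site cannot include the victim's token ...
    forged = handle_transfer(sid, {"amount": "5000", "to": "mallory"})
    # ... and a token minted for a different session is rejected as well.
    other = handle_transfer("sess-9999", {"csrf_token": token, "amount": "1", "to": "x"})
    return [legit, forged, other]


if __name__ == "__main__":
    print(session_cookie("sess-1234"))
    print(demo())
```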
Insider Threats
Sometimes, the most dangerous actors come from within an organization. People within a company’s own doors pose a special danger because they typically have access to a variety of systems, and in some cases, admin privileges that enable them to make critical changes to the system or its security policies.
In addition, people within the organization often have an in-depth understanding of its cybersecurity architecture, as well as how the business reacts to threats. This knowledge can be used to gain access to restricted areas, make changes to security settings, or deduce the best possible time to conduct an attack.
One of the best ways to prevent insider threats is to limit access to sensitive systems to only those who need them to perform their duties. Also, for the select few who need access, use MFA, which requires them to combine something they know with a physical item they have in order to reach a sensitive system. For example, the user may have to enter a password and insert a USB device. In other configurations, a one-time code is generated on a handheld device, and the user has to enter it to log in. The user can only access the secure area if both the password and the code are correct.
While MFA may not prevent all attacks on its own, it makes it easier to ascertain who is behind an attack—or an attempted one—particularly because only relatively few people are granted access to sensitive areas in the first place. As a result, this limited access strategy can work as a deterrent. A cyber criminal within your organization will know it is easy to pinpoint who the perpetrator is because of the relatively small pool of potential suspects.
Trojan Horses
A Trojan horse attack uses a malicious program that is hidden inside a seemingly legitimate one. When the user executes the presumably innocent program, the malware inside the Trojan can be used to open a backdoor into the system through which hackers can penetrate the computer or network. This threat gets its name from the story of the Greek soldiers who hid inside a horse to infiltrate the city of Troy and win the war. Once the “gift” was accepted and brought within the gates of Troy, the Greek soldiers jumped out and attacked. In a similar way, an unsuspecting user may welcome an innocent-looking application into their system only to usher in a hidden threat.
To prevent Trojan attacks, users should be instructed not to download or install anything unless its source can be verified. Also, NGFWs can be used to examine data packets for potential threats.
Drive-by Attacks
In a drive-by attack, a hacker embeds malicious code into an insecure website. When a user visits the site, the script is automatically executed on their computer, infecting it. The designation “drive by” comes from the fact that the victim only has to “drive by” the site by visiting it to get infected. There is no need to click on anything on the site or enter any information.
To protect against drive-by attacks, users should make sure they are running the most recent software on all their computers, including applications like Adobe Acrobat and Flash, which may be used while browsing the internet. Also, you can use web-filtering software, which can detect if a site is unsafe before a user visits it.
XSS Attacks
With XSS, or cross-site scripting, the attacker transmits malicious scripts using clickable content that gets sent to the target’s browser. When the victim clicks on the content, the script is executed. Because the user has already logged into a web application’s session, what they enter is seen as legitimate by the web application. However, the script executed has been altered by the attacker, resulting in an unintended action being taken by the “user.”
For example, an XSS attack may change the parameters of a transfer request sent through an online banking application. In the falsified request, the intended recipient of the transferred money has their name replaced with that of the attacker. The attacker may also change the amount being transferred, giving themselves even more money than the target initially intended to send.
One of the most straightforward ways of preventing XSS attacks is to use a whitelist of allowable entities. This way, anything other than approved entries will not be accepted by the web application. You can also use a technique called sanitizing, which examines the data being entered, checking to see if it contains anything that can be harmful.
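A whitelist (allowlist) sanitizer of the kind this paragraph describes, as an added example (not code from the original article): only a fixed set of tags and attributes survives, link targets must be plain http(s) URLs, and all other markup and text is escaped so it can never run as script. The allowlist and the sample input are constructed.

```python
"""Added example: allowlist-based HTML sanitizer built on the standard library."""
from __future__ import annotations
import html
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

# Constructed allowlist: everything not listed here is stripped or escaped.
ALLOWED_TAGS = {"b", "i", "p", "a"}
ALLOWED_ATTRS = {"a": {"href"}}


def safe_href(url: str) -> bool:
    """Accept only plain http(s) links; rejects javascript: and data: URLs."""
    return urlparse(url).scheme in {"http", "https"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; any inner text still passes through escaped
        kept = []
        for name, value in attrs:
            # Event handlers such as onclick are never in the allowlist.
            if name in ALLOWED_ATTRS.get(tag, set()) and value and safe_href(value):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content (including the body of a dropped <script>) is escaped,
        # so it renders as visible characters rather than executing.
        self.out.append(html.escape(data, quote=False))


def sanitize(untrusted_html: str) -> str:
    """Return a version of `untrusted_html` containing only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample mixing harmless formatting with script-bearing markup.
SAMPLE = ('<p>Hi <b>bob</b><script>alert(1)</script>'
          '<a href="javascript:alert(1)">x</a><img src=x onerror=alert(1)></p>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))  # <p>Hi <b>bob</b>alert(1)<a>x</a></p>
```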
Eavesdropping Attacks
Eavesdropping attacks involve the bad actor intercepting traffic as it is sent through the network. In this way, an attacker can collect usernames, passwords, and other confidential information like credit cards. Eavesdropping can be active or passive.
With active eavesdropping, the hacker inserts a piece of software within the network traffic path to collect information that the hacker analyzes for useful data. Passive eavesdropping attacks are different in that the hacker “listens in,” or eavesdrops, on the transmissions, looking for useful data they can steal.
Both active and passive eavesdropping are types of MITM attacks. One of the best ways of preventing them is by encrypting your data, which prevents it from being used by a hacker, regardless of whether they use active or passive eavesdropping.
Birthday Attack
In a birthday attack, an attacker abuses a security feature: hash algorithms, which are used to verify the authenticity of messages. The hash acts as a digital signature, and the receiver of the message checks it before accepting the message as authentic. If a hacker can create a message with a hash identical to the one the sender has appended to their message, the hacker can simply replace the sender’s message with their own. The receiving device will accept it because it has the right hash.
The name “birthday attack” refers to the birthday paradox, which is based on the fact that in a room of 23 people, there is more than a 50% chance that two of them have the same birthday. Hence, while people think their birthdays, like hashes, are unique, they are not as unique as many think.
To prevent birthday attacks, use longer hashes for verification. With each extra digit added to the hash, the odds of creating a matching one decrease significantly.
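The arithmetic behind the last three paragraphs, as an added example (not code from the original article): the birthday-paradox probability that gives the 23-people figure, the number of tries needed for a 50% collision chance against a hash of a given size, and a search that actually finds two different inputs with the same short hash. SHA-256 truncated to a few bits stands in for a weak, short hash; the inputs are constructed.

```python
"""Added example: birthday-paradox probabilities and a collision search on a
deliberately truncated hash."""
from __future__ import annotations
import hashlib
import math
from typing import Dict, Optional, Tuple


def collision_probability(n: int, space: int) -> float:
    """Probability that n values drawn uniformly from `space` possibilities
    contain at least one equal pair (exact product form of the paradox)."""
    p_no_collision = 1.0
    for k in range(n):
        p_no_collision *= (space - k) / space
    return 1.0 - p_no_collision


def tries_for_half(space: int) -> int:
    """Draws needed for about a 50% collision chance: ~1.177 * sqrt(space).
    Every extra bit of hash length multiplies this by sqrt(2)."""
    return math.ceil(math.sqrt(2 * math.log(2) * space))


def short_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to its top `bits` bits, imitating a short hash."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, limit: int = 1_000_000) -> Optional[Tuple[bytes, bytes, int]]:
    """Hash distinct constructed inputs until two share a truncated hash.
    Returns (input_a, input_b, tries) or None if `limit` is exhausted."""
    seen: Dict[int, bytes] = {}
    for i in range(limit):
        msg = f"message-{i}".encode()
        h = short_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg
    return None


if __name__ == "__main__":
    print(f"23 people, 365 birthdays: {collision_probability(23, 365):.3f}")
    for bits in (16, 24, 32):
        print(f"{bits}-bit hash: ~{tries_for_half(2 ** bits)} tries for a 50% collision chance")
    found = find_collision(16)
    if found:
        a, b, tries = found
        print(f"16-bit collision after {tries} tries: {a!r} and {b!r}")
```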
Malware Attack
Malware is a general term for malicious software, hence the “mal” at the start of the word. Malware infects a computer and changes how it functions, destroys data, or spies on the user or network traffic as it passes through. Malware can either spread from one device to another or remain in place, only impacting its host device.
Several of the attack methods described above can involve forms of malware, including MITM attacks, phishing, ransomware, SQL injection, Trojan horses, drive-by attacks, and XSS attacks.
In a malware attack, the software has to be installed on the target device. This requires an action on the part of the user. Therefore, in addition to using firewalls that can detect malware, users should be educated regarding which types of software to avoid, the kinds of links they should verify before clicking, and the emails and attachments they should not engage with.
How Fortinet Can Help
The Fortinet suite of cybersecurity tools can prevent all of these attacks and more. The Fortinet Security Fabric incorporates cyber threat intelligence, hardware, and software to bolster your security solution, empowering it to defeat a wide range of threats. Fortinet security solutions protect everything from the edge to the core, providing visibility and automated responses for all endpoints that connect to your network.