Cybersecurity threats are growing in frequency, diversity and complexity. Get a quick, up-to-date review of 21 cyber security threats and how to gain the information you need to defend against them.
In this post you will learn:
- What are cybersecurity threats
- 21 cyber threats: DDoS, MitM, social engineering, and more
- Common sources of cybersecurity threats
- How to prioritize threats: the OWASP threat model
- Using threat intelligence for threat prevention
What are cybersecurity threats?
Cybersecurity threats reflect the risk of experiencing a cyber attack. A cyber attack is an intentional and malicious effort by an organization or an individual to breach the systems of another organization or individual. The attacker’s motives may include information theft, financial gain, espionage, or sabotage.
Types of cybersecurity threats
Distributed denial of service (DDoS)
The objective of a denial of service (DoS) attack is to overwhelm the resources of a target system and cause it to stop functioning, denying access to its users. Distributed denial of service (DDoS) is a variant of DoS in which attackers compromise a large number of computers or other devices, and use them in a coordinated attack against the target system.
DDoS attacks are often used in combination with other cyber threats. These attacks may launch a denial of service to capture the attention of security staff and create confusion, while they carry out more subtle attacks aimed at stealing data or causing other damage.
Methods of DDoS attacks include:
- Botnets—systems under hacker control that have been infected with malware. Attackers use these bots to carry out DDoS attacks. Large botnets can include millions of devices and can launch attacks at devastating scale.
- Smurf attack—sends Internet Control Message Protocol (ICMP) echo requests to the victim’s IP address. The ICMP requests are generated from ‘spoofed’ IP addresses. Attackers automate this process and perform it at scale to overwhelm a target system.
- TCP SYN flood attack—attacks flood the target system with connection requests. When the target system attempts to complete the connection, the attacker’s device does not respond, forcing the target system to time out. This quickly fills the connection queue, preventing legitimate users from connecting.
The following two attacks are less common today, as they rely on vulnerabilities in the internet protocol (IP) which have been addressed on most servers and networks.
- Teardrop attack—causes the length and fragmentation offset fields in IP packets to overlap. The targeted system tries to reconstruct packets but fails, which can cause it to crash.
- Ping of death attack—pings a target system using malformed or oversized IP packets, causing the target system to crash or freeze.
Man-in-the-middle attack (MitM)
When users or devices access a remote system over the internet, they assume they are communicating directly with the server of the target system. In a MitM attack, attackers break this assumption, placing themselves in between the user and the target server.
Once the attacker has intercepted communications, they may be able to compromise a user’s credentials, steal sensitive data and return different responses to the user.
MitM attacks include:
- Session hijacking—an attacker hijacks a session between a network server and a client. The attacking computer substitutes its IP address for the IP address of the client. The server believes it is corresponding with the client and continues the session.
- Replay attack—a cybercriminal eavesdrops on network communication and replays messages at a later time, pretending to be the user. Replay attacks have been largely mitigated by adding timestamps to network communications.
- IP spoofing—an attacker convinces a system that it is corresponding with a trusted, known entity. The system thus provides the attacker with access. The attacker forges its packet with the IP source address of a trusted host, rather than its own IP address.
- Eavesdropping attack—attackers leverage insecure network communication to access information transmitted between client and server. These attacks are difficult to detect because network transmissions appear to act normally.
Social engineering attacks
Social engineering attacks work by psychologically manipulating users into performing actions desirable to an attacker, or divulging sensitive information.
Social engineering attacks include:
- Phishing—attackers send fraudulent correspondence that seems to come from legitimate sources, usually via email. The email may urge the user to perform an important action or click on a link to a malicious website, leading them to hand over sensitive information to the attacker, or expose themselves to malicious downloads. Phishing emails may include an email attachment infected with malware.
- Spear phishing—a variant of phishing in which attackers specifically target individuals with security privileges or influence, such as system administrators or senior executives.
- Homograph attacks—attackers create fake websites with very similar web addresses to a legitimate website. Users access these fake websites without noticing the slight difference in URL, and may submit their credentials or other sensitive information to an attacker.
Malware and spyware attack
Attacks use many methods to get malware into a user’s device. Users may be asked to take an action, such as clicking a link or opening an attachment. In other cases malware uses vulnerabilities in browsers or operating systems to install themselves without the user’s knowledge or consent.
Once malware is installed, it can monitor user activities, send confidential data to the attacker, assist the attacker in penetrating other targets within the network, and even cause the user’s device to participate in a botnet leveraged by the attacker for malicious intent.
Social engineering attacks include:
- Trojan virus—tricks a user into thinking it is a harmless file. A Trojan can launch an attack on a system and can establish a backdoor, which attackers can use.
- Ransomware—prevents access to the data of the victim and threatens to delete or publish it unless a ransom is paid.
- Malvertising—online advertising controlled by hackers, which contains malicious code that infects a user’s computer when they click, or even just view the ad. Malvertising has been found on many leading online publications.
- Wiper malware—intends to destroy data or systems, by overwriting targeted files or destroying an entire file system. Wipers are usually intended to send a political message, or hide hacker activities after data exfiltration.
- Drive-by downloads—attackers can hack websites and insert malicious scripts into PHP or HTTP code on a page. When users visit the page, malware is directly installed on their computer; or the attacker’s script redirects users to a malicious site, which performs the download. Drive-by downloads rely on vulnerabilities in browsers or operating systems.
- Rogue security software—pretend to scan for malware and then regularly show the user fake warnings and detections. Attackers may ask the user to pay to remove the fake threats from their computer or to register the software. Users who comply transfer their financial details to an attacker.
A hacker can gain access to the password information of an individual by ‘sniffing’ the connection to the network, using social engineering, guessing, or gaining access to a password database. An attacker can ‘guess’ a password in a random or systematic way.
Passwords attacks include:
- Brute-force password guessing—an attacker uses software to try many different passwords, in the hope of guessing the correct one. The software can use some logic to trying passwords related to the name of the individual, their job, their family, etc.
- Dictionary attack—a dictionary of common passwords is used to gain access to the computer and network of the victim. One method is to copy an encrypted file that has the passwords, apply the same encryption to a dictionary of regularly used passwords, and contrast the findings.
Advanced persistent threats (APT)
When an individual or group gains unauthorized access to a network and remains undiscovered for an extended period of time, attackers may exfiltrate sensitive data, deliberately avoiding detection by the organization’s security staff. APTs require sophisticated attackers and involve major efforts, so they are typically launched against nation states, large corporations or other highly valuable targets.
Sources of cyber threats
When you identify a cyber threat, it’s important to understand who is the threat actor, as well as their tactics, techniques and procedures (TTP). Common sources of cyber threats include:
- State-sponsored—cyberattacks by countries can disrupt communications, military activities, or other services that citizens use daily.
- Terrorists—terrorists may attack government or military targets, but at times may also target civilian websites to disrupt and cause lasting damage.
- Industrial spies—organized crime and international corporate spies carry out industrial espionage and monetary theft. Their primary motive is financial.
- Organized crime groups—criminal groups infiltrate systems for monetary gain. Organized crime groups use phishing, spam, and malware to carry out identity theft and online fraud.
- Hackers—there is a large global population of hackers, ranging from beginner “script kiddies” or those leveraging ready made threat toolkits, to sophisticated operators who can develop new types of threats and avoid organizational defenses.
- Hacktivists—hacktivists are hackers who penetrate or disrupt systems for political or ideological reasons rather than financial gain.
- Malicious insider—insiders represent a very serious threat, as they have existing access to corporate systems and knowledge of target systems and sensitive data. Insider threats can be devastating and very difficult to detect.
- Cyber espionage—is a form of cyberattack that steals classified, or sensitive intellectual data to gain an advantage over a competitive company or government entity.
Prioritizing cyber threats: The OWASP threat model
The number of cyber threats is growing rapidly, and it is impossible for organizations to prepare for all of them. To help prioritize cybersecurity efforts, OWASP has developed a model for evaluating cyber threats, summarized as follows:
Risk = Likelihood + Impact
Consider the likelihood of a cyber threat – how easy is it for attackers to carry out an attack? Are there any attackers out there with the relevant skills? How likely are you able to detect and mitigate the threat?
In addition, consider the impact of the threat – how sensitive are the systems likely to be affected, how valuable and sensitive is the data that may be lost, and in general what would the financial or reputation impact of an attack be?
By combining the likelihood with impact, you can identify threats that are significant for your organization and ensure you are protected.
Using threat intelligence for threat prevention
Threat intelligence is organized, pre-analyzed information about attacks that may threaten an organization. Threat intelligence helps organizations understand potential or current cyber threats. The more information security staff have about threat actors, their capabilities, infrastructure, and motives, the better they can defend their organization.
Threat intelligence systems are commonly used in combination with other security tools. When a security system identifies a threat, it can be cross-referenced with threat intelligence data to immediately understand the nature of the threat, its severity, and known methods for mitigating or containing the threat. In many cases threat intelligence can help automatically block threats—for example, known bad IP addresses can be fed to a firewall, to automatically block traffic from compromised servers.
Threat intelligence is typically provided in the form of feeds. There are free threat intelligence feeds, and others provided by commercial security research bodies. Several vendors provide threat intelligence platforms that come with numerous threat intelligence feeds and help manage threat data and integrate it with other security systems.