Cyber security threats are growing in frequency, diversity and complexity. Get a quick, up-to-date review of 21 cyber security threats and how to gain the information you need to defend against them.
In this post you will learn:
- What are cyber security threats
- 21 cyber threats: DDoS, MitM, social engineering, and more
- Common sources of cyber security threats
- Cyber security trends and challenges
- How to prioritize threats: the OWASP threat model
- Using threat intelligence for threat prevention
What are cyber security threats?
Cyber security threats reflect the risk of experiencing a cyber attack. A cyber attack is an intentional and malicious effort by an organization or an individual to breach the systems of another organization or individual. The attacker’s motives may include information theft, financial gain, espionage, or sabotage.
What are the main types of cyber security threats?
The main types of cyber threats are:
- Distributed denial of service (DDoS)
- Man in the Middle (MitM)
- Social engineering
- Malware and spyware
- Password attacks
- Advanced persistent threats (APT)
We cover each of these threats in more detail below.
Distributed denial of service (DDoS)
The objective of a denial of service (DoS) attack is to overwhelm the resources of a target system and cause it to stop functioning, denying access to its users. Distributed denial of service (DDoS) is a variant of DoS in which attackers compromise a large number of computers or other devices, and use them in a coordinated attack against the target system.
DDoS attacks are often used in combination with other cyber threats. These attacks may launch a denial of service to capture the attention of security staff and create confusion, while they carry out more subtle attacks aimed at stealing data or causing other damage.
Methods of DDoS attacks include:
- Botnets—systems under hacker control that have been infected with malware. Attackers use these bots to carry out DDoS attacks. Large botnets can include millions of devices and can launch attacks at devastating scale.
- Smurf attack—sends Internet Control Message Protocol (ICMP) echo requests to the victim’s IP address. The ICMP requests are generated from ‘spoofed’ IP addresses. Attackers automate this process and perform it at scale to overwhelm a target system.
- TCP SYN flood attack—attacks flood the target system with connection requests. When the target system attempts to complete the connection, the attacker’s device does not respond, forcing the target system to time out. This quickly fills the connection queue, preventing legitimate users from connecting.
The following two attacks are less common today, as they rely on vulnerabilities in the internet protocol (IP) which have been addressed on most servers and networks.
- Teardrop attack—causes the length and fragmentation offset fields in IP packets to overlap. The targeted system tries to reconstruct packets but fails, which can cause it to crash.
- Ping of death attack—pings a target system using malformed or oversized IP packets, causing the target system to crash or freeze.
Man-in-the-middle attack (MitM)
When users or devices access a remote system over the internet, they assume they are communicating directly with the server of the target system. In a MitM attack, attackers break this assumption, placing themselves in between the user and the target server.
Once the attacker has intercepted communications, they may be able to compromise a user’s credentials, steal sensitive data and return different responses to the user.
MitM attacks include:
- Session hijacking—an attacker hijacks a session between a network server and a client. The attacking computer substitutes its IP address for the IP address of the client. The server believes it is corresponding with the client and continues the session.
- Replay attack—a cybercriminal eavesdrops on network communication and replays messages at a later time, pretending to be the user. Replay attacks have been largely mitigated by adding timestamps to network communications.
- IP spoofing—an attacker convinces a system that it is corresponding with a trusted, known entity. The system thus provides the attacker with access. The attacker forges its packet with the IP source address of a trusted host, rather than its own IP address.
- Eavesdropping attack—attackers leverage insecure network communication to access information transmitted between client and server. These attacks are difficult to detect because network transmissions appear to act normally.
Social engineering attacks
Social engineering attacks work by psychologically manipulating users into performing actions desirable to an attacker, or divulging sensitive information.
Social engineering attacks include:
- Phishing—attackers send fraudulent correspondence that seems to come from legitimate sources, usually via email. The email may urge the user to perform an important action or click on a link to a malicious website, leading them to hand over sensitive information to the attacker, or expose themselves to malicious downloads. Phishing emails may include an email attachment infected with malware.
- Spear phishing—a variant of phishing in which attackers specifically target individuals with security privileges or influence, such as system administrators or senior executives.
- Homograph attacks—attackers create fake websites with very similar web addresses to a legitimate website. Users access these fake websites without noticing the slight difference in URL, and may submit their credentials or other sensitive information to an attacker.
Malware and spyware attack
Attacks use many methods to get malware into a user’s device. Users may be asked to take an action, such as clicking a link or opening an attachment. In other cases malware uses vulnerabilities in browsers or operating systems to install themselves without the user’s knowledge or consent.
Once malware is installed, it can monitor user activities, send confidential data to the attacker, assist the attacker in penetrating other targets within the network, and even cause the user’s device to participate in a botnet leveraged by the attacker for malicious intent.
Social engineering attacks include:
- Trojan virus—tricks a user into thinking it is a harmless file. A Trojan can launch an attack on a system and can establish a backdoor, which attackers can use.
- Ransomware—prevents access to the data of the victim and threatens to delete or publish it unless a ransom is paid.
- Malvertising—online advertising controlled by hackers, which contains malicious code that infects a user’s computer when they click, or even just view the ad. Malvertising has been found on many leading online publications.
- Wiper malware—intends to destroy data or systems, by overwriting targeted files or destroying an entire file system. Wipers are usually intended to send a political message, or hide hacker activities after data exfiltration.
- Drive-by downloads—attackers can hack websites and insert malicious scripts into PHP or HTTP code on a page. When users visit the page, malware is directly installed on their computer; or the attacker’s script redirects users to a malicious site, which performs the download. Drive-by downloads rely on vulnerabilities in browsers or operating systems.
- Rogue security software—pretend to scan for malware and then regularly show the user fake warnings and detections. Attackers may ask the user to pay to remove the fake threats from their computer or to register the software. Users who comply transfer their financial details to an attacker.
A hacker can gain access to the password information of an individual by ‘sniffing’ the connection to the network, using social engineering, guessing, or gaining access to a password database. An attacker can ‘guess’ a password in a random or systematic way.
Passwords attacks include:
- Brute-force password guessing—an attacker uses software to try many different passwords, in the hope of guessing the correct one. The software can use some logic to trying passwords related to the name of the individual, their job, their family, etc.
- Dictionary attack—a dictionary of common passwords is used to gain access to the computer and network of the victim. One method is to copy an encrypted file that has the passwords, apply the same encryption to a dictionary of regularly used passwords, and contrast the findings.
Advanced persistent threats (APT)
When an individual or group gains unauthorized access to a network and remains undiscovered for an extended period of time, attackers may exfiltrate sensitive data, deliberately avoiding detection by the organization’s security staff. APTs require sophisticated attackers and involve major efforts, so they are typically launched against nation states, large corporations or other highly valuable targets.
Sources of cyber threats
When you identify a cyber threat, it’s important to understand who is the threat actor, as well as their tactics, techniques and procedures (TTP). Common sources of cyber threats include:
- State-sponsored—cyberattacks by countries can disrupt communications, military activities, or other services that citizens use daily.
- Terrorists—terrorists may attack government or military targets, but at times may also target civilian websites to disrupt and cause lasting damage.
- Industrial spies—organized crime and international corporate spies carry out industrial espionage and monetary theft. Their primary motive is financial.
- Organized crime groups—criminal groups infiltrate systems for monetary gain. Organized crime groups use phishing, spam, and malware to carry out identity theft and online fraud.
- Hackers—there is a large global population of hackers, ranging from beginner “script kiddies” or those leveraging ready made threat toolkits, to sophisticated operators who can develop new types of threats and avoid organizational defenses.
- Hacktivists—hacktivists are hackers who penetrate or disrupt systems for political or ideological reasons rather than financial gain.
- Malicious insider—insiders represent a very serious threat, as they have existing access to corporate systems and knowledge of target systems and sensitive data. Insider threats can be devastating and very difficult to detect.
- Cyber espionage—is a form of cyberattack that steals classified, or sensitive intellectual data to gain an advantage over a competitive company or government entity.
Top Cyber security Issues and Trends
As technology evolves, so do the threats and issues that security teams face. Below are a few of the top trends and concerns in cyber security today.
The growing role of artificial intelligence (AI)
AI is a double-edged sword; it is improving security solutions at the same time it is leveraged by attackers to bypass those solutions. Part of the reason for this is the growing accessibility to AI. In the past, developing machine learning models was only possible if you had access to significant budgets and resources. Now, however, models can be developed on personal laptops.
This accessibility makes AI a tool that has expanded from major digital arms races to everyday attacks. While security teams are using AI to try to detect suspicious behavior, criminals are using it to make bots that pass for human users and to dynamically change the characteristics and behaviors of malware.
The cyber security skills gap continues to grow
Since 2018 there has been growing concern over the cyber security skills gap. There are simply not enough cyber security experts to fill all of the positions needed. As more companies are created and others update their existing security strategies, this number increases.
Modern threats, from cloned identities to deep fake campaigns, are getting harder to detect and stop. The security skills required to combat these threats go far beyond just understanding how to implement tools or configure encryptions. These threats require diverse knowledge of a wide variety of technologies, configurations, and environments. To obtain these skills, organizations must recruit high-level experts or dedicate the resources to training their own.
Vehicle hacking and Internet of Things (IoT) threats on the rise
The amount of data contained in a modern vehicle is huge. Even cars that are not autonomous are loaded with a variety of smart sensors. This includes GPS devices, built-in communications platforms, cameras, and AI controllers. Many people’s homes, workplaces, and communities are full of similar smart devices. For example, personal assistants embedded in speakers are smart devices.
The data on these devices can provide sensitive information to criminals. This information includes private conversations, sensitive images, tracking information, and access to any accounts used with devices. These devices can be easily leveraged by attackers for blackmail or personal gain. For example, abusing financial information or selling information on the black market.
With vehicles in particular, the threat of personal harm is also very real. When vehicles are partially or entirely controlled by computers, attackers have the opportunity to hack vehicles just like any other device. This could enable them to use vehicles as weapons against others or as a means to harm the driver or passengers.
Top Cyber security Challenges
In addition to the more specific issues covered above, there are also broader challenges faced by many cyber security teams. Below are a few of the most common current challenges.
Mobile devices are difficult to manage and secure
Even if people haven’t fully embraced smart technologies, nearly everyone has a mobile device of some sort. Smartphones, laptops, and tablets are common. These devices are often multipurpose, used for both work and personal activities, and users may connect devices to multiple networks throughout the day.
This abundance and widespread use make mobile devices an appealing target for attackers. Targeting is not new but the real challenge comes from security teams not having full control over devices. Bring your own device (BYOD) policies are common but these policies often do not include internal control or management.
Often, security teams are only able to control what happens with these devices within the network perimeter. Devices may be out of date, already infected with malware, or have insufficient protections. The only way security teams may have to block these threats is to refuse connectivity which isn’t practical.
The complexity of cloud environment
With businesses moving to cloud resources daily, many environments are growing more complex. This is particularly true in the case of hybrid and multi-cloud environments, which require extensive monitoring and integration.
With every cloud service and resource that is included in an environment, the number of endpoints and the chances for misconfiguration increase. Additionally, since resources are in the cloud, most if not all endpoints are Internet-facing, granting access to attackers on a global scale.
To secure these environments, cybersecurity teams need advanced, centralized tooling and often more resources. This includes resources for 24/7 protection and monitoring since resources are running and potentially vulnerable even when the workday is over.
Sophisticated phishing exploits
Phishing is an old but still common tactic used by attackers to gain sensitive data, including credentials and financial information. In the past, phishing emails were vague, often posing as authority figures with wide user bases. For example, Facebook or Netflix. Now, however, phishing often leverages social engineering.
Many people willingly make large amounts of information about themselves public, including where they live and work, their hobbies, and their brand loyalties. Attackers can use this information to send targeted messages, increasing the likelihood that users will fall for their tricks.
As more of the world moves to the digital realm, the number of large-scale and state-sponsored attacks are increasing. Networks of hackers can now be leveraged and bought by opposing nationstates and interest groups to cripple governmental and organizational systems.
For some of these attacks, the results are readily apparent. For example, numerous attacks have been identified that involved tampering with elections. Others, however, may go unnoticed, silently gathering sensitive information, such as military strategies or business intelligence. In either case, the resources funding these attacks enables criminals to use advanced and distributed strategies that are difficult to detect and prevent
Prioritizing cyber threats: The OWASP threat model
The number of cyber threats is growing rapidly, and it is impossible for organizations to prepare for all of them. To help prioritize cyber security efforts, OWASP has developed a model for evaluating cyber threats, summarized as follows:
Risk = Likelihood + Impact
Consider the likelihood of a cyber threat – how easy is it for attackers to carry out an attack? Are there any attackers out there with the relevant skills? How likely are you able to detect and mitigate the threat?
In addition, consider the impact of the threat – how sensitive are the systems likely to be affected, how valuable and sensitive is the data that may be lost, and in general what would the financial or reputation impact of an attack be?
By combining the likelihood with impact, you can identify threats that are significant for your organization and ensure you are protected.
Using threat intelligence for threat prevention
Threat intelligence is organized, pre-analyzed information about attacks that may threaten an organization. Threat intelligence helps organizations understand potential or current cyber threats. The more information security staff have about threat actors, their capabilities, infrastructure, and motives, the better they can defend their organization.
Threat intelligence systems are commonly used in combination with other security tools. When a security system identifies a threat, it can be cross-referenced with threat intelligence data to immediately understand the nature of the threat, its severity, and known methods for mitigating or containing the threat. In many cases threat intelligence can help automatically block threats—for example, known bad IP addresses can be fed to a firewall, to automatically block traffic from compromised servers.
Threat intelligence is typically provided in the form of feeds. There are free threat intelligence feeds, and others provided by commercial security research bodies. Several vendors provide threat intelligence platforms that come with numerous threat intelligence feeds and help manage threat data and integrate it with other security systems.