21 Top Cybersecurity Threats and How Threat Intelligence Can Help
Cybersecurity threats are growing in frequency, diversity and complexity. Get a quick, up-to-date review of 21 cybersecurity threats and how to gain the information you need to prevent data breaches and bolster your information security.
In this post you will learn:
- What are cybersecurity threats
- 21 cyber threats: DDoS, MitM, social engineering, and more
- Common sources of cybersecurity threats
- Cybersecurity trends and challenges
- How to prioritize threats: the OWASP threat model
- Using threat intelligence for threat prevention
What are cybersecurity threats?
Cybersecurity threats reflect the risk of experiencing a cyber attack. A cyber attack is an intentional and malicious effort by an organization or an individual to breach the systems of another organization or individual. The attacker’s motives may include information theft, financial gain, espionage, or sabotage.
What are the main types of cybersecurity threats?
The main types of cyber threats are:
- Distributed denial of service (DDoS)
- Man in the Middle (MitM)
- Social engineering
- Malware and spyware
- Password attacks
- Advanced persistent threats (APT)
We cover each of these threats in more detail below.
Distributed denial of service (DDoS)
The objective of a denial of service (DoS) attack is to overwhelm the resources of a target system and cause it to stop functioning, denying access to its users. Distributed denial of service (DDoS) is a variant of DoS in which attackers compromise a large number of computers or other devices, and use them in a coordinated attack against the target system.
DDoS attacks are often used in combination with other cyber threats. These attacks may launch a denial of service to capture the attention of security staff and create confusion, while they carry out more subtle attacks aimed at stealing data or causing other damage.
Methods of DDoS attacks include:
- Botnets—systems under hacker control that have been infected with malware. Attackers use these bots to carry out DDoS attacks. Large botnets can include millions of devices and can launch attacks at devastating scale.
- Smurf attack—sends Internet Control Message Protocol (ICMP) echo requests to the victim’s IP address. The ICMP requests are generated from ‘spoofed’ IP addresses. Attackers automate this process and perform it at scale to overwhelm a target system.
- TCP SYN flood attack—floods the target system with connection requests. When the target system attempts to complete the connection, the attacker’s device does not respond, forcing the target system to wait until the half-open connection times out. This quickly fills the connection queue, preventing legitimate users from connecting.
The following two attacks are less common today, as they rely on vulnerabilities in the internet protocol (IP) which have been addressed on most servers and networks.
- Teardrop attack—causes the length and fragmentation offset fields in IP packets to overlap. The targeted system tries to reconstruct packets but fails, which can cause it to crash.
- Ping of death attack—pings a target system using malformed or oversized IP packets, causing the target system to crash or freeze.
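The SYN flood described above leaves a backlog of half-open connections that never complete. The following Python example, added here and not part of the original article, shows how a defender can spot that signature in connection-tracking data: it counts half-open versus completed connections per source and flags sources whose connections are almost entirely half-open, while a global half-open count catches floods spread across many spoofed addresses. The log format and the sample records are constructed for this example.

```python
from collections import defaultdict

# Constructed sample of connection-tracking records in a hypothetical format:
#   <epoch> <src_ip> -> <dst_ip>:<dst_port> <state>
# SYN_RECV marks a half-open connection (SYN seen, handshake never completed);
# ESTABLISHED marks a completed handshake.
SAMPLE_CONNTRACK = """\
1700000000 198.51.100.7 -> 203.0.113.10:443 SYN_RECV
1700000000 198.51.100.7 -> 203.0.113.10:443 SYN_RECV
1700000001 198.51.100.7 -> 203.0.113.10:443 SYN_RECV
1700000001 198.51.100.7 -> 203.0.113.10:443 SYN_RECV
1700000002 198.51.100.7 -> 203.0.113.10:443 SYN_RECV
1700000002 198.51.100.7 -> 203.0.113.10:443 SYN_RECV
1700000002 192.0.2.5 -> 203.0.113.10:443 ESTABLISHED
1700000003 192.0.2.5 -> 203.0.113.10:443 ESTABLISHED
1700000003 192.0.2.5 -> 203.0.113.10:443 SYN_RECV
1700000003 192.0.2.88 -> 203.0.113.10:443 ESTABLISHED
"""


def parse_conntrack(text):
    """Yield (src_ip, state) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        yield parts[1], parts[4]


def detect_syn_flood(text, per_source_min=5, per_source_ratio=0.9, global_min=50):
    """Return (suspicious_sources, total_half_open, global_flood).

    A source is suspicious when it holds at least per_source_min half-open
    connections and those make up at least per_source_ratio of its connections.
    total_half_open is compared against global_min to catch floods from many
    spoofed sources, where no single address crosses the per-source threshold.
    """
    half_open = defaultdict(int)
    total = defaultdict(int)
    for src, state in parse_conntrack(text):
        total[src] += 1
        if state == "SYN_RECV":
            half_open[src] += 1
    suspicious = sorted(
        src for src in total
        if half_open[src] >= per_source_min
        and half_open[src] / total[src] >= per_source_ratio
    )
    total_half_open = sum(half_open.values())
    return suspicious, total_half_open, total_half_open >= global_min


if __name__ == "__main__":
    sources, half_open_total, flood = detect_syn_flood(SAMPLE_CONNTRACK)
    print("suspicious sources:", sources)
    print("half-open connections:", half_open_total, "global flood:", flood)
```

The per-source ratio matters: a legitimate client behind a lossy link can also show a few half-open entries, so a source is only flagged when nearly all of its connections stall. Thresholds should be tuned to the normal backlog of the server being monitored.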
Man-in-the-middle attack (MitM)
When users or devices access a remote system over the internet, they assume they are communicating directly with the server of the target system. In a MitM attack, attackers break this assumption, placing themselves in between the user and the target server.
Once the attacker has intercepted communications, they may be able to compromise a user’s credentials, steal sensitive data and return different responses to the user.
MitM attacks include:
- Session hijacking—an attacker hijacks a session between a network server and a client. The attacking computer substitutes its IP address for the IP address of the client. The server believes it is corresponding with the client and continues the session.
- Replay attack—a cybercriminal eavesdrops on network communication and replays messages at a later time, pretending to be the user. Replay attacks have been largely mitigated by adding timestamps to network communications.
- IP spoofing—an attacker convinces a system that it is corresponding with a trusted, known entity. The system thus provides the attacker with access. The attacker forges its packet with the IP source address of a trusted host, rather than its own IP address.
- Eavesdropping attack—attackers leverage insecure network communication to access information transmitted between client and server. These attacks are difficult to detect because network transmissions appear to act normally.
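The replay item above notes that timestamps mitigate replays; in practice a timestamp is combined with a random nonce and an integrity tag, because a timestamp alone still lets a captured message be replayed inside its validity window. The following Python example is added here and is not part of the original article: the sender binds a timestamp, a fresh nonce and the message body together with an HMAC, and the receiver rejects tampered, stale or previously seen messages. The pre-shared key and the 30-second window are constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed pre-shared key for this example only; a real deployment would
# provision keys per client and rotate them.
SHARED_KEY = b"example-shared-key-not-for-production"
MAX_SKEW_SECONDS = 30


def make_message(body, key=SHARED_KEY, now=None, nonce=None):
    """Sender side: bind body, timestamp and a fresh random nonce with an HMAC
    so none of them can be altered and the message cannot be reused."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16) if nonce is None else nonce
    payload = json.dumps({"ts": ts, "nonce": nonce, "body": body}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class ReplayGuard:
    """Receiver side: verify the tag, enforce a time window, and remember nonces
    for the window's lifetime so a captured message cannot be replayed."""

    def __init__(self, key=SHARED_KEY, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> message timestamp; expired entries are purged

    def accept(self, msg, now=None):
        now = time.time() if now is None else now
        expected = hmac.new(self.key, msg["payload"].encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison, so the tag check itself leaks nothing.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad tag"
        data = json.loads(msg["payload"])
        if abs(now - data["ts"]) > self.max_skew:
            return False, "stale timestamp"
        # Nonces older than the window can be dropped: any message carrying
        # them is already rejected by the timestamp check above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if data["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[data["nonce"]] = data["ts"]
        return True, data["body"]


if __name__ == "__main__":
    guard = ReplayGuard()
    msg = make_message("transfer 10")
    print(guard.accept(msg))  # accepted once
    print(guard.accept(msg))  # the same capture replayed is rejected
```

The nonce cache stays bounded because it only has to cover the validity window; that is why the timestamp and the nonce are used together rather than either one alone.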
Social engineering attacks
Social engineering attacks work by psychologically manipulating users into performing actions desirable to an attacker, or divulging sensitive information.
Social engineering attacks include:
- Phishing—attackers send fraudulent correspondence that seems to come from legitimate sources, usually via email. The email may urge the user to perform an important action or click on a link to a malicious website, leading them to hand over sensitive information to the attacker, or expose themselves to malicious downloads. Phishing emails may include an email attachment infected with malware.
- Spear phishing—a variant of phishing in which attackers specifically target individuals with security privileges or influence, such as system administrators or senior executives.
- Homograph attacks—attackers create fake websites with very similar web addresses to a legitimate website. Users access these fake websites without noticing the slight difference in URL, and may submit their credentials or other sensitive information to an attacker.
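Homograph domains often use letters from another script (for example Cyrillic а for Latin a) that render identically; on the wire such names travel as punycode (xn--) labels. The following Python example is added here and is not part of the original article. It decodes punycode labels with the standard library idna codec, flags labels that mix scripts, and folds a small constructed table of lookalike characters into ASCII so a candidate domain can be compared against a watchlist of protected names (the watchlist entry and the lookalike table are constructed; Unicode's full confusables list is far larger).

```python
import unicodedata

# Partial lookalike table, constructed for this example. Unicode publishes a
# much larger confusables list; this covers a few Cyrillic, Greek and Latin
# characters that render like ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u03bf": "o", "\u03b1": "a", "\u0131": "i",
}


def to_unicode(domain):
    """Decode punycode (xn--) labels to their Unicode form, label by label.
    Malformed labels are left as they are rather than raising."""
    labels = []
    for label in domain.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def scripts_in(label):
    """Set of Unicode script names (first word of the character name) used by
    the letters of a label; digits and hyphens are script-neutral."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(domain):
    """Fold lookalike characters into their ASCII counterparts."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def assess_domain(domain, protected=("paypal.example",)):
    """Return the decoded name, whether any label mixes scripts, and which
    protected domain (if any) it visually imitates."""
    uni = to_unicode(domain)
    mixed = any(len(scripts_in(label)) > 1 for label in uni.split("."))
    sk = skeleton(uni)
    lookalike = next((p for p in protected if sk == p and uni != p), None)
    return {"unicode": uni, "mixed_script": mixed, "lookalike_of": lookalike}


if __name__ == "__main__":
    # Constructed lookalike: Latin "paypal" with a Cyrillic small a in place of the first a.
    spoof = "p\u0430ypal.example"
    on_the_wire = spoof.encode("idna").decode("ascii")  # the xn-- form seen in DNS logs
    print(on_the_wire, assess_domain(on_the_wire))
```

Mixed-script detection alone is not enough (a whole-script Cyrillic lookalike mixes nothing), which is why the skeleton comparison against a watchlist is kept as a second check.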
Malware and spyware attack
Attackers use many methods to get malware onto a user’s device. Users may be asked to take an action, such as clicking a link or opening an attachment. In other cases malware uses vulnerabilities in browsers or operating systems to install itself without the user’s knowledge or consent.
Once malware is installed, it can monitor user activities, send confidential data to the attacker, assist the attacker in penetrating other targets within the network, and even cause the user’s device to participate in a botnet leveraged by the attacker for malicious intent.
Malware attacks include:
- Trojan virus—tricks a user into thinking it is a harmless file. A Trojan can launch an attack on a system and can establish a backdoor, which attackers can use.
- Ransomware—prevents access to the data of the victim and threatens to delete or publish it unless a ransom is paid.
- Malvertising—online advertising controlled by hackers, which contains malicious code that infects a user’s computer when they click, or even just view the ad. Malvertising has been found on many leading online publications.
- Wiper malware—intends to destroy data or systems, by overwriting targeted files or destroying an entire file system. Wipers are usually intended to send a political message, or hide hacker activities after data exfiltration.
- Drive-by downloads—attackers can compromise websites and insert malicious scripts into the PHP or HTML code of a page. When users visit the page, malware is installed directly on their computer, or the attacker’s script redirects users to a malicious site, which performs the download. Drive-by downloads rely on vulnerabilities in browsers or operating systems.
- Rogue security software—pretends to scan for malware and then regularly shows the user fake warnings and detections. Attackers may ask the user to pay to remove the fake threats from their computer or to register the software. Users who comply hand their financial details to the attacker.
Password attacks
A hacker can gain access to the password information of an individual by ‘sniffing’ the connection to the network, using social engineering, guessing, or gaining access to a password database. An attacker can ‘guess’ a password in a random or systematic way.
Passwords attacks include:
- Brute-force password guessing—an attacker uses software to try many different passwords, in the hope of guessing the correct one. The software can apply some logic, such as trying passwords related to the name of the individual, their job, their family, etc.
- Dictionary attack—a dictionary of common passwords is used to gain access to the computer and network of the victim. One method is to copy a file containing the stored password hashes, hash a dictionary of commonly used passwords with the same algorithm, and compare the results.
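The dictionary method described above works because an unsalted hash of a common password is the same everywhere, so the whole dictionary can be hashed once and compared against any stolen file. The following Python example is added here and is not part of the original article; it contrasts that one-time comparison against unsalted SHA-256 with per-user salted PBKDF2 storage, where the precomputed table never matches and every guess would have to be recomputed per user at the key-derivation cost. The wordlist and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

# Constructed four-entry wordlist standing in for a large common-password list.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
PBKDF2_ITERATIONS = 100_000  # assumption for this example; tune for your hardware


def unsalted_hash(password):
    """Weak storage: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(wordlist):
    """Hash the dictionary once; this is the comparison the article describes."""
    return {unsalted_hash(word): word for word in wordlist}


def recover_unsalted(stored_hashes, table):
    """Unsalted digests found in the table map straight back to their password."""
    return {h: table[h] for h in stored_hashes if h in table}


def salted_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Stronger storage: a random per-user salt plus a slow key derivation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def table_hits_against_salted(records, table):
    """Count salted records whose digest appears in the precomputed table.
    The table was built without any salt, so this is always zero."""
    return sum(1 for _salt, digest in records if digest.hex() in table)


if __name__ == "__main__":
    table = precomputed_table(COMMON_PASSWORDS)
    stolen = [unsalted_hash("letmein"), unsalted_hash("correct horse battery staple")]
    print("recovered from unsalted file:", recover_unsalted(stolen, table))
    records = [salted_hash("letmein"), salted_hash("letmein")]
    print("identical passwords, different salted digests:", records[0][1] != records[1][1])
    print("table hits against salted records:", table_hits_against_salted(records, table))
```

Salting removes the one-to-many payoff of the precomputed dictionary, and the slow key derivation makes each remaining per-user guess expensive; both are needed.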
Advanced persistent threats (APT)
When an individual or group gains unauthorized access to a network and remains undiscovered for an extended period of time, attackers may exfiltrate sensitive data, deliberately avoiding detection by the organization’s security staff. APTs require sophisticated attackers and involve major efforts, so they are typically launched against nation states, large corporations or other highly valuable targets.
Sources of cyber threats
When you identify a cyber threat, it’s important to understand who the threat actor is, as well as their tactics, techniques and procedures (TTPs). Common sources of cyber threats include:
- State-sponsored—cyberattacks by countries can disrupt communications, military activities, or other services that citizens use daily.
- Terrorists—terrorists may attack government or military targets, but at times may also target civilian websites to disrupt and cause lasting damage.
- Industrial spies—organized crime and international corporate spies carry out industrial espionage and monetary theft. Their primary motive is financial.
- Organized crime groups—criminal groups infiltrate systems for monetary gain. Organized crime groups use phishing, spam, and malware to carry out identity theft and online fraud.
- Hackers—there is a large global population of hackers, ranging from beginner “script kiddies” or those leveraging ready-made threat toolkits, to sophisticated operators who can develop new types of threats and avoid organizational defenses.
- Hacktivists—hacktivists are hackers who penetrate or disrupt systems for political or ideological reasons rather than financial gain.
- Malicious insider—insiders represent a very serious threat, as they have existing access to corporate systems and knowledge of target systems and sensitive data. Insider threats can be devastating and very difficult to detect.
- Cyber espionage—a form of cyberattack that steals classified or sensitive intellectual property to gain an advantage over a competing company or government entity.
Top Cybersecurity Issues and Trends
As technology evolves, so do the threats and issues that security teams face. Below are a few of the top trends and concerns in cybersecurity today.
The growing role of artificial intelligence (AI)
AI is a double-edged sword; it is improving security solutions at the same time it is leveraged by attackers to bypass those solutions. Part of the reason for this is the growing accessibility to AI. In the past, developing machine learning models was only possible if you had access to significant budgets and resources. Now, however, models can be developed on personal laptops.
This accessibility makes AI a tool that has expanded from major digital arms races to everyday attacks. While security teams are using AI to try to detect suspicious behavior, criminals are using it to make bots that pass for human users and to dynamically change the characteristics and behaviors of malware.
The cybersecurity skills gap continues to grow
Since 2018 there has been growing concern over the cybersecurity skills gap. There are simply not enough cybersecurity experts to fill all of the positions needed. As more companies are created and others update their existing security strategies, this number increases.
Modern threats, from cloned identities to deep fake campaigns, are getting harder to detect and stop. The security skills required to combat these threats go far beyond just understanding how to implement tools or configure encryptions. These threats require diverse knowledge of a wide variety of technologies, configurations, and environments. To obtain these skills, organizations must recruit high-level experts or dedicate the resources to training their own.
Vehicle hacking and Internet of Things (IoT) threats on the rise
The amount of data contained in a modern vehicle is huge. Even cars that are not autonomous are loaded with a variety of smart sensors. This includes GPS devices, built-in communications platforms, cameras, and AI controllers. Many people’s homes, workplaces, and communities are full of similar smart devices. For example, personal assistants embedded in speakers are smart devices.
The data on these devices can provide sensitive information to criminals. This information includes private conversations, sensitive images, tracking information, and access to any accounts used with the devices. Attackers can easily leverage these devices for blackmail or personal gain, for example by abusing financial information or selling the information on the black market.
With vehicles in particular, the threat of personal harm is also very real. When vehicles are partially or entirely controlled by computers, attackers have the opportunity to hack vehicles just like any other device. This could enable them to use vehicles as weapons against others or as a means to harm the driver or passengers.
Top Cybersecurity Challenges
In addition to the more specific issues covered above, there are also broader challenges faced by many cybersecurity teams. Below are a few of the most common current challenges.
Mobile devices are difficult to manage and secure
Even if people haven’t fully embraced smart technologies, nearly everyone has a mobile device of some sort. Smartphones, laptops, and tablets are common. These devices are often multipurpose, used for both work and personal activities, and users may connect devices to multiple networks throughout the day.
This abundance and widespread use make mobile devices an appealing target for attackers. Targeting is not new but the real challenge comes from security teams not having full control over devices. Bring your own device (BYOD) policies are common but these policies often do not include internal control or management.
Often, security teams are only able to control what happens with these devices within the network perimeter. Devices may be out of date, already infected with malware, or have insufficient protections. The only means security teams may have to block these threats is to refuse connectivity, which isn’t practical.
The complexity of cloud environments
With businesses moving to cloud resources daily, many environments are growing more complex. This is particularly true in the case of hybrid and multi-cloud environments, which require extensive monitoring and integration.
With every cloud service and resource that is included in an environment, the number of endpoints and the chances for misconfiguration increase. Additionally, since resources are in the cloud, most if not all endpoints are Internet-facing, granting access to attackers on a global scale.
To secure these environments, cybersecurity teams need advanced, centralized tooling and often more resources. This includes resources for 24/7 protection and monitoring since resources are running and potentially vulnerable even when the workday is over.
Sophisticated phishing exploits
Phishing is an old but still common tactic used by attackers to gain sensitive data, including credentials and financial information. In the past, phishing emails were vague, often posing as well-known services with wide user bases, such as Facebook or Netflix. Now, however, phishing often leverages social engineering.
Many people willingly make large amounts of information about themselves public, including where they live and work, their hobbies, and their brand loyalties. Attackers can use this information to send targeted messages, increasing the likelihood that users will fall for their tricks.
Large-scale and state-sponsored attacks
As more of the world moves to the digital realm, the number of large-scale and state-sponsored attacks is increasing. Networks of hackers can now be leveraged and bought by opposing nation-states and interest groups to cripple governmental and organizational systems.
For some of these attacks, the results are readily apparent. For example, numerous attacks have been identified that involved tampering with elections. Others, however, may go unnoticed, silently gathering sensitive information, such as military strategies or business intelligence. In either case, the resources funding these attacks enable criminals to use advanced and distributed strategies that are difficult to detect and prevent.
Prioritizing cyber threats: The OWASP threat model
The number of cyber threats is growing rapidly, and it is impossible for organizations to prepare for all of them. To help prioritize cybersecurity efforts, OWASP has developed a model for evaluating cyber threats, summarized as follows:
Risk = Likelihood + Impact
Consider the likelihood of a cyber threat – how easy is it for attackers to carry out an attack? Are there any attackers out there with the relevant skills? How likely are you to detect and mitigate the threat?
In addition, consider the impact of the threat – how sensitive are the systems likely to be affected, how valuable and sensitive is the data that may be lost, and in general what would the financial or reputation impact of an attack be?
By combining the likelihood with impact, you can identify threats that are significant for your organization and ensure you are protected.
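The article summarizes the model in one line; OWASP's published Risk Rating Methodology carries it out by scoring a fixed set of likelihood factors (threat agent and vulnerability factors) and impact factors (technical and business impact) from 0 to 9, averaging each group, bucketing the averages as Low (below 3), Medium (3 to below 6) or High (6 and up), and reading the overall severity off a likelihood-by-impact matrix. The following Python example is added here and is not part of the original article; it implements that scoring, and the phishing scenario used as input is constructed.

```python
# Factor names and the severity matrix follow the OWASP Risk Rating Methodology.
LIKELIHOOD_FACTORS = (
    "skill_level", "motive", "opportunity", "size",            # threat agent
    "ease_of_discovery", "ease_of_exploit", "awareness",        # vulnerability
    "intrusion_detection",
)
IMPACT_FACTORS = (
    "loss_of_confidentiality", "loss_of_integrity",             # technical
    "loss_of_availability", "loss_of_accountability",
    "financial_damage", "reputation_damage",                    # business
    "non_compliance", "privacy_violation",
)

# Overall severity keyed by (likelihood level, impact level).
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("LOW", "MEDIUM"): "Low",       ("LOW", "HIGH"): "Medium",
    ("MEDIUM", "LOW"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High",     ("HIGH", "HIGH"): "Critical",
}


def level(score):
    """Bucket a 0-9 average into the three OWASP levels."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def average(factors, expected):
    """Average the expected factors, rejecting missing names or out-of-range scores."""
    missing = set(expected) - set(factors)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    for name in expected:
        if not 0 <= factors[name] <= 9:
            raise ValueError(f"{name} must be scored 0-9, got {factors[name]}")
    return sum(factors[name] for name in expected) / len(expected)


def rate_threat(likelihood, impact):
    """Combine likelihood and impact factor scores into an overall severity."""
    l_score = average(likelihood, LIKELIHOOD_FACTORS)
    i_score = average(impact, IMPACT_FACTORS)
    return {
        "likelihood_score": l_score, "likelihood": level(l_score),
        "impact_score": i_score, "impact": level(i_score),
        "severity": SEVERITY[(level(l_score), level(i_score))],
    }


# Constructed scenario: credential phishing against staff of a mid-size company.
PHISHING_LIKELIHOOD = dict(skill_level=3, motive=9, opportunity=7, size=9,
                           ease_of_discovery=7, ease_of_exploit=5, awareness=9,
                           intrusion_detection=8)
PHISHING_IMPACT = dict(loss_of_confidentiality=7, loss_of_integrity=5,
                       loss_of_availability=1, loss_of_accountability=7,
                       financial_damage=3, reputation_damage=5,
                       non_compliance=5, privacy_violation=7)

if __name__ == "__main__":
    print(rate_threat(PHISHING_LIKELIHOOD, PHISHING_IMPACT))
```

Scoring each factor separately is what makes the result defensible: two analysts can disagree about one factor without the whole rating becoming a matter of opinion.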
Using threat intelligence for threat prevention
Threat intelligence is organized, pre-analyzed information about attacks that may threaten an organization. Threat intelligence helps organizations understand potential or current cyber threats. The more information security staff have about threat actors, their capabilities, infrastructure, and motives, the better they can defend their organization.
Threat intelligence systems are commonly used in combination with other security tools. When a security system identifies a threat, it can be cross-referenced with threat intelligence data to immediately understand the nature of the threat, its severity, and known methods for mitigating or containing the threat. In many cases threat intelligence can help automatically block threats—for example, known bad IP addresses can be fed to a firewall, to automatically block traffic from compromised servers.
Threat intelligence is typically provided in the form of feeds. There are free threat intelligence feeds, and others provided by commercial security research bodies. Several vendors provide threat intelligence platforms that come with numerous threat intelligence feeds and help manage threat data and integrate it with other security systems.
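The paragraphs above describe cross-referencing security events against a feed of known-bad addresses. The following Python example is added here and is not part of the original article or any particular vendor's platform: it loads a constructed indicator feed containing both single IPs and CIDR ranges, skips malformed entries, and matches the source address of each line of a constructed web-server access log against it, returning the hits with their feed tags.

```python
import ipaddress

# Constructed indicator feed: one indicator per line, <ip-or-cidr><TAB><tag>.
# Lines starting with '#' are comments; the third entry is deliberately malformed.
FEED = """\
# constructed feed for this example
203.0.113.0/24\tbotnet-c2
198.51.100.23\tscanner
not-an-indicator\tjunk
"""

# Constructed access-log lines in the common log format; the source IP is the first field.
ACCESS_LOG = """\
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.44 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.77 - - [10/Oct/2023:13:55:38 +0000] "POST /api/token HTTP/1.1" 403 0
garbage line without an address
"""


def load_feed(text):
    """Parse the feed into (network, tag) pairs; single IPs become /32 or /128
    networks so one containment test covers both forms."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value, _, tag = line.partition("\t")
        try:
            net = ipaddress.ip_network(value.strip(), strict=False)
        except ValueError:
            continue  # skip malformed indicators instead of failing the whole load
        indicators.append((net, tag.strip() or "untagged"))
    return indicators


def match_log(text, indicators):
    """Return (source_ip, tag) for every log line whose source is in the feed."""
    hits = []
    for line in text.splitlines():
        token = line.split(" ", 1)[0]
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an address; leave it for other parsers
        for net, tag in indicators:
            if ip in net:
                hits.append((str(ip), tag))
                break
    return hits


if __name__ == "__main__":
    feed = load_feed(FEED)
    print("indicators loaded:", len(feed))
    for ip, tag in match_log(ACCESS_LOG, feed):
        print(f"hit: {ip} tagged {tag}")
```

Matching on ranges as well as single addresses matters because feeds frequently publish whole hosting netblocks; a linear scan over the indicators is fine for a small feed, while a large one would be loaded into a prefix trie or a database.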
Learn More About Cybersecurity Threats
Information Security Threats and Tools for Addressing Them
The value of information today makes it a desirable commodity and a tempting target for theft and sabotage, putting those creating and using it at risk of attack. Criminals are constantly finding new ways of bypassing security tools and security developers are working to stay ahead by building more intelligent solutions.
The loss of information can cause great harm to a company, but by taking the right precautions and using the appropriate tools, the risk can be greatly minimized. Read on to find out what types of information security threats you have to consider, including examples of common threats, and how you can mitigate your risks.
Drive By Downloads: What They Are and How to Avoid Them
Most people don’t think twice about the websites they visit, quickly clicking through and not paying much attention to whether a link will redirect them or if a secure protocol is being used. Often, this isn’t a problem but if you happen to visit a site that has been compromised, your system can be quickly infected by a drive by download.
Here, we’ll look at what a drive by download is, the type of damage it can cause, and cover some strategies that your security operations center can use to minimize your risk.
Cyber Crime: Types, Examples, and What Your Business Can Do
Cyber crime is the flip side of cybersecurity — a huge spectrum of damaging and illegal activity carried out using computers and the Internet. This article will help you understand cyber crime and how to defend your organization against it.
What is MITRE ATT&CK: An Explainer
MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations of cyberattacks. They’re displayed in matrices that are arranged by attack stages, from initial system access to data theft or machine control. There are matrices for common desktop platforms—Linux, macOS and Windows—as well as mobile platforms.
The MITRE ATT&CK framework, model, and taxonomy provide a categorized and structured catalog of tactics (the “why” of an attack) and techniques (the “how” and sometimes the “what” of an attack). The relationship between tactics and techniques is organized and presented as the ATT&CK matrix. The philosophy of the ATT&CK model is that by focusing on and prioritizing your defense against documented threat behavior, you can understand, prevent, and mitigate these threats and attacks.
Defending Against Ransomware: Prevention, Protection, Removal
A ransomware attack can be crippling for an organization. During an attack, cybercriminals will block access to your files or network, claiming that if you pay a ransom fee, your access will be restored. An effective ransomware defense strategy is essential to prevent extensive damage and must include three pillars: prevention, protection, and quick removal.
Top 5 Social Engineering Techniques and How to Prevent Them
Social engineering takes advantage of the weakest link in our security chain — our human workforce — to gain access to corporate networks. Attackers use increasingly sophisticated trickery and emotional manipulation to cause employees, even senior staff, to surrender sensitive information. Learn about the stages of a social engineering attack, what are the top social engineering threats according to the InfoSec Institute, and best practices to defend against them.
Privilege Escalation Detection: The Key to Preventing Advanced Attacks
Attackers are becoming increasingly sophisticated, and organized groups of hackers are carrying out advanced attacks against attractive targets. A key component in almost all advanced attacks is privilege escalation — an attempt to compromise an account, and then expand the attacker’s privileges, either by gaining control of more accounts or increasing the privilege level of the compromised account.
Read on to understand how privilege escalation works, how to detect it in your organization, and how to protect your systems and stop advanced attacks before they reach your most sensitive assets.
SIEM Concepts: Security Incidents
Security incidents indicate the failure of security measures or the breach of organizations’ systems or data. This includes any event that threatens the integrity, availability, or confidentiality of information. Causes of security incidents include perimeter breaches, cyber attacks, and insider threats.
Incidents usually require an IT administrator to take action. Incident response (IR) is an organized process by which organizations defend themselves against security incidents.
See our Additional Guides on Information Security
SIEM Security Guide
SIEM security refers to the integration of SIEM with security tools, network monitoring tools, performance monitoring tools, critical servers and endpoints, and other IT systems.
See top articles in our SIEM security guide
- 7 Open Source SIEMs: Features vs. Limitations
- SIEM Solutions: How They Work and Why You Need Them
- Combating Cyber Attacks With SOAR
User and entity behavior analytics Guide
UEBA stands for User and Entity Behavior Analytics which is a category of cybersecurity tools that analyze user behavior, and apply advanced analytics to detect anomalies.
See top articles in our User and Entity Behavior Analytics guide
- What Is UEBA and Why It Should Be an Essential Part of Your Incident Response
- User Behavior Analytics (UBA/UEBA): The Key to Uncovering Insider and Unknown Security Threats
- Behavioral Profiling: The Foundation of Modern Security Analytics
Insider Threat Guide
An insider threat is a malicious activity against an organization that comes from users with legitimate access to an organization’s network, applications or databases.
See top articles in our insider threat guide
- Fighting Insider Threats with Data Science
- Insider Threat Indicators: Finding the Enemy Within
- How to Find Malicious Insiders: Tackling Insider Threats Using Behavioral Indicators
Security Operations Centers Guide
A security operations center (SOC) is traditionally a physical facility within an organization, which houses an information security team.
See top articles in our security operations center guide
- How to Build a Security Operations Center for Small Companies
- Security Operations Center Roles and Responsibilities
- SecOps: 7 Steps to Taking DevOps One Step Further
Data Breach Guide
DLP is an approach that seeks to protect business information. It prevents end-users from moving key information outside the network.
See top articles in our DLP guide
- Data Loss Prevention Policy Template
- Data Loss Prevention Tools
- Security Breaches: What You Need to Know
Incident Response Guide
Incident response is an approach to handling security breaches.
See top articles in our incident response guide
- The Complete Guide to CSIRT Organization: How to Build an Incident Response Team
- How to Quickly Deploy an Effective Incident Response Policy
- Incident Response Plan 101: How to Build One, Templates and Examples
Regulatory Compliance Guide
See top articles in our regulatory compliance guide