Although every cyber-attack is individual, the strategies and tactics overall are often very similar and fall into a number of methods. Cyber criminals draw upon common types of hacking techniques that are proven to be highly effective. Here we look at 11 of the most common cyber-attack methods.
An attack vector is a pathway or means by which a hacker gains access to breach or infiltrate your network in order to conduct an attack. Attack vectors enable hackers to exploit system vulnerabilities, and this includes the human element (social engineering).
By understanding the basic types of attack a malicious actor might try to use the knowledge can help you to better defend yourself. Here’s an overview of 11 of the most common cyber-attacks seen today.
1. Compromised Credentials / Weak and Stolen Credentials
The constant top attack vector relates to credentials; compromised credentials account for more than 80% of breaches globally.
Today, users have so many log-ins and passwords to remember that it’s often tempting to re-use them to make life easier. Despite security best-practice recommending unique password use for all applications and website log-ins, people still re-use passwords and cyber-attackers rely on this.
Passwords are re-used an average of 2.7 times, and just one breached credential then provides attackers access to multiple accounts by the user.
Attackers can easily acquire lists of usernames and passwords from breached websites or services that are then available on the black-market / dark web. They’ll then try using these credentials on other websites with the chance the credentials have been re-used.
Multi-factor authentication and password managers are both suggested good practices to help against this common attack vector, but no prevention method is 100% guaranteed.
2. Malicious Insiders / Insider attacks
Not every network attack is performed by an unknown person from outside an organisation.
Insider threats are attacks carried out by an internal employee / colleague who is actually authorised to access the system and then abuses this. Insiders who perform these attacks have the advantage of already having access to the company information systems they attack in comparison to unknown attackers.
Not all insider attacks are necessarily malicious. There are occasions when naïve employees can inadvertently expose sensitive data or accidently provide access.
There is less security against insider attacks in most businesses as the focus and thoughts tend to be aimed at defending against external attacks. Since the ‘attacking’ user is considered legitimate, it can be more difficult to detect this type of attack.
Insider threats can affect all elements of computer security and range from inserting viruses and crashing systems to stealing sensitive data.
Many breaches have been as a result of misconfiguration. In December 2019 Microsoft disclosed a data breach due to a change made to the database’s network security group which contained misconfigured security rules that enabled exposure of the data.
In 2020, the French sporting retail giant Decathlon suffered exposed user data via a misconfigured database, leaking over 123 million records including customer and employee information.
Gaming hardware giant Razer exposed customer data via misconfigured database. Virgin Media confirmed ‘misconfigured database’ had left personal data of 900,000 people exposed, and we learned that Pfizer suffered a huge data breach because of unsecured cloud storage. The exposed data, including email addresses, home addresses, full names, and other HIPAA related information, was found on a misconfigured cloud storage bucket.
There have been dozens of breaches related to misconfiguration. The oversights are often the result of well-intentioned developers rushing to get the product to market, or they are unfamiliar with secure configuration of the services that they are using. Avoiding misconfigurations isn’t easier, but procedures to audit and automate a secure configuration are a good start.
Phishing is a type of ‘social engineering’ by which a cyber-criminal creates an email to fool a recipient into taking some action resulting in harmful consequences. For example, they could be tricked into downloading malware that’s disguised as an important attachment or urged to click on a link to a fake website where they’ll be asked for sensitive information.
Many phishing emails tend to be quite basic with key indicators of being fake (eg spelling errors, misspelt email address) but can be automated to send to thousands of potential recipients in the hope to ‘catch’ one or a few naïve users and gain their data, such as credit card numbers and login credentials.
Some are, however, specifically created and aimed at individuals to try to get them to part with useful information, this is known a spear phishing. An employee is observed and then targeted. This forms part of what is known as the rising threat of Business Email Compromise (BEC).
The attacker impersonates a trusted individual or legitimate business and tricks the victim to open a text message, email, or instant message. The recipient is then deceived to either click on an attachment which in turn installs malware onto the device or network, or open a malicious link that can also cause malware installation, system-freezing (as part of a ransomware attack), reveal sensitive information, or request sensitive data input.
Phishing attacks are a common weapon of choice as they rely on human impulse and curiosity, and the human action is the most difficult part of cyber security to manage.
To combat phishing attempts it’s important to look out for some key indicators of being fake. Take a look at the Phishing infographic for basic indicators to look out for.
5. Trust Relationships / Third Party / Supply Chain
There are many interconnected systems, both within and across organisations and this complex set of connections can be exploited by attackers. Third-party organizations can be major vectors of attack in cybersecurity, these attacks occur when someone infiltrates a system through an outside partner or provider with access to the systems and data.
This happened in the Target breach where the initial infiltration was via a third-party vendor.
This is the reason why organisations large and small together with their business partners must foster a culture where cyber security best practices are shared and mutual transparency is demonstrated.
According to a survey conducted in 2017 by the Ponemon Institute, 56 percent of organizations have had a breach that was caused by one of their vendors.
Minimizing privileges, leveraging zero-trust and privileged access management are also key in helping to prevent such attacks.
6. Zero-Day Vulnerabilities
Zero-days are unknown security vulnerabilities or software flaws that have yet to be fixed and are targeted by attackers with malicious code.
The name ‘zero-day’ is used in reference to the number of days that a software vendor has known about the exploit. Once a patch is released, each day represents fewer and fewer computers open to attack, as users download their security updates. But attackers may have already written malware that slips through the security hole and can then compromise a device or network. Once the vulnerability becomes publicly known, the vendor has to work quickly to fix the issue to protect its users.
Techniques for exploiting such vulnerabilities are often bought and sold on the dark web.
A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time. Zero-day vulnerability threat detection requires constant awareness.
7. Brute-Force Attack (and Dictionary Network Attacks)
The term-brute force means overpowering the system through trial and error repetition. Brute-force and Dictionary Network attacks are attacks where the attacker tries to log into a user’s account simply by systematically checking and trying all possible passwords until finding the correct one. Brute-force dictionary are simple and reliable – attacks can make 100 to 1,000 attempts per minute as attackers let a computer do the work – trying different combinations of usernames and passwords until they find one that works.
When hacking passwords, brute force requires dictionary software that combines dictionary words with thousands of different variations.
After several hours or days, brute-force attacks can eventually crack any password. Brute force attacks reiterate the importance of password best practices, especially on critical resources such as network switches, routers and servers.
The length of time required to crack a short password (such as a four-digit PIN) could take under a minute. Extending it to six characters might take more like an hour. Further extension to eight characters, using both letters and symbols, could in turn, take days. By increasing the number and mixing the characters increases the amount of time necessary for a brute-force attack to discover the password. Therefore a strong, lengthy password, could take weeks or months. But, with enough time, computing power and dedication an attacker will ultimately solve the password.
8. Denial of Service and Distributed Denial of Service
A denial of service (DoS) aims at shutting down a network or service making it inaccessible to its users by flooding the resources of the system and rendering it useless. Attackers overwhelm the target with, for example, web traffic or so many requests that its systems can’t function and crashes, making it unavailable to anyone. The DoS attack denies legitimate users such as employees or account holders the resource or service they expected.
A distributed denial of service (DDoS) attack uses an army of computers, usually compromised by malware and under the control of cyber criminals, to funnel the traffic towards the targets. This type of attack can be difficult to overcome ss the it can appear to be coming from many different IP addresses at the same time, making it incredibly difficult to determine the source of the attack.
High-profile organisations such as banks, media companies, commerce and government are often targeted. These attacks don’t involve loss or theft of sensitive information, but they can cost a victim lots of money and time to mitigate. DDoS is also often used as a distraction from other network attacks taking place.
Short for malicious software, malware is a blanket term that can refer to any kind of software that is intentionally designed to cause damage to a computer, server, client or network and then breaches the network through a vulnerability. I.e., software is identified as malware based on its intended use, rather than a particular technique or technology used to build it. In contrast, software that causes unintentional harm, due to a deficiency of some kind, is typically described as a software bug.
Malware is about making money from the victim illicitly. Code is stealthily inserted and affects the compromised computer system without the knowledge or consent of the user. Once inside a system, malware can perform a number of assaults and wreak havoc. Malware appears in forms such as; spyware, ransomware, viruses, trojans and worms (the latter are distinguished from one another by the means in which they reproduce and spread).
Malware can spread across a network using a variety of physical and virtual means. Malicious software can be delivered into a system via a USB drive or can be spread via the internet with ‘drive-by’ downloads that automatically download the malicious programs to the system without the user’s knowledge.
Best practices to help prevent malware is to ensure all systems have the latest anti-virus software installed and limit user privileges.
Man-in-the-middle (MITM) attacks are a type of cybersecurity by which attackers manage to insert themselves inconspicuously between the user and a web service they’re transacting with. This then allows the attacker to intercept and eavesdrop on communication between two legitimate communicating parties – hence the name ‘man-in-the-middle’.
Sessions between a device and web server have a unique session ID. The MITM attacker hijacks the session by capturing the session ID. They impersonate the device making a request which in turn allows them to log in and gain access.
The two legitimate parties communicate as normal, as they don’t know that the message sender is an unknown perpetrator trying to access or alter the message before it is transmitted to the receiver. The attacker therefore has control of the whole communication.
Two common points of entry for MitM attacks are; via an unsecure public WiFi and by installing software to a breached device so the attacker can access all of the victim’s data.
11 SQL injection
SQL (pronounced ‘sequel’) stands for structured query language – is a programming language used to communicate with databases. SQL injection is a means by which an attacker can exploit a vulnerability to then take control of a user’s database.
Many servers storing critical data use SQL to manage the data in their databases. The databases are designed to obey commands written in SQL, and many websites that take information from users send the data given to SQL databases.
An SQL injection attack specifically targets this type of server. A hacker will write and insert malicious code to get the server to then share information and allow the attacker control of the database. SQL injections are among the most frequent threats to data security.