Cybersecurity is a critical aspect of today’s digital age, where individuals and organizations are susceptible to cyber attacks. As we rely more on technology, cyber attacks become increasingly prevalent, and attackers continue to find new methods to exploit systems. In 2022 alone, Canada saw a 20% increase in cyber attacks, while the global numbers increased by 38%.
This report highlights 15 of the most common cybersecurity attack vectors and the primary methods of cyber defence against each attack.
1. Malware
Malware is a type of software that is designed to damage, disrupt, or gain unauthorized access to a computer system. Malware has evolved over the years from simple “viruses” that could infect a computer, to more elaborate and sophisticated programs that can change form, self-replicate, and attempt to avoid detection across entire networks.
Just as malware has evolved, anti-malware software has evolved with it. While traditional anti-virus software may have been adequate in years past, the best defense against malware today is endpoint detection and response (EDR) software. EDR solutions will detect suspicious programs and prevent them from being installed in the first place, or identify inappropriate system behaviour and quarantine or eradicate the malware. Security awareness training can also be effective in preventing the spread of malware, whether it’s in reminding staff not to insert unknown USB drives into their laptops, not to click on suspicious links in emails, or not to open unknown attachments, any of which could deploy malicious software.
2. Ransomware
Ransomware is a specific type of malware that encrypts a victim’s data. The threat actors first deploy the ransomware, usually via an email attachment or an embedded URL, then demand payment from the victim to decrypt and release the data. In the case of “double extortion” ransomware attacks, the criminals will first steal a copy of the data before encrypting it. They can then demand a ransom to release the locked files and try to force the victim into paying more money to prevent the exfiltrated data from being released or re-sold on the dark web. Ransoms are usually demanded in the form of cryptocurrency.
Verizon’s 2022 Data Breach Investigations Report suggested a 13% rise in ransomware attacks in 2022 year-over-year from 2021. This rise is a greater increase than the previous five years combined. The primary method of cyber defence against ransomware is to have current backup copies or archives of your information. In this way, even if the data is encrypted on the network, the victim can revert to previous versions with little to no loss of the affected information. Hackers understand this approach and will attempt to encrypt backups at the same time as they compromise live data; therefore, it is essential to keep backups separate (physically or logically) from production data to prevent this from happening.
3. Cryptojacking
Cryptojacking is a specific type of malware, and is one of the few cyber attacks in which the attackers do not want to take down your systems. Cryptojacking schemes involve hijacking a victim’s computer to use some of its processing resources to mine cryptocurrency without their knowledge or consent. The malware is designed to run stealthily on an infected system; victims will often have a vague sense that their systems are running slower, but may not be aware that their systems have been compromised for weeks or months.
Cisco’s 2021 Cyber Security Threat Trends report revealed that 69% of organizations surveyed had experienced some level of unsolicited cryptomining. The best defense against cryptojacking attacks is endpoint detection and response (EDR) software. EDR solutions will detect and disable unauthorized programs or suspicious behaviours to protect the system from misuse. Firewalls and system monitoring software can also be effective in spotting unauthorized traffic, data flows, or excessive resource usage on systems.
4. Business Email Compromise (BEC)
Business Email Compromise is a common type of attack that targets businesses using compromised email accounts to deceive employees into divulging sensitive information or even making financial transactions. Emails may be spoofed to make them appear like they are coming from a legitimate source or a real user account that can be used fraudulently to issue requests for information or money. This can lead to unauthorized wire transfers, invoice fraud, and identity theft.
The IBM Cost of a Data Breach 2022 report found that business email compromises were the second most costly type of attack at an average of $4.89M (USD), and had the second highest mean time to identify and contain, at 308 days. There are three key methods of defending against business email compromise. To reduce the risk of email spoofing, best practices must be observed (e.g., correct and secure configuration of DKIM, SPF, and DMARC email authentication in the organization’s DNS) to verify the authenticity of emails. Implementing multi-factor authentication can greatly reduce the risk of unauthorized access to email systems, even if a password is compromised. Finally, security awareness training is essential to help prevent users from falling for fraudulent requests coming from real email addresses. BEC attacks will often have red flags like undue urgency, odd phrasing, and unfamiliar procedures: when staff are trained to recognize these signs, they can react with appropriate skepticism.
DKIM (DomainKeys Identified Mail) is a protocol that allows an organization to place a verifiable digital signature on transmitted messages. SPF (Sender Policy Framework) records list the IP addresses of an organization’s authorized email servers. DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers how to handle messages that fail SPF or DKIM verification, and where to send reports about those failures back to the domain owner.
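The following is an added example, not code from the original article, showing how a receiving mail server evaluates an SPF record against the connecting IP and then applies a DMARC policy. The DNS TXT records are constructed for a hypothetical domain; DKIM signature verification (which needs the signer’s public key) is left out, and only the ip4/ip6 SPF mechanisms are evaluated.

```python
import ipaddress

# Constructed sample DNS TXT records for a hypothetical domain (not real data).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

# SPF qualifier prefixes and the result they yield when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate an SPF record against the connecting IP address.

    Only ip4/ip6 mechanisms and the final 'all' term are handled here;
    include/a/mx mechanisms need DNS lookups and are treated as non-matching.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6") and value:
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # malformed network in the record: skip the term
            if ip in network:  # False when address families differ
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term (RFC 7208 default)


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_disposition(record, spf_aligned_pass, dkim_aligned_pass):
    """Apply the published policy: deliver if SPF or DKIM passes with an
    aligned domain, otherwise do what the 'p' tag says."""
    if spf_aligned_pass or dkim_aligned_pass:
        return "deliver"
    policy = parse_dmarc(record).get("p", "none")
    return {"none": "deliver (report only)", "quarantine": "quarantine",
            "reject": "reject"}[policy]
```

A domain that publishes `p=none` still gets reports but no enforcement, which is why a spoofed message from an unauthorized server is only blocked once the policy is raised to `quarantine` or `reject`.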
5. Social Engineering
Social engineering attacks can take many forms. They involve the use of psychological manipulation to deceive individuals into divulging private or sensitive information. The threat actor can then pivot this information into identity theft or unauthorized system access. Some examples of social engineering include:
- Bait and switch (or “Pharming”): In this type of attack, the attacker creates a fake website or mobile app that looks legitimate. When the victim enters their login credentials or other sensitive information, the attacker steals this data for identity theft, financial gain, or other credential abuse.
- Tailgating or Piggybacking: This is an attack in which the attacker follows someone into a secure area, such as a building, office, or server room, without proper authorization. The attacker may be dressed as a service provider, or pretend they are a staff member who has forgotten their access passcard for the facility. Once they have gained access, they can resort to other measures to breach systems to access sensitive information.
- Impersonation: In this type of social engineering attack, the threat actor will pose as a third party to trick a victim into divulging personal or sensitive information. For example, they may fake an identity on social media to make a connection and begin to extract personal information, or they may call an office posing as a loan officer to get access to an employee’s address, salary, and contact information.
- Reverse social engineering: In this type of attack, the attacker first gains the victim’s trust and then convinces them to perform an action that compromises their security. For example, they might pose as an IT worker and ask the victim to disable a security feature or share a password.
The primary method of cyber defence against social engineering is to educate employees about the risks of sharing sensitive information and to implement multi-factor authentication for access to critical systems to mitigate the risk of disclosing a password.
6. Phishing
Phishing is a specific type of online social engineering that is so prevalent it deserves its own section. Phishing involves a threat actor sending fraudulent emails that appear to be from a legitimate source, often to trick the recipient into revealing sensitive information or downloading malware. Phishing has “cousins”: smishing (sending phishing messages via SMS texts) and vishing (sending phishing messages by voice over the phone). Where phishing campaigns can be sent to tens of thousands of targets, spearphishing is a more focused attack, with messages tailored to specific victims. And to extend the metaphor, a spearphishing attack on a senior executive or wealthy individual is often called whaling.
The IBM Security X-Force Threat Intelligence Index 2023 identified phishing as the most widely-used initial exploit at 41% of all cases handled by their team. A robust email filtering and protection solution is essential to defend against phishing attacks. Having the right tools in place will filter out most of the “known” phishing emails by inspecting their origin, format, or other obvious indications of a phishing message. These solutions will inspect and block potentially harmful messages before users ever get a chance to see them. Of course, these solutions can be imperfect and less effective against customized, focused attacks like spearphishing and whaling. Therefore, security awareness training is also an essential defence against these types of attacks. All staff must be educated about the risks of clicking links or downloading attachments from unknown sources.
7. Distributed Denial-of-Service (DDoS)
DDoS attacks involve overwhelming a website or network with traffic from multiple sources, making the site or services inaccessible. This can put your internal systems out of commission and prevent visitors from accessing your websites and services. The traffic is coordinated and launched from a wide distribution of locations, often representing systems infected with malware. These originating systems are called “bots,” as they robotically send signals to attack innocent targets. Bots will often number in the tens of thousands in coordinated attacks. A “botnet” describes the network of “bots” used to launch the attack.
Cisco analysts estimate that DDoS attacks will grow to 15.4 million in 2023, more than double the 7.9 million attacks detected in 2018. While no defence can block every DDoS attack, the key measures to take involve the implementation of network and web application firewalls, implementing Intrusion Detection and Intrusion Prevention Systems (IDS and IPS) and the use of traffic filtering techniques (either in-house or more often through a content delivery network (CDN) service, which can filter malicious traffic at scale).
8. Web Compromise
As the face of an organization to the outside world on the Internet, websites and mobile apps are frequent targets of cyber attacks. Hackers take a variety of approaches to compromise these systems.
- “SQL Injection” is a web application attack that exploits vulnerabilities in a website’s database by inserting malicious code into SQL statements. These statements are then posted to the website to “break” the site or expose security gaps that enable hackers to gain a foothold in the compromised system.
- “Cross-Site Scripting” (XSS) attacks involve the injection of malicious scripts into otherwise trustworthy sites, thereby allowing attackers to bypass security controls.
- “Web skimming” or “web scraping” attacks involve inserting malicious code into e-commerce websites. In these cases, attackers can copy personal financial information as the customer enters it. This is another example of an attack which seeks to run silently, stealing data over an extended period while not being detected.
- “API attacks” involve the malicious use of an Application Programming Interface (API) – a software layer offered by a site or service to allow external parties to communicate electronically. Hackers will abuse APIs to penetrate a system or gain unauthorized access to data or resources.
The IBM Security X-Force Threat Intelligence Index 2023 identified public-facing application exploits as the second most widely-used initial exploits (trailing only phishing), with 26% of the reports handled by the IBM team. A coordinated effort is required to help prevent these types of Internet-based attacks.
Secure coding practices and formal DevSecOps practices are required to develop safe programs. Penetration testing (“pen testing”) or ethical hacking exercises are recommended to identify and fix potential security gaps before threat actors discover them. Web application firewalls (WAFs) and appropriate network segmentation are important to protect user-facing systems and internal networks. A robust patch management system is a complementary step, ensuring that known flaws in website platforms and operating system software are remediated before they can be exploited.
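To make the SQL injection bullet and the secure-coding defence concrete, here is an added example (not code from the original article) showing the defect beside its fix, using Python’s sqlite3 module with a constructed in-memory table. The vulnerable function splices user input into the SQL text; the hardened one passes it as a bound parameter so the database never interprets it as code.

```python
import sqlite3


def make_db():
    """Build an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_user_vulnerable(conn, username):
    """Defect: string formatting turns attacker-controlled input into SQL.

    A value containing a quote can close the literal and append conditions,
    so a request for one username can return (or alter) unrelated rows.
    """
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def lookup_user_hardened(conn, username):
    """Fix: a parameterized query. The driver sends the value separately from
    the statement, so quotes in the input are data, not SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def compare(username):
    """Run both variants on the same input; returns (vulnerable, hardened)."""
    conn = make_db()
    return lookup_user_vulnerable(conn, username), lookup_user_hardened(conn, username)
```

A web application firewall can catch the crudest versions of this input, but the parameterized query removes the bug itself, which is the point of the secure-coding and pen-testing practices described above.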
9. Insider Threats
Most of the threats described involve external attackers. But it is an unfortunate reality that insider threats are a real problem as well. Insider threats can be unintentional or intentional, and can occur for various reasons, such as disgruntlement, carelessness, or lack of awareness.
A 2022 Ponemon report showed that 3,807 (or 56%) of the attacks reported were caused by employee or contractor negligence, costing on average $484,931 USD per incident. Appropriate governance and a zero-trust security framework can help reduce the risk of internal threat actors. A well-constructed recruitment and vetting process will help identify potential bad actors before they walk in the door. Many organizations have implemented multi-layer background check protocols to identify and avoid potentially risky hires. And once staff have been onboarded, a zero-trust approach will help ensure that all personnel only have access to data when, where, and how it has been authorized.
10. Man-in-the-Middle (MITM) Attacks
Man-in-the-Middle (MITM) attacks involve attackers intercepting communication between two parties to eavesdrop on sensitive information, modify the content of the communication, or even inject malware into data exchanges. MITM attacks can occur on both wired and wireless networks, and attackers can use various methods to execute the attack, including Wi-Fi eavesdropping, DNS spoofing, and session hijacking.
The primary method of defense against MITM attacks is to use encryption technologies to protect information in transit. MITM attacks are commonplace on public Wi-Fi networks, so these should be avoided, particularly if you are handling private or sensitive information. A mitigation strategy for public Wi-Fi is to use an approved Virtual Private Network (VPN) solution.
11. Internet of Things (IoT) Attacks
IoT devices, such as smart home devices and appliances, industrial sensors and systems, and networkable medical devices, are increasingly being targeted by cyber attackers. Many of these devices are vulnerable to cyber attacks that exploit poor configurations or weak security protocols. IoT attacks can result in the theft of personal data, remote access to devices, and the use of devices for botnet attacks.
The primary defence against IoT attacks is to segment IoT devices from critical systems, disable unnecessary features, and keep firmware up to date. Using vulnerability management tools will help a busy enterprise or municipality stay on top of its fleet of IoT devices. And a well-defined governance structure in place to vet devices for security capabilities and harden them before deployment is an essential preventative measure.
12. Password Attacks
Password attacks involve attempting to guess or steal a user’s password to gain unauthorized access to their accounts or systems. Password attacks can be carried out using various methods, including brute force, dictionary attacks, and phishing. Brute force attacks involve attempting to guess a user’s password by systematically trying different combinations of characters until the correct one is found. Brute force attacks can be automated and are often used against poorly secured systems or accounts with weak passwords.
In an industry survey, 30% of those surveyed reported a breach due to a weak password. Password reuse and password sharing remain widespread problems. The primary method of defence against password attacks is to use strong passwords, implement multi-factor authentication, and use password management tools. Systems should also be designed to lock accounts after repeated unsuccessful login attempts, and SIEM solutions can be used to watch for unusual or excessive login attempt/failure patterns.
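As an added example (not part of the original article), the following detection logic illustrates the lockout and SIEM monitoring defences above: it parses constructed sshd-style log lines and flags both a single account under brute force and a single source “spraying” guesses across many accounts. The log lines, thresholds and five-minute window are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style sample lines (not real logs): one account hammered from
# one source, one source spraying many accounts, and a legitimate user's typo.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:02 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:03 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:04 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:05 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:00:06 sshd: Failed password for alice from 198.51.100.7
2024-03-01T10:05:00 sshd: Failed password for bob from 203.0.113.9
2024-03-01T10:05:10 sshd: Failed password for carol from 203.0.113.9
2024-03-01T10:05:20 sshd: Failed password for dave from 203.0.113.9
2024-03-01T10:05:30 sshd: Failed password for erin from 203.0.113.9
2024-03-01T10:05:40 sshd: Failed password for frank from 203.0.113.9
2024-03-01T10:30:00 sshd: Failed password for alice from 192.0.2.44
2024-03-01T10:30:05 sshd: Accepted password for alice from 192.0.2.44
"""

FAILURE_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def parse_failures(log_text):
    """Return (timestamp, account, source_ip) for each failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def _burst(timestamps, window, threshold):
    """True if at least `threshold` timestamps fall inside any sliding `window`."""
    timestamps = sorted(timestamps)
    for i, start in enumerate(timestamps):
        if sum(1 for t in timestamps[i:] if t - start <= window) >= threshold:
            return True
    return False


def detect(log_text, window=timedelta(minutes=5), lockout_after=5, spray_accounts=4):
    """Flag accounts to lock (many failures on one account) and sources that
    look like password spraying (one IP failing against many accounts)."""
    by_account, by_source = defaultdict(list), defaultdict(lambda: defaultdict(list))
    for ts, account, ip in parse_failures(log_text):
        by_account[account].append(ts)
        by_source[ip][account].append(ts)
    alerts = []
    for account, times in by_account.items():
        if _burst(times, window, lockout_after):
            alerts.append(("lock_account", account))
    for ip, accounts in by_source.items():
        # Count each account's earliest failure so one hammered account counts once.
        first_tries = [min(times) for times in accounts.values()]
        if _burst(first_tries, window, spray_accounts):
            alerts.append(("password_spray", ip))
    return alerts
```

The spray rule matters because a per-account lockout alone never fires when an attacker tries one guess against each of many accounts; the single failed attempt from 192.0.2.44 followed by a success produces no alert.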
13. Supply Chain Attacks
Supply chain attacks involve exploiting vulnerabilities in a company’s software or service supply chain to gain access to its systems and data. Supply chain attacks can occur via various channels, including software updates, third-party vendors, and suppliers.
Sonatype’s 8th Annual State of the Software Supply Chain reported a remarkable 742% average annual increase in software supply chain attacks from 2020 to 2022. A strong security infrastructure featuring a zero-trust architecture is the best defence against a supply chain attack. Even if third-party software is tainted or a partner in the supply chain is compromised, strict access controls and following best practices will prevent the threat actor from moving laterally within the organization.
14. Zero-day Exploits
Zero-day exploits involve attackers exploiting software or hardware vulnerabilities that are not yet known to the vendor or other security researchers. Zero-day exploits can be used to gain unauthorized access to systems, steal sensitive information, or carry out other malicious activities.
Splunk’s The State of Security 2023 analysis suggested that zero-day vulnerabilities in applications and operating systems were among the most significant business concerns, appearing on 32% of respondents’ “top three” lists: more than any other threat vector. The primary method of defence against zero-day exploits is to implement a robust vulnerability management program that includes regular vulnerability scanning and prompt patching of vulnerabilities once fixes have been released or the vendors have published appropriate risk mitigation strategies.
15. Advanced Persistent Threats (APT)
APTs are the ultimate stealthy cyber attack. As the name implies, advanced persistent threats are:
- usually complex and sophisticated, and
- carried out over an extended period, often weeks or even months.
APTs involve multiple stages in their execution of the exploit, including reconnaissance, intrusion, and data exfiltration, all done as quietly as possible to avoid detection. The longer the APT attack lasts, the more lucrative it can be for the attackers. APTs are often carried out by nation-state actors or other highly skilled attackers.
As they are among the most sophisticated attacks, layered defences are required to prevent them from being successful. Even if a threat actor can breach one layer of a system, subsequent defensive measures should be in place at every level to prevent lateral movement and a more comprehensive compromise. Strong governance practices, identity and access controls, segmented network design, advanced SIEM monitoring, threat intelligence, and threat-hunting solutions help reduce exposure.
This primer illustrates that no silver bullet is available to face every cyber threat. There is no one-size-fits-all solution. The best answer is to always understand your risk areas and build a thoughtful, layered approach to cyber defences. This will make it difficult for threat actors to breach your system and make it hard for them to pivot within your system to cause further damage. If you are looking for guidance on building a strategy to defend your business from the common threats outlined – and more – contact ISA Cybersecurity today.