What Is a Cyber Attack?
A cyber attack is a set of actions performed by threat actors, who try to gain unauthorized access, steal data or cause damage to computers, computer networks, or other computing systems. A cyber attack can be launched from any location. The attack can be performed by an individual or a group using one or more tactics, techniques and procedures (TTPs).
The individuals who launch cyber attacks are usually referred to as cybercriminals, threat actors, bad actors, or hackers. They can work alone, in collaboration with other attackers, or as part of an organized criminal group. They try to identify vulnerabilities—problems or weaknesses in computer systems—and exploit them to further their goals.
Cybercriminals can have various motivations when launching cyber attacks. Some carry out attacks for personal or financial gain. Others are “hacktivists” acting in the name of social or political causes. Some attacks are part of cyberwarfare operations conducted by nation states against their opponents, or operating as part of known terrorist groups.
Cyber Attack Statistics
What are the costs and impact of cyber attacks for businesses?
The global cost of cyber attacks is expected to grow by 15% per year, reaching over $10 trillion. A growing part of this cost comes from ransomware attacks, which now cost businesses in the US $20 billion per year.
The average cost of a data breach in the US is $3.8 million. Another alarming statistic is that public companies lose an average of 8% of their stock value after a successful breach.
How well are organizations prepared for cyber attacks?
In a recent survey, 78% of respondents said they believe their company’s cybersecurity measures need to be improved. As many as 43% of small businesses do not have any cyber defenses in place. At the same time, organizations of all sizes are facing a global cybersecurity skills shortage, with almost 3.5 million open jobs worldwide, 500,000 of them in the US alone.
Cyber Attack Examples
Here are a few recent examples of cyber attacks that had a global impact.
Kaseya Ransomware Attack
Kaseya, a US-based provider of remote management software, experienced a supply chain attack, which was made public on July 2, 2021. The company announced that attackers could use its VSA product to infect customer machines with ransomware.
The attack was reported to be highly sophisticated, chaining together several new vulnerabilities discovered in the Kaseya product: CVE-2021-30116 (credentials leak and business logic flaw), CVE-2021-30119 (XSS), and CVE-2021-30120 (two-factor authentication flaw). The malware exploiting these vulnerabilities was pushed to customers using a fake software update labelled “Kaseya VSA Agent Hot Fix”.
The attack was carried out by the Russian-based REvil cybercrime group. Kaseya said less than 0.1% of their customers were affected by the breach, however, some of them were managed service providers (MSP) who used Kaseya software, and the attack affected their customers. A short time after the attack, press reports said 800-1500 small to mid-sized companies were infected by REvil ransomware as a result of the attack.
SolarWinds Supply Chain Attack
This was a massive, highly innovative supply chain attack detected in December 2020, and named after its victim, Austin-based IT management company SolarWinds. It was conducted by APT 29, an organized cybercrime group connected to the Russian government.
The attack compromised an update meant for SolarWinds’s software platform, Orion. During the attack, threat actors injected malware, which came to be known as the Sunburst or Solorigate malware, into Orion’s updates. The updates were then distributed to SolarWinds customers.
The SolarWinds attack is considered one of the most serious cyber espionage attacks on the United States, because it successfully breached the US military, many US-based federal agencies, including agencies responsible for nuclear weapons, critical infrastructure services, and a majority of Fortune 500 organizations.
Amazon DDoS Attack
In February 2020, Amazon Web Services (AWS) was the target of a large-scale distributed denial of service (DDoS) attack. The company experienced and mitigated a 2.3 Tbps (terabits per second) DDoS attack, which had a packet forwarding rate of 293.1 Mpps and a request rate per second (rps) of 694,201. It is considered one of the largest DDoS attacks in history.
Microsoft Exchange Remote Code Execution Attack
In March 2021, a large-scale cyber attack was carried out against Microsoft Exchange, a popular enterprise email server. It leveraged four separate zero-day vulnerabilities discovered in Microsoft Exchange servers.
These vulnerabilities enable attackers to forge untrusted URLs, use them to access an Exchange Server system, and provide a direct server-side storage path for malware. It is a Remote Code Execution (RCE) attack, which allows attackers to completely compromise a server and gain access to all its data. On affected servers, attackers stole sensitive information, injected ransomware, and deployed backdoors in a way that was almost untraceable.
In the United States alone, the attacks affected nine government agencies and more than 60,000 private businesses.
Twitter Celebrities Attack
In July 2020, Twitter was breached by a group of three attackers, who took over popular Twitter accounts. They used social engineering attacks, later identified by Twitter as vishing (phone phishing), to steal employee credentials and gain access to the company’s internal management systems.
Dozens of well-known accounts were hacked, including Barack Obama, Jeff Bezos, and Elon Musk. The attackers used the stolen accounts to post bitcoin scams and earned more than $100,000. Two weeks after the events, the US Justice Department charged three suspects, one of whom was 17 years old at the time.
Other Notable Attacks
- Marriott’s Starwood Hotels announced a breach that leaked the personal data of more than 500 million guests.
- UnderArmor’s MyFitnessPal brand leaked the email addresses and login information of 150 million user accounts.
- The WannaCry ransomware attack affected more than 300,000 computers in 150 countries, causing billions of dollars in damages.
- Equifax experienced an open source vulnerability in an unpatched software component, which leaked the personal information of 145 million people.
- The NotPetya attack hit targets around the world, with several waves continuing for more than a year, costing more than $10 billion in damage.
- An attack on the FriendFinder adult dating website compromised the data of 412 million users.
- Yahoo’s data breach incident compromised the accounts of 1 billion users, not long after a previous attack exposed personal information contained in 500 million user accounts.
6 Types of Cyber Attacks
While there are thousands of known variants of cyber attacks, here are a few of the most common attacks experienced by organizations every day.
Ransomware
Ransomware is malware that uses encryption to deny access to resources (such as the user’s files), usually in an attempt to compel the victim to pay a ransom. Once a system has been infected, files are encrypted with a key the victim does not hold, and the victim must either pay the ransom to unlock the encrypted resources, or use backups to restore them.
Ransomware is one of the most prevalent types of attacks, with some attacks using extortion techniques, such as threatening to expose sensitive data if the target fails to pay the ransom. In many cases, paying the ransom is ineffective and does not restore the user’s data.
Malware
There are many types of malware, of which ransomware is just one variant. Malware can be used for a range of objectives, from stealing information, to defacing or altering web content, to damaging a computing system permanently.
The malware landscape evolves very quickly, but the most prevalent forms of malware are:
- Botnet malware—adds infected systems to a botnet, allowing attackers to use them for criminal activity
- Cryptominers—mine cryptocurrency using the target’s computer
- Infostealers—collect sensitive information from the target’s computer
- Banking trojans—steal financial and credential information for banking websites
- Mobile malware—targets devices via apps or SMS
- Rootkits—give the attacker complete control over a device’s operating system
DoS and DDoS Attacks
Denial-of-service (DoS) attacks overwhelm the target system so it cannot respond to legitimate requests. Distributed denial-of-service (DDoS) attacks are similar but involve multiple host machines. The target site is flooded with illegitimate service requests and is forced to deny service to legitimate users. This is because servers consume all available resources to respond to the request overload.
These attacks don’t provide the attacker with access to the target system or any direct benefit. They are used purely for the purpose of sabotage, or as a diversion used to distract security teams while attackers carry out other attacks.
Firewalls and network security solutions can help protect against small-scale DoS attacks. To protect against large-scale DDoS attacks, organizations leverage cloud-based DDoS protection, which can scale on demand to absorb a huge number of malicious requests.
Phishing and Social Engineering Attacks
Social engineering is an attack vector that relies heavily on human interaction, used in over 90% of cyber attacks. It involves impersonating a trusted person or entity, and tricking individuals into granting an attacker sensitive information, transferring funds, or providing access to systems or networks.
Phishing attacks occur when an attacker sends a message that appears to come from a trusted, legitimate source in order to obtain sensitive information from the target. The name “phishing” alludes to the fact that attackers are “fishing” for access or sensitive information, baiting the unsuspecting user with an emotional hook and a trusted identity.
As part of a phishing message, attackers typically send links to malicious websites, prompt the user to download malicious software, or request sensitive information directly through email, text messaging systems or social media platforms. A variation on phishing is “spear phishing”, where attackers send carefully crafted messages to individuals with special privileges, such as network administrators, executives, or employees in financial roles.
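The indicators described above (a trusted identity, a pressure cue, a reply path the victim does not expect) can be checked mechanically before a message reaches a mailbox. The following Python is an added example written for this page, not code from the original article or from Imperva; the trusted domains, the urgency words and the three sample messages are all constructed, and the two-edit lookalike threshold is an assumption chosen for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the domains this organization treats as its own (constructed for the example).
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}
URGENCY_RX = re.compile(r"\b(urgent|immediately|today|overdue)\b", re.I)

# Constructed messages in raw RFC 5322 form; none of these are real mail.
SAMPLE_MESSAGES = [
    "\n".join([
        "From: Finance Team <finance@example.com>",
        "To: cfo@example.com",
        "Subject: Q3 report",
        "",
        "Attached as discussed.",
    ]),
    "\n".join([
        "From: Finance Team <finance@exarnple.com>",   # 'rn' standing in for 'm'
        "Reply-To: boss@freemail-example.net",
        "To: cfo@example.com",
        "Subject: URGENT wire transfer needed today",
        "",
        "Please act immediately.",
    ]),
    "\n".join([
        'From: "ceo@example.com" <random123@freemail-example.net>',
        "To: cfo@example.com",
        "Subject: quick favour",
        "",
        "Are you at your desk?",
    ]),
]


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    """Return the phishing indicators found in one message (empty list = nothing suspicious)."""
    msg = message_from_string(raw)
    findings = []
    display, sender = parseaddr(msg.get("From", ""))
    domain = sender.rpartition("@")[2].lower()

    # 1. Sender domain is close to, but not equal to, a domain we trust.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(domain, trusted) <= 2:
                findings.append(f"lookalike domain {domain} resembles {trusted}")

    # 2. Display name impersonates a trusted address while the real sender is elsewhere.
    claimed = re.search(r"@([\w.-]+)", display)
    if claimed and claimed.group(1).lower() in TRUSTED_DOMAINS and domain not in TRUSTED_DOMAINS:
        findings.append(f"display name claims {claimed.group(1)} but sender is {domain}")

    # 3. Replies are steered to a different domain than the one the mail came from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append("Reply-To domain differs from From domain")

    # 4. Pressure language in the subject, the "emotional hook" described above.
    if URGENCY_RX.search(msg.get("Subject", "")):
        findings.append("urgency cue in subject")
    return findings


if __name__ == "__main__":
    for raw in SAMPLE_MESSAGES:
        print(raw.splitlines()[0], "->", triage(raw) or "clean")
```

The checks are deliberately independent so that each one can be tuned or reported on its own; a real gateway would combine them with SPF/DKIM/DMARC results and sender reputation rather than act on any single finding.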
Man-in-the-Middle (MitM) Attacks
Man-in-the-Middle (MitM) attacks are breaches that allow attackers to intercept the data transmitted between networks, computers or users. The attacker is positioned in the “middle” of the two parties and can spy on their communication, often without being detected. The attacker can also modify messages before sending them on to the intended recipient.
You can use VPNs or apply strong encryption to access points to protect yourself from MitM attacks.
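The two capabilities the text attributes to the on-path attacker, reading and modifying, are defeated by two different controls: encryption for reading, a message authentication code for modification. The following Python is an added example written for this page, not code from the original article or from Imperva; the shared key and the sample payload are constructed, and the helper names are assumptions. It shows that an unauthenticated edit by the middle party is rejected by the receiver, while the same bytes remain readable because nothing in this example encrypts them.

```python
import hashlib
import hmac
import json

# Assumed: both endpoints already share this key (constructed value; a real deployment
# would derive it from a key exchange or provision it out of band).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

ORIGINAL = {"to": "acct-42", "amount": 100}   # constructed sample message


def protect(key, payload):
    """Sender: serialize the message and append an HMAC-SHA256 tag over the bytes."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify(key, wire):
    """Receiver: recompute the tag and reject anything that does not match.
    Returns the parsed payload, or None if the message was altered or malformed."""
    body, sep, tag = wire.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(body)


def on_path_tamper(wire):
    """Simulates the 'middle' party rewriting one field before forwarding.
    The body travels in clear here, so it can be edited, but the tag cannot be recomputed
    without the key."""
    body, sep, tag = wire.rpartition(b"|")
    payload = json.loads(body)
    payload["amount"] *= 10
    return json.dumps(payload, sort_keys=True).encode() + sep + tag


def on_path_read(wire):
    """Simulates the passive 'spy' case: without encryption the content is fully visible."""
    return json.loads(wire.rpartition(b"|")[0])


if __name__ == "__main__":
    wire = protect(SHARED_KEY, ORIGINAL)
    print("receiver accepts original:", verify(SHARED_KEY, wire))
    print("receiver accepts tampered:", verify(SHARED_KEY, on_path_tamper(wire)))
    print("observer still reads:", on_path_read(wire))
```

In practice both controls come together from TLS (which is what the VPN or "strong encryption" recommendation above provides); the point of separating them here is that integrity protection alone stops the modification, not the eavesdropping.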
Fileless Attacks
Fileless attacks are a new type of malware attack, which takes advantage of applications already installed on a user’s device. Unlike traditional malware, which needs to deploy itself on a target machine, fileless attacks use already installed applications that are considered safe, and so are undetectable by legacy antivirus tools.
Fileless malware attacks can be triggered by user-initiated actions, or may be triggered with no user action, by exploiting operating system vulnerabilities. Fileless malware resides in the device’s RAM and typically accesses native operating system tools, like PowerShell and Windows Management Instrumentation (WMI), to inject malicious code.
A trusted application on a privileged system can carry out system operations on multiple endpoints, making them ideal targets for fileless malware attacks.
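Because fileless attacks leave no binary to scan, detection shifts to process telemetry: which trusted tool was launched, by what parent, and with what arguments. The following Python is an added example written for this page, not code from the original article or from Imperva. The four process-creation events are constructed to resemble Sysmon or EDR records, the encoded command is a harmless string encoded by the example itself, and the parent/child rules are assumptions modelled on common detection content.

```python
import base64
import re


def _encode_ps(command):
    """Builds the -EncodedCommand form (UTF-16LE, base64) used to construct the sample below."""
    return base64.b64encode(command.encode("utf-16le")).decode()


# Constructed process-creation events shaped like Sysmon/EDR records; not real telemetry.
EVENTS = [
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand "
                + _encode_ps("Write-Output 'constructed demo'")},
    {"parent": "WmiPrvSE.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ver"},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WMI_HOST = "wmiprvse.exe"
ENCODED_RX = re.compile(r"-(?:EncodedCommand|enc|ec)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RX = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(cmdline):
    """Return the script carried by an -EncodedCommand argument, or None."""
    m = ENCODED_RX.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event):
    """List the living-off-the-land indicators present in one process-creation event."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    findings = []
    if image not in SCRIPT_HOSTS:
        return findings                      # only script/command hosts are scored here
    if parent in DOCUMENT_APPS:
        findings.append(f"document application {parent} spawned {image}")
    if parent == WMI_HOST:
        findings.append(f"WMI provider host spawned {image}")
    if HIDDEN_RX.search(cmd):
        findings.append("hidden window requested")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(f"encoded command decodes to: {decoded}")
    return findings


def triage(events):
    """Return only the events that produced findings, with their findings attached."""
    return [(e, assess(e)) for e in events if assess(e)]


if __name__ == "__main__":
    for event, findings in triage(EVENTS):
        print(event["parent"], "->", event["image"], findings)
```

Decoding the encoded argument is the part analysts most often need: it turns an opaque blob in the log into the script text that actually ran, which is what the rest of the investigation is built on.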
Cyber Attack Prevention: Common Cybersecurity Solutions
Following are a few security tools commonly deployed by organizations to prevent cyber attacks. Of course, tools are not enough to prevent attacks—every organization needs trained IT and security staff, or outsourced security services, to manage the tools and effectively use them to mitigate threats.
Web Application Firewall (WAF)
A WAF protects web applications by analyzing HTTP requests and detecting suspected malicious traffic. This may be inbound traffic, as in a malicious user attempting a code injection attack, or outbound traffic, as in malware deployed on a local server communicating with a command and control (C&C) center.
WAFs can block malicious traffic before it reaches a web application, and can prevent attackers from exploiting many common vulnerabilities—even if the vulnerabilities have not been fixed in the underlying application. A WAF complements traditional firewalls and intrusion detection systems (IDS) by protecting against attacks at the application layer (layer 7 of the OSI network model).
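At its core the inbound side of a WAF is a request parser plus a rule set applied to every user-controlled field. The following Python is an added example written for this page, not code from the original article or from Imperva's products; the three signatures are deliberately small constructed patterns (a production WAF carries maintained rule sets), and the four raw requests are constructed to show one clean request and one hit per signature.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed signatures for three request-level attack classes; real rule sets are far larger.
SIGNATURES = {
    "sqli": re.compile(r"\bunion\b\s+\bselect\b|'\s*or\s+'?\d+'?\s*=\s*'?\d+|;\s*drop\b", re.I),
    "xss": re.compile(r"<script\b|javascript:|on(?:error|load)\s*=", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}

# Constructed raw requests as they would arrive on the wire (CRLF line endings).
REQUESTS = [
    "GET /search?q=blue+shoes HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "GET /search?q=%27+OR+%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "POST /comments HTTP/1.1\r\nHost: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "comment=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&name=bob",
    "GET /files?name=..%2F..%2Fapp.conf HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and decoded parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {k: v for k, v in (line.split(": ", 1) for line in lines[1:] if ": " in line)}
    parts = urlsplit(target)
    # parse_qs percent-decodes values, so signatures run on what the application would see.
    params = parse_qs(parts.query, keep_blank_values=True)
    if headers.get("Content-Type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return method, parts.path, headers, params


def inspect(raw):
    """Return ("allow" | "block", [(signature, field), ...]) for one raw request."""
    method, path, headers, params = parse_request(raw)
    matches = []
    fields = [("path", path)] + [(k, v) for k, values in params.items() for v in values]
    for name, value in fields:
        for sig, rx in SIGNATURES.items():
            if rx.search(value):
                matches.append((sig, name))
    return ("block" if matches else "allow"), matches


if __name__ == "__main__":
    for raw in REQUESTS:
        print(raw.split("\r\n", 1)[0], "->", inspect(raw))
```

Decoding before matching is the detail that matters most: a rule applied to the raw, still-encoded query string misses the second and third requests entirely, which is the evasion class WAF vendors spend the most effort on.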
DDoS Protection
A DDoS protection solution can protect a network or server from denial of service attacks. It does this using dedicated network equipment, deployed on-premises by the organization, or as a cloud-based service. Only cloud-based services are able to deflect large-scale DDoS attacks, which involve millions of bots, because they are able to scale on demand.
A DDoS protection system or service monitors traffic to detect a DDoS attack pattern, and distinguish legitimate from malicious traffic. When it detects an attack, it performs “scrubbing”, inspecting traffic packets and dropping those that are deemed malicious, preventing them from reaching the target server or network. At the same time, it routes legitimate traffic to the target system to ensure there is no disruption of service.
Bot Protection
Bots make up a large percentage of Internet traffic. Bots put a heavy load on websites, taking up system resources. While some bots are useful (such as bots that index websites for search engines), others can perform malicious activities. Bots can be used for DDoS, to scrape content from websites, automatically perform web application attacks, spread spam and malware, and more.
A bot protection system detects and blocks bad bots, while allowing legitimate bots to perform activities like search indexing, testing and performance monitoring. It does this by maintaining a large database of known bot sources, and detecting behavior patterns that might indicate a bot is malicious.
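The DDoS scrubbing described above (separate legitimate from malicious traffic, drop the latter, pass the former) and the bot protection described here (a list of known sources plus behaviour checks, with an allow path for verified good bots) share one pipeline: parse the traffic, group it by client, apply the rules. The following Python is an added example written for this page, not code from the original article or from Imperva; it serves both passages. The access-log lines are constructed, including a 60-request flood from one address, the crawler name, its "verified" network range, the known-bad source and the rate threshold are all assumptions, and the whole thing works on a log file rather than on live packets.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RX = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not fit."""
    m = LINE_RX.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    return {"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status), "ua": ua}


def _line(ip, second, path, ua):
    """Constructs one sample log line; all addresses are documentation ranges."""
    return f'{ip} - - [10/Mar/2024:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'


BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; ExampleBot/1.0; +https://bot.example/info)"

LOG_LINES = (
    [_line("198.51.100.7", s, f"/products/{s}", BROWSER_UA) for s in (1, 5, 9)]   # ordinary visitor
    + [_line("192.0.2.10", s, f"/page/{s}", CRAWLER_UA) for s in (2, 4, 6)]       # verified crawler
    + [_line("198.51.100.200", 3, "/page/1", CRAWLER_UA) for _ in range(2)]      # crawler UA, wrong source
    + [_line("203.0.113.9", 7, "/", BROWSER_UA) for _ in range(60)]              # flood: 60 hits in 1 s
    + [_line("203.0.113.66", 8, "/login", BROWSER_UA)]                           # listed bad source
)

# Assumed policy: a reputation list, the ranges the crawler operator publishes, and a rate cap.
KNOWN_BAD_SOURCES = {"203.0.113.66"}
VERIFIED_CRAWLER_NETS = [ipaddress.ip_network("192.0.2.0/24")]
CRAWLER_UA_RX = re.compile(r"ExampleBot", re.I)
RATE_LIMIT, WINDOW = 30, timedelta(seconds=10)


def max_rate(times):
    """Largest number of requests from one client inside any WINDOW-long span."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(lines):
    """Group requests by client and return a verdict per client address."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)
    verdicts = {}
    for ip, events in by_ip.items():
        addr = ipaddress.ip_address(ip)
        claims_crawler = any(CRAWLER_UA_RX.search(e["ua"]) for e in events)
        if ip in KNOWN_BAD_SOURCES:
            verdicts[ip] = "drop: known bad source"
        elif claims_crawler and not any(addr in net for net in VERIFIED_CRAWLER_NETS):
            verdicts[ip] = "drop: crawler user-agent from unverified source"
        elif claims_crawler:
            verdicts[ip] = "allow: verified crawler"
        elif max_rate([e["time"] for e in events]) > RATE_LIMIT:
            verdicts[ip] = "scrub: request rate exceeds limit"
        else:
            verdicts[ip] = "allow"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify(LOG_LINES).items():
        print(f"{ip:16} {verdict}")
```

Verifying a self-declared crawler against the operator's published ranges is the step that keeps search indexing working while still dropping bots that merely copy a crawler's user-agent string; the rate check catches the volumetric case whether or not the source is known.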
Cloud Security
Almost all organizations today manage infrastructure, applications, and data in the cloud. Cloud systems are especially vulnerable to cyber threats, because they are commonly exposed to public networks, and often suffer from a low level of visibility, because they are highly dynamic and running outside the corporate network.
Cloud providers take responsibility for securing their infrastructure, and offer built-in security tools that can help cloud users secure their data and workloads. However, first-party cloud security tools are limited, and there is no guarantee that they are being used properly and all cloud resources are really secured. Many organizations use dedicated cloud security solutions to ensure that all sensitive assets deployed in the cloud are properly protected.
Database Security
Databases typically hold sensitive, mission critical information, and are a prime target for attackers. Securing databases involves hardening database servers, properly configuring databases to enable access control and encryption, and monitoring for malicious activities.
Database security solutions can help ensure a consistent level of security for databases across the organization. They can help prevent issues like excessive privileges, unpatched vulnerabilities in database engines, unprotected sensitive data, and database injection.
API Security
Modern applications use application programming interfaces (APIs) to communicate with other applications, to obtain data or services. APIs are used to integrate systems inside an organization, and are increasingly used to contact and receive data from systems operated by third parties.
All APIs, especially public APIs that are accessed over the Internet, are exposed to attacks. Because APIs are highly structured and documented, they are easy for attackers to learn and manipulate. Many APIs are not properly secured, may be weakly authenticated, or are exposed to vulnerabilities like cross site scripting (XSS), SQL injection, and man-in-the-middle (MitM) attacks.
Securing APIs requires a variety of measures, including strong multi factor authentication (MFA), secure use of authentication tokens, encryption of data in transit, and sanitization of user inputs to prevent injection attacks. API solutions can help enforce these security controls for APIs in a centralized manner.
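"Sanitization of user inputs to prevent injection attacks" above, and "database injection" under Database Security, both come down to the same defect in an API handler: a caller-supplied value spliced into SQL text. The following Python is an added example written for this page, not code from the original article or from Imperva; it serves both passages. It uses an in-memory SQLite table with constructed rows so it runs offline, and the username allow-list pattern is an assumption standing in for whatever the real API contract specifies.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory table standing in for an API's backing store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role, api_key) VALUES (?, ?, ?)",
        [("alice", "admin", "key-alice-constructed"), ("bob", "user", "key-bob-constructed")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Handler that splices the caller's value into the SQL text: the defect."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, username):
    """Same handler with a bound parameter: the driver sends the value as data, never as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Assumed API contract: usernames are short lowercase identifiers. Validation is a second
# layer on top of parameter binding, not a replacement for it.
USERNAME_RX = re.compile(r"^[a-z0-9_]{1,32}$")


def handle_request(conn, username):
    """Minimal API endpoint body: validate, then query with bound parameters."""
    if not USERNAME_RX.match(username):
        return {"status": 400, "error": "invalid username"}
    rows = lookup_hardened(conn, username)
    if not rows:
        return {"status": 404, "error": "not found"}
    return {"status": 200, "user": rows[0]}


if __name__ == "__main__":
    conn = build_db()
    probe = "' OR '1'='1"        # the classic tautology; harmless against the hardened handler
    print("vulnerable:", lookup_vulnerable(conn, probe))   # every row comes back
    print("hardened:  ", lookup_hardened(conn, probe))     # nothing matches that literal name
    print("endpoint:  ", handle_request(conn, probe))      # rejected before the query runs
```

The vulnerable handler returns every user for the tautology input because the quote characters become part of the statement; the bound version compares the column against the literal string and finds no such user. Parameter binding is the fix; the allow-list is defense in depth that also keeps malformed input out of logs and error messages.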
Threat Intelligence
Threat intelligence operates in the background and supports many modern security tools. It is also used directly by security teams when investigating incidents. Threat intelligence databases contain structured information, gathered from a variety of sources, about threat actors, attack tactics, techniques, and procedures, and known vulnerabilities in computing systems.
Threat intelligence solutions gather data from a large number of feeds and information sources, and allow an organization to quickly identify indicators of compromise (IOCs), use them to detect attacks, understand the motivation and mode of operation of the threat actor, and design an appropriate response.
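Using a feed "to identify attacks" means indexing its indicators by type and running host telemetry against that index, carrying the actor and TTP context through to each hit. The following Python is an added example written for this page, not code from the original article or from Imperva. The feed entries, the actor name, the hash (a placeholder of 64 zeros) and the five host events are all constructed; the addresses and domain use reserved documentation ranges and the `.invalid` TLD so nothing here points at a real system.

```python
import ipaddress

# Constructed feed entries in the shape a threat-intelligence platform exports.
# None of these values are real indicators.
IOC_FEED = [
    {"type": "domain", "value": "update-check.invalid",
     "actor": "DemoActor (constructed)", "ttp": "command-and-control over HTTPS"},
    {"type": "ipv4-net", "value": "203.0.113.0/24",
     "actor": "DemoActor (constructed)", "ttp": "command-and-control infrastructure"},
    {"type": "sha256", "value": "0" * 64,          # placeholder hash, not a real sample
     "actor": "DemoActor (constructed)", "ttp": "initial loader"},
]

# Constructed host telemetry: DNS lookups, outbound connections and observed file hashes.
EVENTS = [
    {"kind": "dns", "host": "ws-17", "query": "cdn.update-check.invalid"},
    {"kind": "dns", "host": "ws-02", "query": "www.example.com"},
    {"kind": "netflow", "host": "ws-17", "dst_ip": "203.0.113.45", "dst_port": 443},
    {"kind": "netflow", "host": "srv-01", "dst_ip": "198.51.100.3", "dst_port": 443},
    {"kind": "file", "host": "ws-17", "sha256": "0" * 64, "path": "C:\\Users\\demo\\AppData\\Local\\Temp\\svc.tmp"},
]


class IocIndex:
    """Indexes a feed so that each event type can be matched with one lookup."""

    def __init__(self, feed):
        self.domains, self.nets, self.hashes = {}, [], {}
        for ioc in feed:
            if ioc["type"] == "domain":
                self.domains[ioc["value"].lower()] = ioc
            elif ioc["type"] == "ipv4-net":
                self.nets.append((ipaddress.ip_network(ioc["value"]), ioc))
            elif ioc["type"] == "sha256":
                self.hashes[ioc["value"].lower()] = ioc

    def match_domain(self, name):
        # A lookup for any subdomain of a listed domain is a hit.
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            hit = self.domains.get(".".join(labels[i:]))
            if hit:
                return hit
        return None

    def match_ip(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, ioc in self.nets:
            if addr in net:
                return ioc
        return None

    def match_hash(self, digest):
        return self.hashes.get(digest.lower())


def scan(index, events):
    """Run every event against the index and return the hits with their intel context."""
    hits = []
    for ev in events:
        if ev["kind"] == "dns":
            ioc = index.match_domain(ev["query"])
        elif ev["kind"] == "netflow":
            ioc = index.match_ip(ev["dst_ip"])
        elif ev["kind"] == "file":
            ioc = index.match_hash(ev["sha256"])
        else:
            ioc = None
        if ioc:
            hits.append({"host": ev["host"], "kind": ev["kind"], "indicator": ioc["value"],
                         "actor": ioc["actor"], "ttp": ioc["ttp"]})
    return hits


def hosts_by_hit_count(hits):
    """Hosts with the most matches first: the place to start an investigation."""
    counts = {}
    for hit in hits:
        counts[hit["host"]] = counts.get(hit["host"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = scan(IocIndex(IOC_FEED), EVENTS)
    for hit in hits:
        print(hit)
    print("prioritised hosts:", hosts_by_hit_count(hits))
```

Three independent indicator types converging on one host is what turns a list of matches into the "mode of operation" the text mentions: a lookup, a connection and a dropped file from the same actor profile, in that order, is a far stronger signal than any one of them alone.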
Cyber Attack Prevention with Imperva
Imperva provides security solutions that protect organizations against all common cyber attacks.
Imperva Application Security
Imperva provides comprehensive protection for applications, APIs, and microservices:
- Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.
- Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.
- API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.
- Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.
- DDoS Protection – Block attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on-premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.
- Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.
Imperva Data Security
Imperva protects all cloud-based data stores to ensure compliance and preserve the agility and cost benefits you get from your cloud investments:
- Cloud Data Security – Simplify securing your cloud databases to catch up and keep up with DevOps. Imperva’s solution enables cloud-managed services users to rapidly gain visibility and control of cloud data.
- Database Security – Imperva delivers analytics, protection and response across your data assets, on-premises and in the cloud – giving you the risk visibility to prevent data breaches and avoid compliance incidents. Integrate with any database to gain instant visibility, implement universal policies, and speed time to value.
- Data Risk Analysis – Automate the detection of non-compliant, risky, or malicious data access behavior across all of your databases enterprise-wide to accelerate remediation.