Explainer

The most common types of cyberattacks

Businesses have never been at more threat of cyberattacks, which can take many forms. Kris Cooper breaks down the most common types.

Credit: mayam_studio / Shutterstock

W​​​​​​​ith cyberattacks having the potential to bring business to a standstill and the attack surface constantly growing, businesses must focus on building cybersecurity and resilience to navigate the evolving threat landscape. 

In its annual review of cyberattacks released in January, threat intelligence researcher Check Point found that organisations around the world experienced an average of 1,158 weekly cyberattacks each during 2023 – a rise of 1% from 2022. 

It was revealed in April, meanwhile, that half of businesses (50%) in the UK, 70% of medium-sized businesses (70%) and nearly three-quarters of large businesses (74%) had experienced some form of cyberattack in the last 12 months

The real-world impacts that cyberattacks can cause were underscored recently when a cyberattack on pathology service provider Synnovis brought some hospitals in the UK to a standstill. 

Categorising cyberattacks

Cyberattacks can be separated into targeted and non-targeted attacks. As the terms suggest, targeted attacks are aimed at a specific institution. Non-targeted attacks attempt to target as many devices or networks as possible to broaden the chances of success. 

Motivations for cyberattacks can be financial, data-foccused or for extortion, among other things. ‘Hacktivists’ want to gain attention for their cause, while terrorists seek to disrupt or damage critical infrastructure assets or exact industrial espionage. Other threat actors can include nation-states and disgruntled employees or customers. 

According to GlobalData’s latest report on cybersecurity, untargeted attacks usually take the form of phishing, malware, water-holing or zero-day exploits, whereas targeted attacks are usually spear-phishing attacks, distributed denial of service (DDoS) attack and supply chain attacks 

Untargeted
​​​​​​​
Phishing:
The practice of sending fraudulent messages to large numbers of people asking for sensitive information, such as bank details, or encouraging them to visit a fake website. Phishing continues to be popular due to its simplicity and effectiveness. It targets the weakest link in the security chain: the user. Phishers usually masquerade as trustworthy entities. 

Malware: This term, short for malicious software, refers to any intrusive software developed by cybercriminals to steal data and damage or destroy computers and computer systems. Examples of common malware include viruses, worms, spyware, adware, and ransomware. 

Water holing: Refers to setting up a fake website or compromising a legitimate one to exploit visiting users. 

Zero-day exploits: Attacks targeting a security flaw previously unknown to the software vendor or security provider. Typically, an attacker will probe a system until they discover a vulnerability. If it has never been reported, it is a zero-day flaw because developers have had zero days to fix it. Taking advantage of the security flaw is a zero-day exploit, which often compromises the target system. Zero-day vulnerabilities can exist for years before they are discovered. 

Targeted 

Spear-phishing attack:
Sending messages to targeted individuals with an attachment containing malicious software or a link that downloads malicious software. 

DDoS attack: A coordinated attack in which multiple connected machines in a botnet, usually infected with malware or otherwise compromised to co-opt them into the attack, flood a network, server, or website with data, causing it to crash. 

Supply chain attack: An attack in which threat actors compromise enterprise networks using connected applications or services owned or used by outside partners, such as suppliers. The outside provider has already gained the right to use and manipulate a company’s network, applications, or sensitive data, so the attacker only has to penetrate the third party’s defences or program a loophole into a solution offered by a vendor to infiltrate the system. 

Industry insights

Speaking to Verdict, Dave Gerry, CEO of crowdsourced security platform Bugcrowd, says that the firm has seen the most successful hackers focus on authorisation-based attacks over the last year. 

“Unlike authentication vulnerabilities, which can involve user impersonation or credential theft, authorization issues arise after a user is authenticated but can perform unauthorized actions,” he explains. 

“These vulnerabilities are among the hardest to detect due to their complexity. Allowing hackers to report them and offering compensation is crucial for maintaining a mature security posture.” 

Elsewhere, NetScout's principal threat analyst Filippo Vitale says that, starting in early 2022, adversaries pivoted towards application layer and direct-path attacks. He added that DDoS attacks “now primarily employ direct-path vectors as more providers implement anti-spoofing techniques such as source address validation”. 

Ed Williams, vice president for consulting and professional services in EMEA at Trustwave notes that many cyberattacks can be broken down into phases, with the first phase being gaining an initial foothold. 

Explaining that spear-fishing links, valid accounts and external remote services make up for approximately 90% of the initial foothold phase, he comments: “If organisations were able to fully eradicate and manage this phase, I believe we would see a reduction in the overall number of successful attacks. Though it should be stated that these are hard problems to fix across complex and ever-increasing environments.”  

Reflecting on the increasingly complex cybersecurity environment, Williams warned: “The annual 20-minute cyber awareness training is not enough anymore,” adding that more dedicated tools and training are required. 

Cyber regulation

As the cyber threat landscape evolves, so too does the regulatory environment. A recent development is the NIS2 Directive, an EU-wide legislation aimed at boosting the overall level of cybersecurity. Adopted in 2023, EU member states have until October 2024 to put the measures into law. 

The directive seeks to appropriately equip member states for cyberattacks, as well as facilitate cooperation in defending against attacks across the EU. Alongside this, the EU’s Cyber Resilience Act (CRA) has addressed potential entry points for cybercriminals in hardware and software, with a particular focus on securing IoT devices. 

Speaking previously with Verdict, Ross Brewer, vice president and managing director for EMEA of threat detection and incident response company Graylog, highlighted that, while these regulatory frameworks are a step in the right direction, he fears that often compliance exercises are treated as checkbox exercises, reducing the effectiveness of the regulation. 

Alongside NIS2 and the CRA, the European Commission is also expected to adopt draft regulations establish a European Cybersecurity certification scheme (ECCS). This scheme will evaluate the security properties of ICT-based products and services to inform users of the cybersecurity risk of certain products.   

Elsewhere, the UK and US have both tightened the rules on firms disclosing cyberattacks over the last couple of years. 

The SEC consolidated a new rule in late 2023 that requires public companies to disclosure cybersecurity incidents within four business days. In the UK mandatory reporting obligations for service providers have been introduced, with the potential for managed service providers to be fined £17m for non-compliance.