Cyber Security Threats | Types and Sources | Imperva (2023)

What are cyber security threats?

Cyber security threats are actions taken by people with malicious intent to steal data, or to damage or disrupt computer systems. Common categories of cyber threats include malware, social engineering, man-in-the-middle (MitM) attacks, denial-of-service (DoS) attacks and injection attacks. Each of these categories is described in more detail below.

Cyber threats can come from a variety of sources: from hostile nation states and terrorist groups, through individual hackers, to trusted individuals such as employees or contractors who abuse their privileges to carry out malicious activity.

Common sources of cyber threats

Here are some common sources of cyber threats to organizations:

  • Nation states – hostile countries may launch cyber attacks against local businesses and institutions with the goal of disrupting communications, causing disorder and inflicting damage.
  • Terrorist organizations – terrorists carry out cyber attacks aimed at destroying or abusing critical infrastructure, threatening national security, disrupting the economy and harming civilians.
  • Criminal groups – organized groups of hackers attempt to break into computer systems for financial gain. These groups use phishing, spam, spyware and malware for extortion, theft of personal information and online scams.
  • Hackers – individual hackers target organizations using a variety of attack techniques. They are usually motivated by personal gain, revenge, financial gain or political activism. Hackers often develop new threats to advance their criminal skills and improve their standing in the hacker community.
  • Malicious insiders – an employee with legitimate access to company resources who abuses that access to steal information or damage computer systems for financial or personal gain. Insiders may be employees, contractors, suppliers or partners of the target organization. They can also be outsiders who have compromised a privileged account and impersonate its owner.


Types of cyber threats

Malware attacks

Malware is short for "malicious software", which includes viruses, worms, Trojan horses, spyware and ransomware, and is the most common type of cyber attack. Malware infiltrates a system, usually through a link to an untrusted website or email, or by downloading unwanted software. Once deployed on the target system, it collects sensitive data, manipulates and blocks access to network components, and can destroy data or shut down the system completely.

Here are some of the main types of malware attacks:

  • Viruses – a piece of code is inserted into an application. When the application is launched, the malicious code is executed.
  • Worms – malware that exploits software vulnerabilities and backdoors to gain access to the operating system. Once installed in a network, the worm can carry out attacks such as distributed denial of service (DDoS).
  • Trojan horses – malicious code or software masquerading as a harmless program, hidden in apps, games or email attachments. An unsuspecting user downloads the Trojan, which then takes control of their device.
  • Ransomware – a user or organization is denied access to their own systems or data through encryption. The attacker typically demands a ransom payment in exchange for a decryption key to restore access, but there is no guarantee that paying the ransom will actually restore full access or functionality.
  • Cryptojacking – attackers install software on the victim's device and use the computer's resources to mine cryptocurrency without the victim's knowledge. Affected systems may run slowly, and the mining software may affect system stability.
  • Spyware – a malicious actor gains access to an unsuspecting user's data, including sensitive information such as passwords and payment details. Spyware can affect desktop browsers, mobile phones and desktop applications.
  • Adware – the user's browsing activity is tracked to determine patterns of behavior and interests, which allows advertisers to target the user with advertisements. Adware is similar to spyware, but does not require software to be installed on the user's device and is not necessarily used for malicious purposes. However, it can be used without the user's consent and violate their privacy.
  • Fileless malware – no software is installed on the operating system. Native tools such as WMI and PowerShell are modified to include malicious functionality. This hidden form of attack is difficult to detect (antivirus software cannot detect it) because the abused components are recognized as legitimate.
  • Rootkits – software is injected into applications, firmware, operating system kernels or hypervisors, providing remote administrator access to the computer. In a compromised environment, an attacker can boot into the operating system, take full control of the computer and deliver additional malware.

Social engineering attacks

Social engineering tricks users into providing an entry point for malware. The victim provides sensitive information or unknowingly installs malware on their device because the attacker pretends to be a legitimate person.

Here are some of the main types of social engineering attacks:

  • Baiting – an attacker lures the user into a social engineering trap, usually by promising something enticing, such as a free gift card. The victim gives the attacker sensitive information, such as login details.
  • Pretexting – similar to baiting, the attacker uses a false pretext to pressure the target into providing information. This usually involves impersonating a person in authority, such as a tax official or police officer, whose position will compel the victim to comply.
  • Phishing – an attacker sends email pretending to come from a trusted source. Phishing often involves sending fake emails to as many users as possible, but it can also be more targeted. For example, spear phishing personalizes an email to target a specific user, while whaling goes a step further by targeting high-value individuals such as CEOs.
  • Vishing (voice phishing) – the fraudster uses the phone to convince the victim to reveal sensitive data or grant access to the target system. Vishing usually targets the elderly, but it can be used against anyone.
  • Smishing (SMS phishing) – the attacker uses text messages to trick the victim.
  • Piggybacking – an authorized user provides physical access to another person who "piggybacks" on the user's credentials. For example, an employee may grant access to a person impersonating a new employee who has lost their ID badge.
  • Tailgating – an unauthorized person follows an authorized user into a restricted location, for example by quickly passing through a secure door after it has been opened by the authorized user. This technique is similar to piggybacking, except that the person being tailgated is unaware that they are being used by another person.

Supply chain attacks

Supply chain attacks pose a new type of threat to software developers and vendors. The goal is to infect legitimate applications and spread malware through source code, build processes or software update mechanisms.

Attackers look for insecure network protocols, server infrastructure, and encryption techniques and use them to undermine the build and update process, modify source code, and hide malicious content.

Supply chain attacks are particularly serious because the applications infected by the attackers are signed and certified by trusted vendors. In a software supply chain attack, the software vendor does not know that its applications or updates are infected with malware. The malicious code runs with the same privileges and trust as the compromised application.

Types of supply chain attacks include:

  • Compromise of build tools or development pipelines
  • Compromise of code signing procedures or developer accounts
  • Malicious code delivered as automatic updates to hardware or software components
  • Malicious code pre-installed on physical devices

Man-in-the-middle attacks

A man-in-the-middle (MitM) attack intercepts communication between two endpoints, such as a user and an application. The attacker can eavesdrop on the communication, steal sensitive data and impersonate either party involved in it.

Examples of MitM attacks include:

  • Wi-Fi eavesdropping – an attacker sets up a Wi-Fi network impersonating a legitimate party, such as a company, to which users connect. The fake Wi-Fi allows the attacker to monitor the activity of connected users and intercept data such as payment card details and login information.
  • Email hijacking – an attacker spoofs the email address of a legitimate organization, such as a bank, and uses it to trick users into revealing sensitive information or sending money to the attacker. The user follows instructions they believe are coming from the bank but which actually come from the attacker.
  • DNS spoofing – a Domain Name System (DNS) response is spoofed and directs the user to a malicious website masquerading as a legitimate one. The attacker can divert traffic from the legitimate website or steal the user's credentials.
  • IP address spoofing – an Internet Protocol (IP) address connects users to a specific website. An attacker can spoof an IP address to impersonate a website and trick users into believing they are interacting with that website.
  • HTTPS spoofing – HTTPS is generally considered a more secure version of HTTP, but it can also be used to trick a browser into thinking a malicious website is safe. The attacker uses "HTTPS" in the URL to disguise the malicious nature of the site.

Denial-of-service attacks

A denial-of-service (DoS) attack overloads the target system with a large volume of traffic, preventing the system from functioning normally. An attack launched from many devices is called a distributed denial-of-service (DDoS) attack.

DoS attack techniques include:

  • HTTP flood DDoS – an attacker uses what appear to be legitimate HTTP requests to overload an application or web server. This technique does not require high bandwidth or malformed packets, and usually tries to force the target system to allocate as many resources as possible for each request.
  • SYN flood DDoS – initiating a Transmission Control Protocol (TCP) connection involves a sequence in which the client sends a SYN request, the host responds with a SYN-ACK acknowledging the request, and the client must then respond with an ACK. Attackers can exploit this sequence and exhaust server resources by sending SYN requests but never responding to the host's SYN-ACKs.
  • UDP flood DDoS – the remote host is flooded with User Datagram Protocol (UDP) packets sent to random ports. This technique forces the host to look for applications listening on the targeted ports and to respond with "destination unreachable" packets, which exhausts the host's resources.
  • ICMP flood – a barrage of ICMP Echo Request packets overwhelms the target, consuming both inbound and outbound bandwidth. Servers may attempt to respond to each request with an ICMP Echo Reply packet, but cannot keep up with the number of requests, which slows down the system.
  • NTP amplification – Network Time Protocol (NTP) servers are publicly accessible and can be abused by an attacker to send large amounts of UDP traffic to the target server. This is considered an amplification attack because of the query-to-response ratio of 1:20 to 1:200, which allows an attacker to exploit open NTP servers to launch massive, high-bandwidth DDoS attacks.
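The two floods that a web-facing server sees most directly, the SYN flood and the HTTP flood, both leave a footprint a defender can count: a pile of half-open TCP connections from the same peer, and a burst of requests from the same client within a short window. The following script is an added example, not code from Imperva or from the original article; it assumes the `ss -tan` column layout and the combined access-log format, and runs over small constructed samples embedded in the file rather than real captures.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the style of `ss -tan` output; the addresses are
# RFC 5737 documentation ranges, not real captures.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:40001
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:40002
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:40003
SYN-RECV  0      0      10.0.0.5:443       198.51.100.7:40004
SYN-RECV  0      0      10.0.0.5:443       192.0.2.44:51200
ESTAB     0      0      10.0.0.5:443       203.0.113.9:51022
"""


def half_open_by_peer(ss_output):
    """Count half-open (SYN-RECV) TCP connections per peer IP.

    A SYN flood shows up as one or a few peers holding many sockets in
    SYN-RECV, because the client never sends the final ACK of the handshake.
    """
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Expected columns: State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_ip = fields[4].rsplit(":", 1)[0]  # drop the port; also works for [v6]:port
        counts[peer_ip] += 1
    return counts


def flag_syn_flood_sources(ss_output, threshold=3):
    """Peers holding at least `threshold` half-open connections, sorted."""
    return sorted(ip for ip, n in half_open_by_peer(ss_output).items() if n >= threshold)


# Combined-log-format line: client, ident, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed access-log lines: one client sends six identical search requests
# within a few seconds, another client sends a single page view.
SAMPLE_ACCESS_LOG = "\n".join(
    [f'198.51.100.7 - - [15/Aug/2023:10:00:0{i} +0000] "GET /search?q=x HTTP/1.1" 200 512'
     for i in range(6)]
    + ['203.0.113.9 - - [15/Aug/2023:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048']
)


def requests_per_ip_window(log_text, window_seconds=10):
    """Count requests per (client IP, fixed time bucket of `window_seconds`)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of crashing mid-incident
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        bucket = int(ts.timestamp()) // window_seconds
        counts[(m.group("ip"), bucket)] += 1
    return counts


def flag_http_flood_sources(log_text, threshold=5, window_seconds=10):
    """Client IPs that reach `threshold` requests in any single window, sorted."""
    counts = requests_per_ip_window(log_text, window_seconds)
    return sorted({ip for (ip, _), n in counts.items() if n >= threshold})


if __name__ == "__main__":
    print("SYN flood suspects:", flag_syn_flood_sources(SAMPLE_SS_OUTPUT))
    print("HTTP flood suspects:", flag_http_flood_sources(SAMPLE_ACCESS_LOG))
```

The thresholds here are deliberately tiny so the sample trips them; on a real server they are tuned from a baseline of normal traffic, and a flagged IP is a candidate for rate limiting or a blocklist, not automatic proof of attack, since a NAT gateway or a busy crawler can also produce many requests from one address. Against SYN floods specifically, the kernel-side mitigation to pair with this kind of monitoring is SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux), which lets the host answer SYNs without keeping state for each half-open connection.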

Injection attacks

Injection attacks exploit various security vulnerabilities to inject malicious data directly into web application code. Successful attacks can reveal confidential information, launch a DoS attack, or compromise the entire system.

Here are some of the main injection attack vectors:

  • SQL injection – an attacker enters an SQL fragment through an end-user input channel, such as a web form or comment box. The vulnerable application passes the attacker's data to the database, which executes whatever SQL statements were included in the input. Most web applications use Structured Query Language (SQL) databases, which makes them vulnerable to SQL injection. A newer variant is NoSQL injection, which targets databases that do not use a relational data structure.
  • Code injection – an attacker injects code into an application if it is vulnerable. The web server executes the malicious code as if it were part of the application.
  • OS command injection – an attacker exploits a command injection vulnerability to inject commands that are executed by the operating system. This allows the attacker to extract data from the operating system or take it over.
  • LDAP injection – an attacker inserts characters that modify Lightweight Directory Access Protocol (LDAP) queries. A system is vulnerable if it builds LDAP queries from unsanitized input. These attacks are very serious because LDAP servers can store the user accounts and credentials of an entire organization.
  • XML External Entity (XXE) injection – the attack is carried out using specially crafted XML documents. It differs from the other attack vectors in that it exploits inherent weaknesses in older XML parsers rather than unvalidated user input. Such XML documents can be used for path traversal, remote code execution and server-side request forgery (SSRF).
  • Cross-site scripting (XSS) – an attacker enters a text string containing malicious JavaScript code. The target's browser executes the code, allowing the attacker to redirect users to a malicious website or steal session cookies to hijack the user's session. An application is vulnerable to XSS if user input is not sanitized or escaped before being rendered.
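The SQL injection and XSS entries above both come down to the same mistake, user input being concatenated into a language the server or browser will then parse, and the same fix, keeping input as data rather than as syntax. The following script is an added example, not code from Imperva or from the original article; it uses Python's standard `sqlite3` and `html` modules over a constructed in-memory table, and shows each vulnerable lookup beside its hardened form.

```python
import html
import sqlite3


def setup_db():
    """Constructed in-memory users table (sample rows, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """VULNERABLE: the input is spliced into the SQL text, so a quote character
    in the input changes the structure of the WHERE clause."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """HARDENED: parameterized query. The driver binds the input as a value,
    so it is compared literally and never parsed as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_comment_vulnerable(comment):
    """VULNERABLE: raw text is inserted into HTML, so a <script> element in a
    comment is rendered as markup and executed by the visitor's browser."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment):
    """HARDENED: escape &, <, >, and both quote characters before inserting the
    text, so the browser treats the comment as text rather than markup."""
    return f'<div class="comment">{html.escape(comment)}</div>'


if __name__ == "__main__":
    conn = setup_db()
    probe = "' OR '1'='1"  # the classic tautology used in SQL injection tutorials
    print("vulnerable:", find_user_vulnerable(conn, probe))  # returns every row
    print("safe:      ", find_user_safe(conn, probe))        # returns nothing
    print(render_comment_safe("<script>alert(1)</script>"))
```

The two `find_user` functions issue what looks like the same query, and for a normal username they return the same row; the difference only appears when the input contains SQL syntax, which is exactly why concatenation bugs survive testing. The same split applies to command injection from the list above: pass arguments as a list to `subprocess.run` rather than building a shell string, so the operating system receives them as arguments and not as a command line to re-parse.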


Cyber security solutions

Cyber security solutions are the tools organizations use to protect against cyber threats, as well as against accidental damage, natural disasters and other hazards. Here are the main types of security solutions:

  • Application security – used to audit applications for vulnerabilities during development and testing, and to protect applications in production from threats such as network attacks, software vulnerabilities and web application attacks.
  • Network security – monitors network traffic, detects potentially malicious traffic, and enables organizations to block, filter or mitigate threats.
  • Cloud security – implements security controls in public, private and hybrid cloud environments, detecting and remediating misconfigurations and vulnerabilities.
  • Endpoint security – deployed on endpoints such as servers and employee workstations, helping to prevent threats such as malware, unauthorized access, and exploitation of operating system and browser vulnerabilities.
  • Internet of Things (IoT) security – connected devices are often used to store sensitive data, but are usually not secure by design. IoT security solutions help increase the visibility and security of IoT devices.
  • Threat intelligence – combines multiple data sources on attack signatures and threat actors, providing additional context for security events. Threat intelligence can help security teams detect attacks, understand them and plan the most appropriate response.

Imperva Cyber Security Solutions

Imperva can help protect your organization from cyber threats that target applications and sensitive business data.

Imperva App Security

At the application level, Imperva provides comprehensive protection for applications, APIs and microservices:

Web Application Firewall – prevent attacks with world-class analysis of the web traffic reaching your applications.

Runtime Application Self-Protection (RASP)– Real-time attack detection and prevention at application runtime, wherever they are. Stop external attacks and injections and reduce vulnerabilities.

API security– Automated API protection ensures that API endpoints are protected as soon as they are published, protecting applications from abuse.

Advanced bot protection– Prevent attacks on business logic from all entry points: websites, mobile apps and APIs. Get seamless visibility and control over bot traffic to stop online fraud in the form of account takeovers or competitive pricing.

DDoS protection– Block edge attack traffic to ensure business continuity with guaranteed uptime and zero performance impact. Secure your resources on-premises or in the cloud, whether hosted on AWS, Microsoft Azure, or Google Public Cloud.

Attack analysis– Provides complete visibility through machine learning and expertise across the entire application security stack to reveal noise patterns and detect application attacks, helping to isolate and prevent attack campaigns.

Client-side protection – gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, data breaches and client-side attacks.

Imperva Data Security

At the data level, Imperva protects all cloud storage to ensure compliance and preserve the flexibility and cost benefits of a cloud investment:

Cloud data security – simplify your cloud database security to keep up with DevOps. The Imperva solution enables users of managed cloud services to quickly gain visibility and control over their data in the cloud.

Database security– Imperva provides analytics, protection and response for all your data assets, on-premises and in the cloud, providing threat visibility to prevent data breaches and compliance incidents. Integrate with any database for instant insights, apply universal policies and accelerate time to value.

Data risk analytics – automate the detection of non-compliant, risky or malicious data access behavior across your enterprise databases to speed up remediation.

Article information

Author: Fredrick Kertzmann

Last Updated: 08/15/2023