A cyberattack is any intentional effort to steal, expose, alter, disable, or destroy data, applications or other assets through unauthorized access to a network, computer system or digital device.
Threat actors launch cyberattacks for all sorts of reasons, from petty theft to acts of war. They use a variety of tactics, like malware attacks, social engineering scams, and password theft, to gain unauthorized access to their target systems.
Cyberattacks can disrupt, damage and even destroy businesses. The average cost of a data breach is USD 4.35 million. This price tag includes the costs of discovering and responding to the violation, downtime and lost revenue, and the long-term reputational damage to a business and its brand.
But some cyberattacks can be considerably more costly than others. Ransomware attacks have commanded ransom payments as high as USD 40 million (link resides outside ibm.com). Business email compromise (BEC) scams have stolen as much as USD 47 million from victims in a single attack (link resides outside ibm.com). Cyberattacks that compromise customers' personally identifiable information (PII) can lead to a loss of customer trust, regulatory fines, and even legal action. By one estimate, cybercrime will cost the world economy USD 10.5 trillion per year by 2025 (link resides outside ibm.com).
The motivations behind cyberattacks can vary, but there are three main categories: criminal, political, and personal.
Criminally motivated attackers seek financial gain through monetary theft, data theft, or business disruption. Cybercriminals may hack into a bank account to steal money directly or use social engineering scams to trick people into sending money to them. Hackers may steal data and use it to commit identity theft or sell it on the dark web or hold it for ransom.
Extortion is another popular tactic. Hackers may use ransomware, DDoS attacks, or other tactics to hold data or devices hostage until a company pays. According to the X-Force Threat Intelligence Index, 27 percent of cyberattacks aim to extort their victims.
Personally motivated attackers, such as disgruntled current or former employees, primarily seek retribution for some perceived slight. They may take money, steal sensitive data, or disrupt a company's systems.
Politically motivated attackers are often associated with cyberwarfare, cyberterrorism, or "hacktivism." In cyberwarfare, nation-state actors often target their enemies' government agencies or critical infrastructure. For example, since the start of the Russia-Ukraine War, both countries have experienced a rash of cyberattacks against vital institutions (link resides outside ibm.com). Activist hackers, called "hacktivists," may not cause extensive damage to their targets. Instead, they typically seek attention for their causes by making their attacks known to the public.
Less common cyberattack motivations include corporate espionage, in which hackers steal intellectual property to gain an unfair advantage over competitors, and vigilante hackers who exploit a system’s vulnerabilities to warn others about them. Some hackers simply hack for sport, savoring the intellectual challenge.
Criminal organizations, state actors, and private persons can all launch cyberattacks. One way to classify threat actors is by categorizing them as outsider threats or insider threats.
Outsider threats aren’t authorized to use a network or device but break in anyway. External cyberthreat actors include organized criminal groups, professional hackers, state-sponsored actors, amateur hackers, and hacktivists.
Insider threats are users who have authorized and legitimate access to a company’s assets and misuse their privileges deliberately or accidentally. This category includes employees, business partners, clients, contractors, and suppliers with system access.
While negligent users can put their companies at risk, it’s only a cyberattack if the user intentionally uses their privileges to carry out malicious activity. An employee who carelessly stores sensitive information in an unsecured drive isn’t committing a cyberattack — but a disgruntled employee who knowingly makes copies of confidential data for personal gain is.
Threat actors typically break into computer networks because they’re after something specific. Common targets include:
In some cases, cyberattackers don’t want to steal anything at all. Rather, they merely wish to disrupt information systems or IT infrastructure to damage a business, government agency, or other target.
If successful, cyberattacks can damage enterprises. They can cause downtime, data loss, and money loss. For example:
In addition to directly harming the target, cyberattacks can have a host of secondary costs and consequences. For example, the Cost of a Data Breach report found that businesses spend an average of USD 2.62 million on detecting, responding to, and remediating breaches.
Cyberattacks can also have repercussions for victims beyond the immediate target. In 2021, the DarkSide ransomware gang attacked the Colonial Pipeline, the largest refined oil pipeline system in the US. The attackers entered the company’s network using a compromised password (link resides outside of ibm.com). They shut down the pipeline that carries 45% of the gas, diesel, and jet fuel supplied to the US East Coast, leading to widespread fuel shortages.
The cybercriminals demanded a ransom of almost USD 5 million in bitcoin cryptocurrency, which Colonial Pipeline paid (link resides outside of ibm.com). However, with help from the US government, the company eventually recovered USD 2.3 million of the ransom.
Cybercriminals use many sophisticated tools and techniques to launch cyberattacks against enterprise IT systems, personal computers, and other targets. Some of the most common types of cyberattacks include:
Malware is malicious software that can render infected systems inoperable. Malware can destroy data, steal information, or even wipe files critical to the operating system’s ability to run. Malware comes in many forms, including:
Social engineering attacks manipulate people into doing things they shouldn’t do, like sharing information they shouldn’t share, downloading software they shouldn’t download, or sending money to criminals.
Phishing is one of the most pervasive social engineering attacks. According to the Cost of a Data Breach report, it is the second most common cause of breaches. The most basic phishing scams use fake emails or text messages to steal users’ credentials, exfiltrate sensitive data, or spread malware. Phishing messages are often designed to look as though they’re coming from a legitimate source. They usually direct the victim to click a hyperlink that takes them to a malicious website or open an email attachment that turns out to be malware.
Cybercriminals have also developed more sophisticated methods of phishing. Spear phishing is a highly targeted attack that aims to manipulate a specific individual, often using details from the victim’s public social media profiles to make the ruse more convincing. Whale phishing is a type of spear phishing that specifically targets high-level corporate officers. In a business email compromise (BEC) scam, cybercriminals pose as executives, vendors, or other business associates to trick victims into wiring money or sharing sensitive data.
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks flood a system's resources with fraudulent traffic. This traffic overwhelms the system, preventing responses to legitimate requests and reducing the system's ability to perform. A denial-of-service attack may be an end in itself or a setup for another attack.
The difference between DoS attacks and DDoS attacks is simply that DoS attacks use a single source to generate fraudulent traffic, while DDoS attacks use multiple sources. DDoS attacks are often carried out with a botnet, a network of internet-connected, malware-infected devices under a hacker's control. Botnets can include laptops, smartphones, and Internet of Things (IoT) devices. Victims often don't know when a botnet has hijacked their devices.
Account compromise is any attack in which hackers hijack a legitimate user's account for malicious activity. Cybercriminals can break into a user's account in many ways. They can steal credentials through phishing attacks or buy stolen password databases off the dark web. They can use password attack tools like Hashcat and John the Ripper to break password encryptions or stage brute force attacks, in which they run automated scripts or bots to generate and test potential passwords until one works.
In a man-in-the-middle (MiTM) attack, also called an "eavesdropping attack," a hacker secretly intercepts communications between two people or between a user and a server. MitM attacks are commonly carried out via unsecured public wifi networks, where it's relatively easy for threat actors to spy on traffic.
Hackers may read a user's emails or even secretly alter the emails before they reach the recipient. In a session hijacking attack, the hacker interrupts the connection between a user and a server hosting important assets, like a confidential company database. The hacker swaps their IP address with the user's, making the server think they're a legitimate user logged into a legitimate session. This gives the hacker free rein to steal data or otherwise wreak havoc.
Supply chain attacks are cyberattacks in which hackers breach a company by targeting its software vendors, material suppliers, and other service providers. Because vendors are often connected to their customers' networks in some way, hackers can use the vendor's network as an attack vector to access multiple targets at once.
For example, in 2020, Russian state actors hacked the software vendor SolarWinds and distributed malware to its customers under the guise of a software update (link resides outside ibm.com). The malware allowed Russian spies to access the sensitive data of various US government agencies using SolarWinds' services, including the Treasury, Justice, and State Departments.
SQL injection attacks use Structured Query Language (SQL) to send malicious commands to a website's or app's backend database. Hackers input the commands through user-facing fields like search bars and login windows. The commands are then passed to the database, prompting it to return private data like credit card numbers or customer details.
DNS tunneling hides malicious traffic inside DNS packets, allowing it to bypass firewalls and other security measures. Cybercriminals use DNS tunneling to create secret communication channels, which they can use to silently extract data or establish connections between malware and a command and control (C&C) server.
Zero-day exploits take advantage of zero-day vulnerabilities, which are vulnerabilities either unknown to the security community or identified but not yet patched. These vulnerabilities can exist for days, months, or years before developers learn about the flaws, making them prime targets for hackers.
Fileless attacks use vulnerabilities in legitimate software programs to inject malicious code directly into a computer's memory. Cybercriminals often use PowerShell, a scripting tool built into Microsoft Windows operating systems, to run malicious scripts that change configurations or steal passwords.
DNS spoofing attacks, also called "DNS poisoning," covertly edit DNS records to replace a website's real IP address with a fake one. When victims try to visit the real site, they're unknowingly delivered to a malicious copy that steals their data or spreads malware.
Organizations can reduce cyberattacks by implementing cybersecurity systems and strategies. Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks using a combination of technology, people, and processes.
Many organizations implement a threat management strategy to identify and protect their most important assets and resources. Threat management may include policies and security solutions like:
It is impossible to prevent cyberattack attempts entirely, so organizations may also use continuous security monitoring and early detection processes to identify and flag cyberattacks in progress. Examples include:
Organizations may also take steps to ensure an appropriate response to ongoing cyberattacks and other cybersecurity events. Examples include:
Outsmart attacks with a connected, modernized security suite. The QRadar portfolio is embedded with enterprise-grade AI and offers integrated products for endpoint security, log management, SIEM and SOAR—all with a common user interface, shared insights and connected workflows.
Proactive threat hunting, continuous monitoring and a deep investigation of threats are just a few of the priorities facing an already busy IT department. Having a trusted incident response team on standby can reduce your response time, minimize the impact of a cyberattack, and help you recover faster.
To prevent and combat modern ransomware threats, IBM uses insight from 800 TB of threat activity data, information on more than 17 million spam and phishing attacks and reputation data on nearly 1 million malicious IP addresses from a network of 270 million endpoints.
Cybersecurity threats are becoming more advanced and more persistent, and demanding more effort by security analysts to sift through countless alerts and incidents. IBM Security QRadar SIEM makes it easy to remediate threats faster while maintaining your bottom line. QRadar SIEM prioritizes high-fidelity alerts to help you catch threats that others simply miss.