Attack Catalog
The more you know about how attackers operate, the better you can protect your data. Explore our attack catalog to learn about common threats, tactics, and behaviors so you can spot risks sooner and respond faster.
What is a cyber attack?
A cyber attack is a deliberate and malicious attempt by individuals or organizations to breach the information systems of another individual, company, or government entity. The goal is often to steal, alter, destroy, or gain unauthorized access to data or disrupt digital operations.
Understanding the motives behind cyber attacks
Cyber attackers may be motivated by various goals, such as those discussed below.
Financial gain
Financial gain is the most common motivation behind cyber security attacks, where attackers seek direct or indirect monetary profit. Attack methods typically employed for financial gains include ransomware, phishing, and banking Trojans.
- In a ransomware attack, malicious software encrypts a victim’s data, and the attacker demands a ransom to decrypt it. High-profile examples include WannaCry and REvil.
- In phishing, fake emails or messages trick users into revealing personal data like passwords or credit card information. These are then used for theft or fraud.
- For banking Trojans, malware like Zeus or Emotet specifically targets banking credentials to siphon funds from victim accounts.
Espionage
Cyber espionage, including corporate espionage and nation-state espionage, is conducted to gather confidential or sensitive information for strategic advantage.
- In corporate espionage, competitors or criminals steal trade secrets, R&D data, or business strategies.
- In nation-state espionage, state-sponsored groups hack into government agencies, defense contractors, or foreign companies. Examples include China’s APT10 and Russia’s Fancy Bear.
Hacktivism
Hacktivists use cyber attacks to promote a political, social, or environmental cause. These attacks are ideologically driven, rather than for personal or national gain. Common attack tactics include website defacements, data leaks, and denial-of-service (DoS).
Cyber warfare
Cyber warfare attacks are politically motivated and usually state-sponsored, aiming to cause disruption or fear.
- In government-sponsored attacks, states develop capabilities to attack critical infrastructure, such as power grids or military systems. A classic example is the Stuxnet attack on Iran’s nuclear program.
- Hybrid warfare combines traditional military operations with cyber attacks to destabilize opponents.
Insider threats
Insider threats come from individuals within an organization who have access to sensitive information. For example:
- Employees or contractors may misuse access due to financial incentive, coercion, revenge, or negligence.
- Some insiders may deliberately steal data, leak secrets, or sabotage systems.
- Mistakes by insiders, such as clicking phishing links or mishandling data, can also cause damage.
Most common types of cyber attacks
Some of the most common types of attacks in cyber security are discussed below.
Malware attacks
Malware is designed to harm, exploit, or otherwise compromise a device, network, or service.
Key Types:
- Trojans - Disguised as legitimate software but give attackers access to the system
- Worms - Self-replicating malware that spreads without human interaction
- Spyware - Secretly monitors user activity and gathers information
- Adware - Automatically delivers unwanted advertisements, sometimes with spyware features
- Rootkits - Enable attackers to maintain persistent access while hiding their presence
Advanced persistent threats (APTs)
APTs are long-term, targeted attacks often orchestrated by well-funded adversaries (typically nation-states). These attacks aim to infiltrate networks and remain undetected for months or years, gathering intelligence or silently manipulating systems. An example is the SolarWinds breach (2020), where an APT targeted US federal agencies and enterprises.
Phishing & Social Engineering
These attacks manipulate individuals into divulging sensitive information or performing actions that compromise security.
Types of Phishing:
- Spear phishing - Highly targeted emails directed at specific individuals or organizations using personal information
- Whaling - Aimed at senior executives or high-profile targets within an organization
- Business email compromise (BEC) - Fraudsters spoof or hack into business email accounts to trick employees into transferring funds or sharing confidential information
Real-world example:
- A major case involved Ubiquiti Networks losing over $46.7 million after a BEC scam tricked employees into wiring money to attacker-controlled accounts.
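BEC rarely relies on malware; it relies on a message that looks like it came from someone trusted. The following added example (not tooling from this catalog) shows the checks a mail gateway or SOC script can run on message headers to surface the patterns described above: a From address in the organisation's own domain that fails DMARC, an executive's display name on an external address, and a Reply-To that diverts the conversation elsewhere. It assumes the gateway stamps a standard Authentication-Results header; the protected domain `example.com`, the executive names and the three messages are constructed.

```python
"""Flag likely business-email-compromise messages from their headers.

Added illustrative example, not the catalog's own tooling. It assumes the
mail gateway writes an Authentication-Results header (RFC 8601) and that
the protected organisation uses example.com (placeholder domain).
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"              # assumption: the organisation's own domain
EXECUTIVES = {"Jane Doe", "John Roe"}   # constructed: display names worth protecting


def parse_auth_results(header):
    """Turn 'mx.example.com; spf=pass ...; dkim=fail ...; dmarc=pass' into a dict."""
    results = {}
    for clause in header.split(";")[1:]:      # clause 0 is the authserv-id
        clause = clause.strip()
        if not clause:
            continue
        method, _, rest = clause.partition("=")
        results[method.strip().lower()] = rest.split()[0].lower()
    return results


def assess(raw_message):
    """Return a list of warnings for one raw RFC 5322 message (empty = nothing found)."""
    msg = message_from_string(raw_message)
    warnings = []
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_to.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # Spoofed sender: claims to be us, but our DMARC policy did not validate it.
    if from_domain == OUR_DOMAIN and auth.get("dmarc") != "pass":
        warnings.append("claims our domain but DMARC did not pass")
    # Lookalike sender: a known executive's name attached to an outside domain.
    if display_name in EXECUTIVES and from_domain != OUR_DOMAIN:
        warnings.append("executive display name on an external address")
    # Diverted replies: answers would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        warnings.append("Reply-To points at a different domain than From")
    return warnings


# Constructed sample messages (not real traffic).
SPOOFED = """From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@examp1e-mail.test>
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-mail.test; dkim=none; dmarc=fail header.from=example.com

Please wire the attached invoice today.
"""

LOOKALIKE = """From: Jane Doe <jane.doe@example-corp.test>
Subject: Quick favour
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-corp.test; dkim=pass header.d=example-corp.test; dmarc=pass header.from=example-corp.test

Are you at your desk?
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Board deck
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, assess(raw))
```

None of these checks is conclusive on its own (a legitimate partner may set Reply-To deliberately), which is why the function returns all findings rather than a single verdict; a gateway would typically quarantine on the DMARC failure and add a visible banner for the other two.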
Ransomware
Ransomware encrypts a victim’s data and demands a ransom for decryption, posing both a technical and a financial threat.
Early ransomware consisted of simple encryption-based attacks with a single ransom demand. Today it has evolved into double extortion: attackers not only encrypt data but also exfiltrate sensitive files, then threaten to leak the stolen data publicly if the ransom is not paid. This adds reputational and legal pressure on victims to pay.
Major ransomware groups are:
- LockBit - Tactics include ransomware-as-a-service (RaaS), double extortion, and automation.
- Conti - A highly sophisticated group that uses double extortion for aggressive negotiation.
- REvil - Tactics include supply chain attacks, double and triple extortion, and DDoS attacks.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks
A DoS (Denial-of-Service) attack is a malicious attempt to make a server, service, or network resource unavailable to users by overwhelming it with a flood of illegitimate requests.
- Performed using a single source (one computer or server)
- Simple and easier to trace and block
- Does not usually involve a botnet
A DDoS (Distributed Denial-of-Service) attack is a more sophisticated form of DoS, using multiple compromised systems (often distributed globally) to flood a target, making the attack harder to block and mitigate.
- Uses multiple sources, typically hundreds or thousands of devices in a botnet
- Much harder to defend against, since traffic comes from distributed IP addresses worldwide
- The attack traffic can mimic legitimate users, making mitigation complex
How Botnets Execute a DDoS Attack
- Botnets are built by infecting vulnerable devices via phishing, malware, or exploiting unpatched systems.
- The botmaster communicates with bots through a centralized or peer-to-peer command structure.
- Bots are instructed to simultaneously send massive amounts of traffic to a specific target (server, service, or network).
- The target becomes overwhelmed, leading to server crashes, network congestion, and service unavailability.
Impact on critical services
- Online services, including banking, government portals, healthcare systems, and e-commerce platforms, can become inaccessible.
- Organizations may suffer direct revenue loss and spend heavily on mitigation and recovery.
- Trust in the service provider can be severely damaged.
- DDoS attacks can act as distractions while attackers infiltrate systems for data theft or other malicious activities.
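The difference between a DoS and a DDoS flood shows up directly in what a detector can see. The added example below (not tooling from this catalog) runs a simple window classifier over constructed access-log lines: a per-source rate limit catches the single-source flood, but a botnet that keeps every bot under that limit only shows up in the aggregate count across many distinct addresses, which is exactly why the text calls DDoS harder to block. The log format, thresholds and IP ranges are constructed for the example and would be tuned to a real service's baseline.

```python
"""Classify a window of requests as normal, single-source DoS, or distributed DDoS.

Added illustrative example, not tooling from the catalog. The access-log
format ('<unix_ts> <client_ip> <method> <path>'), the thresholds and the
sample traffic are all constructed.
"""
from collections import Counter

WINDOW_SECONDS = 10
PER_SOURCE_LIMIT = 50       # assumption: one client above this in a window is a flood
TOTAL_LIMIT = 200           # assumption: aggregate above this is more than the service serves
MIN_DISTINCT_SOURCES = 20   # assumption: this many sources at once suggests a botnet


def parse_line(line):
    """'1700000000 203.0.113.7 GET /login' -> (timestamp, source_ip)."""
    ts, ip, _method, _path = line.split(maxsplit=3)
    return int(ts), ip


def classify_window(lines, window_end):
    """Look at requests in (window_end - WINDOW_SECONDS, window_end] and classify them."""
    counts = Counter()
    for line in lines:
        ts, ip = parse_line(line)
        if window_end - WINDOW_SECONDS < ts <= window_end:
            counts[ip] += 1
    total = sum(counts.values())
    top_ip, top_count = counts.most_common(1)[0] if counts else (None, 0)
    # Single-source flood: the per-source rate limit is enough to name the offender.
    if top_count > PER_SOURCE_LIMIT:
        return "dos", top_ip
    # Distributed flood: no single source stands out, only the aggregate does.
    if total > TOTAL_LIMIT and len(counts) >= MIN_DISTINCT_SOURCES:
        return "ddos", len(counts)
    return "normal", total


def make_log(sources, per_source, start=1_700_000_000):
    """Constructed log: each source sends per_source requests spread over the window."""
    lines = []
    for i, ip in enumerate(sources):
        for j in range(per_source):
            lines.append(f"{start + (i + j) % WINDOW_SECONDS} {ip} GET /login")
    return lines


# Constructed traffic samples (documentation address ranges, not real clients).
NORMAL_LOG = make_log([f"198.51.100.{n}" for n in range(1, 6)], 5)     # 5 clients, 25 requests
DOS_LOG = make_log(["203.0.113.7"], 120)                                # 1 client, 120 requests
DDOS_LOG = make_log([f"192.0.2.{n}" for n in range(1, 41)], 10)         # 40 bots, 10 each

if __name__ == "__main__":
    end = 1_700_000_009
    for name, log in (("normal", NORMAL_LOG), ("dos", DOS_LOG), ("ddos", DDOS_LOG)):
        print(name, classify_window(log, end))
```

Note that the DDoS sample never trips the per-source limit: each bot sends ten requests, well under fifty. Blocking individual addresses therefore does nothing against it, and mitigation has to work on the aggregate (upstream scrubbing, rate limits keyed on something other than source IP, or capacity).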
Zero-Day exploits
A Zero-Day vulnerability is a security flaw in software or hardware that is unknown to the vendor or developer. Hence, it remains unpatched and exploitable.
A Zero-Day exploit is a tool or method developed by attackers to take advantage of a Zero-Day vulnerability. These exploits can be sold on the dark web or used in espionage, cybercrime, or targeted attacks.
Zero-Day exploits are dangerous due to:
- No defense - Traditional security systems (antivirus, firewalls) might not detect them
- High impact - Can lead to data theft, remote control of systems, or full system compromise
- Widespread risk - Used against individuals, enterprises, and governments
Lifecycle of a Zero-Day Threat
- Discovery - Found by hackers, researchers, or criminals
- Exploitation - Used in attacks before the vendor is aware
- Disclosure - Eventually reported
- Patch - The vendor releases an update or fix
- Post-Day - Once patched, it is no longer “zero-day”
Man-in-the-Middle (MitM) attacks
A MitM attack occurs when a malicious actor secretly intercepts and possibly alters communications between two parties who believe they are directly communicating with each other.
How attackers intercept and manipulate communications
- Interception methods
  - Rogue Wi-Fi hotspots - Fake networks that appear legitimate, tricking users into connecting
  - Packet sniffing - Capturing data packets over unsecured networks using tools like Wireshark
  - Session hijacking - Stealing session cookies to impersonate users
  - DNS spoofing - Redirecting users to fake websites by altering DNS responses
- Manipulation techniques
  - Data injection - Inserting malicious content (for example, fake login pages) into web traffic
  - SSL stripping - Downgrading HTTPS connections to HTTP, leaving data unencrypted
  - Credential theft - Capturing usernames, passwords, or payment information
Public Wi-Fi risks
Public Wi-Fi networks are prime targets for MitM attacks due to weak security.
- Many networks lack WPA3/WPA2 encryption, allowing attackers to see unprotected data
- Attackers mimic legitimate networks, leading users to connect to a malicious one
- Devices often reconnect automatically to known networks, which can be exploited
SQL Injection & Cross-Site Scripting (XSS)
SQL Injection occurs when attackers insert malicious SQL statements into input fields (like search boxes or login forms), which are then executed by the backend database. This results in:
- Unauthorized access to sensitive data (usernames, passwords, financial records)
- Modification or deletion of database contents
- Full database control in severe cases
Cross-Site Scripting allows attackers to inject malicious scripts (usually JavaScript) into webpages viewed by others. These scripts execute in the victim’s browser. XSS types include:
- Stored XSS - Malicious script is permanently stored on the server
- Reflected XSS - Script is reflected off a web server, often via URL parameters
- DOM-based XSS - Manipulation of the DOM environment in the browser
XSS has consequences such as:
- Theft of session cookies (leading to account hijacking)
- Redirection to malicious websites
- Keylogging or phishing attacks
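Both injection classes in this section come from the same mistake: untrusted input is concatenated into something another interpreter (the database engine, the browser) will parse. The added example below (not code from this catalog) puts the vulnerable form of a login lookup and of a comment template beside the hardened form, using an in-memory SQLite database with constructed rows. The fixes are the standard ones the text implies: parameterised queries, so the driver never lets input become SQL text, and output encoding, so a stored comment is rendered as text rather than markup.

```python
"""SQL injection and XSS: vulnerable form beside the hardened form.

Added illustrative example, not code from the catalog. Uses an in-memory
SQLite database with constructed rows; table and column names are assumed.
"""
import html
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn


def find_user_vulnerable(conn, name):
    """String concatenation: whatever the user typed becomes part of the SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Parameterised query: the value travels separately from the SQL text and
    is only ever compared, never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def render_vulnerable(comment):
    """Stored XSS: the comment is pasted straight into the page as markup."""
    return "<p>" + comment + "</p>"


def render_safe(comment):
    """Output encoding: <, >, &, quotes become entities, so the browser shows
    the text instead of executing it."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # classic tautology: true for every row
    print("vulnerable:", find_user_vulnerable(db, probe))   # every user
    print("safe:      ", find_user_safe(db, probe))         # no such user
    payload = "<script>alert(1)</script>"
    print(render_vulnerable(payload))
    print(render_safe(payload))
```

The same principle applies elsewhere: escaping must match the context the data lands in (HTML body, attribute, URL, JavaScript string each encode differently), and parameterisation is the fix for every query builder, not only SQLite.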
DNS tunneling and spoofing
DNS Tunneling involves encoding data within DNS queries and responses to establish a hidden communication channel between a compromised system and an external server (usually controlled by an attacker). While DNS is typically used to resolve domain names to IP addresses, attackers exploit its ubiquity and permissiveness in networks.
How DNS tunneling works
- An endpoint is compromised by malware.
- The malware encodes data (such as user credentials, files) into DNS requests.
- These DNS requests are sent to a malicious domain (controlled by the attacker).
- The attacker’s DNS server interprets the requests and either responds with commands or collects the exfiltrated data.
DNS tunneling is dangerous because:
- DNS traffic is often overlooked by traditional security tools.
- Firewalls typically allow DNS traffic by default.
- Attackers can exfiltrate data slowly to avoid detection.
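Because DNS is allowed through almost everywhere, detection has to come from the shape of the queries rather than from blocking the protocol. The added example below (not tooling from this catalog) scores a resolver log per registered domain on the indicators that follow from the description above: encoded payloads produce long, high-entropy subdomains that never repeat, and a tunnel often leans on record types such as TXT that carry more data. The log format, thresholds and the "last two labels" domain approximation are assumptions; the sample lines are constructed, with SHA-256 digests standing in for encoded payloads so the example runs offline.

```python
"""Score DNS query logs for tunnelling indicators.

Added illustrative example, not the catalog's tooling. Log format
('<unix_ts> <client_ip> <qtype> <qname>') and thresholds are assumptions to
be tuned against a real resolver baseline; the sample log is constructed.
"""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character: encoded or random data scores high, dictionary words low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def registered_domain(qname):
    """Crude 'last two labels' approximation of the registered domain (assumption;
    a real deployment would use the public suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype.upper(), qname.lower()


def score_domains(lines, entropy_threshold=3.5, min_queries=20, unique_threshold=0.9):
    """Per registered domain: query count, mean subdomain entropy, longest label,
    share of never-repeated subdomains and share of TXT queries; flag domains
    where many high-entropy, unique subdomains are seen."""
    per_domain = defaultdict(list)
    for line in lines:
        _, _, qtype, qname = parse_line(line)
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        per_domain[dom].append((qtype, sub))
    report = {}
    for dom, entries in per_domain.items():
        subs = [s for _, s in entries]
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        longest_label = max((len(l) for s in subs for l in s.split(".")), default=0)
        unique_ratio = len(set(subs)) / len(subs)
        txt_share = sum(1 for q, _ in entries if q == "TXT") / len(entries)
        suspicious = (len(entries) >= min_queries
                      and mean_entropy > entropy_threshold
                      and unique_ratio > unique_threshold)
        report[dom] = {"queries": len(entries), "mean_entropy": round(mean_entropy, 2),
                       "longest_label": longest_label, "unique_ratio": round(unique_ratio, 2),
                       "txt_share": round(txt_share, 2), "suspicious": suspicious}
    return report


def _sample_log():
    """Constructed log: ordinary lookups for example.org interleaved with tunnel-like
    queries to example.test. SHA-256 hex digests stand in for encoded payload chunks."""
    lines, t = [], 1_700_000_000
    benign = ["www.example.org", "mail.example.org", "api.example.org"]
    for i in range(30):
        lines.append(f"{t + i} 10.0.0.5 A {benign[i % 3]}")
        h = hashlib.sha256(f"constructed-{i}".encode()).hexdigest()
        lines.append(f"{t + i} 10.0.0.9 TXT {h[:32]}.{h[32:]}.example.test")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for dom, stats in score_domains(SAMPLE_LOG).items():
        print(dom, stats)
```

In practice the per-domain score is combined with volume over time: the text's point that attackers exfiltrate slowly means `min_queries` has to be evaluated over hours or days, not a single window, and allow-listing known high-entropy legitimate domains (CDNs, anti-spam lookups) is needed to keep the false-positive rate usable.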
DNS Spoofing, also known as DNS Cache Poisoning, manipulates DNS responses to redirect users to malicious sites without their knowledge.
How DNS Spoofing works
- Attackers corrupt a DNS resolver’s cache with forged DNS entries.
- When a user tries to access a legitimate domain, they are redirected to a fake website.
- Users may unknowingly enter login credentials or download malware.
Why it's effective
- Users see the expected domain name in the address bar.
- It is ideal for impersonating legitimate services.
- It can affect entire networks if a shared resolver’s cache is poisoned.
The Cyber Kill Chain: How cyber security attacks unfold
The Cyber Kill Chain is a framework developed by Lockheed Martin to describe the stages of a cyberattack from the attacker’s point of view. Understanding each phase can help organizations detect, defend against, and mitigate attacks more effectively.
Reconnaissance
The objective here is to gather information about the target to prepare for an attack. Open-source intelligence (OSINT), social media scraping, website analysis, and domain and IP scanning are some methods used to gather intelligence. Focus areas include employee names, organizational structures, system details, and technologies used (such as software, platforms).
Weaponization
Attackers create a customized attack based on the gathered intelligence. The goal is to package a payload that can successfully breach the target's defenses. Weaponization methods include building malware (for example, ransomware, trojans, remote access tools), developing exploits for known vulnerabilities, and designing convincing phishing lures or malicious documents.
Delivery
The next step is to transmit the weapon to the victim, i.e., ensure that the payload reaches the target's system without raising alarms. Delivery methods include phishing emails with malicious links or attachments, compromising a legitimate website to automatically download malware when visited, and infiltrating a vendor or third-party provider to deliver the attack.
Exploitation
Exploitation is when the malicious code is triggered to exploit a vulnerability, in order to gain unauthorized access to or control over the target system. Exploiting unpatched software or zero-day vulnerabilities and tricking users into running malicious code (social engineering) are some exploitation methods.
Installation & Command-and-Control (C2)
In this phase, attackers establish a foothold in the victim’s environment to maintain stealthy, long-term access and control. It involves:
- Installation - Dropping backdoors, spyware, or other persistent malware
- Command-and-Control (C2) - Setting up communication channels (for example, encrypted web traffic, DNS tunneling) to receive instructions and exfiltrate data
Action on objectives
Attackers achieve their mission, whether financial gain, espionage, or destruction. It involves the following types of actions:
- Data Theft - Stealing intellectual property, personal information, financial records
- System Compromise - Escalating privileges, lateral movement within networks
- Operational Disruption - Launching ransomware, sabotaging systems, causing reputational damage
Cyber attack prevention: Best practices for individuals & businesses
Cybersecurity is a shared responsibility that requires proactive measures from both individuals and organizations. Below are some best practices to prevent cyber attacks.
Security awareness training
Human error is a leading cause of data breaches. Organizations that invest in security awareness training often see a reduction in successful phishing attacks and improved security posture.
Best Practices:
- Conduct periodic training to keep employees informed about the latest phishing techniques, scams, and insider threats.
- Implement controlled phishing tests to assess and improve employee response to suspicious emails.
- Establish straightforward procedures for reporting potential security incidents.
- Customize training materials to address specific roles and departments within the organization.
Endpoint security & Zero Trust framework
Endpoints like laptops and mobile devices are common entry points for cyberattacks. A Zero Trust approach ensures that every access request is verified, regardless of its origin. A multi-layered defense strategy, such as a Zero Trust framework combined with robust endpoint security measures, reduces the attack surface and enhances the organization's ability to detect and respond to threats.
Best Practices:
- Implement Zero Trust Architecture - Adopt a security model that assumes no implicit trust and continuously verifies every access attempt.
- Multi-Factor Authentication (MFA) - Require multiple forms of verification to access systems and data.
- Endpoint Detection and Response (EDR) - Deploy solutions that monitor and respond to threats on endpoint devices.
- Regular Updates and Patching - Keep all endpoint devices up to date with the latest security patches.
Patch management & vulnerability scanning
Unpatched vulnerabilities are a common target for attackers. Effective patch management, timely updates, and proactive vulnerability scanning can prevent exploitation because they reduce the window of opportunity for attackers.
Best Practices:
- Use tools that automatically apply patches to systems and applications.
- Focus on patching vulnerabilities that pose the highest risk to the organization.
- Conduct regular vulnerability scans to identify and remediate security weaknesses.
- Keep an up-to-date list of all hardware and software assets to ensure comprehensive coverage.
Incident response & cyber resilience
Despite preventive measures, incidents can still occur. Organizations with robust incident response and resilience strategies can contain threats more effectively and resume operations with minimal disruption.
Best Practices:
- Develop an Incident Response Plan - Create a documented strategy outlining how to detect, respond to, and recover from security incidents.
- Conduct Tabletop Exercises - Simulate cyber incidents to test and refine response procedures.
- Establish Communication Protocols - Define clear communication channels and responsibilities during an incident.
- Invest in Cyber Resilience - Implement measures that enable the organization to maintain essential functions during and after a cyberattack.
Cloud security & IoT protection
The proliferation of cloud services and IoT devices introduces new security challenges that require specialized strategies. Organizations must address the unique security needs of cloud and IoT environments to protect sensitive data and maintain the integrity of their systems.
Best Practices:
- Ensure cloud services and IoT devices are configured securely, avoiding default settings that may be vulnerable.
- Implement strict access controls and monitor for unauthorized access attempts.
- Keep all devices and services updated with the latest security patches.
- Isolate IoT devices on separate networks to limit potential breaches.
How to respond to a cyber security attack
Responding effectively to a cyber attack is crucial to minimize damage and ensure a swift recovery. Here's a structured guide outlining the key steps.
Immediate steps to contain an attack
a. Isolate infected systems
Disconnect compromised devices from the network to prevent the spread of malware or unauthorized access. This may involve unplugging network cables, disabling Wi-Fi, or shutting down affected servers.
b. Disable compromised accounts
Immediately revoke access for any user accounts suspected of being compromised to secure sensitive data.
c. Engage cybersecurity experts and authorities
Notify your internal IT security team and, if necessary, external cybersecurity professionals. Additionally, report the incident to relevant authorities to comply with legal requirements and receive guidance.
Incident investigation & threat intelligence
a. Conduct forensic analysis
Gather and analyze digital evidence, such as log files and network traffic, to understand the attack's origin, methods used, and scope. This helps in identifying vulnerabilities and preventing future incidents.
b. Leverage threat intelligence
Utilize threat intelligence to contextualize the attack within broader trends, understand attacker motivations, and adapt your defense strategies accordingly.
Recovery & business continuity planning
a. Restore from backups
Use clean, recent backups to restore affected systems and data, ensuring that the backups are free from malware before deployment.
b. Test systems before full deployment
Before bringing systems back online, thoroughly test them to confirm that all threats have been eradicated and that they function correctly.
c. Update Business Continuity and Disaster Recovery Plans
Review and revise your plans based on lessons learned from the incident to improve resilience against future attacks.
Legal and regulatory considerations
a. Understand applicable laws
Familiarize yourself with data protection regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), which mandate specific actions following a data breach.
b. Timely disclosure
Ensure that you disclose the breach to affected parties and regulatory bodies within the timeframes stipulated by relevant laws (for example, GDPR requires notification within 72 hours).
c. Document all actions
Keep detailed records of the incident response process, communications, and decisions made to demonstrate compliance and for future reference.