Common Cybersecurity Attacks Everyone Should Know About; Is your Organization Safe?
Some of the Most Common Cybersecurity Attacks that Could Derail your Organization & How Implementing a SOAR Solution Could be your Best Line of Defense
Cyber attacks are all too common, thanks to the opportunity provided by the rapid expansion of the digital world. Organizations frequently fall victim to these attacks, sometimes unknowingly, potentially suffering irreparable damage and putting valuable assets at risk. A cyber attack is a deliberate, malicious attempt to gain access to an individual’s or an organization’s systems. Attackers are more persistent than ever; many of them are funded, sometimes even by nation-states, whether they run targeted attacks or mass campaigns. Having a working knowledge of the common types of cyber attack is important when determining how to prevent and recover from these threats.
Malware is arguably the most common type of cyber attack. ‘Malware’ refers to software, files, or programs intended to cause damage or to gain unauthorized access to a user’s device, a server, or a network. Malware comes in many forms, including viruses, worms, spyware, trojan horses, and ransomware.
The ultimate goal for malware is to gain access to a network or computer through a vulnerability, then install the malicious software. There are countless ways attackers can gain access, but most of them require the user to take action to install the malware. This can be as simple as a user clicking on a dangerous link or opening an infectious email attachment disguised as a non-threatening Word document or Excel file.
Once inside the system, malware can take a wide variety of malicious actions: install additional malware, take control of the user’s computer, monitor the user’s actions and keystrokes, block access to a network, collect confidential data from your machines or servers and transmit it to any destination the attacker chooses, or even render the computer completely inoperative.
Malware With CyberSponse’s CyOPs™ SOAR
CyberSponse’s SOAR solution can assist in detecting malware and aid in recovery by automating the response. For example, your organization’s FirePower IDS/IPS detects outbound command-and-control (C2) traffic to an external IP address and sends the alert to Splunk. Splunk forwards the alert to CyOPs™ via API, and CyOPs™ then takes the following actions: it instructs CarbonBlack EDR to quarantine the host using the CarbonBlack connector, instructs the Palo Alto firewall to block the IP address using the Palo Alto Panorama connector, and finally generates a malware incident case and assigns an investigation task to a SOC analyst. By automating this process with the CyOPs™ SOAR solution, incident response can begin immediately, which is essential when the goal is to limit and prevent damage.
Phishing is one of the most successful methods actors use to introduce malware into a victim network. During reconnaissance, actors can identify a particular company, or specific employees within it, to target. These targets are often selected by their seniority or by their position within the company. For example, business executives may have access to sensitive corporate information an actor wants to exfiltrate. Alternatively, an actor can target technical staff with elevated network privileges. Phishing delivers malware through many means, including malicious links, weaponized business documents (PDF, DOC, XLS, etc.), or direct attachment of malicious ‘exe’ or ‘zip’ files. Though these messages use many themes in an effort to entice the target to open the file, they always carry unique digital attributes (footprints) that can be blocked by security layers such as firewalls and email filtering tools.
Phishing With CyberSponse’s CyOPs™ SOAR
CyOPs™ conducts a typical phishing investigation using three chained playbooks. The first playbook fetches emails and their metadata from a designated inbox. Alert records are created from these ingested emails, notifying the user that they should be investigated. The second playbook in the chain then picks up these emails and runs a phishing investigation with your preferred tool. In the third playbook, the same process is executed on the email attachments to enrich the investigation.
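The link and attachment checks that the three playbooks above hand to your investigation tool look roughly like the following. This is an added Python example, not CyberSponse code: the message it parses is constructed for the demonstration, and the risky-extension list and the severity rule are assumptions of the example.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Attachment types the post names as common carriers (plus a few macro/script variants); an assumption.
RISKY_EXTENSIONS = {".exe", ".zip", ".doc", ".xls", ".pdf", ".docm", ".xlsm", ".js", ".scr"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def build_sample_email() -> bytes:
    """Constructed message: a lure link plus an executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@invoice-portal.example"
    msg["To"] = "cfo@victim.example"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please review the attached invoice: http://invoice-portal.example/login")
    msg.add_attachment(b"MZ\x90\x00not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


def triage_email(raw: bytes) -> dict:
    """Return the alert metadata a playbook would attach to an ingested message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
        attachments.append({
            "filename": name,
            # The hash is the "footprint" that mail filters and reputation services key on.
            "sha256": hashlib.sha256(data).hexdigest(),
            "risky": ext in RISKY_EXTENSIONS,
            # "invoice.pdf.exe": a second extension hides the true file type from the user.
            "double_extension": name.lower().count(".") >= 2,
        })
    alert = {
        "sender": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "urls": URL_RE.findall(text),
        "attachments": attachments,
    }
    risky = any(a["risky"] or a["double_extension"] for a in attachments)
    alert["severity"] = "high" if risky else ("medium" if alert["urls"] else "low")
    return alert
```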
Denial of service (DoS or DDoS)
Denial of service attacks impact the availability of systems or networks by exhausting their resources. If a website is flooded with more traffic than its architecture can process, legitimate users lose access. This can happen in normal circumstances, for example on Black Friday when online shopping traffic is at its peak, but malicious actors can also cause it deliberately. In a Distributed Denial of Service (DDoS) attack, malicious actors hijack network infrastructure around the world and use it to send traffic floods to victim networks, impacting system availability. Systems should be stress tested and protected with measures such as rate limiting and Content Delivery Networks (CDNs) such as CloudFront or Akamai, so that DDoS attacks cannot take sites down.
DDoS With CyberSponse’s CyOPs™ SOAR
For a DDoS attack, CyberSponse establishes communication with your preferred DDoS detection tool. A playbook then creates a CyOPs™ alert carrying the same metadata. This playbook can be triggered instantly either by an API request from an external tool with push functionality or by a scheduled pull from CyOPs™. After the alert is created, the investigation and remediation steps run automatically, such as blocking the IP address that initiated the DDoS attack.
Another way to resolve this would be to use a Web Application Firewall to detect the attack and send an alert, after which CyOPs™ would block the attacker IP addresses. Or, depending on organizational policy, CyOPs™ could instruct the firewall to block all inbound traffic to the target IP address so the DDoS traffic does not degrade throughput in the rest of the network. By automating this process with CyberSponse, an organization can configure and take the actions that meet its standard operating procedures and organizational policies for DDoS response and mitigation.
Structured Query Language (SQL) Injections
One of the most common attacks against web applications is a Structured Query Language (SQL) injection. These attacks can enable unauthorized access to sensitive data. In an SQL injection, an actor submits malicious data to a web application through an existing text box on the website. This malicious data causes the application to return information to the actor that it was never intended to return. For example, the username and password text boxes on a web page could be exploited with an SQL injection to return a list of all the application’s usernames and passwords. The actor then holds the credentials of every system user.
To defend against SQL injections, web applications should ‘escape’ or ignore certain characters, including the equals sign, the single quote, and the asterisk. Web applications should also be scanned to test whether they are susceptible to SQL injection attacks.
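As an added illustration (not from the original post), here is the login lookup from the example above written once by string concatenation and once with a parameterized query. Parameterization makes the database driver treat the input as data rather than SQL, so no character escaping is needed; the user table and credentials are constructed for the demo.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample user table (passwords kept in clear only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Builds the SQL by concatenation, so the input becomes part of the query text."""
    query = ("SELECT username, password FROM users WHERE username = '"
             + username + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Placeholders make the driver pass the input as bound values, never as SQL."""
    query = "SELECT username, password FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo() -> dict:
    """Run the same tautology probe through both versions and a legitimate login through the safe one."""
    conn = setup_db()
    probe = "' OR '1'='1"   # turns the concatenated WHERE clause into an always-true condition
    return {
        "vulnerable": login_vulnerable(conn, probe, probe),   # every row comes back
        "safe": login_safe(conn, probe, probe),               # no row has that literal username
        "legit": login_safe(conn, "alice", "s3cret"),
    }
```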
SQL Injections With CyberSponse’s CyOPs™ SOAR
Similar to DDoS attacks, SQL injections are detected by either a WAF or an IDS/IPS tool. The detection triggers a CyOPs™ playbook to create an alert with the necessary metadata; follow-on response actions can again be performed automatically by a playbook, or an analyst can provide input during the process if desired. For example, CyOPs™ could notify the website administrator that an SQL injection attempt was observed and then recommend that the administrator review the logs to determine whether the attack was successful. If the administrator reports a successful attack, a CyOPs™ playbook generates an incident and tasks the forensics team with investigating the web server.
Cross Site Scripting (XSS)
Another common type of web application attack is Cross Site Scripting (XSS). Like an SQL injection, an XSS attack targets the web application; however, the purpose of an SQL injection is for the actor to gain access to the stored data, whereas in an XSS attack the actor targets visitors of the website. The malicious code added to the site runs only when a visitor browses to it and the visitor’s browser executes that code. Code deployed to a website during an XSS attack can cause data loss for the victims. For example, actors could capture any user data entered on the website and retransmit it to infrastructure they control, including credit card data, personal information, or user credentials.
XSS With CyberSponse’s CyOPs™ SOAR
Detection is essential to preventing XSS attacks. CyberSponse can automate this process by integrating with your organization’s EDR or IDS. The tool detects the attack and sends an alert to CyOPs™, which then uses a connector to instruct the web proxy to block the website.
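An added example (not CyberSponse code) of the detection step that precedes both the SQL injection and the XSS playbooks described above: a small WAF-style check that runs over constructed web server access-log lines and emits the alert metadata a playbook would ingest. The signature set is an illustrative assumption, far smaller than what a real WAF or IDS carries.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined"-style line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# A small illustrative subset of the signatures a WAF or IDS would carry (assumption).
SIGNATURES = {
    "sqli": [re.compile(p, re.I) for p in (
        r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", r"\bunion\s+select\b", r";\s*drop\s+table\b")],
    "xss": [re.compile(p, re.I) for p in (
        r"<script\b", r"javascript:", r"\bon(load|error|click|mouseover)\s*=")],
}

# Constructed sample log lines: an SQL injection probe, an XSS probe, and a benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /login?user=admin%27+OR+%271%27%3D%271&pass=x HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2019:13:56:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812',
    '192.0.2.9 - - [10/Oct/2019:13:57:12 +0000] "GET /products?id=42 HTTP/1.1" 200 2048',
]


def inspect_request(line: str):
    """Return alert metadata for a suspicious request, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Payloads arrive URL-encoded; match against the decoded form the application will see.
    decoded = unquote_plus(m["path"])
    for category, patterns in SIGNATURES.items():
        if any(p.search(decoded) for p in patterns):
            return {"category": category, "src_ip": m["ip"], "path": decoded,
                    # A 200 on a probe is worth an analyst's look; it does not prove success.
                    "status": int(m["status"]), "timestamp": m["ts"]}
    return None


def scan(lines):
    """Run the check over a batch of lines, keeping only the alerts."""
    return [alert for alert in map(inspect_request, lines) if alert]
```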
One of the simplest types of cyber attack is the ‘zero-day’ attack; it is highly dependent on timing and on constant network monitoring. After a vulnerability is announced, there is a period during which no patch or fix exists. During this window, attackers attempt to exploit the vulnerability to compromise the victim’s machine or network.
The best protection against falling victim to zero-day attacks is to closely monitor one’s network or machines. It is also important to regularly perform infrastructure and network penetration testing. Identifying existing vulnerabilities and implementing patches or workarounds are the most effective ways of preventing zero-day attacks.
Zero-Day With CyberSponse’s CyOPs™ SOAR
While preventing a zero-day attack is nearly impossible, the CyberSponse SOAR solution can expedite the response. CyOPs™ can automate case management, creating and tracking tasks among teams (analysts, forensics, malware, firewall, etc.). Using IOCs and integrating CyOPs™ with connectors for tools such as DomainTools and VirusTotal can also assist in recovery from cyber attacks. Creating custom playbooks in CyOPs™ for your IDS and IPS tools further reduces response time and closes the vulnerability window.
Prevention & Recovery
Overall, practicing good cyber hygiene and being aware of the threats that exist help prevent cyber attacks. Simple measures can help protect your networks and systems: performing recurring backups, restricting user access, using two-factor authentication where available, encrypting sensitive data, and creating a password policy with mandatory time-based changes and length or complexity requirements.
We have discussed several of the most common cyber attacks; however, it is important to consider all the available resources that could benefit your particular environment. One type of resource that has recently taken the market by storm is the SOAR solution, such as the industry-leading CyberSponse CyOPs™ SOAR solution. A SOAR solution is a “Security Orchestration and Automation Incident Response Platform”. This platform incorporates the tools your organization already uses and maximizes their value by dramatically increasing efficiency. CyberSponse offers the only patented security orchestration and automation incident response SOAR platform that fills the gap between automation-only and human-dependent security for organizations.
By implementing the CyberSponse CyOPs™ SOAR platform in your environment, analysts are able to evaluate threats efficiently, because the collection of data from hundreds of enterprise security tools is automated. CyOPs™ SOAR presents the collected raw log data to analysts in a concise, visually appealing way, enabling near real-time evaluation of an attacker’s progression through the attack lifecycle. Additionally, the CyOPs™ SOAR platform documents this information as part of its incident management functionality. This approach reduces alert fatigue, enabling analysts to evaluate attack scenarios and security incidents efficiently, and ensures analytical outputs are available to all members of the team in real time.
Curious About Potentially Incorporating a SOAR Solution in your Organization’s Environment?
Try our FREE Community Edition for 45 Days, and See How CyOPs Can Streamline your Environment!