Understanding the whole subject of cyber attacks in depth helps us prevent them and respond to them faster.
Here is a simple classification to introduce a common naming convention.
Why, Who, What
Why cyber attacks are performed
1: to disturb or interrupt a service
This is the classic DoS attack, aimed at making a site or service unavailable, or at least at dramatically increasing the response time of the online service. Because these services are delivered to Internet users through a pipeline of components (Internet connection, border gateway, firewall, load balancer, application server, database), if just one of these elements cannot handle a specific kind of traffic, the whole pipeline fails to deliver the service as intended. The traffic causing the problem is not necessarily huge; it may simply be slightly malformed, or targeted precisely enough to block one component of the pipeline. Half-open three-way handshakes that are never completed can fill your firewall's connection table, malformed HTTP headers can overload your HTTP server, and a spike of requests against one specific page that runs heavy queries on the backend can slow down your database. There are many different types of attack depending on which element of the pipeline is targeted, but most of them are extremely generic: they are not designed for the specific application. For this reason, generic security architectures work very well at protecting online services.
2: to get access to information inside the server
This is the category of attacks such as SQL injection, where the attacker exploits a software vulnerability to extract information from your server (or data center). In a web application, the vulnerability can be in the custom software (generally bad development practices or specific bugs) or in one of the software components the developers used to build the application. This kind of attack requires basic knowledge of the site: either to test for generic vulnerabilities or to work out from the outside which components are used inside the application.
3: to get information from the user
Obtaining information from a user can open access to sensitive data. It can be collected through different channels: email (phishing), a phone call (social engineering), a malicious script injected into the login page to harvest what the user types (cross-site scripting, malicious code injected through advertising), or a virus/trojan. This kind of attack requires good knowledge of the site; sometimes the site is even replicated in a fake version.
4: to alter or delete information inside the server
Outdated WordPress installations hacked and their content changed, corporate Facebook pages manipulated. This is typical of pure content sites: there is nothing to steal because everything is public, but the content can be changed for many different reasons. It is often caused by security vulnerabilities in the CMS or by weak or stolen login credentials. Defacing sites is one of the most common activities of novice attackers.
5: to get control of the server
A large variety of attacks with many different effects, from the worst case of full root control of the server to the simpler ability to run a specific application. There are multiple ways to take control of a server, but they are usually related to a lack of security hardening or to a disclosed vulnerability in some software running on it.
Who performs cyber attacks
1: Cracker / Ethical hacker
Skilled technical people with experience in intrusion techniques. They are driven by curiosity (ethical hackers) or by the desire to break a system just to prove they can, or to demonstrate that systems are not well protected.
2: Script kiddie
People with little expertise who can run ready-to-use scripts and tools. Usually not very dangerous. They want to attract mass media attention and may have no ethical control over their actions.
3: The Hacktivist
People driven by specific interests: politics, religion, morals, etc. Their targets include companies or institutions guilty of some wrongdoing from their point of view, or other content sites hacked just to be used as self-advertising. In the past we have seen attacks intentionally created by a large mass of people coordinated to perform specific disruptive activities (from mail bombing to DDoS with many simultaneous requests).
4: Cyber criminals
This category contains all the professionals who use cyber attacks to make money. There are cyber warriors, hackers for hire available on demand, and organized cyber crime groups. Their activities range from credit card fraud and the black market for personal information to damaging competitors on demand and extortion (demanding money not to DDoS your site).
What are the main types of cyber attacks
1: Volume-based cyber attacks
Attacks at the network layer. Targets are network connectivity and network appliances such as border gateways, firewalls and load balancers. The goal is to choke the communication channels with a huge amount of junk traffic (volumetric attack). To generate such a volume, the attack is often performed from a large number of attacking points (distributed DoS) and uses reflection and amplification techniques (NTP amplification, DNS reflection, etc.). This flood of traffic can break connectivity or overload the network appliances.
This kind of attack is measured in bps (bits per second) and can be mitigated with a distributed network architecture that spreads the traffic across many points of presence, so that no single link or appliance has to absorb all of it.
2: Protocol-based cyber attacks
Targets are the basic services: firewalls, DNS, email servers, HTTP servers, etc. The attack can be based on specific vulnerabilities, on malformed protocol exchanges not handled correctly by the implementation, or on abusive use of standard protocols. The effect is that these devices/applications stop working correctly, suffering from high CPU usage or running out of memory. Typical attacks in this category are SYN flood, Ping of Death, UDP flood, etc.
They are measured in packets per second (pps). These attacks can be mitigated with intrusion detection/prevention appliances; detection alone only raises the alarm, so the appliance (or the firewall, e.g. with SYN cookies) must also be able to drop the offending packets.
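The following Python is an added example, not from the original post: a small detector run over a constructed, tcpdump-style packet log that flags the two traffic patterns discussed in the sections above, a SYN flood (pure SYNs per second against one target, the packets-per-second measure used for protocol attacks) and DNS/NTP reflection (UDP replies from resolver or NTP source ports reaching a host that never sent a request). The one-line-per-packet log format, the addresses and the thresholds are assumptions made for the example, and the traffic is generated inline rather than captured.

```python
import re
from collections import defaultdict

# Hypothetical one-line-per-packet format, loosely tcpdump-like, constructed for this
# example: "<epoch_seconds> <proto> <src_ip>:<sport> > <dst_ip>:<dport> [<tcp_flags>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) > (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: (?P<flags>[SAFRP.]+))?$"
)

# Well-known reflector services: replies come from these source ports.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}


def parse(line):
    """Returns a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = m.groupdict()
    p["ts"] = float(p["ts"])
    p["sport"], p["dport"] = int(p["sport"]), int(p["dport"])
    return p


def detect_syn_flood(packets, pps_threshold=100):
    """Flags (destination, port) pairs receiving more than pps_threshold pure SYNs
    (SYN set, ACK clear) within any one-second bucket. The distinct-source count is
    reported because a flood from hundreds of never-completing sources points to
    spoofed addresses rather than a sudden crowd of real clients."""
    buckets = defaultdict(lambda: [0, set()])  # (dst, dport, second) -> [count, sources]
    for p in packets:
        if p["proto"] == "TCP" and p["flags"] == "S":
            key = (p["dst"], p["dport"], int(p["ts"]))
            buckets[key][0] += 1
            buckets[key][1].add(p["src"])
    return [
        {"target": f"{dst}:{dport}", "second": sec, "syn_pps": n, "sources": len(srcs)}
        for (dst, dport, sec), (n, srcs) in sorted(buckets.items())
        if n > pps_threshold
    ]


def detect_reflection(packets, pps_threshold=50):
    """Flags hosts receiving more than pps_threshold DNS/NTP replies per second from
    servers they never queried in the log: the signature of reflection traffic, where
    the attacker spoofed the victim's address in the requests."""
    requests_seen = set()            # (client, server, service_port) we saw go out
    unsolicited = defaultdict(int)   # (victim, service_name, second) -> reply count
    for p in packets:
        if p["proto"] != "UDP":
            continue
        if p["dport"] in REFLECTOR_PORTS:
            requests_seen.add((p["src"], p["dst"], p["dport"]))
        elif p["sport"] in REFLECTOR_PORTS:
            if (p["dst"], p["src"], p["sport"]) not in requests_seen:
                unsolicited[(p["dst"], REFLECTOR_PORTS[p["sport"]], int(p["ts"]))] += 1
    return [
        {"victim": v, "service": svc, "second": sec, "reply_pps": n}
        for (v, svc, sec), n in sorted(unsolicited.items())
        if n > pps_threshold
    ]


def build_sample_log():
    """Constructed traffic, not a real capture: one legitimate handshake, one legitimate
    DNS lookup and its reply, then 300 spoofed SYNs in a single second against the web
    server, then 80 unsolicited DNS replies in a single second aimed at the same host."""
    lines = [
        "1700000000.10 TCP 198.51.100.7:51000 > 203.0.113.10:443 S",
        "1700000000.11 TCP 203.0.113.10:443 > 198.51.100.7:51000 S.",
        "1700000000.12 TCP 198.51.100.7:51000 > 203.0.113.10:443 .",
        "1700000000.20 UDP 203.0.113.10:40001 > 192.0.2.53:53",
        "1700000000.21 UDP 192.0.2.53:53 > 203.0.113.10:40001",
    ]
    for i in range(300):  # spoofed sources 10.0.x.y, each sending one SYN and nothing else
        lines.append(f"1700000001.{i:03d} TCP 10.0.{i // 256}.{i % 256}:{40000 + i} > 203.0.113.10:443 S")
    for i in range(80):   # replies from 20 open resolvers that the victim never queried
        lines.append(f"1700000002.{i:03d} UDP 192.0.2.{100 + i % 20}:53 > 203.0.113.10:{50000 + i}")
    return lines


def analyze(lines):
    """Parses the log and returns both detectors' findings."""
    packets = [p for p in (parse(line) for line in lines) if p]
    return {"syn_flood": detect_syn_flood(packets), "reflection": detect_reflection(packets)}


if __name__ == "__main__":
    for kind, findings in analyze(build_sample_log()).items():
        print(kind, findings)
```

On the sample the handshake and the real DNS lookup produce no alerts, the 300 SYNs produce one SYN-flood finding at 300 pps from 300 sources, and the 80 replies produce one DNS reflection finding. In practice the thresholds depend on the normal baseline of the monitored host, which is why the counts are reported rather than just a boolean.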
3: Application layer cyber attacks
Targets are the applications themselves. The vehicles for these attacks can be many: vulnerable libraries included in the custom software, low-quality development, low-quality architecture. The result can range from blocking the application to retrieving information from inside the server. In this case the requests arriving at the server look legitimate, with a correct structure, but because of hidden vulnerabilities some apparently normal requests produce unexpected results. This category includes attacks on common platform components such as operating systems and web servers (Slowloris, slow POST, HTTP flood, ...) and on custom applications (SQL injection). These attacks can be mitigated with a Web Application Firewall, keeping in mind that a WAF filters known request patterns and is not a substitute for fixing the vulnerable code.
4: Theft of credentials
Targets are the user credentials. Multiple techniques apply, from man-in-the-middle to social engineering. Of particular interest is the injection of external code into the site. More details in Protect your site from Malvertising, Bad tracking and malicious iframe contents