What is a cyberattack?

A cyberattack is any intentional effort to steal, expose, alter, disable, or
destroy data, applications, or other assets through unauthorized access to a
network, computer system or digital device.
Threat actors start cyberattacks for all sorts of reasons, from petty theft to
acts of war. They use various tactics, like malware attacks, social
engineering scams, and password theft, to gain unauthorized access to
their target systems.

Cyberattacks can disrupt, damage and even destroy businesses. The average
cost of a data breach is USD 4.35 million. This price tag includes the costs
of discovering and responding to the violation, downtime and lost revenue,
and the long-term reputational damage to a business and its brand.

But some cyberattacks can be considerably more costly than others.
Ransomware attacks have commanded ransom payments as high as USD 40 million.
Business email compromise (BEC) scams have stolen as much as USD 47 million
from victims in a single attack. Cyberattacks that compromise customers'
personally identifiable information (PII) can lead to a loss of customer
trust, regulatory fines, and even legal action. By one estimate, cybercrime
will cost the world economy USD 10.5 trillion per year by 2025.
Why do cyberattacks happen?

The motivations behind cyberattacks can vary, but there are three main
categories:

1. Criminal
2. Political
3. Personal

Criminally motivated attackers seek financial gain through monetary theft,
data theft, or business disruption. Cybercriminals may hack into a bank
account to steal money directly or use social engineering scams to trick
people into sending money to them. Hackers may steal data and use it to
commit identity theft or sell it on the dark web or hold it for ransom.
Extortion is another tactic that is used. Hackers may use ransomware, DDoS
attacks, or other tactics to hold data or devices hostage until a company
pays. However, according to the most recent X-Force Threat Intelligence
Index, 32 percent of cyber incidents involved the theft and sale of data
rather than encryption for extortion.

Personally motivated attackers, such as disgruntled current or former
employees, primarily seek retribution for some perceived slight. They may
take money, steal sensitive data, or disrupt a company's systems.

Politically motivated attackers are often associated with cyberwarfare,
cyberterrorism, or "hacktivism." In cyberwarfare, nation-state actors often
target their enemies' government agencies or critical infrastructure. For
example, since the start of the Russia-Ukraine War, both countries have
experienced a rash of cyberattacks against vital institutions. Activist
hackers, called "hacktivists," may not cause extensive damage to their
targets. Instead, they typically seek attention for their causes by making
their attacks known to the public.

Less common cyberattack motivations include corporate espionage, in which
hackers steal intellectual property to gain an unfair advantage over
competitors, and vigilante hackers who use a system’s vulnerabilities to
warn others about them. Some hackers hack for sport, savoring the
intellectual challenge.
Who is behind cyberattacks?

Criminal organizations, state actors, and private persons can all start
cyberattacks. One way to classify threat actors is by categorizing them as
outsider threats or insider threats.

Outsider threats aren’t authorized to use a network or device but break in
anyway. External cyberthreat actors include organized criminal groups,
professional hackers, state-sponsored actors, amateur hackers, and
hacktivists.

Insider threats are users who have authorized and legitimate access to
a company’s assets and misuse their privileges deliberately or
accidentally. This category includes employees, business partners, clients,
contractors, and suppliers with system access.

While negligent users can put their companies at risk, it’s only a
cyberattack if the user intentionally uses their privileges to carry out
malicious activity. An employee who carelessly stores sensitive
information in an unsecured drive isn’t committing a cyberattack — but a
disgruntled employee who knowingly makes copies of confidential data for
personal gain is.
What do cyberattacks target?
Threat actors typically break into computer networks because they’re
after something specific. Common targets include:

• Money
• Businesses' financial data
• Client lists
• Customer data, including personally identifiable information (PII) or
  other sensitive personal data
• Email addresses and login credentials
• Intellectual property, like trade secrets or product designs
In some cases, cyberattackers don’t want to steal anything at all. Rather,
they merely want to disrupt information systems or IT infrastructure to
damage a business, government agency, or other target.
What effects do cyberattacks have on businesses?

If successful, cyberattacks can damage enterprises. They can cause downtime,
data loss, and money loss. For example:

• Hackers can use malware or denial-of-service attacks to cause system or
  server crashes. This downtime can lead to major service interruptions and
  financial losses. According to the Cost of a Data Breach report, the
  average breach results in USD 1.42 million in lost business.

• SQL injection attacks allow hackers to alter, delete, or steal data from
  a system.

• Phishing attacks allow hackers to trick people into sending money or
  sensitive information to them.

• Ransomware attacks can disable a system until the company pays the
  attacker a ransom. According to one report, the average ransom payment is
  USD 812,360.

In addition to directly harming the target, cyberattacks can have a host of
secondary costs and consequences. For example, the Cost of a Data Breach
report found that businesses spend an average of USD 2.62 million on
detecting, responding to, and remediating breaches.

Cyberattacks can also have repercussions for victims beyond the immediate
target. In 2021, the DarkSide ransomware gang attacked the Colonial
Pipeline, the largest refined oil pipeline system in the US. The attackers
entered the company’s network by using a compromised password. They shut
down the pipeline that carries 45% of the gas, diesel, and jet fuel supplied
to the US East Coast, leading to widespread fuel shortages.

The cybercriminals demanded a ransom of almost USD 5 million in bitcoin
cryptocurrency, which Colonial Pipeline paid. However, with help from the US
government, the company eventually recovered USD 2.3 million of the ransom.
What are the common types of cyberattacks?
Cybercriminals use many sophisticated tools and techniques to start
cyberattacks against enterprise IT systems, personal computers, and
other targets. Some of the most common types of cyberattacks include:
Malware

Malware is malicious software that can render infected systems inoperable.
Malware can destroy data, steal information, or even wipe files critical to
the operating system’s ability to run. Malware comes in many forms,
including:

• Trojan horses disguise themselves as useful programs or hide within
  legitimate software to trick users into installing them. A remote access
  Trojan (RAT) creates a secret back door on the victim’s device, while a
  dropper Trojan installs additional malware once it has a foothold.

• Ransomware is sophisticated malware that uses strong encryption to hold
  data or systems hostage. Cybercriminals then demand payment in exchange
  for releasing the system and restoring functionality. According to IBM’s
  X-Force Threat Intelligence Index, ransomware is the second most common
  type of cyberattack, accounting for 17% of attacks.

• Scareware uses fake messages to frighten victims into downloading malware
  or passing sensitive information to a fraudster.

• Spyware is a type of malware that secretly gathers sensitive information,
  like usernames, passwords, and credit card numbers. It then sends this
  information back to the hacker.

• Rootkits are malware packages that allow hackers to gain
  administrator-level access to a computer’s operating system or other
  assets.

• Worms are self-replicating malicious code that can automatically spread
  between apps and devices.
Social engineering

Social engineering attacks manipulate people into doing things that they
shouldn’t do, like sharing information they shouldn’t share, downloading
software they shouldn’t download, or sending money to criminals.

Phishing is one of the most pervasive social engineering attacks. According
to the Cost of a Data Breach report, it is the second most common cause of
breaches. The most basic phishing scams use fake emails or text messages to
steal users’ credentials, exfiltrate sensitive data, or spread malware.
Phishing messages are often designed to look as though they’re coming from a
legitimate source. They usually direct the victim to click a hyperlink that
takes them to a malicious website or open an email attachment that turns out
to be malware.

Cybercriminals have also developed more sophisticated methods of phishing.
Spear phishing is a highly targeted attack that aims to manipulate a
specific individual, often by using details from the victim’s public social
media profiles to make the ruse more convincing. Whale phishing is a type of
spear phishing that specifically targets high-level corporate officers. In a
business email compromise (BEC) scam, cybercriminals pose as executives,
vendors, or other business associates to trick victims into wiring money or
sharing sensitive data.
Denial-of-service attacks

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
flood a system's resources with fraudulent traffic. This traffic overwhelms
the system, preventing responses to legitimate requests and reducing the
system's ability to perform. A denial-of-service attack may be an end in
itself or a setup for another attack.

The difference between DoS attacks and DDoS attacks is simply that DoS
attacks use a single source to generate fraudulent traffic, while DDoS
attacks use multiple sources. DDoS attacks are often carried out with a
botnet, a network of internet-connected, malware-infected devices under
a hacker's control. Botnets can include laptops, smartphones, and Internet
of Things (IoT) devices. Victims often don't know when a botnet has
hijacked their devices.
Account compromise
Account compromise is any attack in which hackers hijack a legitimate
user's account for malicious activity. Cybercriminals can break into a
user's account in many ways. They can steal credentials through phishing
attacks or buy stolen password databases off the dark web. They can use
password attack tools like Hashcat and John the Ripper to break password
encryptions or stage brute force attacks, in which they run automated
scripts or bots to generate and test potential passwords until one works.
Man-in-the-middle attacks

In a man-in-the-middle (MitM) attack, also called an "eavesdropping attack,"
a hacker secretly intercepts communications between two people or between a
user and a server. MitM attacks are commonly carried out via unsecured public
wifi networks, where it's relatively easy for threat actors to spy on
traffic.

Hackers may read a user's emails or even secretly alter the emails before
they reach the recipient. In a session hijacking attack, the hacker
interrupts the connection between a user and a server hosting important
assets, like a confidential company database. The hacker swaps their IP
address with the user's, making the server think they're a legitimate user
logged into a legitimate session. This gives the hacker free rein to steal
data or otherwise wreak havoc.
Supply chain attacks

Supply chain attacks are cyberattacks in which hackers breach a company by
targeting its software vendors, material suppliers, and other service
providers. Because vendors are often connected to their customers' networks
in some way, hackers can use the vendor's network as an attack vector to
access multiple targets at once.

For example, in 2020, Russian state actors hacked the software vendor
SolarWinds and distributed malware to its customers under the guise of a
software update. The malware allowed Russian spies to access the sensitive
data of various US government agencies using SolarWinds' services, including
the Treasury, Justice, and State Departments.
Other types of cyberattacks
Cross-site scripting (XSS)
Cross-site scripting (XSS) attacks insert malicious code into a legitimate
web page or web application. When a user visits the site or app, the code
automatically runs in the user's web browser, usually stealing sensitive
information or redirecting the user to a spoofed, malicious website.
Attackers frequently use JavaScript for XSS attacks.
SQL injection
SQL injection attacks use Structured Query Language (SQL) to send
malicious commands to a website's or app's backend database. Hackers
input the commands through user-facing fields like search bars and login
windows. The commands are then passed to the database, prompting it to
return private data like credit card numbers or customer details.
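The pattern the paragraph describes, shown as an added example that is not part of the original article: a lookup that pastes a search-field value into the SQL text beside the parameterized form that closes the hole. The table, rows and test inputs are constructed for the demo (SQLite in memory).

```python
import sqlite3

# Constructed sample data standing in for the "backend database" above.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "4111-XXXX-XXXX-1111"),
    ("bob", "bob@example.com", "5500-XXXX-XXXX-0004"),
]


def make_db():
    """Build an in-memory customers table from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """The search-bar anti-pattern: user input is spliced into the SQL text,
    so a value containing a quote can rewrite the WHERE clause itself."""
    sql = f"SELECT name, email, card FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a parameterized query. The driver binds the input as a
    value, so it is only ever compared against the name column and can never
    become part of the statement."""
    sql = "SELECT name, email, card FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Input a developer would use to verify the fix: it closes the quoted
    # string and appends an always-true condition (constructed test value).
    probe = "nobody' OR '1'='1"
    print("vulnerable, normal input:", lookup_vulnerable(db, "alice"))
    print("vulnerable, probe input: ", lookup_vulnerable(db, probe))  # every row
    print("safe, probe input:       ", lookup_safe(db, probe))        # no rows
```

Against the probe value the spliced query returns every customer's card field while the parameterized one returns nothing, which is exactly the difference the paragraph describes between the two code paths.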
DNS tunneling
DNS tunneling hides malicious traffic inside DNS packets, allowing it to
bypass firewalls and other security measures. Cybercriminals use DNS
tunneling to create secret communication channels, which they can use to
silently extract data or establish connections between malware and a
command and control (C&C) server.
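A simple detector for the behaviour described above, added here as an example and not taken from the original article: it scores the attacker-controlled part of each queried name for length and character entropy, the two properties encoded payload tends to have. The log format and every line in it are constructed for the demo.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS resolver log: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A www.example.com
2024-01-01T10:00:02 10.0.0.5 A mail.example.com
2024-01-01T10:00:03 10.0.0.7 TXT 3q2b7f9x1zk8n4m0p6w2e5r8t1y4u7i0o3p.data.exfil-test.example
2024-01-01T10:00:04 10.0.0.7 TXT 9z8y7x6w5v4u3t2s1r0q9p8o7n6m5l4k3j2h.data.exfil-test.example
2024-01-01T10:00:05 10.0.0.9 A cdn.static.example.net
"""


def shannon_entropy(s):
    """Bits of entropy per character; ~4.7 is the max for base32-like text."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype,
                        "qname": qname.lower().rstrip(".")})
    return records


def controlled_part(qname):
    """Everything left of the last two labels. Simplification: the real
    registered domain may be longer (e.g. co.uk); a public-suffix list fixes that."""
    labels = qname.split(".")
    return ".".join(labels[:-2])


def flag_tunneling(records, min_sub_len=30, min_entropy=3.5):
    """Return records whose subdomain is both long and high-entropy.
    Ordinary hostnames (www, mail, cdn.static) fail the length test."""
    flagged = []
    for r in records:
        sub = controlled_part(r["qname"])
        if len(sub) >= min_sub_len and shannon_entropy(sub) >= min_entropy:
            flagged.append(r)
    return flagged


def queries_per_client_domain(records):
    """Second signal: a tunnel produces many distinct names under one domain."""
    seen = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        seen[(r["client"], ".".join(labels[-2:]))].add(r["qname"])
    return {k: len(v) for k, v in seen.items()}
```

In a real deployment the thresholds are tuned against a baseline of the organization's own traffic, and CDN or anti-spam lookups that legitimately use long hashed labels are allow-listed.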
Zero-day exploits
Zero-day exploits take advantage of zero-day vulnerabilities, which are
vulnerabilities either unknown to the security community or identified but
not yet patched. These vulnerabilities can exist for days, months, or years
before developers learn about the flaws, making them prime targets for
hackers.
Fileless attacks
Fileless attacks use vulnerabilities in legitimate software programs to
inject malicious code directly into a computer's memory. Cybercriminals
often use PowerShell, a scripting tool built into Microsoft Windows
operating systems, to run malicious scripts that change configurations or
steal passwords.
DNS spoofing
DNS spoofing attacks, also called "DNS poisoning," covertly edit DNS
records to replace a website's real IP address with a fake one. When
victims try to visit the real site, they're unknowingly delivered to a
malicious copy that steals their data or spreads malware.
Cyberattack prevention, detection, and response
Organizations can reduce cyberattacks by implementing cybersecurity
systems and strategies. Cybersecurity is the practice of protecting critical
systems and sensitive information from digital attacks by using a
combination of technology, people, and processes.
Preventing cyberattacks

Many organizations implement a threat management strategy to identify and
protect their most important assets and resources. Threat management may
include policies and security solutions like:

• Identity and access management (IAM) platforms and policies, including
  least-privilege access, multi-factor authentication, and strong password
  policies, can help ensure that only the right people have access to the
  right resources. Companies may also require remote employees to use
  virtual private networks (VPNs) when accessing sensitive resources over
  unsecured wifi.

• A comprehensive data security platform and data loss prevention (DLP)
  tools can encrypt sensitive data, monitor its access and usage, and raise
  alerts when suspicious activity is detected. Organizations can also make
  regular data backups to minimize damage if there is a breach.

• Firewalls can help block threat actors from entering the network in the
  first place. Firewalls can also block malicious traffic flowing out of the
  network, such as malware attempting to communicate with a command and
  control server.

• Security awareness training can help users identify and avoid some of the
  most common cyberattack vectors, such as phishing and other social
  engineering attacks.

• Vulnerability management policies, including patch management schedules
  and regular penetration testing, can help catch and close vulnerabilities
  before hackers can exploit them.

• Attack surface management (ASM) tools can identify, catalog, and
  remediate potentially vulnerable assets before cyberattackers find them.

• Unified endpoint management (UEM) tools can enforce security policies and
  controls around all endpoints on the corporate network, including laptops,
  desktops, and mobile devices.
Detecting cyberattacks
It is impossible to prevent cyberattack attempts entirely, so organizations
may also use continuous security monitoring and early detection
processes to identify and flag cyberattacks in progress. Examples include:

• Security information and event management (SIEM) systems centralize and
  track alerts from various internal cybersecurity tools, including
  intrusion detection systems (IDSs), endpoint detection and response
  systems (EDRs), and other security solutions.

• Threat intelligence platforms enrich security alerts to help security
  teams understand the types of cybersecurity threats they may face.

• Antivirus software can regularly scan computer systems for malicious
  programs and automatically eradicate identified malware.

• Proactive threat hunting processes can track down cyberthreats secretly
  lurking in the network, such as advanced persistent threats (APTs).
Responding to cyberattacks

Organizations may also take steps to ensure an appropriate response to
ongoing cyberattacks and other cybersecurity events. Examples include:

• Incident response plans can help contain and eradicate various kinds of
  cyberattacks, restore affected systems, and analyze root causes to prevent
  future attacks. Incident response plans are shown to reduce the overall
  costs of cyberattacks. According to the Cost of a Data Breach report,
  organizations with formal incident response teams and plans have 58% lower
  breach costs on average.

• Security orchestration, automation, and response (SOAR) solutions can
  enable security teams to coordinate disparate security tools in semi- or
  fully automated playbooks for responding to cyberattacks in real time.

• Extended detection and response (XDR) solutions integrate security tools
  and operations across all security layers—users, endpoints, email,
  applications, networks, cloud workloads, and data. XDRs can help automate
  complex cyberattack prevention, detection, investigation, and response
  processes, including proactive threat hunting.