What Is a Cyber Attack? The Most Common Types and How to Prevent Them
On a Tuesday morning in May 2017, the IT department of the UK's National Health Service started receiving distress calls from hospitals reporting that their computers were locking and displaying ransom demands in Bitcoin. Within hours, 80 NHS trusts were affected. Appointment systems went dark. Surgeries were cancelled. Ambulances were redirected. Patient records were inaccessible.
The attack was WannaCry ransomware. It exploited a Windows vulnerability called EternalBlue — a flaw in the SMB network protocol. Microsoft had issued a patch two months earlier. The NHS had not applied it.
A software update that cost nothing and took minutes to deploy would have prevented a national healthcare crisis affecting 80 hospitals and an estimated 19,000 cancelled appointments.
This is the recurring pattern in virtually every major cyber attack: the sophistication of the attack is rarely why it succeeds. It succeeds because of a gap in basic security practice — an unpatched system, a reused password, an employee who clicked a link, a misconfigured firewall rule.

Why Most Descriptions of Cyber Attacks Are Useless in Practice
The standard treatment of cyber attacks presents a catalogue of attack types, each with a two-sentence explanation. Phishing: deceptive emails. Ransomware: encrypts your files. DDoS: overwhelms your server.
These descriptions are accurate but operationally useless. They do not explain the attacker's logic, the conditions that make each attack viable, the sequence of events that converts a vulnerability into a successful compromise, or — most importantly — the specific moment where a defender can interrupt the attack.
Every successful cyber attack exploits one or more of three fundamental weakness categories:
Technical weaknesses: Unpatched software, misconfigured systems, weak or default credentials, exposed services that should not be internet-facing, poor encryption implementation. These are gaps that attackers probe systematically using automated scanners.
Human weaknesses: Trust, urgency, authority, curiosity, fear. Attackers who cannot find technical weaknesses create situations that exploit human psychology. The person becomes the vulnerability.
Process weaknesses: Gaps in policy enforcement, inadequate monitoring, no incident response plan, no systematic patch management, excessive user privileges. Even technically secure systems can be compromised because the structure around them is not designed for adversarial conditions.
The Attack Chain: How Every Cyber Attack Unfolds in Stages
The most important structural insight about cyber attacks is that they are processes, not events. They unfold in stages, each building on the previous. The MITRE ATT&CK framework describes 14 tactical stages through which attacks progress.
Stage 1 — Reconnaissance: The attacker gathers information before touching anything. LinkedIn profiles reveal employee names, roles, email formats, and technology stacks. Shodan reveals exposed services and software versions. This stage is almost entirely invisible to defenders — the attacker is reading publicly available information.
Stage 2 — Initial Access: The attacker enters the environment. The mechanisms: a phishing email that delivers a malicious payload, exploitation of a vulnerable internet-facing web application, credential stuffing using leaked password databases, or a supply chain compromise through a third-party vendor.
Stage 3 — Execution: The attacker runs code on the compromised system. Modern attackers increasingly prefer "living off the land" — using legitimate tools already present on the system (PowerShell, WMI, certutil.exe on Windows) rather than dropping custom malware.
Stage 4 — Persistence: The attacker ensures they can maintain access through reboots, credential changes, and user logouts. Common mechanisms: creating new privileged user accounts, modifying registry run keys, installing scheduled tasks, placing backdoors in startup scripts.
Stage 5 — Privilege Escalation: A standard user account has limited access. Administrative or system-level access enables nearly everything. Privilege escalation exploits local vulnerabilities, misconfigured permissions, or credentials found in plaintext on the compromised system.
Stage 6 — Defence Evasion: The attacker actively works to avoid detection: disabling antivirus, clearing event logs, obfuscating malicious code, using encrypted communications for command-and-control.
Stage 7 — Credential Access: The attacker harvests credentials from the compromised environment: dumping password hashes from Windows memory (Mimikatz), reading credentials stored in browsers, extracting keys from configuration files.
Stages 8–14 — Discovery, Lateral Movement, Collection, Exfiltration, Impact: The attacker maps the internal network, moves to higher-value targets, collects and exfiltrates data, then achieves their final objective — encrypting systems, destroying data, or establishing long-term surveillance.
Why the chain matters for defenders:
The cost of containing an attack grows exponentially with each stage. Detecting and responding at Stage 2 (initial access) typically costs a few hours of analyst time. Detecting at Stage 9 (lateral movement) means the attacker has already compromised multiple systems and potentially harvested credentials, so response requires weeks. Detecting at Stage 12 (exfiltration) means customer data may already be sold on dark web marketplaces before the organization knows a breach occurred.
Phishing: The Attack That Defeats Technical Defences
Phishing is the initial access vector for more than 80% of all successful breaches. This number has remained remarkably stable for fifteen years despite two decades of user awareness training.
What phishing actually looks like in 2025:
Spear phishing: Targeted attacks on specific individuals using detailed reconnaissance. An attacker who spent two hours reading a CFO's LinkedIn activity and the company's investor relations page can craft an email that begins with specific deal context the CFO is expecting. A request to download a document in this context produces a very high success rate.
Business Email Compromise (BEC): The attacker either compromises a senior executive's actual email account or spoofs the email address and uses it to request urgent wire transfers, employee tax records, or credential resets. The FBI's 2023 Internet Crime Report identified BEC as the single highest-dollar category of cybercrime — $2.9 billion in reported losses in 2023 alone.
AI-generated phishing at scale: LLMs enable attackers to generate thousands of personalized, grammatically perfect phishing emails tailored to the recipient's specific industry, role, and recent public activity — at a cost of fractions of a cent per email.
The non-obvious vulnerability — phishing defeats MFA:
Modern phishing kits using real-time adversary-in-the-middle proxies (Evilginx2, Modlishka) sit between the victim and the legitimate website. The victim enters their credentials and OTP — and the attacker's proxy forwards everything to the real site while capturing the authenticated session cookie. The attacker now has a valid session that bypasses MFA entirely.
The MFA method that is genuinely phishing-resistant: hardware security keys using FIDO2/WebAuthn (YubiKey, Google Titan Key). The key performs a cryptographic challenge that binds the response to the specific domain. A phishing proxy cannot satisfy the challenge because it is on a different domain. Google implemented FIDO2 hardware keys for all employees in 2017, with zero successful phishing attacks against employees since implementation.
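The domain binding described above, as an added example that is not part of the original article: a simplified version of the checks a WebAuthn relying party runs on a sign-in response. The RP ID, origins, and function names are assumptions made for illustration, and the authenticator's signature verification is omitted.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed relying-party values (constructed for this example).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simulate the fields a browser and authenticator return at sign-in.

    The browser (not the page's script) records the origin it is actually on,
    and the authenticator hashes the RP ID the credential is scoped to.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    flags = bytes([0x01])                  # bit 0: user present
    sign_count = (1).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + sign_count
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes):
    """Relying-party checks that bind a login to this site's domain.

    A real server also verifies the authenticator's signature over
    authenticatorData || SHA-256(clientDataJSON), so a proxy cannot
    rewrite these fields; that step is omitted here.
    """
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    sent = str(client_data.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(expected_challenge).encode()):
        return False, "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    auth_data = assertion["authenticatorData"]
    if len(auth_data) < 37:                # rpIdHash(32) + flags(1) + counter(4)
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    return True, "ok"


if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    genuine = browser_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    # Constructed look-alike domain standing in for a proxy site.
    proxied = browser_assertion("https://login.example-sso.test",
                                "login.example-sso.test", challenge)
    print(verify_assertion(genuine, challenge))
    print(verify_assertion(proxied, challenge))
```

A TOTP code carries no such origin field, which is why the same relay that fails here succeeds against OTP-based MFA.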
What actually prevents phishing:
- DMARC, DKIM, and SPF email authentication standards prevent domain spoofing in most cases
- FIDO2 hardware security keys eliminate the session cookie theft that defeats TOTP-based MFA
- A formal verification channel for any financial transaction over a defined threshold
- Security awareness training that uses real simulated phishing attacks rather than slide decks
Ransomware: The Attack That Has Paralysed Hospitals, Pipelines, and Governments
How ransomware actually works — the technical sequence:
Phase 1 — Initial access: Via phishing, exploitation of a known vulnerability on an internet-facing system (VPN concentrators, Exchange servers, and remote desktop services are the most commonly exploited), or using credentials purchased on dark web markets.
Phase 2 — Reconnaissance and lateral movement (dwell time): Sophisticated ransomware groups do not deploy the encryption immediately. They spend days, weeks, or months mapping the network, identifying backup systems, escalating privileges, and positioning ransomware payloads across the entire environment. They specifically target and destroy or encrypt backups first. The 2021 JBS Foods ransomware attack involved an attacker who had been inside the network for 11 days before deploying ransomware.
Phase 3 — Double extortion setup: Before encrypting, the attacker exfiltrates a copy of the most sensitive data. This enables "double extortion" — threatening both to keep systems encrypted and to publish the stolen data publicly.
Phase 4 — Simultaneous detonation: Ransomware payloads placed on hundreds of systems detonate simultaneously, maximising disruption and minimising recovery options.
The Colonial Pipeline illustration:
The 2021 Colonial Pipeline attack: DarkSide ransomware entered via a compromised legacy VPN account with a reused password. No MFA was enabled on this account. The attack forced shutdown of 5,500 miles of pipeline supplying 45% of the US East Coast's fuel. The company paid a $4.4 million ransom.
The initial access vector: a single account with a reused password and no MFA. The prevention cost: zero (MFA on VPN accounts is free to implement).
Prevention that is specific and effective:
- MFA on all remote access (VPN, RDP, web applications) — non-negotiable
- Systematic vulnerability patching with priority on internet-facing systems
- Offline or air-gapped backups that ransomware cannot reach
- Network microsegmentation that prevents lateral movement between departments
- SIEM correlation rules that identify ransomware precursor behaviour (mass file enumeration, backup deletion commands)
- EDR solutions configured to alert on ransomware behavioural signatures (rapid file modification, shadow copy deletion)
SQL Injection: The Vulnerability That Has Survived Thirty Years
SQL injection was first documented in 1998. It appears in the OWASP Top 10 every year. And it is still successfully exploited in production applications in 2025.
How SQL injection works:
A web application takes user input and constructs a database query. If the input is included in the query directly without proper sanitization, the attacker can manipulate the query's logic.
A login form that constructs:
SELECT * FROM users WHERE username = '[user_input]' AND password = '[password_input]'
Can be attacked by entering ' OR '1'='1 as the username. The resulting query becomes:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = ''
The condition '1'='1' is always true. The query returns all users and the attacker is logged in as the administrator.
More sophisticated attacks can extract the entire database contents, write files to the server's filesystem, or execute operating system commands.
Real-world impact: In 2008, Heartland Payment Systems — processing 100 million credit card transactions per month — suffered a breach that exposed 130 million credit card numbers through SQL injection. The breach cost $145 million in fines, settlements, and operational costs.
Prevention:
Parameterized queries (prepared statements):
# Vulnerable
cursor.execute("SELECT * FROM users WHERE username = '" + username + "'")
# Safe
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))
ORM frameworks: SQLAlchemy, Django's ORM, Hibernate use parameterized queries by default.
Least privilege on database accounts: The database account used by the web application should have only SELECT/INSERT/UPDATE/DELETE permissions on the tables it needs.
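A runnable version of the comparison above, added here as an example and not taken from the original article: the username-only lookup from the Python snippet, run against an in-memory SQLite database with the article's own input string. The table, rows, and function names are constructed for illustration; note that `sqlite3` uses `?` placeholders where the snippet's driver uses `%s`.

```python
import sqlite3

# The input string quoted in the article's login-form walkthrough.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build a small in-memory users table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "administrator"), ("alice", "user"),
         ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Deliberately vulnerable: input is concatenated into the SQL text,
    # so quotes in the input become part of the query's syntax.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterized: the driver passes the value separately from the SQL,
    # so the input is only ever compared as data.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, payload:", lookup_vulnerable(conn, PAYLOAD))  # every row
    print("safe, payload:      ", lookup_safe(conn, PAYLOAD))        # no rows
    # A legitimate name containing an apostrophe also breaks the
    # concatenated query, which is often the first visible symptom.
    try:
        lookup_vulnerable(conn, "o'brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable, o'brien: SQL error:", exc)
    print("safe, o'brien:      ", lookup_safe(conn, "o'brien"))
```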
Cross-Site Scripting (XSS): The Attack That Steals Sessions and Spreads Silently
XSS is the most common web application vulnerability. It is often dismissed as "low severity" because it does not directly compromise the server. This is a dangerous misunderstanding.
XSS allows an attacker to inject malicious JavaScript into a web page that other users view. That JavaScript executes in the victim's browser with full access to everything the browser can access on that domain — including session cookies, stored credentials, form input, and the ability to make authenticated requests on the user's behalf.
The three types:
Stored XSS: The malicious script is stored in the application's database and displayed to all users who view that content. A single injection can affect thousands of users. Severity: critical.
Reflected XSS: The malicious script is delivered in a URL and reflected back to the user in the response. Requires social engineering to trick the victim into clicking the malicious link.
DOM-based XSS: The vulnerability is in client-side JavaScript that writes attacker-controlled data directly to the DOM. Cannot be detected by server-side scanning.
Prevention:
- Output encoding: Every piece of data displayed on a web page must be encoded for the specific context it appears in. HTML encoding prevents <script> tags from being interpreted.
- Content Security Policy (CSP): An HTTP header that instructs browsers to only execute JavaScript from specified trusted sources. A well-configured CSP eliminates the execution of injected scripts even when an XSS vulnerability exists.
- Input validation: Use allowlist validation — only permit expected characters — rather than denylist validation, which can always be bypassed.
DDoS Attacks: Availability as a Target
Distributed Denial of Service attacks do not steal data or gain unauthorized access. Their objective: make the service unavailable. A DDoS attack floods the target with more traffic than its infrastructure can handle.
The three types with different mitigation strategies:
Volumetric attacks: Flood the network bandwidth — UDP floods, ICMP floods, amplification attacks. Mitigation requires upstream filtering at the ISP or cloud provider level.
Protocol attacks: Exploit weaknesses in network protocols — SYN floods exhaust TCP connection state tables. Mitigation requires stateful inspection and protocol-level filtering.
Application layer attacks (Layer 7): The most sophisticated and most difficult to defend. Instead of flooding with bulk traffic, the attacker sends HTTP requests specifically designed to consume maximum server resources. The volume may be low, making it hard to distinguish from legitimate traffic spikes.
Prevention and mitigation:
- CDN and anycast networks (Cloudflare, Akamai, AWS CloudFront) distribute traffic across global networks, absorbing volumetric attacks before they reach origin infrastructure
- Rate limiting: limit requests per IP address per time period
- Traffic scrubbing: dedicated DDoS mitigation services route all traffic through scrubbing centers that filter attack traffic
Credential Attacks: The Attack That Does Not Need to Break Anything
Credential attacks are the most underappreciated category because they do not involve breaking security controls — they involve using legitimate credentials obtained through other means. From the system's perspective, the attacker is authenticated and authorized.
The three main variants:
Credential stuffing: Attackers obtain lists of leaked username/password combinations (billions of credentials are available from past breaches) and systematically test them against other services. A 2023 SpyCloud study found that 64% of users reuse passwords across multiple accounts.
Password spraying: Rather than trying many passwords against one account (which triggers lockout), the attacker tries one common password against many accounts. Active Directory lockout policies that lock an account after more than 5 failed attempts remain vulnerable to spraying because the attacker can stay under the lockout threshold indefinitely.
Brute force: Direct exhaustive testing of all possible passwords. Only viable against weak passwords or when there is no lockout policy.
Prevention:
- MFA on all user-facing applications — the single most effective control against credential-based attacks
- Monitor for credential stuffing patterns: multiple failed logins followed by a successful login from an unusual location
- CAPTCHA and rate limiting on login endpoints
- Check new user passwords against HaveIBeenPwned's API of known breached credentials
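One way to implement the monitoring described above, added as an example that is not part of the original article: two detections over authentication events, one for spraying (a single source failing against many accounts while staying under the lockout threshold) and one for a success from an unusual location after a burst of failures. The log format, the per-account country baseline, the thresholds other than the lockout value, and all names are assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: time, source IP, country, account, result.
SAMPLE_LOG = """\
2025-03-04T09:00:01Z 198.51.100.7 NL alice FAIL
2025-03-04T09:00:03Z 198.51.100.7 NL bob FAIL
2025-03-04T09:00:05Z 198.51.100.7 NL carol FAIL
2025-03-04T09:00:07Z 198.51.100.7 NL dave FAIL
2025-03-04T09:02:10Z 192.0.2.10 IN erin FAIL
2025-03-04T09:02:25Z 192.0.2.10 IN erin OK
2025-03-04T09:10:00Z 203.0.113.50 BR frank FAIL
2025-03-04T09:10:02Z 203.0.113.50 BR frank FAIL
2025-03-04T09:10:04Z 203.0.113.50 BR frank FAIL
2025-03-04T09:10:09Z 203.0.113.50 BR frank OK
"""
# Assumed baseline of countries each account normally signs in from.
KNOWN_COUNTRIES = {"erin": {"IN"}, "frank": {"IN"}}
LOCKOUT_THRESHOLD = 5          # failed attempts per account, as in the text
WINDOW = timedelta(minutes=30)


def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, ip, country, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, country, user, result))
    return sorted(events)


def detect_spraying(events, min_accounts=4):
    """Source IPs failing against many accounts, each below lockout."""
    by_ip = defaultdict(list)
    for ts, ip, _, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = []
    for ip, fails in by_ip.items():
        for start, _ in fails:
            per_user = defaultdict(int)
            for ts, user in fails:
                if start <= ts <= start + WINDOW:
                    per_user[user] += 1
            # Per-account lockout never fires, yet the spread is wide.
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= LOCKOUT_THRESHOLD):
                flagged.append(ip)
                break
    return sorted(flagged)


def detect_takeover(events, known=KNOWN_COUNTRIES, min_failures=3):
    """Successes from an unusual country that follow a burst of failures."""
    recent_fails = defaultdict(list)
    hits = []
    for ts, ip, country, user, result in events:
        if result == "FAIL":
            recent_fails[user].append(ts)
            continue
        burst = [t for t in recent_fails[user] if ts - t <= WINDOW]
        if len(burst) >= min_failures and country not in known.get(user, set()):
            hits.append((user, ip))
        recent_fails[user].clear()   # a success resets the failure history
    return hits


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("spraying sources:", detect_spraying(events))
    print("suspicious successes:", detect_takeover(events))
```

The spraying check keys on source IP while the takeover check keys on the account, because stuffing traffic is often spread across many sources.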
Supply Chain Attacks: When Trusting the Vendor Is the Vulnerability
Supply chain attacks compromise the software or infrastructure of a vendor to gain access to that vendor's customers. They exploit the implicit trust organizations place in their software suppliers.
The SolarWinds attack (2020): Attackers compromised SolarWinds' software build process and inserted malicious code into a software update for their Orion network monitoring product. 18,000 organizations downloaded and installed the update, including the US Treasury Department, the US State Department, and NATO. The attacker was inside multiple organizations' networks for months before detection.
The XZ Utils attack (2024): A malicious actor spent two years building trust as a contributor to a legitimate open-source compression library, then inserted a backdoor. The backdoor was discovered days before the compromised version would have been included in major Linux distributions used by millions of servers worldwide — demonstrating the patience of sophisticated threat actors.
Why supply chain attacks are so difficult to defend against:
The software received from a trusted vendor has been signed with their legitimate certificate, distributed through their legitimate update mechanism, and passes all integrity checks. The malicious code is inside authentic, signed software.
Mitigation strategies:
- Software composition analysis (SCA): tools that analyze the open-source libraries in your application's dependencies and alert on known vulnerabilities
- Vendor security assessment: evaluate the security practices of critical software vendors before deploying their products
- Network segmentation limiting blast radius: even if compromised software has remote access capability, segmentation limits where that access reaches
Advanced Persistent Threats (APTs): The Most Dangerous Category
APTs are sophisticated, long-term attacks conducted by well-resourced adversaries — typically nation-state actors or state-sponsored criminal groups — targeting specific high-value organizations.
What distinguishes APTs:
Persistence: APT actors invest months or years in a campaign. They will wait weeks for the right phishing email to succeed rather than compromising their cover with a rushed attack.
Stealth: APT actors specifically avoid detection. They use legitimate system tools. They operate within normal business hours. The average APT dwell time before detection is 200+ days.
Sophistication: APTs have access to zero-day vulnerabilities — exploits for which no patch exists. They build custom malware designed to evade specific security products deployed at the target.
Indian context: CERT-In has documented campaigns against Indian government infrastructure, defence contractors, pharmaceutical companies (during COVID-19 vaccine development), and financial institutions from threat actors attributed to both regional state actors and global criminal groups.
Defence against APTs:
- Threat hunting programmes that proactively search for attacker tools and behaviours rather than waiting for alerts
- Network traffic analysis that detects C2 (command and control) communications even over encrypted channels
- Zero trust architecture that limits lateral movement even for authenticated attackers
- Deception technology (honeypots, honeytokens) that alerts when an attacker interacts with deliberately placed fake assets
The Unified Prevention Framework: What to Do First
With multiple attack types requiring different controls, prioritization is essential.
Priority 1: Multi-Factor Authentication on all user accounts
Stops: phishing session stealing (reduces impact), credential stuffing (eliminates), password spraying (eliminates), BEC through compromised accounts. Microsoft has reported that accounts with MFA enabled are 99.9% less likely to be compromised.
Priority 2: Systematic patch management with priority on critical and internet-facing systems
Stops: exploitation of known vulnerabilities across all attack types. WannaCry, most ransomware initial access methods, and many APT entry vectors exploit known, patched vulnerabilities.
Priority 3: Air-gapped backups with tested restoration procedures
Limits: ransomware impact to operational disruption without existential financial risk from ransom demands.
Priority 4: Email authentication (DMARC, DKIM, SPF) and filtering
Stops: domain spoofing in phishing and BEC attacks — the most common initial access vector.
Priority 5: Endpoint detection and response (EDR) with behavioural monitoring
Detects: malware execution, lateral movement tools, and attacker behaviour at Stages 3–5 of the attack chain.
The Incident Response Dimension: When Prevention Fails
Prevention reduces the probability and severity of attacks. It does not reduce them to zero.
The four phases of incident response:
Preparation: Incident response plan documented and tested. Response team roles assigned. Backup systems tested. Communication procedures for notifying customers, regulators, and partners defined. Organizations that write IR plans and never test them discover the gaps when it matters most.
Detection and analysis: Identifying that an incident has occurred and understanding its scope. The most common failure: assuming the scope of what an attacker accessed is limited to what you can easily see.
Containment, eradication, and recovery: Stopping the ongoing attack, removing all attacker presence, and restoring systems to a known clean state. The sequencing matters — recovery before complete eradication means recovering into a still-compromised environment.
Post-incident activity: Root cause analysis, lessons learned documentation, and implementation of improvements. Organizations that treat post-incident review as a genuine learning exercise continuously improve their security posture.
The legal and regulatory dimension in India:
Under India's IT Act and the incoming Digital Personal Data Protection (DPDP) Act, organizations have legal obligations when personal data is breached. CERT-In mandates reporting of cyber incidents within six hours of detection. Failure to report carries regulatory penalties that can compound the damage of the original incident.
Closing
Understanding how cyber attacks actually work — the mechanisms, the operational sequences, the real-world impacts, and the specific defenses that prevent them — is the foundation of security literacy for anyone building systems, managing organizations, or considering cybersecurity as a career.
The controls with the highest return on investment address multiple attack types simultaneously: MFA prevents credential stuffing, phishing success, and BEC; systematic patching closes the technical weaknesses that ransomware, worms, and APTs exploit; layered detection and response limits the damage when prevention fails.
The sophistication of the attack is rarely why it succeeds. It succeeds because of a gap in basic security practice.





