What Is a Cyberattack?
A cyberattack is a deliberate attempt to access, damage, steal from, or disrupt a computer system, network, or device without authorization. A cyberattack uses technical methods or human deception to break the confidentiality, integrity, or availability of a target, with motives that range from financial gain to espionage. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) document the attack types and the defenses that resist them.
This article defines a cyberattack, explains the main categories of attack, sets out attacker motives, describes the attack lifecycle at a high level, identifies common targets, and explains defense in depth. A table summarizes the attack categories.
Each section states one part of the topic and connects it to the deliberate, unauthorized intent at the center of the definition. The result is a complete account of what a cyberattack is, the forms it takes, and the controls that defend a system against attack.
What Is a Cyberattack?
A cyberattack is a deliberate, unauthorized attempt to access, damage, steal from, or disrupt a computer system, network, or device. A cyberattack targets the confidentiality, integrity, or availability of data and services, using malicious software, deception, or the exploitation of a flaw. The defining traits of a cyberattack are listed below:
- Deliberate intent separates a cyberattack from an accident, since the actor chooses to breach the target.
- Unauthorized access means the actor lacks permission to reach or affect the system.
- The target is always one element of the CIA triad: the confidentiality, integrity, or availability of data or services.
- The method ranges from malicious code and deception to the exploitation of a software flaw.
A cyberattack threatens the data and services that cybersecurity protects, breaking the confidentiality, integrity, or availability the field defends. Many attacks rely on deceiving a person rather than a machine, the method explained in the overview of social engineering.
What Are the Main Categories of Cyberattack?
The main categories of cyberattack are malware, phishing and social engineering, denial-of-service, man-in-the-middle, injection, and credential attacks. A cyberattack category groups methods by how the attacker reaches the target. The main categories are listed below:
- Malware is malicious software, including viruses, worms, and ransomware, that infects a device to damage or control it.
- Phishing and social engineering deceive a person into revealing information or granting access.
- Denial-of-service floods a system with traffic to make it unavailable to legitimate users.
- Man-in-the-middle intercepts traffic between two parties to read or alter the data.
- Injection inserts malicious input, such as SQL or script, into an application to run unintended commands.
- Credential attacks guess, steal, or reuse passwords to gain unauthorized access.
Each category maps to a specific defense among the layered controls of cybersecurity. A flood that targets availability is the distributed denial-of-service attack, an interception that targets traffic is the man-in-the-middle attack, and an input attack against a database is SQL injection.
What Are the Motives Behind a Cyberattack?
The motives behind a cyberattack are financial gain, espionage, hacktivism, and disruption. An attacker’s motive shapes the target chosen and the method used. The common motives are listed below:

- Financial gain drives ransomware, fraud, and data theft that an attacker sells or exploits for money.
- Espionage steals confidential data, intellectual property, or state secrets for a competitor or government.
- Hacktivism attacks a target to advance a political or social cause, often through disruption or defacement.
- Disruption aims to damage operations, destroy data, or take a service offline.
The Federal Bureau of Investigation (FBI) and its Internet Crime Complaint Center (IC3) report that financially motivated attacks, including ransomware and business email compromise, account for the largest share of reported losses. An attacker’s motive determines whether the goal is theft, surveillance, protest, or damage.
How Does a Cyberattack Work at a High Level?
A cyberattack works through a lifecycle of reconnaissance, initial access, escalation, execution, and exfiltration or impact. An attack lifecycle describes the stages an attacker moves through, from studying a target to achieving the goal. The high-level stages are listed below:
- Reconnaissance gathers information about the target, such as systems, services, and people.
- Initial access breaches the target through a phishing message, a stolen credential, or an exploited flaw.
- Privilege escalation expands the attacker’s access from a single account toward broader control.
- Execution carries out the goal, such as deploying ransomware or copying data.
- Exfiltration or impact removes stolen data or causes the intended damage or disruption.
The lifecycle of a cyberattack maps to the stages described in frameworks such as the Lockheed Martin Cyber Kill Chain and the MITRE ATT&CK knowledge base. Initial access often begins with a deceptive message, the technique catalogued in the guide to phishing attack types, or with an unpatched flaw such as a zero-day exploit.
What Are the Common Targets of a Cyberattack?
The common targets of a cyberattack are individuals, businesses, government agencies, and critical infrastructure. A target is selected for the value of its data, its money, or its operations. The common targets are listed below:
- Individuals are targeted for credentials, financial accounts, and personal data used in fraud and identity theft.
- Businesses are targeted for customer data, intellectual property, and funds, often through ransomware and fraud.
- Government agencies are targeted for confidential records and for espionage by other states.
- Critical infrastructure, including energy, water, and healthcare, is targeted to disrupt essential services.
CISA identifies critical infrastructure sectors as priority targets because an attack on them affects public safety and essential services. An attack on an individual frequently leads to identity theft, while an attack on a business often begins with a deceived employee.
How Do You Defend Against a Cyberattack?
The defense against a cyberattack is defense in depth, which layers patching, access control, encryption, monitoring, backups, and user awareness. Defense in depth assumes no single control stops every attack, so it stacks independent barriers. The core defenses are listed below:
- Patching closes the software flaws that attackers exploit for initial access.
- Access control limits accounts and permissions, applying least privilege and multi-factor authentication.
- Encryption protects data so an interception or theft yields unreadable information.
- Monitoring detects an attack in progress so a response can contain it.
- Backups restore data and services after ransomware or destructive attacks.
- User awareness trains people to recognize phishing and social engineering attempts.
NIST and CISA recommend defense in depth, in which layered controls protect a system even when one control fails. Training users to verify requests defends against the deception attacks described in the social engineering overview, and recognizing fraudulent messages is the focus of the guide to spotting a phishing email.
What Is the Difference Between a Cyberattack, a Threat, and a Vulnerability?
A vulnerability is a weakness, a threat is the potential to exploit it, and a cyberattack is the act of exploiting it. These three terms describe different stages of risk. The distinctions are listed below:
- A vulnerability is a flaw in software, configuration, or human behavior that an attacker can use.
- A threat is any circumstance or actor with the potential to exploit a vulnerability.
- A cyberattack is the realized action in which a threat exploits a vulnerability against a target.
- A risk is the likelihood and impact of a threat exploiting a vulnerability.
NIST defines these terms separately so that organizations can measure risk and prioritize defenses. A vulnerability without a threat causes no harm, and a threat without a vulnerability has no path, while a cyberattack is the point at which the two meet.
Cyberattack Categories Comparison Table

| Category | How It Works | Primary Target | Primary Defense |
|---|---|---|---|
| Malware | Malicious software infects a device | Integrity, availability | Antivirus, patching, backups |
| Phishing / social engineering | Deceives a person into acting | Confidentiality, access | Awareness, verification |
| Denial-of-service | Floods a system with traffic | Availability | Filtering, rate limiting |
| Man-in-the-middle | Intercepts traffic between parties | Confidentiality, integrity | Encryption, authentication |
| Injection | Inserts malicious input into an app | Integrity, confidentiality | Input validation, parameterized queries |
| Credential attack | Guesses or steals passwords | Access | Strong passwords, multi-factor authentication |
What Are the Most Common Cyberattacks Reported Today?
The most common cyberattacks reported today are ransomware, phishing, business email compromise, and credential theft. A reported attack reflects the methods that produce the highest volume and financial loss. The most common reported attacks are listed below:
- Ransomware encrypts a victim’s data and demands payment, disrupting operations until files are restored.
- Phishing deceives users into revealing credentials, serving as the entry point for many larger attacks.
- Business email compromise impersonates an executive or vendor to redirect a payment or obtain sensitive data.
- Credential theft steals or reuses passwords to access accounts and systems.
The FBI Internet Crime Complaint Center (IC3) and CISA report ransomware and business email compromise among the costliest categories each year. Phishing and credential theft frequently precede these attacks, since a stolen password or a deceived user often provides the initial access that a brute-force attack or an exploited flaw also seeks.
How Has the Cyberattack Threat Changed Over Time?
The cyberattack threat has changed from isolated, individual intrusions toward organized, financially motivated, and supply-chain operations. The evolution reflects shifts in attacker organization and target selection. The major changes are listed below:
- Professionalization turned attacks into organized criminal services, including ransomware sold as a service.
- Supply-chain attacks compromise a trusted vendor to reach the vendor’s many customers at once.
- Automation uses tools that scan and exploit large numbers of targets quickly.
- The attack surface expands as cloud services, remote work, and connected devices add new entry points.
CISA identifies supply-chain compromise and ransomware as priority threats because each affects many organizations from a single intrusion. The widening attack surface increases the value of defense in depth, since more entry points require the layered controls of cybersecurity.
Key Takeaways
- A cyberattack is a deliberate, unauthorized attempt to access, damage, steal from, or disrupt a system.
- The main categories are malware, phishing, denial-of-service, man-in-the-middle, injection, and credential attacks.
- The motives are financial gain, espionage, hacktivism, and disruption.
- The lifecycle moves through reconnaissance, access, escalation, execution, and impact.
- The targets include individuals, businesses, government, and critical infrastructure.
- Defense in depth layers patching, access control, encryption, monitoring, backups, and awareness.
What is a cyberattack in simple terms?
A cyberattack is a deliberate, unauthorized attempt to access, damage, steal from, or disrupt a computer system, network, or device. It targets the confidentiality, integrity, or availability of data and services.
What are the main types of cyberattacks?
The main types are malware, phishing and social engineering, denial-of-service, man-in-the-middle, injection, and credential attacks. Each reaches the target through a different method and is countered by a different defense.
Why do cyberattacks happen?
Cyberattacks happen for financial gain, espionage, hacktivism, and disruption. The FBI reports that financially motivated attacks, including ransomware and fraud, account for the largest share of reported losses.
What is the difference between a threat and a cyberattack?
A threat is the potential to exploit a weakness, while a cyberattack is the act of exploiting it. A vulnerability is the weakness itself, and risk is the likelihood and impact of an attack.
Who are the common targets of cyberattacks?
Common targets are individuals, businesses, government agencies, and critical infrastructure. Each is chosen for the value of its data, money, or operations to the attacker.
How can you prevent a cyberattack?
Prevent cyberattacks through defense in depth: patch software, enforce access control and multi-factor authentication, encrypt data, monitor systems, keep backups, and train users to recognize phishing.
Last Thoughts on Cyberattacks
A cyberattack is a deliberate, unauthorized attempt to access, damage, steal from, or disrupt a computer system, network, or device, targeting confidentiality, integrity, or availability. The main categories are malware, phishing, denial-of-service, man-in-the-middle, injection, and credential attacks, driven by motives of financial gain, espionage, hacktivism, and disruption.
The attack lifecycle moves through reconnaissance, access, escalation, execution, and impact, and defense in depth layers patching, access control, encryption, monitoring, backups, and awareness. Readers can continue with the overview of social engineering, the guide to phishing attack types, the explanation of a DDoS attack, or the introduction to cybersecurity.


