Threat Actors’ Tenacity to Disrupt: Examination of Major Cybersecurity Incidents

The exponential growth in the interconnectedness of people and devices, together with the upward trend in cyberspace usage, will continue to increase reliance on the internet. Most people's daily activities depend on their ability to navigate the internet to access and manage information. Managing or accessing information carries real risks, and when threat actors exploit those risks the result is often a cybersecurity incident. It is common knowledge that a major cybersecurity incident is likely to result in significant financial losses, legal liability, privacy violations, reputational damage, compromise of sensitive data and, in some cases, national security implications. Threat actors employ a variety of attack techniques to cause these incidents. We identified the major cybersecurity incident report consolidated by the Center for Strategic & International Studies (CSIS), from which we derived the data on the 803 major incidents analyzed here, and verified its credibility, non-partisanship, global reach and attack coverage by cross-referencing it with the Data Breach Investigations Report (DBIR). We also used the Global Cybersecurity Index (GCI) to ensure that this study is conducted within the context of established cybersecurity principles. With respect to the attack techniques employed by threat actors, we conducted an exploratory investigation of the 803 major cybersecurity incidents reported between 2005 and 2021. From the subset of 244 of these incidents that could be attributed to one of seven common attack techniques, this study reports that malware techniques were used to cause 48 percent of them and phishing techniques 19.7 percent.
Many sources confirm that major incidents will continue to happen, so we echo the importance of organizations being ready to conduct cybersecurity incident triage and, where necessary, thorough investigation. Given the relevance of the guidelines in the National Institute of Standards and Technology (NIST) incident response framework, we also recommend that organizations adopt it, or at least embrace similar guidelines as closely as possible.


I. INTRODUCTION
The associate editor coordinating the review of this manuscript and approving it for publication was Yuan Gao.
The effectiveness of a cybersecurity incident investigation depends largely on the set of facts about what happened and the insights available during analysis and response [1]. Timely insights enable incident response professionals and business leaders to make better judgements when investigating an incident or when deciding whether to invest in a defense [2]. In this study we seek to unravel insights that might be learned from major historical cyberattacks, especially with respect to the common attack techniques used to execute major cybersecurity incidents that happened and were reported between 2005 and 2021.
Dependency on information accessed through cyberspace creates a landscape of vulnerabilities that are constantly analyzed, and often exploited, by threat actors [3]. Many private and public enterprises, for example, are not only exposed to cybersecurity threats daily but have also been directly or indirectly impacted by at least one major cyberattack in the last decade [4]. Because threat actors exploit these vulnerabilities, the result is often a major cybersecurity incident coupled with financial or reputational loss for the victim [5].
While public and private organizations develop cybersecurity programs and initiatives, threat actors constantly conduct reconnaissance to gather intelligence on how those organizations think and defend themselves, which produces an ever-evolving set of threats [6]. As the evolving landscape creates new virtual ecosystems, nefarious actors will continue to conduct sophisticated cyberattacks [6]. Darknet marketplaces and hacker forums are one such ecosystem: their discussion threads are a source of knowledge exchange and learning, as members constantly trade information [7]. This study aims to reflect on these significant cybersecurity incidents, analyze the methods of attack, identify commonalities and patterns across incidents and, more importantly, understand which attack technique was most prominent in each.

A. RESEARCH QUESTIONS
The Center for Strategic and International Studies [8] has published more than 800 major cybersecurity incidents that occurred between 2005 and 2021; Figure 1 summarizes the count of these incidents. This paper set out to learn about the methods of attack that led to these major incidents, with the objective of answering the research questions below and thereby obtaining insights into how threat actors behaved over the period.
• RQ1: With reference to the major cybersecurity incidents that happened over the last decade as reported by the CSIS [8], what are some of the lessons learned from common attack techniques?
• RQ2: With reference to the major cybersecurity incidents that happened over the last decade as reported by the CSIS [8], is there evidence of major data breaches?

B. COMMON ATTACK TECHNIQUES INVESTIGATED
In our effort to understand threat actor behavior over the last decade, we looked for the following common cyberattack techniques:
1) Denial of service (DoS) and distributed denial of service (DDoS) attacks,
2) Malware attacks,
3) Phishing attacks,
4) Zero-day exploits,
5) Password-related attacks,
6) Exploitation of unpatched vulnerabilities, and
7) Internet of Things (IoT) attacks.
Threat actors employ many other techniques to cause major incidents [8], [9], but this study focused on the seven listed above because they are both important and common among the majority of the incidents we investigated. The frequency of these seven techniques over the last decade [8] is a further reason for selecting them.

II. BACKGROUND LITERATURE
Middleton [10] explored the history of cybersecurity attacks from 1980 to 2017 and traced incidents back to 1976, when threat actors used a combination of social engineering and dumpster diving (literally crawling into trash dumpsters to search for computer information such as phone numbers, computer codes, technical details, usernames and passwords) to circumvent a punch-card system. Our study does not go back before 2005 as Middleton [10] does, but it extends the period covered up to 2021. Unlike Middleton [10], our study performs a more thorough analysis and derives insights that business enterprises could consult when deciding which attack technique or method deserves the most attention. Middleton's publication [10] narrates some of the most notable attack techniques that threat actors leveraged to cause notable incidents, but it does not provide enough insight to indicate which attack techniques are trending.
With reference to some of the major security incidents that happened from 2014 to 2018, Van's appraisal [11] addressed the African perspective; as much as that publication articulated how those incidents impacted the African region, it did not provide sufficient analysis of cybersecurity threats and how they trended during the period investigated. Unlike Van [11], our study is inclusive of all continents and takes a global perspective, as no relevant nation state was excluded. In this study, major cybersecurity incidents as they impacted every region of the world, with consideration of global businesses and governments, were factored into our assessment of how threat actors behaved and which attack techniques or methods were used most.
VOLUME 10, 2022
While the major trends and challenges associated with cybersecurity in the US are appraised in Fonseca's work [12], that work excludes other parts of the world and, in our view, does not provide adequate insight into how threat actors behaved with respect to major incidents across all regions of the globe. Fonseca [12] focused on how major trends and challenges in cybersecurity impacted the US, with little or no context about threat actors' behavior towards other regions, whereas our study investigated every major cybersecurity incident that was reported or announced and met a very high bar in terms of scope and impact. With reference to the items identified in the literature above, our study intended to perform a more thorough analysis of the most notable attack techniques used by threat actors, with the goal of identifying useful insights. Below is a recap of the pros and cons of the related literature:

1) PROS OF RELATED LITERATURE
1) Through the lens of cybersecurity incidents, the literature we surveyed was insightful to the extent that we were able to compare and contrast how cybersecurity attacks are approached in Africa and in the United States.
2) Clear articulation and valuable information about how threat actors leveraged social engineering and combined it with other attack techniques to execute successful attacks against their victims.
3) Variants of different attack techniques were also discussed in a very informative manner.
2) CONS OF RELATED LITERATURE
1) With respect to cybersecurity attack trends, we identified insufficient insight in the study conducted by Middleton [10].
2) Other continents appear to be excluded from the analysis in Van's paper [11], especially in the context of the impact of major cybersecurity incidents.
3) Lack of adequate information about how threat actors behaved in terms of the attack techniques that lead to major incidents [12].

III. METHODOLOGY
The scope of this study centers on addressing the two research questions identified in the prior section. The CSIS report on Significant Cyber Incidents ''focuses on cyber-attacks on government agencies, defense and high-tech companies, or has economic crimes or with losses of more than a million dollars'' [8] and is consolidated by the Center for Strategic and International Studies [13]. To understand the facts about every major incident that we investigated, we studied the description of every incident in this report from 2005 to 2021, from which we derived the data represented in Figure 2. This section also provides an overview of the major concepts and terminology used or referred to in this paper.

1) RECONNAISSANCE
The reconnaissance phase of an attack is where threat actors gather information about the weaknesses of the targeted entity by conducting assessments to discover intelligence that will sooner or later be exploited [6]. Reconnaissance can be passive or active: passive reconnaissance gathers information about the target in a very subtle way, without touching its systems, while active reconnaissance involves much deeper profiling of the target, often using advanced methods that may trigger an alert if the target has an adequate detection system in place [14]. Significant cybersecurity incidents that impact hundreds, thousands or even millions of individuals, expose personally identifiable information or lead to significant financial loss are usually orchestrated with some level of reconnaissance planning by threat actors [15], and in many cases the attack begins with reconnaissance on the targeted victim [6].

2) DoS/DDoS ATTACKS
DoS is an acronym for denial of service, and DDoS for distributed denial of service [16]. A DoS attack is one in which entities or persons are denied authorized access to a resource or service because a threat actor has used a specific method, or a combination of attack techniques, to destroy or disrupt the underlying infrastructure with the aim of making the resource unavailable [17]. A DDoS attack is based on the same principle but uses multiple computers, typically compromised hosts under the attacker's control, to flood the target [18].

3) PHISHING ATTACKS
Phishing is a term coined from the word 'fishing'; it first appeared in the hacking community in the 1990s and describes an attack that typically attempts to trick the victim into clicking on a malicious link with the goal of obtaining sensitive information [19]. A phishing attack leverages social engineering, whereby a threat actor deceives the targeted victim in order to obtain valuable information; in most phishing attacks the impacted person is redirected to a malicious website [20]. A phishing attack may be targeted at a specific high-value individual, an organization or even an entire nation state, depending on the goal of the threat actor behind it [21], [22], [23].

4) MALWARE ATTACKS
This type of attack is very common against software [24]. Malware is software that harmfully attacks other software in ways that cause the actual behavior to differ from the intended behavior [24]. Threat actors use this method to execute many attacks, in the form of viruses, ransomware, trojans, remote access trojans (RATs) and the tooling used by advanced persistent threats (APTs), among others [25], [26], [27]. Strictly, an APT is a well-resourced adversary or sustained campaign rather than a malware family, but it is one of the most concerning categories grouped here because it persistently collects data from a specific target by exploiting vulnerabilities using diverse attack techniques [28].

5) DATA BREACH
A data breach is the intentional or inadvertent exposure of confidential or proprietary information to unauthorized parties; it can lead to significant reputational damage and financial losses and may be detrimental to the long-term stability of the impacted organization [29]. The term is often used interchangeably with network breach [29], [30], although the two are not the same: a network breach is unauthorized access to systems, and it becomes a data breach only when confidential data is actually exposed or taken, which is the evidence we looked for when classifying incidents in this study.

6) PASSWORD ATTACKS
In an attempt to either compromise systems or steal sensitive information, threat actors leverage different methods and techniques to conduct password-related attacks [31], [32]. Access to any system requires some form of credentials, typically a username and password and, in some cases, an additional code [31]. Threat actors persistently combine techniques such as social engineering, dictionary attacks and brute-force attacks to extract login credentials, which in many cases include usernames and passwords [31], [32]. Millions of user login credentials have been compromised in the last decade, with usernames and passwords exposed on the dark web [33]. In April 2020, for example, an estimated 500,000 stolen Zoom credentials, including login details, personal meeting URLs and host keys, were offered for sale on darknet markets, while some account credentials were given away for free [33].
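As an added illustration (example code, not from the paper), the following Python script simulates the offline dictionary attack described above against a leaked credential store. It compares a store of fast, unsalted SHA-256 hashes, where one pass over the wordlist cracks every weak password at once, with per-user salted PBKDF2, where the attacker must repeat the work for each user and pay the key-derivation cost on every guess. The user accounts, passwords, wordlist and iteration count are constructed for the example.

```python
"""Offline dictionary attack against a leaked credential store.

Added example (not from the paper). Two storage schemes are attacked with
the same wordlist so the cost difference is visible:
  * unsalted SHA-256: hash each candidate once, look it up for all users;
  * per-user salt + PBKDF2-HMAC-SHA256: every guess must be re-derived for
    every user, and each derivation costs ITERATIONS hash operations.
Accounts, passwords, wordlist and iteration count are constructed here.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Small constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Winter2020!", "dragon"]

# Constructed accounts: two weak passwords and one that is not in the wordlist.
ACCOUNTS = {
    "alice": "password",
    "bob": "Winter2020!",
    "carol": "c0rrect-h0rse-battery-staple",
}
ITERATIONS = 1000  # kept low so the example runs quickly; use far more in production


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def build_unsalted_store(accounts: dict) -> dict:
    """user -> sha256(password): the weak scheme commonly found in leaks."""
    return {user: sha256_hex(pw) for user, pw in accounts.items()}


def crack_unsalted(store: dict, wordlist: list) -> tuple[dict, int]:
    """Precompute one hash per candidate, then match it against every user.
    Returns (cracked users -> password, number of hash operations)."""
    lookup = {sha256_hex(word): word for word in wordlist}
    cracked = {user: lookup[h] for user, h in store.items() if h in lookup}
    return cracked, len(wordlist)


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_salted_store(accounts: dict, iterations: int) -> dict:
    """user -> (random per-user salt, PBKDF2 output)."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, derive(pw, salt, iterations))
    return store


def crack_salted(store: dict, wordlist: list, iterations: int) -> tuple[dict, int]:
    """The salt defeats precomputation: each user is attacked separately and
    every guess costs a full key derivation. Returns (cracked, derivations)."""
    cracked, derivations = {}, 0
    for user, (salt, stored) in store.items():
        for word in wordlist:
            derivations += 1
            if hmac.compare_digest(derive(word, salt, iterations), stored):
                cracked[user] = word
                break
    return cracked, derivations


def compare_schemes() -> dict:
    """Run both attacks and return a summary of who was cracked at what cost."""
    unsalted_cracked, unsalted_ops = crack_unsalted(build_unsalted_store(ACCOUNTS), WORDLIST)
    salted_store = build_salted_store(ACCOUNTS, ITERATIONS)
    salted_cracked, derivations = crack_salted(salted_store, WORDLIST, ITERATIONS)
    return {
        "unsalted_cracked": unsalted_cracked,
        "unsalted_hash_ops": unsalted_ops,
        "salted_cracked": salted_cracked,
        "salted_derivations": derivations,
        # each derivation is ITERATIONS HMAC rounds, so the real cost gap is far larger
        "salted_hash_ops": derivations * ITERATIONS,
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

Both schemes give up the two weak passwords, which is the real lesson of a credential dump: the salt and the slow KDF do not rescue a password that is in the wordlist, they only stop one pass over the wordlist from cracking every account at once. For online guessing against a login endpoint the corresponding controls are rate limiting and lockout; for a leaked store they are per-user salts, a slow KDF and, above all, credentials that are not in any dictionary.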

7) ZERO-DAY EXPLOIT
While many security systems can detect known vulnerabilities through the signatures associated with them, a zero-day vulnerability is hard to detect [34]. Zero-day exploits are difficult to detect precisely because no signature exists for them until the vulnerability or its exploit is eventually announced to the public [35]; until then, defenders must rely on behavioral and anomaly-based detection rather than signatures. A zero-day attack may take many forms, for example application-based or network-based. A network-based zero-day attack may be described as any new attack that seeks to exploit unknown vulnerabilities in a network system [36].

8) EXPLOIT OF UNPATCHED VULNERABILITIES
Unlike a zero-day exploit, the exploitation of unpatched vulnerabilities is predictable [37], [38]. Threat actors conduct reconnaissance to gather information about unpatched vulnerabilities, which are low-hanging fruit for attackers [6]. While many organizations and government institutions run vulnerability management programs across their enterprises, it is rarely feasible or cost-effective to patch every detected known vulnerability, so many organizations focus on high- and critical-severity vulnerabilities while low- and medium-severity ones are either accepted as a risk or dismissed as benign [39], [40]. Threat actors never stop searching for those unpatched vulnerabilities to exploit [41], [42]. In other scenarios the design of a software system may contain flaws that negatively affect quality and maintainability [43], thereby creating a vulnerability that, if exploited, may be disruptive to an organization [39], [40].
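The gap described above, where low- and medium-severity findings are parked as accepted risk while attackers keep hunting for them, is what a risk-based prioritization is meant to close. The following Python script is an added example (not the paper's tooling) that ranks scan findings by exploitation evidence and reachability rather than by CVSS alone, so that a medium-severity bug that is known to be exploited on an internet-facing host outranks a critical one on an isolated machine, and it lists the "accepted" items that must be revisited. The finding identifiers, scores, weights and SLA policy are all constructed for the example.

```python
"""Risk-based patch prioritization (added example, not from the paper).

Severity-only policies patch high/critical findings and accept the rest;
attackers exploit whatever remains reachable. This ranking weighs evidence of
in-the-wild exploitation and internet exposure above raw CVSS and flags the
low/medium findings that must not be accepted as risk. Finding identifiers,
CVSS values, weights and SLA days are constructed / assumed here.
"""
from dataclasses import dataclass

SEVERITY_BY_CVSS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}  # assumed policy


@dataclass(frozen=True)
class Finding:
    finding_id: str        # hypothetical tracker id
    cvss: float
    known_exploited: bool  # e.g. listed in an exploited-vulnerabilities catalog
    internet_exposed: bool
    asset: str


def severity(f: Finding) -> str:
    """Map a CVSS base score to the usual severity bands."""
    for floor, label in SEVERITY_BY_CVSS:
        if f.cvss >= floor:
            return label
    return "low"


def risk_score(f: Finding) -> float:
    """Exploitation evidence and reachability weigh more than CVSS (assumed weights)."""
    return f.cvss + (10.0 if f.known_exploited else 0.0) + (4.0 if f.internet_exposed else 0.0)


def sla_days(f: Finding) -> int:
    """Known-exploited findings get the critical SLA whatever their CVSS band says."""
    return SLA_DAYS["critical"] if f.known_exploited else SLA_DAYS[severity(f)]


def prioritize(findings):
    """Return (id, severity band, risk score, SLA days) from most to least urgent."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.finding_id, severity(f), risk_score(f), sla_days(f)) for f in ranked]


def must_not_accept(findings):
    """Findings a severity-only policy would park as 'accepted risk' but that
    attackers are actively using: these must be remediated, not accepted."""
    return [f.finding_id for f in findings
            if severity(f) in ("low", "medium") and f.known_exploited]


FINDINGS = [  # constructed sample scan results
    Finding("VULN-1", 9.8, False, False, "internal build server"),
    Finding("VULN-2", 5.3, True, True, "public VPN gateway"),
    Finding("VULN-3", 7.5, False, True, "public web server"),
    Finding("VULN-4", 3.1, False, False, "internal printer"),
]

if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
    print("accepted-risk items that must be fixed:", must_not_accept(FINDINGS))
```

With these constructed inputs the medium-severity VULN-2 lands at the top of the queue with a seven-day SLA because it is both exploited in the wild and reachable from the internet, while the critical VULN-1 on an isolated host drops to third; a CVSS-only policy would have produced the opposite order and left VULN-2 in the accepted-risk bucket.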

9) IoT ATTACKS
IoT stands for internet of things which describes the interconnectedness of devices over the internet [44]. IoT devices underpin many technological trends and infrastructures, such as smart homes and smart cities [44], [45]. While these internet-connected devices generate, process, and exchange significant volumes of data during their operations, utilizing many internet protocols, in many cases they are exposed to cybersecurity threats [44], [45], [46].

B. STUDY STRATEGY
As a preliminary assessment of whether this study was relevant, we searched Google for ''major cybersecurity incidents''. The results included non-independent or partisan reports from many organizations; after reading and reviewing some of them, we decided to narrow down to a report from an independent, non-partisan organization and agreed to use the report titled 'Significant Cyber Incidents' from the Center for Strategic and International Studies. In addition, we queried Google Scholar for literature that helped us understand prior research related to our study. Google Scholar was where we identified the relevant works, referenced in this paper, that provided additional context on what had already been written about major cybersecurity incidents and their trends.

C. STUDY PROCEDURE & DATA EXTRACTION
After studying the identified background literature to gather additional context and learn from similar works, we identified gaps and limitations in those works, which led to the beginning of our study. We then analyzed the report titled 'Significant Cyber Incidents' [8] to identify the data points, metrics and other information that were instrumental in deriving the data referenced in Figure 2, Table 1 and Table 2.

1) VALIDATION OF THE CSIS DATABASE
Even though we established the credibility, independence, non-partisanship, global reach and attack coverage of the CSIS major incident report [13], as part of our due diligence we also used the Data Breach Investigations Report (DBIR) [47], [48], [49] to cross-validate the attack techniques that we analyzed. We also used the Global Cybersecurity Index (GCI) [50], [51], [52] to ensure that this study is conducted within the context of established cybersecurity principles.

2) DATA BREACH INVESTIGATION REPORT
One of the most thorough cybersecurity reports available online is Verizon's Data Breach Investigations Report (DBIR) [47], [48], [49]. Security professionals use the DBIR for first-hand, data-driven accounts of potentially devastating data breaches [47], [48], [49]. We used this report to validate the occurrence of some of the cybersecurity incidents and attack methods that we looked at.

3) THE GLOBAL CYBERSECURITY INDEX
Because cybersecurity spans a wide range of applications, the GCI evaluates the level of development in each nation across five pillars: legal measures, technical measures, organizational measures, capacity building and cooperation [50], [51], [52]. These pillars are combined into an overall score by nation, which private organizations also frequently reference [50], [51], [52]. In this study the GCI was consulted before our analysis of the incidents and attack techniques, to improve our awareness of the significance and various aspects of this index, which is a reliable tool for tracking how governments throughout the world are carrying out their cybersecurity obligations.

D. DATA COLLECTION
After analyzing 803 incidents, we identified 244 major incidents related to the seven attack techniques highlighted in the prior subsections. The dataset in Figure 2 represents the breakdown of these 244 major cybersecurity incidents, which happened between 2006 and 2021 and emerged as the most relevant derived data used in this study. To derive that data, we studied the consolidated major incident report obtained from the Center for Strategic and International Studies [8] and, based on the facts presented in the description of each incident, determined which attack technique(s) the threat actors used. Another important reason for selecting the CSIS database [8] as our source is its inclusiveness of all regions [53] of the world, covering:
1) Africa
2) America
3) Arctic
4) Asia
5) Europe
6) Middle East
7) Russia and Eurasia
The following are descriptions of five examples out of the 803 significant cyber incidents reported in the CSIS report [8] that we analyzed for this study:
1) ''April 2021: Malware triggered an outage for airline reservation systems that caused the networks of 20 low-cost airlines around the world to crash'' [8].
2) ''April 2021: Russian hackers targeted Ukrainian government officials with spearphishing attempts as tensions between the two nations rose during early 2021'' [8].

2) ANALYSIS OF INCIDENT
This section provides additional description of how we analyzed the incidents in the CSIS report [8]. In the first of the five examples in the subsection above, the malware attack technique is the most notable cause of the incident. The second example highlights how phishing was employed to conduct the hack [8], which identifies phishing as the notable technique used to execute that attack. While the fourth example suggests that the threat actor(s) employed an attack technique different from those listed in Figure 2, the fifth example shows evidence of a data breach because confidential documents were exposed to unauthorized parties. The evaluation of these examples is representative of how we evaluated all 803 incidents investigated for this paper.
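The coding step just described (read each CSIS entry, decide the most notable technique, check for breach evidence, sort into Group A, B or C) and the aggregation into per-technique shares and per-year counts used in the Results are mechanised below as an added Python example; it is not the paper's own tooling. The keyword patterns, the priority order used to pick one "most notable" technique when several match, and all sample entries other than the two quoted from the CSIS report are constructed for the example. Note one deliberate difference from the paper, whose groups are disjoint and sum to 100 percent: here an entry with both a recognised technique and breach evidence is counted in Group A and Group B, so a practitioner applying this must choose a precedence rule.

```python
"""Keyword-based coding of CSIS-style 'Significant Cyber Incidents' entries.

Added example, not the paper's own tooling. It mechanises the manual step
described in the text: read each incident description, decide which of the
seven common attack techniques (if any) is the most notable cause and
whether the description shows evidence of a data breach, then sort the
incident into Group A (breach), Group B (one of the seven techniques) and/or
Group C (espionage, undisclosed or unclear method). Keyword patterns, the
priority order and all sample entries except the two quoted from the CSIS
report are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Priority order: a more specific technique wins over a generic one when a
# description matches several (assumed tie-break, not the paper's rule).
TECHNIQUE_PATTERNS = {
    "zero_day":  [r"\bzero[- ]day\b", r"\b0-day\b"],
    "unpatched": [r"\bunpatched\b", r"\bknown vulnerabilit",
                  r"\bpatch(?:es)? (?:had|was|were) (?:been )?available"],
    "iot":       [r"\biot\b", r"\binternet of things\b", r"\bsmart (?:camera|device|home)s?\b"],
    "malware":   [r"\bmalware\b", r"\bransomware\b", r"\btrojan", r"\bworm\b", r"\bvirus", r"\bwiper\b"],
    "phishing":  [r"phishing\b", r"\bvishing\b", r"\bsmishing\b"],
    "password":  [r"\bpassword", r"\bcredential stuffing\b", r"\bbrute[- ]force", r"\bdictionary attack"],
    "dos_ddos":  [r"\bd?dos\b", r"\bdenial[- ]of[- ]service\b"],
}
BREACH_PATTERNS = [r"\bexposed\b", r"\bleaked\b", r"\bstolen\b", r"\bexfiltrat",
                   r"\bdata breach\b", r"\brecords\b"]
ENTRY_RE = re.compile(r"^(?P<month>[A-Z][a-z]+) (?P<year>\d{4}): (?P<desc>.+)$")


@dataclass(frozen=True)
class Incident:
    month: str
    year: int
    description: str


def parse_entry(line: str) -> Incident:
    """Split a 'Month YYYY: description' entry into its parts."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised entry format: {line!r}")
    return Incident(m["month"], int(m["year"]), m["desc"])


def _matches(text: str, patterns) -> bool:
    return any(re.search(p, text) for p in patterns)


def tag_incident(inc: Incident):
    """Return (matching techniques in priority order, set of groups A/B/C)."""
    text = inc.description.lower()
    techniques = [name for name, pats in TECHNIQUE_PATTERNS.items() if _matches(text, pats)]
    breach = _matches(text, BREACH_PATTERNS)
    groups = set()
    if breach:
        groups.add("A")
    if techniques:
        groups.add("B")
    if not groups:          # nothing recognisable: espionage / undisclosed / unclear
        groups.add("C")
    return techniques, groups


def summarize(incidents) -> dict:
    """Group counts, share of Group B per primary technique, and per-year counts."""
    groups, primary, per_year = Counter(), Counter(), Counter()
    for inc in incidents:
        techniques, gs = tag_incident(inc)
        groups.update(gs)
        if techniques:
            primary[techniques[0]] += 1            # first match = most notable technique
            per_year[(inc.year, techniques[0])] += 1
    total_b = groups["B"]
    share = {t: round(100.0 * n / total_b, 1) for t, n in primary.items()} if total_b else {}
    # group shares may exceed 100 in total because A and B overlap here
    group_share = {g: round(100.0 * n / len(incidents), 1) for g, n in groups.items()}
    return {"groups": dict(groups), "group_share_pct": group_share,
            "primary_technique_share_pct": share, "per_year": dict(per_year)}


SAMPLE_ENTRIES = [
    # The first two are quoted from the CSIS report as cited in the text.
    "April 2021: Malware triggered an outage for airline reservation systems that caused the networks of 20 low-cost airlines around the world to crash",
    "April 2021: Russian hackers targeted Ukrainian government officials with spearphishing attempts as tensions between the two nations rose during early 2021",
    # The remaining entries are constructed for this example.
    "March 2021: Attackers exploited an unpatched vulnerability in an email server and exfiltrated records from several agencies",
    "June 2019: A DDoS attack took the online banking services of a large bank offline for several hours",
    "September 2020: A suspected state-sponsored cyber espionage campaign targeted several ministries; the intrusion method was not disclosed",
    "January 2018: A botnet of compromised IoT cameras was used to launch DDoS attacks against a hosting provider",
    "May 2021: Ransomware disrupted a fuel distributor; the operators reported that data was stolen before encryption",
    "July 2020: Credential stuffing with passwords leaked from an earlier breach gave attackers access to thousands of customer accounts",
]

if __name__ == "__main__":
    incidents = [parse_entry(e) for e in SAMPLE_ENTRIES]
    for inc in incidents:
        print(inc.month, inc.year, tag_incident(inc))
    print(summarize(incidents))
```

Keyword tagging is only a first pass: an entry that mentions stolen passwords after a malware infection is coded as malware here because of the priority order, and an entry such as the espionage example above has no recognisable technique and falls through to Group C. That is exactly the judgement the manual reading in the paper supplies, and reviewing the tagger's output against a hand-coded sample is the check a practitioner should run before trusting its percentages.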

IV. RESULTS
In this study we analyzed a total of 803 cybersecurity incidents of major significance from 2005 to 2021. With reference to Figure 2, 30 percent of these 803 incidents were caused by at least one of the following attack techniques: malware, phishing, DoS/DDoS, zero-day exploits, exploitation of unpatched vulnerabilities, password attacks and IoT attacks. With respect to Table 2, we also report that 38 percent of the 803 incidents were attributed to cyber espionage, undisclosed causes, or a combination of unclear attack techniques. We found that 32 percent of the 803 incidents show evidence of a notable data breach, as highlighted in Table 1. For the purpose of analysis, the major data breach incidents in Table 1 (32 percent of the 803) are labelled Group A; the incidents in Figure 2 caused by the seven techniques (30 percent) are labelled Group B; and the incidents in Table 2 attributed to cyber espionage or other undisclosed methods (38 percent) are labelled Group C. Overall, this study reports that significant cybersecurity incidents trended upward from 2005 to 2020, as highlighted in the trend line below:

A. MALWARE ATTACKS
This study reports that malware attacks (including ransomware, viruses, worms, RATs, APT tooling and so on) have been used persistently, increasingly and more than any other technique by threat actors from 2005 to 2021. Out of the major cybersecurity incidents investigated in the Group B category, malware attack techniques were the most notable cause of 48.0 percent of the group of

B. PHISHING ATTACKS
In the Group B category, it was also notable that threat actors successfully employed phishing to cause significant cybersecurity incidents between 2011 and 2021. Phishing in the framework of this study includes all its variants, such as vishing and spear phishing. This study reports that 19.7 percent of the major cybersecurity incidents in Group B were caused by phishing attacks. It is also clear from the chart below (Figure 5) that threat actors used phishing more aggressively from 2019 to 2021.

C. DoS/DDoS ATTACKS
This type of attack is very common, as it is one of the techniques most easily used by threat actors to disrupt services or

D. ZERO-DAY EXPLOIT
From the major cybersecurity incidents investigated in the Group B category, this study reports that a zero-day exploit was announced as the notable cause of a major incident in 2013 and again in 2014, and that the count doubled in both 2018 and 2020. This type of attack accounts for less than 3 percent of the major incidents investigated in Group B.

E. EXPLOIT OF UNPATCHED VULNERABILITIES
This study reports that exploitation of unpatched vulnerabilities was the cause of 9.4 percent of the major cybersecurity incidents investigated in Group B. According to our study this type of attack picked up steam again in 2016 and has increasingly caused significant incidents up to 2021, as highlighted in the chart below:

F. PASSWORD ATTACKS
Password attacks, which include among others dictionary attacks, brute-force attacks and password attacks based on social engineering [31], [32], constitute less than 2 percent of the incidents investigated in Group B. This study reports that threat actors did not begin causing major cybersecurity incidents through password-related techniques until 2015, and that the number of major incidents caused by password attacks in 2021 was three times that of 2019, which is very significant.

G. IoT ATTACKS
From the major incidents investigated in the Group B category, we observed only two IoT cybersecurity incidents, announced or disclosed in 2018 and 2019.

H. TRENDS OF ATTACK METHODS
Of the common attack techniques used as criteria to analyze the major incidents in this study, malware and DoS/DDoS attacks have been used persistently by threat actors in almost every year from 2006 to 2021. According to our study, malware techniques are the most likely to be used by threat actors, and the chart below shows them trending upward again from 2019.

I. COMPARISON OF ATTACK TECHNIQUES
Even when the seven attack methods used as criteria for this study are compared side by side, as highlighted in Figure 12, malware techniques were employed by threat actors to cause the majority of the incidents reported between 2016 and 2021, more than any other technique.

J. TRENDS OF NOTABLE DATA BREACH INCIDENTS, COMPARED WITH 7 ATTACK TECHNIQUES
With reference to the chart in Figure 13, this study reports a notable drop in 2019 both in major incidents caused by malware and in incidents that resulted in a data breach. We also observe an immediate upward trend in both series in 2020 and 2021. Despite these similarities, our study did not establish a direct correlation between individual data breaches and individual malware attacks between 2019 and 2021.

K. OTHER ATTACK TECHNIQUES
Apart from the major cybersecurity incidents that resulted in data breach events as we investigated in Group A category and major cybersecurity incidents caused by the seven attack techniques that we studied from the Group B category, we also did a very limited exploration of incidents caused by other attack techniques. The incidents in this category (incidents caused by other attack techniques) were either caused by cyber espionage, other undisclosed attack methods, or had insufficient information [8]. Figure 14 below indicates that there are many other major cybersecurity incidents that were caused by different types of attack techniques and methods between 2006 and 2021.

A. THREAT ACTORS' BEHAVIOR:-ANALYSIS/LESSONS LEARNED
As observed in this study, phishing attacks are becoming more sophisticated as threat actors adopt new and creative methods for conducting them. Distributed denial of service (DDoS) and denial of service (DoS) attacks remain a persistent nuisance on the Internet [54], which our study also confirms. Although threat actors have used zero-day exploits for decades [55], we did not observe many of them leading to major cybersecurity incidents over the last decade. Unlike zero-day exploits, the exploitation of unpatched vulnerabilities is predictable [38] and, according to our findings, has been trending up since 2016.
Although this study reports one major incident from exploitation of an unpatched vulnerability in 2010 (as highlighted in Figure 8), the following four years suggest that either government agencies and corporate organizations had comprehensive patching and system hardening programs in place or threat actors focused on other techniques to attack their victims. This technique allows threat actors to easily conduct reconnaissance, gather information about unpatched vulnerabilities and then exploit them [41].
Password attacks are very common and have always been a major concern in cybersecurity [31], [32]. This type of attack surged in 2021, as indicated in Figure 9, especially when compared with the other years since 2015. Although millions of devices are connected to the internet and IoT-related cybersecurity incidents have occurred throughout the last decade [44], [45], our study did not find many IoT-related attacks among the major incidents. Given the findings and observations of this study, the two research questions posed at the beginning have been reasonably addressed. Using the common attack techniques as one of the criteria for evaluating the CSIS report [8], this study reports how threat actors behaved in terms of which common attack types were used the most and the least over the last decade.

1) ADDITIONAL INSIGHTS FROM COMMON ATTACK TECHNIQUES
Based on insights derived from this study, the real-world impact of these major incidents is very significant. In reference to the dataset in Figure 2, for example, malware attacks were primarily responsible for 48.0 percent of major cybersecurity incidents, while phishing attacks accounted for 19.7 percent of them. The percentage of major incidents caused by malware attacks as reported in this study is very likely the result of the computerization of many enterprises and of user interaction with these attacks [56], [57]. DoS/DDoS attacks, on the other hand, caused 13.5 percent of the major cybersecurity incidents identified in this study. This is significant, but also expected, as a DoS attack can happen at every layer of the OSI model [58]. While this study indicates that the exploitation of unpatched vulnerabilities resulted in 9.4 percent of major incidents, it is important to add that remediating unpatched vulnerabilities is likely to reduce the incidents they cause [59], [60].

2) DATA BREACH INCIDENTS
This study also found evidence that some of the major cybersecurity events that happened over the last decade led to major data breach incidents. The data in Table 1 highlight our observation of data breach incidents between 2005 and 2021. These findings about major data breach incidents answer our second research question. The data about major data breach incidents as observed in this study suggest that a major incident leading to a major data breach incident is a certainty. In addition to a thorough investigation and an incident response plan, it is also highly recommended that every organization have a recovery plan in place to address data breach incidents when they happen [30], [61], [62].

VI. CONCLUSION
No organization, including small, medium, and large businesses or government institutions, is safe from today's sophisticated cyberattacks, even those with the highest or most robust security controls in place [63]. This is also confirmed by the geographical distribution of the organizations of all sizes impacted by the cybersecurity incidents investigated in this study. Therefore, the outcome of this study vis-à-vis the analysis of these cybersecurity attack methods has indicated the importance of having a prepared incident management capability in place; by that we mean a combination of both administrative and technical capabilities to respond when any of the attack methods mentioned in this study occurs.

A. ADMINISTRATIVE MITIGATION CONTROLS
In this section, we highlight a few administrative measures that businesses use, or at the very least consider, when getting ready for or responding to a cybersecurity attack. Although the list below is not exhaustive, it does at least outline some of these administrative mitigation controls:

1) COMMUNICATION
Leveraging effective internal and external communication during the handling of a cybersecurity attack (such as the ones mentioned in this study) may be valuable in addressing identified cyber threats, especially given that in ''today's cyber threat landscape, a wide variety of skills and coordination are needed to combat increasingly complex challenges'' [64]. The value of effective communication should not be underestimated when addressing cybersecurity threats.

2) INFORMATION SHARING
Before a significant security attack occurs, or during an active cybersecurity incident investigation, having the necessary information sharing strategy in place and executing it effectively is very important for ensuring that all parties are kept informed before, during, and after any given cybersecurity incident [64], [65], [66], [67], [68], [69]. ''Information about threats can improve an organization's situational awareness, expand its understanding of the current threat horizon and increase its defensive agility by improving decision making'' [64].

3) TRAINING
An organization's information assets often leak out due to employees' careless behavior, such as downloading emails from unknown senders, hastily following linked pages, or setting passwords based on their own birthdays [70]. Therefore, it is crucial to make the necessary investments and implement the appropriate programs to ensure that information security training and education are provided for employees [70]. A routine tabletop exercise improves the knowledge, comprehension, and readiness of cybersecurity incident response teams, making it one of the ways to prepare for addressing a severe cybersecurity attack [71].

4) POLICIES, PROCESSES, PROCEDURE AND STANDARD FRAMEWORKS
In order to ensure readiness for a potential cybersecurity attack, it is essential to have an enterprise incident response policy, well-documented processes, clear procedures, defined standards, and other relevant artifacts in place [72], [73], [74]. If these artifacts are rigorously enforced, they could not only ensure adequate response during incident handling but may also help to avoid a disastrous situation [72], [73], [74].

B. TECHNICAL MITIGATION CONTROLS
Some of the major procedures necessary to address cybersecurity attacks include monitoring security events, compiling and keeping security logs, and correlating and evaluating all data related to an incident that has occurred or is occurring [63]. This section focuses on some of the technical mitigation capabilities used by businesses to handle cybersecurity incidents. The capabilities mentioned in this area frequently call for advanced technology and technical knowledge.

1) MONITORING AND DETECTION
Gaining visibility into continuously changing security threats, spotting early warning signs of compromise, and correlating security logs to determine whether a cybersecurity event has taken place are crucial for successfully implementing a prompt and suitable reaction to cybersecurity attacks [63], [75], [76]. An organization may be able to achieve a reasonable mean time to detect a major cybersecurity event by ensuring that monitoring and detection capabilities are implemented [63], [75].

2) ANALYSIS AND CORRELATION OF SECURITY LOGS
As a result of the increasing frequency, scope, sophistication, and severity of cybersecurity attacks, which constantly pose a danger to organizations, governments, and enterprises, it is crucial to be able to undertake data-driven analysis as well as real-time analytics of an incident [63], [75]. Unnecessary delays in cyber threat detection, analysis, and response may cost organizations a high price [63]. Therefore, leveraging a Security Information & Event Management (SIEM) tool may enhance efficiency in detecting these attacks.
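As an added illustration of the log correlation described in this subsection and the preceding one (example code added here, not code from the paper or from any SIEM product): a small Python correlator that reads constructed authentication log lines and raises alerts for the password-attack patterns discussed earlier in this study, namely repeated failures against one account from one source, many accounts tried from one source, and a successful login immediately after a run of failures. The log format, field names, thresholds, and the five-minute window are assumptions made for this example.

```python
"""Correlate authentication log lines to flag password-attack patterns.

Added example, not code from the paper or from any SIEM product. The log
format, field names, thresholds and time window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (a syslog-like format assumed for this example).
SAMPLE_LOGS = """\
2021-03-01T08:00:01Z sshd auth_fail user=alice src=203.0.113.5
2021-03-01T08:00:03Z sshd auth_fail user=alice src=203.0.113.5
2021-03-01T08:00:05Z sshd auth_fail user=alice src=203.0.113.5
2021-03-01T08:00:07Z sshd auth_fail user=alice src=203.0.113.5
2021-03-01T08:00:09Z sshd auth_fail user=alice src=203.0.113.5
2021-03-01T08:00:11Z sshd auth_ok   user=alice src=203.0.113.5
2021-03-01T08:10:00Z vpn  auth_fail user=bob   src=198.51.100.7
2021-03-01T08:10:02Z vpn  auth_fail user=carol src=198.51.100.7
2021-03-01T08:10:04Z vpn  auth_fail user=dave  src=198.51.100.7
2021-03-01T08:10:06Z vpn  auth_fail user=erin  src=198.51.100.7
2021-03-01T08:10:08Z vpn  auth_fail user=frank src=198.51.100.7
2021-03-01T08:10:10Z vpn  auth_fail user=grace src=198.51.100.7
2021-03-01T09:00:00Z sshd auth_fail user=heidi src=192.0.2.9
2021-03-01T09:30:00Z sshd auth_ok   user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<app>\S+)\s+(?P<event>auth_fail|auth_ok)\s+"
    r"user=(?P<user>\S+)\s+src=(?P<ip>\S+)$"
)

WINDOW = timedelta(minutes=5)   # sliding window shared by all three rules
BRUTE_FORCE_THRESHOLD = 5       # failures for one account from one source
SPRAY_THRESHOLD = 5             # distinct accounts tried from one source
SUCCESS_AFTER_FAILS = 3         # failures before a success that look suspicious


def parse(log_text):
    """Turn raw lines into event dicts sorted by time; unparsable lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # a production parser would count these for visibility
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def _within(stamps, now):
    """Keep only timestamps that fall inside WINDOW before now."""
    return [t for t in stamps if now - t <= WINDOW]


def correlate(events):
    """Single pass over time-ordered events, emitting one alert per rule and key."""
    alerts = []
    fails = defaultdict(list)   # (src, user) -> failure timestamps inside WINDOW
    tried = defaultdict(dict)   # src -> {user: last failure timestamp}
    raised = set()              # (rule, key) pairs already alerted on
    for ev in events:
        src, user, now = ev["ip"], ev["user"], ev["ts"]
        key = (src, user)
        if ev["event"] == "auth_fail":
            fails[key] = _within(fails[key], now) + [now]
            tried[src][user] = now
            tried[src] = {u: t for u, t in tried[src].items() if now - t <= WINDOW}
            # Rule 1: brute force against a single account from one source.
            if len(fails[key]) >= BRUTE_FORCE_THRESHOLD and ("brute", key) not in raised:
                raised.add(("brute", key))
                alerts.append({"type": "brute_force", "src": src, "user": user, "at": now})
            # Rule 2: password spraying, one source trying many accounts.
            if len(tried[src]) >= SPRAY_THRESHOLD and ("spray", src) not in raised:
                raised.add(("spray", src))
                alerts.append({"type": "password_spray", "src": src, "user": None, "at": now})
        else:
            # Rule 3: a success right after a run of failures suggests a guess worked.
            if len(_within(fails[key], now)) >= SUCCESS_AFTER_FAILS:
                alerts.append({"type": "success_after_failures", "src": src, "user": user, "at": now})
            fails[key] = []  # a success ends the failure streak for this key


    return alerts


def detect(log_text=SAMPLE_LOGS):
    """Parse and correlate in one call; returns the alert list."""
    return correlate(parse(log_text))


if __name__ == "__main__":
    for a in detect():
        print(a["at"].isoformat(), a["type"], a["src"], a["user"])
```

On the constructed sample the correlator raises three alerts: a brute-force alert and a success-after-failures alert for the account hit from 203.0.113.5, and a password-spray alert for 198.51.100.7, while the isolated failure thirty minutes before a legitimate login produces nothing. The windowing is what keeps the third case quiet; a correlator that only counted failures per account would flag it.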

3) CONTAINMENT, REMEDIATION AND RECOVERY
After the detection, analysis, and investigation of a cybersecurity attack, the next phase usually involves containment, remediation and, where necessary, recovery [77]. Employing intrusion prevention systems, patching vulnerable programs, hardening the operating system, changing passwords, blocking the hash values of malicious files, and utilizing endpoint protection systems are some examples of containment capabilities [77], [78], [79], [80] that are applicable to the cybersecurity attacks mentioned in this study.
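As an added illustration of one of the containment capabilities listed above, blocking files by hash value (example code added here, not from the paper or from any endpoint product): the Python below hashes every file under a directory with SHA-256 in chunks, normalizes a blocklist of hash strings, and moves matching files into a quarantine directory, collapsing identical copies. The blocklist entries, file names, and file contents are constructed for this example; no real indicators are used.

```python
"""Hash-based blocking of known-malicious files as a containment step.

Added example, not code from the paper or from any endpoint product. The
blocklist, file names and file contents are constructed for this example.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 16  # hash in 64 KiB chunks so large files are not loaded whole


def sha256_file(path):
    """Stream a file through SHA-256 and return the lower-case hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_blocklist(entries):
    """Lower-case the hashes and drop anything that is not a well-formed SHA-256."""
    valid = set()
    for entry in entries:
        h = entry.strip().lower()
        if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
            valid.add(h)
    return valid


def scan_and_quarantine(root, blocklist, quarantine_dir):
    """Hash every file under root; move blocklisted files into quarantine_dir.

    quarantine_dir must live outside root so quarantined files are not rescanned.
    Returns a list of (original_path, sha256) for each file that was moved.
    """
    blocked = normalize_blocklist(blocklist)
    quarantine = Path(quarantine_dir)
    quarantine.mkdir(parents=True, exist_ok=True)
    # Materialize the file list before moving anything so the walk stays stable.
    files = [p for p in Path(root).rglob("*") if p.is_file()]
    moved = []
    for path in files:
        h = sha256_file(path)
        if h in blocked:
            # Store by digest: identical copies collapse into one quarantined file.
            path.replace(quarantine / f"{h}.quarantined")
            moved.append((str(path), h))
    return moved


def demo():
    """Build a constructed directory tree, run the scan, and report what happened."""
    work = Path(tempfile.mkdtemp(prefix="hashblock-"))
    share, quarantine = work / "share", work / "quarantine"
    (share / "sub").mkdir(parents=True)
    (share / "report.txt").write_bytes(b"quarterly figures\n")
    (share / "notes.txt").write_bytes(b"meeting notes\n")
    sample = b"CONSTRUCTED MALICIOUS SAMPLE - not real malware\n"
    (share / "sub" / "invoice.exe").write_bytes(sample)
    (share / "sub" / "invoice_copy.exe").write_bytes(sample)  # duplicate copy
    sample_hash = hashlib.sha256(sample).hexdigest()
    # Upper-case hash plus a malformed entry, to exercise normalization.
    blocklist = [sample_hash.upper(), "not-a-valid-hash"]
    moved = scan_and_quarantine(share, blocklist, quarantine)
    remaining = sorted(p.name for p in share.rglob("*") if p.is_file())
    quarantined = sorted(p.name for p in quarantine.iterdir())
    return {"moved": moved, "remaining": remaining,
            "quarantined": quarantined, "hash": sample_hash}


if __name__ == "__main__":
    print(demo())
```

Two points matter in practice: hash lists arrive in mixed case and with stray entries, so the check must normalize before comparing, and the quarantine location must sit outside the scanned tree or the scanner will keep finding its own output.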

C. LIMITATIONS
This study had limitations in some areas, and given its limited scope, we focused on the information that was available to us during our investigation and analysis. Below are some of the limitations associated with this study:
1) This study relied on the accuracy of the consolidated report of Significant Cyber Incidents [8] published by the Center for Strategic & International Studies, from which we derived the dataset used in this study. We leveraged DBIR reports to validate the credibility and accuracy of this CSIS data.
2) In this study, we did not have the resources to obtain the root cause analysis of each of the incidents we analyzed; therefore, no rigorous investigation was done. The root cause of every incident was irrelevant to our study and hence out of scope.
3) While our study provided insights into how threat actors have behaved over the last decade, it did not sufficiently address real-world impacts such as financial losses, legal liability, privacy violations, reputational damage, sensitive data compromises, and national security implications. A future study will address this gap.
4) The decision of what is the most notable technique or method in each of the incidents investigated was based solely on the professional experience and interpretation of the authors of this study and may reflect some subjective views.
5) Some of the security incidents investigated were based on a combination of more than one attack technique or method, but the determination of what is most notable about each of these incidents was based on the experience and interpretation of the authors of this study and may reflect some subjective views.

D. FINAL THOUGHTS
Given how prominent malware, phishing, DoS/DDoS, and unpatched-vulnerability exploitation attacks have been as causes of major cybersecurity incidents over the last decade according to our study, one of our future works will include reflection on and investigation of how government entities, individuals, and many organizations have been significantly impacted by these types of attack techniques, especially in relation to financial, privacy, or legal impacts. Following the indicators in this study that threat actors have constantly aimed to cause data breaches and to execute malware and phishing attacks, we recommend that organizations and government agencies expect these attacks and not only be prepared to respond with mitigation controls in place but also enhance their cybersecurity programs to ensure defense in depth. Below are some ideas on how to manage or handle the cybersecurity attacks mentioned in this study.

1) IMPORTANT INCIDENT RESPONSE FRAMEWORKS
Identified here are two of the most widely used guidelines for handling cybersecurity attacks, i.e. (1) the National Institute of Standards and Technology (NIST) and (2) the Sysadmin, Audit, Network, and Security (SANS) incident response frameworks [81]. Both of these incident response frameworks concur on the steps necessary for an efficient incident response, as shown in the ''incident response steps'' (figure 15). The National Institute of Standards and Technology, or NIST for short, is a branch of the U.S. government that specializes in all things technological [2], [81], [82]. One of the most well-known methods for better comprehending and managing cybersecurity risk is the Cybersecurity Framework it provides [2], [81], [82]. A component of the overall NIST guidelines is the NIST Incident Framework, one of the most commonly used incident response standards in the world [2], [81], [82]. Sysadmin, Audit, Network, and Security (SANS) is a private organization that carries out research and educates the industry in cyber disciplines. In contrast to the NIST framework, which has a wider operational scope, the SANS framework focuses primarily on security [2], [81], [82]. Because cybersecurity attacks will always happen, the readiness of organizations to conduct triage and in-depth investigations is crucial. Using the NIST framework as an example, we recommend that organizations decide which stages of the NIST framework are applicable to them.

2) GLOBAL PRIVACY & CYBERSECURITY REGULATIONS
It is also common knowledge that, with regard to how organizations respond to cyberattacks, ensuring compliance with the law of any given country is very important. Hence, besides leveraging either the NIST or the SANS incident response framework as highlighted in this study, we also recommend that organizations regularly evaluate how their cybersecurity incident and data breach response strategies will be impacted by constantly changing regulatory requirements and laws. As of the time of this study, there are many such laws in various countries; table 3 below gives a very few examples of these regulatory and privacy laws.

3) POTENTIAL SIZE BIAS
Considering that there are many thousands of IoT-related attacks, password attacks, attacks caused by the exploitation of unpatched vulnerabilities, and so on that are not reflected in our derived data, it is pertinent to reiterate that we focused only on cyber-attacks on government agencies, defense and high technology companies, or economic crimes with losses of more than a million dollars. While our primary data provided empirical content on major organizations, there is no evidence in it that suggests or hints at the situation of small and medium-sized organizations. While small and medium-sized businesses make up the vast majority of businesses in the United States of America [96] as well as in the Organisation for Economic Co-operation and Development (OECD) countries, where 95 percent of businesses are small and medium-sized [97], [98], we focused primarily on large organizations in this study. Given the enormous number of small and medium-sized businesses, it is highly possible that the empirical inputs from the majority of the cybersecurity incidents that we analyzed are size-biased, and consequently our output may have differed slightly.
In response to this size bias, we also recommend further research in the near future to investigate the possible impacts and trends caused by these cybersecurity attack methods on small and medium-sized businesses.

ACKNOWLEDGMENT
The authors would like to thank the School of Information Technology, University of Cincinnati, OH, for providing them with the tools, environment, and guidance to conduct this study. The primary dataset used or referenced in this study is derived from the Significant Cyber Incidents report that is consolidated by the Center for Strategic & International Studies (CSIS), but cross-referenced and validated with Data Breach Investigation Reports (DBIR). Any perspectives, findings, observations, interpretations, recommendations, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of either the CSIS or the DBIR. The data used or referenced in this study is derived from the Significant Cyber Incidents report that is consolidated by the Center for Strategic & International Studies but cross-referenced and validated with Data Breach Investigation Reports.

He is currently pursuing the Ph.D. degree in information technology with the School of Information Technology, University of Cincinnati, OH. He has been a Certified Information Systems Security Professional since 2017, a Certified Information Security Manager since 2020, a Certified Computer Hacking Forensic Investigator since 2011, and a Certified Security Analyst since 2010. His research interests include cloud security, security information and event management, security incident detection and response, ethical computer hacking, and digital forensic investigation, among others. He is also a member of the International Information System Security Certification Consortium and a member of the Information Systems Audit and Control Association.

SAHEED POPOOLA is currently an Assistant Professor with the School of Information Technology, University of Cincinnati. His research interests include the area of software engineering. For more information, visit the link (http://sopopoola.github.io).
JOSETTE RIEP is currently pursuing the Ph.D. degree in information technology with the School of Information Technology, University of Cincinnati. She is also the Executive Director for Development in Information Technology at the University of Cincinnati, Innovations & Partnerships. She has worked in the field of software development for over 20 years. Her current research interests include leadership over custom development initiatives spanning education, research, patient care and administration, equity and inclusion sponsorship activities, customer relationship management, budget planning and resource allocation, project planning, establishment of methods to share lessons learned, and implementation of best practices among developers with an emphasis on creating and sustaining secure platforms for broad use.