Hadoop - open-source software framework for distributed storage and processing of very large data sets on computer clusters built from commodity hardware
Honeypots/Honeynets - a trap set to detect, deflect or, in some manner, counteract attempts at unauthorized use of information systems. Consists of computer data or a network site that appears to be part of a network but is actually isolated and monitored.
HUMINT - human intelligence - intelligence gathered by means of interpersonal contact; a category of intelligence derived from information collected and provided by human sources.
HIPS - host-based intrusion prevention system - HIPS is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. In other words, a Host Intrusion Prevention System (HIPS) aims to stop malware by monitoring the behavior of code. This makes it possible to help keep your system secure without depending on a specific threat being added to a detection update.
IAM - Identity and Access Management is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
IDPS - Intrusion Detection and Prevention Systems are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it. [Wikipedia]
IDS - intrusion detection system - a software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
ILDP - information leak detection and prevention
IMINT - imagery intelligence - intelligence gathering discipline which collects information via satellite and aerial photography. IMINT is complemented by non-imaging MASINT electro-optical and radar sensors.
Incident - a security event that compromises the integrity, confidentiality or availability of an information asset.
Incident Management - a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future recurrence. These incidents within a structured organization are normally dealt with by either an Incident Response Team (IRT) or an Incident Management Team (IMT). These are often designated beforehand, or during the event, and are placed in control of the organization whilst the incident is dealt with, to restore normal functions.
IOCs - Indicators of Compromise - an IOC is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command and control servers. After IOCs have been identified in a process of incident response and computer forensics, they can be used for early detection of future attack attempts using intrusion detection systems and antivirus software. [Wikipedia]
IPS - intrusion prevention system - network security appliances that monitor network or system activities for malicious activity, log information about it, attempt to block it, and report it. (An extension of IDS, but placed in line so that it is able to actively prevent/block intrusions that are detected.)
ISAC/ISAO - Information Sharing and Analysis Centers/Organizations - a nonprofit organization that provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between the public and private sector.
MASINT - measurement and signature intelligence - a technical branch of intelligence gathering, which serves to detect, track and identify or describe the signatures (distinctive characteristics) of fixed or dynamic target sources. This often includes radar, acoustic, nuclear, chemical and biological intelligence.
MSSP - managed security service provider - outsourced network security services. [Wikipedia] Businesses turn to managed security services providers to alleviate the pressures they face daily related to information security such as targeted malware, customer data theft, skills shortages and resource constraints. Functions of a managed security service include round-the-clock monitoring and management of intrusion detection systems and firewalls, overseeing patch management and upgrades, performing security assessments and security audits, and responding to emergencies.
MRTI - machine-readable threat intelligence is a capability that allows SIEM and other security controls to make operational security decisions based on information about the prevailing threat landscape. Security leaders should understand how MRTI operates, and how it can be used to mitigate threats.
MDM - master data management is a comprehensive method of enabling an enterprise to link all of its critical data to one file, called a master file, that provides a common point of reference.
NGFW - Next Generation Firewall is an integrated network platform that combines a traditional firewall with other network device filtering functionalities such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and/or other techniques such as SSL and SSH interception, website filtering, QoS/bandwidth management, antivirus inspection and third-party integration (e.g. Active Directory). Gartner defines an NGFW as "a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks."
NGIPS - next generation intrusion prevention system offers protection against advanced and evasive targeted attacks with high accuracy. Usually using a combination of technologies such as deep packet inspection, threat reputation, and advanced malware analysis, it provides enterprises with a proactive approach to security.
NIPS - network intrusion prevention system examines network traffic flows to detect and prevent vulnerability exploits. Following a successful exploit, the attacker can disable the target application (resulting in a denial-of-service state), or can potentially gain access to all the rights and permissions available to the compromised application.
Offensive Technology Data - checksums, signatures, file names; vulnerability and associated exploits
Operational Threat Intelligence - Information about specific impending attacks against the organization and is initially consumed by higher-level security staff, such as security managers or heads of incident response.
OPSEC - operations security - the process by which we protect unclassified information that, if obtained by an adversary, could be used to hurt us.
OSINT - open source threat intelligence is data collected from publicly available Web sources such as social media, blogs, news publications, and forums. With an estimated 90% of required intelligence available in open source, it is imperative intelligence analysts become adept at mining open sources.
pDNS (passive DNS) - passive DNS data consists largely of referrals and answers from authoritative name servers on the Internet (along with errors, of course). This data is time-stamped, deduplicated, and compressed, then replicated to a central database for archiving and analysis.
Phishing - Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Python - is a widely used high-level, general-purpose, interpreted, dynamic programming language. Its design philosophy emphasizes code readability, and its syntax allows programmers to express concepts in fewer lines of code than would be possible in languages such as C++ or Java. The language provides constructs intended to enable clear programs on both a small and large scale. [Wikipedia]
QoS - Quality of service (QoS) is the overall performance of a telephony or computer network, particularly the performance seen by the users of the network.
Remote Access Tool is a piece of software used to remotely access or control a computer. This tool can be used legitimately by system administrators for accessing the client computers. Remote Access tools, when used for malicious purposes, are known as a Remote Access Trojan (RAT). They can be used by a malicious user to control the system without the knowledge of the victim. Most of the popular RATs are capable of performing key logging, screen and camera capture, file access, code execution, registry management, password sniffing etc. [InfoSec Institute]
Sandboxes - In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites.
SEG - secure email gateway - Email security gateways protect enterprises from threats such as spam and phishing attacks.
SIEM - Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security. The acronym is pronounced "sim" with a silent e.
SIGINT - signals intelligence - intelligence gathering by interception of signals, whether communications are from people or from electronic signals not directly used in communication
Snort rules/Snort signatures - Rules are a different methodology for performing detection, which bring the advantage of 0-day detection to the table. Unlike signatures, rules are based on detecting the actual vulnerability, not an exploit or a unique piece of data. Developing a rule requires an acute understanding of how the vulnerability actually works. Through protocol analysis and content searching and matching, Snort detects attack methods, including denial of service, buffer overflow, CGI attacks, stealth port scans, and SMB probes. When suspicious behavior is detected, Snort sends a real-time alert to syslog, a separate 'alerts' file, or to a pop-up window.
SOC - security operations center - A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. A SOC within a building or facility is a central location from where staff supervises the site, using data processing technology.
Software Development Kit (SDK) - A software development kit (SDK or "devkit") is typically a set of software development tools that allows the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar development platform.
STIX - STIX is a language for standardized communication and representation of cyberthreat information. Similar to TAXII (see below), it is not a sharing program or tool, but rather a component that supports programs or tools. One of the things that sometimes causes confusion with STIX constructs is whether to use incident or indicator. If you are aiming to provide a history for further analysis or follow-up, you have to use an incident construct. If you want to build a list of items to look for, use an indicator construct.
STIX has 8 constructs, including:
- Observable (activity)
- Indicator (what to watch)
- Incident (where)
- Exploit Target
- Campaign (why)
- Threat Actor (who)
- Course of Action
Strategic Threat Intelligence - high level information, consumed at board level or by other senior decision-makers. It is almost exclusively in the form of prose, such as reports, briefings or conversations.
SWG (Secure Web Gateway) - A secure Web gateway is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance.
SSL (Secure Sockets Layer) - The Secure Sockets Layer (SSL) is a computer networking protocol that manages server authentication, client authentication and encrypted communication between servers and clients.
Tactical Threat Intelligence - often referred to as tactics, techniques and procedures (TTPs); information about how threat actors are conducting attacks.
TAXII (Trusted Automated Exchange of Indicator Info) - TAXII is not an information sharing program and does not define trust agreements. Rather, it is a set of specifications for exchanging cyberthreat information to help organizations share information with their partners.
TAXII has the following three sharing models:
- Hub and Spoke: One central clearinghouse.
- Source/Subscriber: One organization is the single source of information.
- Peer-to-Peer: Multiple organizations share their information.
TAXII defines the following four services, where each service is optional and services can be combined in different ways for different sharing models:
- Inbox: A service to receive pushed content (push messaging).
- Poll: A service to request content (pull messaging).
- Collection Management: A service to learn about and request subscriptions to data collections.
- Discovery: Learn which services are supported and how to interact with them.
TCP - The Transmission Control Protocol (TCP) is a core protocol of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP.
TECHINT - technical intelligence
Technical Threat Intelligence - information (or more often, data) that is consumed through technical means. For example, a feed of IP addresses suspected of being malicious or implicated as command and control servers. OFTEN has a short lifespan.
- The fact that an attacker uses a particular piece of malware would be tactical intelligence, while an indicator for a specific compiled sample would be technical intelligence.
Tenable Network Security - continuous visibility and critical context, enabling decisive action. A ThreatConnect partner.
Tor - free software for enabling anonymous communication. The name is an acronym derived from the original software project name, The Onion Router; however, the correct spelling is "Tor", capitalizing only the first letter. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult for Internet activity to be traced back to the user: this includes "visits to Web sites, online posts, instant messages, and other communication forms". [Wikipedia]
TTPs - Tactics, Techniques and Procedures
Threat Actor - an entity that is partially or wholly responsible for an incident that impacts, or has the potential to impact, an organization's security. Types of threat actors include hacktivists, cyber criminals and nation states.
Typical Threat Indicators - IP Address, hosts, eMail addresses, URLs, Files
UTM/USM - Unified Threat Management/Unified Security Management is a solution in the network security industry, and since 2004 it has become established as a primary network gateway defense solution for organizations. In theory, UTM is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single system: network firewalling, network intrusion prevention and gateway antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing, data loss prevention and on-appliance reporting. [Wikipedia]
VCDB - a community data initiative to catalog security incidents in the public domain using the VERIS framework. The database contains raw data for thousands of security incidents shared under a Creative Commons license. You can download the latest release, follow the latest changes on GitHub, and even help catalog and code incidents to grow the database.
VERIS - The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. VERIS targets this problem by helping organizations to collect useful incident-related information and to share that information - anonymously and responsibly - with others.
VA - vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure.
WAF (Web Application Firewall) - is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked.
Watering Hole - a computer attack strategy in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group gets infected. Relying on websites that the group trusts makes this strategy efficient, even with groups that are resistant to spear phishing and other forms of phishing.
WHOIS - a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format. [Wikipedia]
YARA - a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic.