Cyber Glossary
A
Active Defense - process of personnel taking an active and involved role in identifying and countering threats to the network and its systems.
Adversary Data - profiles, names, capability assessments, historical attack data & associated trending
Adversary Intelligence Providers - CrowdStrike, FireEye/Mandiant, iSight Partners, Symantec DeepSight, Verisign iDefense
APT (Advanced Persistent Threat) - a set of stealthy and continuous computer hacking processes, often orchestrated by human(s) targeting a specific entity. APT usually targets nations or organizations for business or political motives.
APT1 - most persistent of China’s threat actors; likely 2nd Bureau of the PLA General Staff Dept 3rd department - commonly known by its military unit cover designator UNIT 61398
ACL - Access control list - An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.
ATD - advanced threat defense - enables organizations to detect advanced targeted attacks and convert threat information into immediate action and protection.
B
Breach - an incident that results in the disclosure or potential exposure of data
C
C2 - command and control
C2 Infrastructure Data - domains, IP addresses, protocol signatures, email addresses, payment card data, etc.
CIF - Collective Intelligence Framework
CISCP - Cyber Information Sharing and Collaboration Program - part of cert.uk, a joint industry and government program to share cyber threat and vulnerability information in order to increase overall situational awareness.
Compromised Host - credential sets, IP addresses, usernames, email addresses, browser agents, etc
CRC - cyclic redundancy check - an error-detecting code commonly used in digital networks and storage devices to detect accidental changes to raw data. Blocks of data entering these systems get a short check value attached, based on the remainder of a polynomial division of their contents.
Crimeware - a broad category covering any use of malware to compromise systems such as servers and desktops. Per Verizon 2014 DBIR: the majority of crimeware incidents start via web activity, not links or attachments in email
CRITs - Collaborative Research Into Threats - an open source malware and threat repository that leverages other open source software to create a unified tool for analysts and security experts engaged in threat defense. It's used in hundreds of organizations so internal groups can work cooperatively to centralize their intelligence.
CSIRT (CIRT) - computer security incident response team (usually outward facing)
CybOX - cyber observable expression - a standard language for cyber observables
D
Data Disclosure - a breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party
Diamond Model - Developed by one of ThreatConnect’s founders, and the primary methodology used by ThreatConnect, the Diamond Model breaks each cyber event into four vertices or nodes. These vertices represent an Adversary, Capability, Infrastructure, and Victim. The connections between the vertices form a baseball diamond shape. Through this system analysts are able to derive a multidimensional picture of the underlying relationships between threat actors and their tools, techniques and processes.
DDoS - Distributed denial of service - is a type of DoS attack where multiple compromised systems, which are often infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS) attack. It is analogous to a group of people crowding the entry door or gate to a shop or business and not letting legitimate parties enter, disrupting normal operations. Criminal perpetrators of DoS attacks often target sites or services hosted on high-profile web servers such as banks and credit card payment gateways, but motives of revenge, blackmail or activism can be behind other attacks.
DLP (Data Loss Prevention) - data loss prevention is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer.
DPP (Deep Packet Processing) - Deep Packet Processing delivers the ability to inspect, forward, drop, clone, or even modify network traffic at line rates. With Deep Packet Processing and combinations of policies and/or programming, the lag time from inspection to action drops from minutes, hours or, worse, days to milliseconds.
DAP - database activity monitoring and protection is a database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs. Database activity monitoring (DAM) is typically performed continuously and in real time. Database activity monitoring and prevention (DAMP) is an extension to DAM that goes beyond monitoring and alerting to also block unauthorized activities.
DAST - dynamic application security testing technologies are designed to detect conditions indicative of a security vulnerability in an application in its running state. Most DAST solutions test only the exposed HTTP and HTML interfaces of Web-enabled applications.
DBSM - database security monitoring -- see DAP
E
Email Ingest - Automated Email Ingest feature allows users to create structured, actionable threat intelligence with ease from emails originating from trusted sources and sharing partners or from suspected spearphishing emails.
Endpoint Security - In network security, endpoint security refers to a methodology of protecting the corporate network when it is accessed via remote devices such as laptops or other wireless and mobile devices. Each device with a remote connection to the network creates a potential entry point for security threats.
EPP - endpoint protection, including host-based features like firewall, anti-malware, whitelisting and disk encryption
EVC - Endpoint Visibility and Control
ETDR - endpoint threat detection and response
F
False Positives - A false positive is normal behavior that is marked as 'different', or possibly malicious. Too many false positives can drown out true alerts. In ThreatConnect, you can easily mark an indicator as a 'false positive' when viewing the details for that indicator. This allows you and your team to focus your time and effort on real threats.
FIM - File integrity monitoring (FIM) is an internal control or process that validates the integrity of operating system and application software files by comparing the current file state against a known, good baseline.
Firewall - Monitors and controls the incoming and outgoing traffic based on predetermined security rules. Establishes a barrier between a trusted, secure internal network and untrusted networks like the internet.
G
Git/GitHub - GitHub is a web-based Git repository hosting service. It offers all of the distributed revision control and source code management (SCM) functionality of Git as well as adding its own features. Unlike Git, which is strictly a command-line tool, GitHub provides a Web-based graphical interface and desktop as well as mobile integration. It also provides access control and several collaboration features such as bug tracking, feature requests, task management, and wikis for every project.
GRC - governance, risk and compliance
H
Hadoop - open-source software framework for distributed storage and processing of very large data sets on computer clusters built from commodity hardware
Honeypots/Honeynets - a trap set to detect, deflect or in some manner, counteract attempts at unauthorized use of information systems. Consists of computer data or a network site that appears to be part of a network but is actually isolated and monitored.
HUMINT - human intelligence - intelligence gathered by means of interpersonal contact; a category of intelligence derived from information collected and provided by human sources.
HIPS - host-based intrusion prevention system - HIPS is an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host. In other words a Host Intrusion Prevention System (HIPS) aims to stop malware by monitoring the behavior of code. This makes it possible to help keep your system secure without depending on a specific threat to be added to a detection update.
I
IAM - Identity and Access Management is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
IDPS - Intrusion Detection and Prevention Systems are network security appliances that monitor network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about this activity, attempt to block/stop it, and report it.
IDS - software application that monitors network or system activities for malicious activities or policy violations and produces reports to a management station.
ILDP - information leak detection and prevention
IMINT - imagery intelligence - intelligence gathering discipline which collects information via satellite and aerial photography. IMINT is complemented by non-imaging MASINT electro-optical and radar sensors.
Incident - a security event that compromises the integrity, confidentiality or availability of an information asset.
Incident Management - a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence. These incidents within a structured organization are normally dealt with by either an Incident Response Team (IRT) or an Incident Management Team (IMT). These are often designated beforehand, or during the event, and are placed in control of the organization whilst the incident is dealt with, to restore normal functions.
IOCs - Indicators of Compromise - an IOC is an artifact observed on a network or in an operating system that with high confidence indicates a computer intrusion. Typical IOCs are virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain names of botnet command and control servers. After IOCs have been identified in a process of incident response and computer forensics, they can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.
IPS - intrusion prevention system - network security appliances that monitor network or system activities for malicious activity, log information, attempt to block it, and report it. (An extension of IDS, but placed in line and able to actively prevent/block intrusions that are detected.)
ISAC/ISAO - Information Sharing and Analysis Centers - a nonprofit org that provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between the public and private sector.
J
JavaScript - is a high-level, dynamic, untyped, and interpreted programming language. It has been standardized in the ECMAScript language specification.
K
L
M
MASINT - measurement and signature intelligence - a technical branch of intelligence gathering, which serves to detect, track and identify or describe the signatures (distinctive characteristics) of fixed or dynamic target sources. This often includes radar, acoustic, nuclear, chemical and biological intelligence.
MSSP - managed security service provider - outsourced network security services. Businesses turn to managed security services providers to alleviate the pressures they face daily related to information security such as targeted malware, customer data theft, skills shortages and resource constraints. Functions of a managed security service include round-the-clock monitoring and management of intrusion detection systems and firewalls, overseeing patch management and upgrades, performing security assessments and security audits, and responding to emergencies.
MRTI - machine-readable threat intelligence is a capability that allows SIEM and other security controls to make operational security decisions based on information about the prevailing threat landscape. Security leaders should understand how MRTI operates, and how it can be used to mitigate threats.
MDM - master data management is a comprehensive method of enabling an enterprise to link all of its critical data to one file, called a master file, that provides a common point of reference.
N
NGFW - Next Generation Firewall is an integrated network platform that combines a traditional firewall with other network device filtering functionalities such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS) and/or other techniques such as SSL and SSH interception, website filtering, QoS/bandwidth management, antivirus inspection and third-party integration (e.g. Active Directory). Gartner defines an NGFW as "a wire-speed integrated network platform that performs deep inspection of traffic and blocking of attacks."
NGIPS - next generation intrusion prevention system offers protection against advanced and evasive targeted attacks with high accuracy. Usually using a combination of technologies such as deep packet inspection, threat reputation, and advanced malware analysis, it provides enterprises with a proactive approach to security.
NIPS - network intrusion prevention system examines network traffic flows to detect and prevent vulnerability exploits. Following a successful exploit, the attacker can disable the target application (resulting in a denial-of-service state), or can potentially gain access to all the rights and permissions available to the compromised application.
O
Offensive Technology Data - checksums, signatures, file names; vulnerability and associated exploits
Operational Threat Intelligence - Information about specific impending attacks against the organization and is initially consumed by higher-level security staff, such as security managers or heads of incident response.
OPSEC - operations security - process by which we protect unclassified information that can hurt us.
OSINT - open source threat intelligence is data collected from publicly available Web sources such as social media, blogs, news publications, and forums. With an estimated 90% of required intelligence available in open source, it is imperative intelligence analysts become adept at mining open sources.
P
pDNS (passive DNS) - passive domain name system consists largely of referrals and answers from authoritative name servers on the Internet (along with errors, of course). This data is time-stamped, deduped, and compressed, then replicated to a central database for archiving and analysis.
Phishing - Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Python - is a widely used high-level, general-purpose, interpreted, dynamic programming language. Its design philosophy emphasizes code readability, and its syntax allows programmers to express concepts in fewer lines of code than would be possible in languages such as C++ or Java. The language provides constructs intended to enable clear programs on both a small and large scale.
Q
QoS - Quality of service (QoS) is the overall performance of a telephony or computer network, particularly the performance seen by the users of the network.
R
RAT - Remote Access Tool is a piece of software used to remotely access or control a computer. This tool can be used legitimately by system administrators for accessing the client computers. Remote Access tools, when used for malicious purposes, are known as a Remote Access Trojan (RAT). They can be used by a malicious user to control the system without the knowledge of the victim. Most of the popular RATs are capable of performing key logging, screen and camera capture, file access, code execution, registry management, password sniffing etc.
S
Sandboxes - In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third parties, suppliers, untrusted users and untrusted websites.
SEG - secure email gateway - Email security gateways protect enterprises from threats such as spam and phishing attacks.
SIEM - Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization's information technology (IT) security. The acronym is pronounced "sim" with a silent e.
SIGINT - signals intelligence - intelligence gathering by interception of signals, whether communications are from people or from electronic signals not directly used in communication
Snort rules/Snort signatures - Rules are a different methodology for performing detection, which bring the advantage of 0-day detection to the table. Unlike signatures, rules are based on detecting the actual vulnerability, not an exploit or a unique piece of data. Developing a rule requires an acute understanding of how the vulnerability actually works. Through protocol analysis and content searching and matching, Snort detects attack methods, including denial of service, buffer overflow, CGI attacks, stealth port scans, and SMB probes. When suspicious behavior is detected, Snort sends a real-time alert to syslog, a separate 'alerts' file, or to a pop-up window.
SOC - security operations center - A security operations center (SOC) is a centralized unit that deals with security issues on an organizational and technical level. A SOC within a building or facility is a central location from where staff supervises the site, using data processing technology.
Software Development Kit (SDK) - A software development kit (SDK or "devkit") is typically a set of software development tools that allows the creation of applications for a certain software package, software framework, hardware platform, computer system, video game console, operating system, or similar development platform.
STIX - STIX is a standardized language for representing cyber threat information. Similar to TAXII (see below), it is not a sharing program or tool, but rather a component that supports programs or tools. One of the things that sometimes causes confusion with STIX constructs is whether to use incident or indicator. If you are aiming to provide a history for further analysis or follow-up, you have to use an incident construct. If you want to build a list of items to look for, use an indicator construct. STIX defines 8 constructs: (1) Observable (activity), (2) Indicator (what to watch), (3) Incident (where), (4) TTP, (5) Exploit Target, (6) Campaign (why), (7) Threat Actor (who), and (8) Course of Action.
Strategic Threat Intelligence - high level information, consumed at board level or by other senior decision-makers. It is almost exclusively in the form of prose, such as reports, briefings or conversations.
SWG (Secure Web Gateway) - A secure Web gateway is a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance.
SSL - Secure Sockets Layer - The Secure Sockets Layer (SSL) is a computer networking protocol that manages server authentication, client authentication and encrypted communication between servers and clients.
T
Tactical Threat Intelligence - often referred to as tactics, techniques and procedures (TTPs) and is information about how threat actors are conducting attacks
TAXII (Trusted Automated Exchange of Indicator Info) - TAXII is not an information sharing program and does not define trust agreements. Rather, it is a set of specifications for exchanging cyberthreat information to help organizations share information with their partners.
TAXII has the following three sharing models:
- Hub and Spoke: One central clearinghouse.
- Source/Subscriber: One organization is the single source of information.
- Peer-to-Peer: Multiple organizations share their information.
TAXII defines the following four services, where each service is optional and services can be combined in different ways for different sharing models:
- Inbox: A service to receive pushed content (push messaging).
- Poll: A service to request content (pull messaging).
- Collection Management: A service to learn about and request subscriptions to data collections.
- Discovery: Learn which services are supported and how to interact with them.
TCP - The Transmission Control Protocol (TCP) is a core protocol of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly referred to as TCP/IP.
TECHINT - technical intelligence
Technical Threat Intelligence - information (or more often, data) that is consumed through technical means. For example, a feed of IP addresses suspected of being malicious or implicated as command and control servers. It often has a short lifespan. The fact that an attacker uses a particular piece of malware would be tactical intelligence, while an indicator against a specific compiled example would be technical intelligence.
Tenable Network Security - continuous visibility and critical context, enabling decisive action. A ThreatConnect partner.
Tor - free software for enabling anonymous communication. The name is an acronym derived from the original software project name, The Onion Router; however, the correct spelling is "Tor", capitalizing only the first letter. Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult for Internet activity to be traced back to the user: this includes "visits to Web sites, online posts, instant messages, and other communication forms".
TTPs - Tools, Techniques and Processes
Types of Threat Actors - an entity that is partially or wholly responsible for an incident that impacts, or has the potential to impact, an organization's security. Examples: Hacktivists, Cyber Criminals, Nation State
Typical Threat Indicators - IP addresses, hosts, email addresses, URLs, files
U
UTM/USM - Unified Threat Management/Unified Security Management is a solution in the network security industry, and since 2004 it has become established as a primary network gateway defense solution for organizations. In theory, UTM is the evolution of the traditional firewall into an all-inclusive security product able to perform multiple security functions within one single system: network firewalling, network intrusion prevention and gateway antivirus (AV), gateway anti-spam, VPN, content filtering, load balancing, data loss prevention and on-appliance reporting.
V
VCDB - a community data initiative to catalog security incidents in the public domain using the VERIS framework. The database contains raw data for thousands of security incidents shared under a Creative Commons license. You can download the latest release, follow the latest changes on GitHub, and even help catalog and code incidents to grow the database.
VERIS - The Vocabulary for Event Recording and Incident Sharing (VERIS) is a set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner. VERIS is a response to one of the most critical and persistent challenges in the security industry - a lack of quality information. VERIS targets this problem by helping organizations to collect useful incident-related information and to share that information - anonymously and responsibly - with others.
VA - vulnerability assessment is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure.
W
WAF (Web Application Firewall) - is an appliance, server plugin, or filter that applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. By customizing the rules to your application, many attacks can be identified and blocked.
Watering Hole - a computer attack strategy in which the victim is a particular group (organization, industry, or region). In this attack, the attacker guesses or observes which websites the group often uses and infects one or more of them with malware. Eventually, some member of the targeted group gets infected. Relying on websites that the group trusts makes this strategy efficient, even with groups that are resistant to spear phishing and other forms of phishing.
Whois - a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.
X
Y
YARA - is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.
Z
Did we miss a Cyber Term?
If so, send us the term and a definition by using our General Inquiry Contact Us Email Form.