Analysis

ACL

Access Control List (ACL) is a list of permissions associated with a system resource. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

APT

Advanced Persistent Threat (APT) is a stealthy Threat Actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.

BEC

Business Email Compromise (BEC) is a specific type of phishing attack, a spear phishing attack, with the objective of tricking employees into taking harmful actions, typically sending money to the attacker.

Brute Force

A Brute Force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.

C2/C2C

Command and Control (C2, also written C2C) is a technique that Threat Actors use to control compromised devices.

Dark Web

The dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access.

Hash

A hash is a mathematical function that converts an input of arbitrary length into a fixed-length output (the hash value or digest).

Honeypot

A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.

IoC

An Indicator of Compromise (IoC) is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.

LSASS

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.

MFT

The Master File Table (MFT) on the New Technology File System (NTFS) contains all information about a file, including its size, time and date stamps, permissions, and data content. This information is stored either in MFT entries or in space outside the MFT that is described by MFT entries.

MITM

Man-In-The-Middle (MITM) or person-in-the-middle (PITM) attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties.

MITRE ATT&CK

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

NACL

Network Access Control List (NACL) is made up of rules that either allow access to a computer environment or deny it.

NSRL

The National Software Reference Library (NSRL) is a project of the National Institute of Standards and Technology that maintains a repository of known software, file profiles and file signatures for use by law enforcement and other organizations involved with computer forensic investigations.

OTX

Open Threat Exchange (OTX) is a crowd-sourced computer-security platform. OTX information sharing covers a wide range of issues related to security, including viruses, malware, intrusion detection and firewalls. Its automated tools cleanse, aggregate, validate, and publish data shared by participants.

OWASP

Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.

Privilege Escalation

Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.

RCE

In computer security, arbitrary code execution (ACE) is an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit. The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE).

RDP

Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection.

Rule

General term for a pattern of events that can be matched against, creating an alert or log entry when a match occurs.

SMB

Server Message Block (SMB) is a communication protocol that Microsoft created for providing shared access to files and printers across nodes on a network.

Spear Phishing

Spear phishing is a technique typically used in targeted attack campaigns to gain access to an individual's account or to impersonate a specific individual. It works by sending messages (email is the most common channel) that look "real" but in fact contain malicious links or attachments that help to compromise the end user's machine.

SQL Injection

SQL injection is a common attack vector that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed.

TA

Threat Actor (TA) or malicious actor is either a person or a group of people that take part in an action that is intended to cause harm to the cyber realm, including computers, devices, systems, or networks.

TCP

Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol.

Telnet

Telnet is an application protocol used on the Internet or a local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection.

Tor

Tor is free and open-source software for enabling anonymous communication. It is commonly used to access Dark Web sites.

TTP

Tactics, Techniques, and Procedures (TTPs) is an essential concept in cyber security studies. The role of TTPs in analysis is to identify individual patterns of behavior of a particular activity or a particular organization.

Web shell

A web shell is a shell-like interface that enables a web server to be remotely accessed.

WHOIS

WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.

YARA

YARA is the name of a tool primarily used in malware research and detection. YARA rules are used to identify unique patterns and strings within malware in order to detect it.

AWS

AMI

Amazon Machine Image (AMI) is a supported and maintained image provided by AWS that provides the information required to launch an instance.

ARN

Amazon Resource Names (ARNs) uniquely identify AWS resources.

AWS

Amazon Web Services (AWS) provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. These cloud computing web services provide distributed computing processing capacity and software tools via AWS server farms.

AWS Lambda

AWS Lambda is an event-driven, serverless computing platform provided by AWS.

AWS RDS

Relational Database Service (RDS) is a managed SQL database service. RDS supports an array of database engines to store and organize data.

CloudFormation

CloudFormation is an AWS service that helps model and set up AWS resources, so that less time is spent managing those resources.

CloudTrail

CloudTrail is an AWS service that enables governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.

CloudWatch

CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), and so on, in order to provide data and actionable insights to monitor applications, respond to system-wide performance changes, and optimize resource utilization.

CMK

Customer Master Key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state.

EBS

Elastic Block Store (EBS) provides raw block-level storage that can be attached to Amazon EC2 instances and is used by Amazon Relational Database Service.

EC2

Elastic Compute Cloud (EC2) is a part of AWS that allows users to rent virtual computers on which to run their own computer applications.

EKS

Elastic Kubernetes Service (EKS) is a managed container service to run and scale Kubernetes applications in the cloud or on-premises.

GuardDuty

GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

IAM

Identity & Access Management (IAM) provides fine-grained access control across all AWS resources.

KMS

Key Management Service (KMS) presents a single control point to manage keys and define policies consistently across integrated AWS services and your own applications.

Route 53

Route 53 is a scalable and highly available Domain Name System (DNS) service.

S3

Simple Storage Service (S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.

SNS

Simple Notification Service (SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers).

STS

Security Token Service (STS) is a web service that enables the request of temporary security credentials that can be used to access AWS resources.

VPC

Virtual Private Cloud (VPC) is an on-demand configurable pool of shared resources allocated within a public cloud environment, providing a certain level of isolation between the different organizations (denoted as users hereafter) using the resources.

Azure

Azure

Microsoft Azure, often referred to as Azure, is a cloud computing service operated by Microsoft for application management via Microsoft-managed data centers.

GCP

GCP

Google Cloud Platform (GCP), offered by Google, is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products.

General

API

Application Programming Interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software.

CI/CD

Continuous Integration/Continuous Deployment (CI/CD).

CISO

Chief Information Security Officer.

CLI

Command Line Interface (CLI). Often used to receive/execute commands from users in the form of lines of text.

Container

A container is a standard unit of software that packages up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another.

CSPM

Cloud Security Posture Management (CSPM) is a market segment for IT security tools that are designed to identify misconfiguration issues and compliance risks in the cloud.

DevOps

DevOps is a set of practices that combines software development and IT operations. It aims to shorten the systems development life cycle and provide continuous delivery with high software quality.

DLL

Dynamic Link Library (DLL) is a collection of small programs that larger programs can load when needed to complete specific tasks. The small program, called a DLL file, contains instructions that help the larger program handle what may not be a core function of the original program.

DLP

Data Loss Prevention (DLP) software detects potential data breaches/data exfiltration transmissions and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest.

DNS

Domain Name System (DNS) is the hierarchical and decentralized naming system used to identify computers reachable through the Internet or other Internet Protocol (IP) networks.

EDR

Endpoint Detection and Response (EDR), also known as endpoint threat detection and response (ETDR), is a cybersecurity technology that continually monitors an "endpoint" (for example, mobile phone, laptop, Internet-of-Things device) to mitigate malicious cyber threats.

ETL

Extract, Transform, Load (ETL) is a three-phase process where data is first extracted, then transformed (cleaned, sanitized, scrubbed) and finally loaded into an output data container. The data can be collated from one or more sources, and it can also be outputted to one or more destinations.

EULA

End User License Agreement (EULA) is a legally binding agreement between the owner of a product (often software) and the end-user – more specifically a contract between the licensor of a product and the licensee.

EWS

Exchange Web Services (EWS) is a Microsoft web services API that gives client applications access to Exchange mailbox data such as email, calendar items, and contacts.

Firewall

A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies.

Git

Git is software for tracking changes in any set of files, usually used for coordinating work among programmers collaboratively developing source code during software development.

IaC

Infrastructure as Code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.

IDS

Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.

Incident Response (IR)

Incident Response (IR) is an organized approach to addressing and managing the aftermath of a security breach or cyberattack.

IP

Internet Protocol (IP), as in IP address; also used as an abbreviation for Intellectual Property.

IPS

Intrusion Prevention System (IPS) is a network security tool (which can be a hardware device or software) that continuously monitors a network for malicious activity and takes action to prevent it, including reporting, blocking, or dropping it, when it does occur.

Kubernetes

Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management.

Load Balancer

A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers.

LoE

Level of Effort (LoE) links multiple tasks and missions using the logic of purpose (cause and effect) to focus efforts toward establishing operational and strategic conditions.

MDR

Managed Detection and Response (MDR) is a cybersecurity service that combines technology and human expertise to perform threat hunting, monitoring, and response.

MFA

Multi-factor authentication (MFA or 2FA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is).

Microsoft IIS

Internet Information Services (IIS) is an extensible web server software created by Microsoft for use with the Windows NT family.

MSSP

Managed Security Service Provider.

Nginx

Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.

NIST

National Institute of Standards and Technology (NIST). Commonly referred to as "best practice" in cybersecurity, given the number of publications and standards it has published that have become industry practice.

NOC

Network Operations Center.

NTLM

Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users' identity and protect the integrity and confidentiality of their activity.

PowerShell

PowerShell is a task automation and configuration management program from Microsoft, consisting of a command-line shell and the associated scripting language.

Proxy

A proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.

RDC

Remote Desktop Connection.

RDS

Remote Desktop Services (RDS) is one of the components of Microsoft Windows that allow a user to take control of a remote computer or virtual machine over a network connection.

Root

Root is the username or account that by default has access to all commands and files on a Linux or other Unix-like operating system.

RPC

Microsoft Remote Procedure Call (RPC) is a software communication protocol that one program can use to request a service from a program located on another computer on a network without having to understand the network's details. RPC is used to call processes on remote systems as if they were on the local system.

S1/S2

Severity 1/Severity 2 incidents.

SAML

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.

Security Operations Center (SOC)

A Security Operations Center is a centralized unit that deals with security issues on an organizational and technical level. It comprises the three building blocks for managing and enhancing an organization's security posture: people, processes, and technology.

SIEM

Security Information and Event Management (SIEM) is a field of computer security, where software products and services combine security information management and security event management.

SOAR

Security Orchestration, Automation and Response (SOAR) is a stack of compatible software programs that enables an organization to collect data about security threats and respond to security events without human assistance.

SSH

Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

SSO

Single Sign-On (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

TCP/IP

The Internet protocol suite, commonly known as TCP/IP, is the set of communications protocols used on the Internet and similar computer networks.

Terminal

The terminal is a text-based interface used to control a computer.

VM

A Virtual Machine (VM) is the virtualization/emulation of a computer system. Virtual Machines are based on computer architectures and provide the functionality of a physical computer.

WAF

Web Application Firewall (WAF) is a firewall that monitors, filters, and blocks data packets as they travel to and from a website or web application.

XDR

Extended Detection and Response (XDR) is a cybersecurity technology that monitors and mitigates cyber security threats.

Services

CA

Compromise Assessment

CASL

Cloud Attack Scenario Library (CASL). Proprietary library created and maintained by Mitiga in order to detect malicious activities in the cloud.

Hypothesis

A threat hunt hypothesis is a supposition or proposed explanation made on the basis of limited evidence from a security environment, and this proposed explanation is then used as a starting point for further investigation.

Inject

A realistic scenario developed for testing during tabletop exercises.

Threat Hunting

Threat Hunting is a proactive cyber defense activity. It is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.

TTX

Tabletop Exercise. A cybersecurity incident response tabletop exercise (TTX) is an activity conducted as a discussion.