Analysis
ACL
Access Control List (ACL) is a list of permissions associated with a system resource. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.
APT
Advanced Persistent Threat (APT) is a stealthy Threat Actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period.
BEC
Business Email Compromise (BEC) is a targeted (spear phishing) attack in which the attacker impersonates an executive, supplier, or colleague by email in order to trick employees into taking harmful actions, most often sending money or sensitive data to the attacker.
Brute Force
A Brute Force attack consists of an attacker submitting many passwords, passphrases, or keys in the hope of eventually guessing correctly. Rate limiting, account lockout, and MFA are the usual mitigations; a burst of failed logins from one source is the typical detection signal.
C2/C&C
Command and Control (C2, also written C&C). The infrastructure and techniques that Threat Actors use to communicate with and control compromised devices, for example to issue commands, stage additional tooling, and exfiltrate data.
Dark Web
The dark web is the World Wide Web content that exists on darknets: overlay networks that use the Internet but require specific software, configurations, or authorization to access.
Hash
Hash is a mathematical function that converts an input of arbitrary length into a fixed-length output (the digest). The output is not encrypted and cannot be "decrypted": a cryptographic hash such as SHA-256 is one-way and collision-resistant, which is why a digest can serve as a fingerprint of a file or message.
Honeypot
Honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.
IoC
Indicator of Compromise (IoC) is an artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
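The Hash and IoC entries above are usually applied together: an analyst receives a list of hex digests and compares them against the files on a host. The following is an added example, not part of the original glossary, illustrating the properties of a hash (fixed-length output, one-bit change yielding an unrelated digest) and hash-based IoC matching. The file contents and the IoC digest are constructed in the script itself; they are not real malware hashes.

```python
import hashlib

# Constructed sample inputs: two "files" that differ in exactly one bit, plus an
# IoC set of SHA-256 digests computed here from constructed bytes (not real
# malware hashes) so that the example runs offline.
SAMPLE_FILE = b"MZ\x90\x00" + b"A" * 4000          # ~4 KiB, PE-like header
FLIPPED_FILE = bytearray(SAMPLE_FILE)
FLIPPED_FILE[100] ^= 0x01                           # flip a single bit
FLIPPED_FILE = bytes(FLIPPED_FILE)

def sha256_hex(data: bytes) -> str:
    """Digest as 64 hex characters; the length is fixed regardless of input size."""
    return hashlib.sha256(data).hexdigest()

def hamming_bits(a_hex: str, b_hex: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")

def digest_algorithm(hex_digest: str) -> str:
    """Infer the algorithm from digest length (handy when an IoC list is unlabelled)."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(hex_digest), "unknown")

# Constructed IoC list: the digest of SAMPLE_FILE is declared "known bad".
IOC_SHA256 = {sha256_hex(SAMPLE_FILE)}

def match_iocs(files: dict[str, bytes], iocs: set[str]) -> dict[str, str]:
    """Classify each named file as known-bad (digest in the IoC set) or unknown.

    A hash IoC only matches a byte-identical file: FLIPPED_FILE differs by one bit
    and produces an unrelated digest (see hamming_bits), which is why hash IoCs are
    brittle against even trivially recompiled or padded samples.
    """
    return {name: ("known-bad" if sha256_hex(data) in iocs else "unknown")
            for name, data in files.items()}

if __name__ == "__main__":
    a, b = sha256_hex(SAMPLE_FILE), sha256_hex(FLIPPED_FILE)
    print(len(a), len(sha256_hex(b"")), "hex chars: fixed length for any input")
    print(hamming_bits(a, b), "of 256 bits differ after a one-bit change")
    print(match_iocs({"sample.exe": SAMPLE_FILE, "sample2.exe": FLIPPED_FILE}, IOC_SHA256))
```

The Hamming distance printed will be close to 128 of 256 bits: roughly half the output changes for a one-bit input change, so nothing about the original file can be inferred from its digest, and nothing about a near-identical file either.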
LSASS
Local Security Authority Subsystem Service (LSASS) is a process (lsass.exe) in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. Because it holds credential material in memory, its process memory is a frequent target of credential-dumping tools, and access to it is worth monitoring.
MFT
Master File Table (MFT) is the central index of the New Technology File System (NTFS). It holds an entry for every file and directory on the volume, including size, time and date stamps, permissions, and the location of the data: small files are stored inside the MFT entry itself (resident data), larger ones in clusters outside the MFT that the entry describes. It is a primary source of timeline evidence in disk forensics.
MITM
Man-In-The-Middle (MITM) or person-in-the-middle (PITM) attack is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two parties.
MITRE ATT&CK
MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
NACL
Network Access Control List (NACL) is made up of numbered rules that either allow or deny traffic into or out of a network segment. In AWS, a NACL is a stateless filter applied at the VPC subnet level and evaluated in rule order; it complements the stateful security groups attached to individual instances.
NSRL
National Software Reference Library (NSRL) is a project of the National Institute of Standards and Technology that maintains a repository of known software, file profiles, and file signatures (hashes) for use by law enforcement and other organizations involved in computer forensic investigations, typically to filter known-good files out of an examination.
OTX
Open Threat Exchange (OTX) is a crowd-sourced computer-security platform. OTX information sharing covers a wide range of issues related to security, including viruses, malware, intrusion detection and firewalls. Its automated tools cleanse, aggregate, validate, and publish data shared by participants.
OWASP
Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security.
Privilege Escalation
Privilege Escalation consists of techniques that adversaries use to gain higher-level permissions on a system or network.
RCE
Arbitrary code execution (ACE) is an attacker's ability to run commands or code of the attacker's choice on a target machine or in a target process. A vulnerability that allows this is an arbitrary code execution vulnerability, and a program designed to exploit it is an arbitrary code execution exploit. When the execution can be triggered over a network (especially a wide-area network such as the Internet) without prior access to the machine, it is referred to as remote code execution (RCE).
RDP
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection.
Rule
General term for a pattern (a sequence of events, log field values, or file content) that a detection system matches against incoming data and which, when matched, creates an alert or log entry.
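As an added example (not code from the original glossary), here is a small detection rule of the kind the Brute Force and Rule entries describe: it parses sshd-style authentication lines, counts failed logins per source address inside a sliding time window, raises a medium alert when the threshold is crossed, and escalates to a high alert if that same source then logs in successfully. The log lines are constructed for the example and use documentation-range IP addresses; the threshold and window values are assumptions, not values from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sshd-style log lines. 203.0.113.7 fails six times in ten seconds
# and then succeeds; 198.51.100.9 has three failures spread over ten minutes,
# which stays under the threshold.
SAMPLE_LOG = """\
2024-01-10T03:14:01Z bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-01-10T03:14:03Z bastion sshd[4102]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
2024-01-10T03:14:04Z bastion sshd[4102]: Connection closed by 203.0.113.7 port 51236 [preauth]
2024-01-10T03:14:05Z bastion sshd[4103]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-01-10T03:14:08Z bastion sshd[4104]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-01-10T03:14:10Z bastion sshd[4105]: Failed password for root from 203.0.113.7 port 51242 ssh2
2024-01-10T03:14:12Z bastion sshd[4106]: Failed password for root from 203.0.113.7 port 51244 ssh2
2024-01-10T03:14:15Z bastion sshd[4107]: Accepted password for root from 203.0.113.7 port 51246 ssh2
2024-01-10T03:20:00Z bastion sshd[4201]: Failed password for ubuntu from 198.51.100.9 port 40001 ssh2
2024-01-10T03:25:00Z bastion sshd[4202]: Failed password for ubuntu from 198.51.100.9 port 40002 ssh2
2024-01-10T03:30:00Z bastion sshd[4203]: Failed password for ubuntu from 198.51.100.9 port 40003 ssh2
2024-01-10T03:31:00Z bastion sshd[4204]: Accepted password for ubuntu from 198.51.100.9 port 40004 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_line(line: str):
    """Return a dict for authentication lines, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}

def run_rule(lines, threshold: int = 5, window_s: int = 120) -> list[dict]:
    """Alert when one source accumulates `threshold` failures inside a sliding
    window of `window_s` seconds; escalate if that source then logs in."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    flagged = set()               # sources that already triggered the rule
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent[ev["src"]]
        if ev["outcome"] == "Failed":
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > window_s:
                window.popleft()  # drop failures older than the window
            if len(window) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src": ev["src"], "failures": len(window), "at": ev["ts"]})
        elif ev["src"] in flagged:
            # A success from a source that was brute-forcing is the event worth paging on.
            alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                           "src": ev["src"], "user": ev["user"], "at": ev["ts"]})
    return alerts

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_LOG):
        print(alert)
```

The sliding window matters: a fixed per-day count would either miss a ten-second burst or fire on slow, legitimate typos; the window keys the rule to the attack's tempo rather than to the calendar.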
SMB
Server Message Block (SMB) is a communication protocol that Microsoft created for providing shared access to files and printers across nodes on a network.
Spear Phishing
Spear phishing is a technique typically used in targeted attack campaigns to gain access to an individual's account or to impersonate a specific individual. The attacker sends messages (most commonly email) that look legitimate but carry malicious links or attachments that compromise the recipient's account or machine.
SQL Injection
SQL injection is a common attack vector in which attacker-controlled input is concatenated into a SQL statement, so that the input is parsed as SQL code rather than as data. The attacker can then read, modify, or delete data that was never intended to be exposed. Parameterized queries (prepared statements) are the standard defense.
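To make the mechanism concrete, the following added example (not code from the original glossary) puts a vulnerable login query next to its parameterized form and runs two classic payloads against both. It uses Python's built-in sqlite3 with a constructed in-memory table; the usernames and passwords are invented.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table. Passwords are stored in cleartext only to
    keep the demo short; a real application stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn

def login_vulnerable(conn, username: str, password: str) -> list[tuple]:
    """VULNERABLE: the inputs are spliced into the statement text, so a quote
    character in them changes the structure of the query the database parses."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchall()

def login_safe(conn, username: str, password: str) -> list[tuple]:
    """SAFE: the statement is fixed and the values are bound as parameters, so a
    quote in the input is just a character inside a string value."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

# Two classic payloads (constructed): a tautology that makes the WHERE clause
# always true, and a comment sequence that drops the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_BYPASS = "alice'--"

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, "nobody", TAUTOLOGY))      # every row: authentication bypassed
    print(login_safe(conn, "nobody", TAUTOLOGY))            # [] : payload treated as a literal password
    print(login_vulnerable(conn, COMMENT_BYPASS, "wrong"))  # alice's row: password clause commented out
    print(login_safe(conn, COMMENT_BYPASS, "wrong"))        # []
```

With the tautology, the vulnerable query becomes `... WHERE username = 'nobody' AND password = '' OR '1'='1'`; because AND binds tighter than OR, every row matches. The parameterized version never reparses the statement, so the same bytes simply fail to match any password.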
TA
Threat Actor (TA), or malicious actor, is a person or group that takes part in an action intended to cause harm to computers, devices, systems, or networks.
TCP
Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol.
Telnet
Telnet is an application protocol used on the Internet or a local area network to provide a bidirectional interactive text-oriented communication facility using a virtual terminal connection. Telnet transmits everything, including credentials, in cleartext and has been superseded by SSH; a listening Telnet service is itself a finding.
Tor
Tor is free and open-source software for enabling anonymous communication. Commonly used to access Dark web sites.
TTP
Tactics, Techniques, and Procedures (TTPs) describe how an adversary operates: the tactic is the goal, the technique the general method used to reach it, and the procedure the specific implementation observed. In analysis, TTPs are used to identify the characteristic patterns of behavior of a particular campaign or group, and they are the organizing principle of MITRE ATT&CK.
Web shell
Web shell is a malicious script (PHP, ASP.NET, JSP, and so on) placed on a web server that gives an attacker a shell-like interface to the server, with commands sent and output returned over ordinary HTTP requests.
WHOIS
WHOIS is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.
YARA
YARA is a tool and rule language primarily used in malware research and detection. A YARA rule describes the strings, byte sequences, and conditions that identify a malware family or artifact, and the tool scans files or process memory for matches.
AWS
AMI
Amazon Machine Image (AMI) is a template (root volume snapshot, launch permissions, and block device mapping) that provides the information required to launch an EC2 instance. AMIs can be published by AWS, sold on the AWS Marketplace, or created by users from their own instances; the latter may carry embedded credentials or data and should be treated accordingly.
ARN
Amazon Resource Names (ARNs) uniquely identify AWS resources. The general format is arn:partition:service:region:account-id:resource, for example arn:aws:s3:::bucket-name for an S3 bucket; ARNs are what IAM policies reference in their Resource fields.
AWS
Amazon Web Services provides on-demand cloud computing platforms and APIs to individuals, companies, and governments, on a metered pay-as-you-go basis. These cloud computing web services provide distributed computing processing capacity and software tools via AWS server farms.
AWS Lambda
AWS Lambda is an event-driven, serverless computing platform provided by AWS.
AWS RDS
Relational Database Service (RDS) is a managed SQL database service. RDS supports an array of database engines to store and organize data.
CloudFormation
CloudFormation is the AWS infrastructure-as-code service: resources are declared in templates, and AWS creates, updates, and deletes them together as a stack, reducing the time spent managing those resources by hand.
CloudTrail
CloudTrail is an AWS service that enables governance, compliance, and operational and risk auditing of your AWS account. Actions taken by a user, role, or an AWS service are recorded as events in CloudTrail.
CloudWatch
CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), and similar roles. It provides data and actionable insights to monitor applications, respond to system-wide performance changes, and optimize resource utilization.
CMK
Customer Master Key (CMK) was the former name for the logical representation of a key in KMS (AWS now calls it a KMS key). It includes metadata such as the key ID, creation date, description, and key state; the key material itself never leaves KMS.
EBS
Elastic Block Store (EBS) provides raw block-level storage that can be attached to Amazon EC2 instances and is used by Amazon Relational Database Service.
EC2
Elastic Compute Cloud (EC2) is a part of AWS that allows users to rent virtual computers on which to run their own computer applications.
EKS
Elastic Kubernetes Service (EKS) is a managed container service to run and scale Kubernetes applications in the cloud or on-premises.
GuardDuty
GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.
IAM
Identity & Access Management (IAM) provides fine-grained access control across all AWS resources.
KMS
Key Management Service (KMS) is the AWS service for creating and controlling cryptographic keys. KMS presents a single control point to manage keys and define key policies consistently across integrated AWS services and your own applications.
Route 53
Route 53 is a scalable and highly available Domain Name System (DNS) service.
S3
Simple Storage Service (S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance.
SNS
Simple Notification Service (SNS) is a managed service that provides message delivery from publishers to subscribers (also known as producers and consumers).
STS
Security Token Service (STS) is a web service that enables the request of temporary security credentials that can be used to access AWS resources.
VPC
Virtual Private Cloud (VPC) is a logically isolated virtual network within a public cloud environment in which an organization launches its resources. The organization controls its own IP address ranges, subnets, route tables, and network gateways, which provides isolation from the other tenants sharing the underlying infrastructure.
Azure
Azure
Microsoft Azure, often referred to as Azure, is a cloud computing service operated by Microsoft for application management via Microsoft-managed data centers.
GCP
GCP
Google Cloud Platform (GCP), offered by Google, is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products.
General
API
Application Programming Interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software.
CI/CD
Continuous Integration/Continuous Delivery (or Deployment): the practice of automatically building, testing, and releasing code changes through a pipeline. Because the pipeline holds deployment credentials and produces the artifacts that reach production, it is a high-value target in software-supply-chain attacks.
CISO
Chief Information Security Officer
CLI
Command Line Interface (CLI). Often used to receive/execute commands from users in the form of lines of text.
Container
A container is a standard unit of software that packages up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another.
CSPM
Cloud Security Posture Management (CSPM) is a market segment for IT security tools that are designed to identify misconfiguration issues and compliance risks in the cloud.
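A CSPM check is, at bottom, a rule evaluated over configuration rather than over logs. The following is an added example (not code from the original glossary or from any CSPM product) that applies three such checks to IAM and S3 bucket policy documents of the kind described in the IAM, S3, and CSPM entries: an Allow of Action * on Resource *, a service-wide wildcard action on all resources, and a Principal * without a Condition. The policy documents, bucket name, and VPC endpoint ID are constructed for the example.

```python
import json

# Constructed sample policies (bucket name and endpoint ID are hypothetical).
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
SERVICE_WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-logs-bucket", "arn:aws:s3:::example-logs-bucket/*"],
    }],
})
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs-bucket/*",
    }],
})
CONDITIONED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-logs-bucket/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

def _as_list(value):
    """IAM permits either a string or a list in Action/Resource/Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_public_principal(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def find_policy_issues(policy_json: str) -> list[str]:
    """Return human-readable findings for the most common over-permissive patterns.

    Deliberately narrow: only Allow statements using Action/Resource are examined
    (NotAction/NotResource are ignored), so an empty result means "no common
    wildcard issue found", not "policy is safe".
    """
    issues = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        all_resources = "*" in _as_list(st.get("Resource"))
        if "*" in actions and all_resources:
            issues.append(f"statement {i}: Action * on Resource * grants full administrative access")
        elif any(a.endswith(":*") for a in actions) and all_resources:
            issues.append(f"statement {i}: service-wide wildcard action on all resources")
        if _is_public_principal(st.get("Principal")) and "Condition" not in st:
            issues.append(f"statement {i}: Principal * without a Condition makes the resource public")
    return issues

if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("service-wildcard", SERVICE_WILDCARD_POLICY),
                         ("scoped", SCOPED_POLICY), ("public-bucket", PUBLIC_BUCKET_POLICY),
                         ("conditioned-bucket", CONDITIONED_BUCKET_POLICY)]:
        print(name, find_policy_issues(policy) or ["no common issue found"])
```

Note the asymmetry the last two policies show: a Principal of * is not automatically a finding, since a Condition restricting the source (here a VPC endpoint) can make it a legitimate pattern, whereas an unconditioned Principal * on a bucket is the classic public-bucket exposure.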
DevOps
DevOps is a set of practices that combines software development and IT operations. It aims to shorten the systems development life cycle and provide continuous delivery with high software quality.
DLL
Dynamic Link Library (DLL) is a shared library of code and data on Windows that programs load at runtime, so that functionality which is not core to a program can live in a separate file and be shared between programs.
DLP
Data Loss Prevention (DLP) software detects potential data breaches and data exfiltration and prevents them by monitoring, detecting, and blocking sensitive data while in use, in motion, and at rest.
DNS
Domain Name System (DNS) is the hierarchical and decentralized naming system used to identify computers reachable through the Internet or other Internet Protocol (IP) networks.
EDR
Endpoint Detection and Response (EDR), also known as endpoint threat detection and response (ETDR), is a cybersecurity technology that continually monitors an "endpoint" (for example, mobile phone, laptop, Internet-of-Things device) to mitigate malicious cyber threats.
ETL
Extract, Transform, Load (ETL) is a three-phase process where data is first extracted then transformed (cleaned, sanitized, scrubbed) and finally loaded into an output data container. The data can be collated from one or more sources, and it can also be outputted to one or more destinations.
EULA
End User License Agreement (EULA) is a legally binding agreement between the owner of a product (often software) and the end-user – more specifically a contract between the licensor of a product and the licensee.
EWS
Exchange Web Services (EWS) is a Microsoft web services API (SOAP over HTTPS) that lets client applications access mailbox data such as mail, calendar items, and contacts in Exchange Server and Exchange Online.
Firewall
A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies.
Git
Git is software for tracking changes in any set of files, usually used for coordinating work among programmers collaboratively developing source code during software development.
IaC
Infrastructure as code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.
IDS
Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.
Incident Response (IR)
Incident Response (IR) is an organized approach to addressing and managing the aftermath of a security breach or cyberattack.
IP
Internet Protocol (IP); in a network context usually short for IP address. In legal and business contexts IP may also mean Intellectual Property.
IPS
Intrusion Prevention System (IPS) is a network security tool (which can be a hardware device or software) that continuously monitors a network for malicious activity and takes action to prevent it, including reporting, blocking, or dropping it, when it does occur.
Kubernetes
Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management.
Load Balancer
A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers.
LoE
Level of Effort (LoE) is an estimate of the work (time and people) required to complete a task or engagement, used to scope and prioritize response and remediation activities.
MDR
Managed detection and response (MDR) is a cybersecurity service that combines technology and human expertise to perform threat hunting, monitoring, and response.
MFA
Multi-factor authentication (MFA; called two-factor authentication or 2FA when exactly two factors are used) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is).
Microsoft IIS
Internet Information Services is an extensible web server software created by Microsoft for use with the Windows NT family.
MSSP
Managed Security Service Provider (MSSP): a third party that operates security controls and monitoring on behalf of its clients.
Nginx
Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy and HTTP cache.
NIST
National Institute of Standards and Technology (NIST) is the US standards agency whose publications (for example the NIST Cybersecurity Framework and the SP 800 series) are so widely adopted that they are commonly referred to as "best practice" in cybersecurity.
NOC
Network Operations Center
NTLM
Windows New Technology LAN Manager (NTLM) is a suite of challenge-response authentication protocols offered by Microsoft to authenticate users' identity and protect the integrity and confidentiality of their activity. It is a legacy protocol that is susceptible to relay and pass-the-hash attacks; Kerberos is the preferred authentication mechanism in modern Windows domains.
PowerShell
PowerShell is a task automation and configuration management program from Microsoft, consisting of a command-line shell and the associated scripting language.
Proxy
Proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.
RDC
Remote Desktop Connection: the Windows client (mstsc.exe) used to connect to a remote computer over RDP.
RDS
Remote Desktop Services (RDS) is one of the components of Microsoft Windows that allow a user to take control of a remote computer or virtual machine over a network connection.
Root
Root is the username or account that by default has access to all commands and files on a Linux or other Unix-like operating system.
RPC
Remote Procedure Call (RPC) is a software communication protocol that one program can use to request a service from a program on another computer on a network without having to understand the network's details; the remote procedure is invoked as if it were local. Microsoft RPC (MSRPC) is the Windows implementation and underpins much remote Windows administration.
S1/S2
Severity 1 / Severity 2 incidents: the two highest-priority incident classifications, S1 being reserved for the most critical cases.
SAML
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.
Security Operations Center (SOC)
A Security Operations Center is a centralized unit that deals with security issues on an organizational and technical level. It comprises the three building blocks for managing and enhancing an organization's security posture: people, processes, and technology.
SIEM
Security Information and Event Management (SIEM) is a class of software products and services that combine security information management and security event management: logs and events are collected from across the environment, normalized, correlated, and retained so that rules can be run against them for detection and investigation.
SOAR
Security Orchestration, Automation and Response (SOAR) is a stack of compatible software programs that enables an organization to collect data about security threats and respond to security events with little or no human intervention, by codifying the response as automated playbooks.
SSH
Secure Shell Protocol (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.
SSO
Single Sign-On (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.
TCP/IP
The Internet protocol suite, commonly known as TCP/IP, is the set of communications protocols used on the Internet and similar computer networks.
Terminal
The terminal is a text-based interface used to control a computer.
VM
Virtual Machine is the virtualization/emulation of a computer system. Virtual Machines are based on computer architectures and provide functionality of a physical computer.
WAF
Web Application Firewall (WAF) is a firewall that inspects HTTP/HTTPS traffic at the application layer and filters or blocks requests to and from a website or web application, for example those matching injection or cross-site scripting patterns. It is a complementary control, not a substitute for fixing the vulnerable code.
XDR
Extended Detection and Response (XDR) is a cybersecurity technology that collects and correlates telemetry from multiple layers (endpoints, network, cloud, identity, email) to detect and respond to threats, extending EDR beyond the endpoint.
Services
CA
Compromise Assessment: a proactive review of an environment for evidence of past or ongoing compromise. (Outside this glossary, CA commonly also stands for Certificate Authority.)
CASL
Cloud Attack Scenario Library (CASL). Proprietary library created and maintained by Mitiga in order to detect malicious activities in the cloud.
Hypothesis
A threat hunt hypothesis is a supposition or proposed explanation made on the basis of limited evidence from a security environment, and this proposed explanation is then used as a starting point for further investigation.
Inject
A scripted event or piece of information, based on a realistic scenario, that is introduced during a tabletop exercise to drive the discussion and test how participants respond.
Threat Hunting
Threat Hunting is a proactive cyber defense activity. It is the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
TTX
Tabletop Exercise. A cybersecurity incident response tabletop exercise (TTX) is a discussion-based activity in which participants walk through a simulated incident scenario to test plans, roles, and decision-making without touching production systems.