Cybersecurity DFIR Terminology
What could be more fun than a glossary of cybersecurity terms? Almost anything! However, communicating clearly and accurately during a cybersecurity crisis, otherwise known as "incident response," is ABSOLUTELY CRITICAL! Check the links for "extensive" glossaries of terms, or review the DFIR keywords below (prioritized by category)!
NIST Computer Security Resource Center: Glossary (it's searchable, many are not!)
NICCS: Glossary (it's NOT searchable, but it IS downloadable in CSV!)
Palo Alto: Glossary (it's NOT searchable/downloadable, but it's NOT a gov site, so different perspective!)
Adversary: The "adversary" is our enemy, the "antagonist" in our IR story, sometimes referred to as a "threat actor," shortened to "TA."
DFIR: Digital Forensics and Incident Response...these are NOT the same thing, though often closely related. DF is the process of acquiring, preserving, and analyzing digital evidence. IR is the process of responding to and recovering from a cybersecurity incident.
CIRT: Cybersecurity Incident Response Team...a.k.a. CSIRT...this is the technical team, usually outlined in an Incident Response plan, engaged to manage/perform the PICERL process (see below).
PICERL: Pronounced "pick earl" (more or less!) is an "incident response methodology," sort of a high-level standard operating procedure. P = Preparation; I = Identification; C = Containment; E = Eradication; R = Recovery; L = Lessons Learned. See individual definitions below for Containment, Eradication, and Recovery!
Containment: Stopping the bleeding! This is often an urgent part of dealing with an active attack/intrusion and entails stopping the ongoing attack, e.g. isolating compromised hosts, disabling compromised accounts, and blocking the adversary's command-and-control traffic.
Eradication: This is usually two-pronged: mitigating vulnerabilities that allowed this incident to occur, and undoing the unauthorized activity/changes to your environment, in anticipation of moving towards "recovery."
Recovery: This is the process of returning to "business as usual" by restoring systems, services, and data to "production," while simultaneously ensuring their integrity and security.
Kill Chain: The "Lockheed Martin Cyber Kill Chain" is a model for the typical stages of a cyber attack: recon-->weaponization-->delivery-->exploitation-->installation-->command and control-->actions on objective (see additional definitions below).
MITRE ATT&CK Framework: A publicly available knowledgebase of adversary tactics (the adversary's goal at each stage) and techniques (how that goal is achieved), built from observed real-world intrusions. The adversary behaviors below each map to one or more ATT&CK techniques.
General Adversary (Threat Actor) Behaviors/Standard-Operating-Procedures (Priority 2...in "attack" order)
Exploitation: Taking advantage of a vulnerability to gain (initial access) or extend (pivot/escalate) unauthorized access and/or make unauthorized changes.
Escalation: The process of increasing access/capabilities by elevating permissions and/or acquiring additional access, e.g. going from "local admin" to "domain admin."
Pivot: The general process of moving laterally within an environment, e.g. gaining unauthorized access to HostA, then accessing (pivoting) to gain access to HostB.
Persistence: Maintaining unauthorized access across system changes/reboots and despite attempts at discovery and eradication.
Command and Control (C2): This is how the adversary communicates and interacts with compromised systems, almost always via the Internet.
Exfiltration: "Exfil" is unauthorized transfer of data out of an environment.
Actions on Objective: This refers to the adversary's goals and associated actions to achieve those goals. Determining what these are is generally speculative!
Golden Ticket: On a criticality scale of 1-10, this is a 10! A "Golden Ticket" is a forged Kerberos Ticket Granting Ticket (TGT), created with the password hash of the domain's "krbtgt" account, which grants the adversary high-privileged access to your Active Directory Domain (a.k.a. almost everything you care about) for as long as that krbtgt credential remains unchanged. Eradication requires resetting the krbtgt password TWICE, because the domain keeps the previous key to validate existing tickets.
Kerberoasting: This is a technique that targets domain accounts with "Service Principal Names" (SPNs) registered in Active Directory, usually service accounts, which are often highly privileged. Any authenticated domain user can request a service ticket for an SPN; that ticket is encrypted with the service account's password hash, so the adversary cracks it offline and recovers the password. The attack is hard to detect because it takes advantage of the way Kerberos is designed to work (the requests look like normal ticket requests). On a criticality scale of 1-10, if successful, depending on the permissions assigned to the compromised service account, this is often an 8 or 9!
Living off the Land: This is sometimes referred to as "LOLBINs" (living off the land binaries) or "LOLBAS" (living off the land binaries, scripts, and libraries) and basically means the adversary is using tools already available in the environment, often tools that are commonly included in an Operating System (OS).
RMM: This generally refers to "remote monitoring and management" tools, which are often "legit" applications, repurposed and abused by adversaries.
Shell: Very generally, this is a way to interact with and issue commands to the Operating System (OS) of a host, e.g. "cmd" or "PowerShell" or "bash."
SMB: "Server Message Block" is a very common protocol used for resource sharing on a network, e.g. file sharing, print sharing, etc. It has been abused/exploited FREQUENTLY over the years and is sometimes jokingly translated as "Shell My Box."
Web Shell: Generally, this is a script or executable the adversary places on a web server that lets them issue commands to the underlying Operating System (OS) through ordinary web requests. It is usually more limited than a full "Shell" (see definition above) because it runs with the web server's privileges and is only as interactive as the page allows.
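Because Kerberoasting abuses legitimate Kerberos behavior, the practical detection is a SIEM correlation over Windows Security Event ID 4769 ("A Kerberos service ticket was requested"): one account requesting tickets for many distinct SPNs in a short window, especially with the RC4-HMAC encryption type (0x17) that attackers ask for because it is cheap to crack. The following is an added example, not code from the original glossary; the 4769 records are constructed, and the thresholds (10-minute window, 5 distinct SPNs) are assumptions you would tune per environment.

```python
"""Kerberoasting detection over Windows Security Event ID 4769 records.

Added example for the glossary above, not part of the original page. The
sample events are constructed; field names follow the 4769 event schema,
values are made up. Thresholds (window, min_spns) are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ticket encryption types as logged in 4769: 0x17 = RC4-HMAC (crackable),
# 0x11 / 0x12 = AES128 / AES256 (far harder to crack offline).
RC4_HMAC = 0x17

# Constructed sample: (timestamp, requesting account, service name, etype, result code)
SAMPLE_4769 = [
    ("2024-05-01T09:00:01", "alice", "CORP-FS01$", "0x12", "0x0"),
    ("2024-05-01T09:00:05", "alice", "CORP-DC01$", "0x12", "0x0"),
    ("2024-05-01T09:15:00", "bob", "svc_sql", "0x17", "0x0"),        # one legacy RC4 request: below threshold
    ("2024-05-01T10:30:00", "mallory", "svc_sql", "0x17", "0x0"),
    ("2024-05-01T10:30:01", "mallory", "svc_web", "0x17", "0x0"),
    ("2024-05-01T10:30:01", "mallory", "svc_backup", "0x17", "0x0"),
    ("2024-05-01T10:30:02", "mallory", "svc_sharepoint", "0x17", "0x0"),
    ("2024-05-01T10:30:02", "mallory", "svc_exchange", "0x17", "0x0"),
    ("2024-05-01T10:30:03", "mallory", "svc_report", "0x17", "0x0"),
    ("2024-05-01T10:30:03", "mallory", "svc_report", "0x17", "0x0"),  # duplicate SPN, counted once
    ("2024-05-01T11:00:00", "mallory", "CORP-FS01$", "0x12", "0x0"),  # computer account, ignored
]


def parse_event(rec):
    """Normalize one raw record into typed fields."""
    ts, account, service, etype, status = rec
    return {
        "time": datetime.fromisoformat(ts),
        "account": account.lower(),
        "service": service,
        "etype": int(etype, 16),
        "status": int(status, 16),
    }


def is_roastable_target(service):
    """Computer accounts (trailing '$') have long random passwords and are not
    worth cracking; krbtgt tickets are TGTs rather than roastable service tickets."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(records, window=timedelta(minutes=10), min_spns=5):
    """Return one alert per account whose best sliding window holds >= min_spns
    distinct roastable SPNs. RC4 requests inside that window raise severity."""
    events = sorted((parse_event(r) for r in records), key=lambda e: e["time"])
    by_account = defaultdict(list)
    for e in events:
        if e["status"] == 0 and is_roastable_target(e["service"]):
            by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            in_window = evs[start:end + 1]
            spns = {e["service"] for e in in_window}
            if best is None or len(spns) >= best["distinct_spns"]:
                best = {
                    "account": account,
                    "window_start": evs[start]["time"].isoformat(),
                    "window_end": evs[end]["time"].isoformat(),
                    "distinct_spns": len(spns),
                    "rc4_requests": sum(1 for e in in_window if e["etype"] == RC4_HMAC),
                }
        if best and best["distinct_spns"] >= min_spns:
            best["severity"] = "high" if best["rc4_requests"] else "medium"
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert)
```

Run against the sample, only "mallory" fires (six distinct service accounts, all RC4, within a few seconds); "bob"'s single RC4 request stays below the threshold, which is the usual noise from legacy applications. In production, feed this from your SIEM's 4769 stream, and treat any RC4 (0x17) service ticket for an account that supports AES as worth a look on its own, since modern clients should not be asking for it.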
EDR: "Endpoint detection and response" refers to a security solution (technical control) that runs on a host (endpoint) to detect, prevent, and aid in response to unauthorized activity. It is sometimes generally referred to as "next generation antivirus" (next-gen AV) because of its similarity in goals/functions, with deep visibility into memory, processes, and behaviors on an endpoint, e.g. CrowdStrike Falcon, SentinelOne, Carbon Black, Huntress, etc.
IAM: "Identity and access management" is a general term for how an environment manages resource access via users, roles, and permissions, e.g. Microsoft Active Directory (on-prem identity management), AWS IAM, Google Workspace Identity, etc.
SIEM: "Security information and event management" refers to a log aggregation and analysis platform, which incorporates security alerting and event correlation across multiple logging datasets to help defenders detect and investigate unauthorized access/activity.
UEBA: "User and entity behavior analytics" refers to building a baseline of each user's/entity's normal authentication and access "behaviors" (usual hosts, hours, logon types) and flagging activity that deviates from it, to identify unusual/abnormal activity such as a first-ever RDP logon to a domain controller at 2 a.m.
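To make the UEBA idea concrete, here is an added example (not code from the original glossary) that builds a per-user baseline from constructed Windows logon records and scores new logons against it. The records, the three anomaly reasons (new source host, off-hours, new logon type), and the one-hour slack around normal working hours are all assumptions chosen for illustration.

```python
"""UEBA-style logon anomaly scoring over constructed 4624-like logon records.

Added example for the glossary above, not part of the original page. Both
record sets are constructed; the reasons and slack value are assumptions.
Logon types follow Windows 4624: 2 = interactive, 3 = network, 10 = RDP.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "known good" history: (timestamp, user, source workstation, logon type)
BASELINE_LOGONS = [
    ("2024-04-01T08:05:00", "alice", "WS-ALICE", 2),
    ("2024-04-02T08:12:00", "alice", "WS-ALICE", 2),
    ("2024-04-03T17:40:00", "alice", "WS-ALICE", 2),
    ("2024-04-01T09:00:00", "bob", "WS-BOB", 2),
    ("2024-04-02T09:30:00", "bob", "WS-BOB", 2),
    ("2024-04-03T08:45:00", "bob", "CORP-FS01", 3),
]

# Constructed new activity to score against the baseline
NEW_LOGONS = [
    ("2024-05-01T08:10:00", "alice", "WS-ALICE", 2),    # normal
    ("2024-05-01T02:13:00", "alice", "CORP-DC01", 10),  # new host, off-hours, first RDP
    ("2024-05-01T09:05:00", "bob", "CORP-FS01", 3),     # normal
    ("2024-05-01T12:00:00", "carol", "WS-CAROL", 2),    # user with no history at all
]


def build_baseline(records):
    """Profile each user: hosts they log on from, hours they are active, logon types used."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "types": set()})
    for ts, user, host, ltype in records:
        p = profile[user.lower()]
        p["hosts"].add(host.upper())
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["types"].add(ltype)
    return dict(profile)


def score_logon(baseline, record, slack_hours=1):
    """Return the list of reasons a single logon deviates from the user's baseline."""
    ts, user, host, ltype = record
    p = baseline.get(user.lower())
    if p is None:
        return ["unknown_user"]          # no history: cannot be "normal"
    reasons = []
    if host.upper() not in p["hosts"]:
        reasons.append("new_source_host")
    hour = datetime.fromisoformat(ts).hour
    if not (min(p["hours"]) - slack_hours <= hour <= max(p["hours"]) + slack_hours):
        reasons.append("off_hours")
    if ltype not in p["types"]:
        reasons.append("new_logon_type")
    return reasons


def detect_anomalies(baseline_records, new_records, min_reasons=1):
    """Score every new logon; report those with at least min_reasons deviations."""
    baseline = build_baseline(baseline_records)
    findings = []
    for rec in new_records:
        reasons = score_logon(baseline, rec)
        if len(reasons) >= min_reasons:
            ts, user, host, ltype = rec
            findings.append({
                "time": ts, "user": user, "host": host, "logon_type": ltype,
                "reasons": reasons, "score": len(reasons),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(BASELINE_LOGONS, NEW_LOGONS):
        print(finding)
```

Two caveats a practitioner will care about: the baseline is only as trustworthy as the learning window (if the adversary was already active while you learned "normal," their activity is in the profile), and a single reason such as "new_source_host" is usually just a hardware refresh, so raise min_reasons or weight the reasons before paging anyone.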
Stay tuned...more to come!