Glossary of Terms
Internet Security Explained
Analyst (Cyber Threat)
A cyber threat analyst or researcher is a professional who specializes in identifying, analyzing, and understanding cyber threats and vulnerabilities. They study the techniques, motivations, and tactics of threat actors, assess potential risks, and contribute to strategies for mitigating and responding to cyber attacks. Their work involves monitoring, investigating, and providing actionable insights to enhance cybersecurity defenses.
APT (Advanced Persistent Threat) refers to a highly sophisticated and targeted cyber attack conducted by skilled threat actors, often nation-states or well-funded groups. APTs involve a prolonged and stealthy approach, aiming to gain unauthorized access, gather sensitive information, or disrupt systems without detection. These attacks can persist for extended periods, making them particularly challenging to defend against.
ASN (Autonomous System Number) is a unique numeric identifier assigned to a network or internet service provider (ISP) that participates in the Border Gateway Protocol (BGP). ASNs play a crucial role in routing internet traffic by enabling the identification and differentiation of individual networks, facilitating efficient communication between autonomous systems on the internet.
BGP (Border Gateway Protocol) is a core routing protocol used to exchange routing information and make decisions on how to route internet traffic between autonomous systems (AS). BGP enables the efficient and dynamic exchange of routing information, allowing routers to determine optimal paths and make informed routing decisions across interconnected networks on the internet.
BOGON refers to an IP address or network block that is invalid or unallocated. These addresses are typically reserved or designated for private use, testing, or future allocation. The name, drawing inspiration from "Hitchhiker's Guide to the Galaxy," marks an address that falls outside the allocated address space; much like the infinite improbability drive, such addresses should not appear in legitimate internet traffic, so they need to be filtered. Network administrators employ BOGON filtering to mitigate potential risks and ensure a secure and stable network environment: for example, BOGON filters are used to block or discard incoming and outgoing traffic to or from BOGON addresses, preventing potential threats or unauthorized access.
C2 infrastructure (Command and Control infrastructure) refers to the network of servers, communication channels, and tools that threat actors employ to manage and control compromised systems or a botnet. It includes servers for hosting command servers, control panels, communication protocols, and other components that enable remote control and coordination of cyberattacks or malicious activities.
C2 (Command and Control) refers to the infrastructure and communication channels used by threat actors to remotely manage and control compromised systems or a network of bots. It enables malicious actors to issue commands, receive data, and coordinate cyberattacks or unauthorized activities, often remaining hidden to evade detection and maintain control over compromised systems.
A CDN (Content Delivery Network) is a distributed network of servers strategically placed across various geographic locations. It helps deliver web content, such as images, videos, and other static or dynamic files, to end-users more efficiently. By caching and delivering content from nearby servers, CDNs reduce latency, improve website performance, and enhance user experience.
CSIRT (Computer Security Incident Response Team) is a dedicated group or team responsible for managing and responding to cybersecurity incidents within an organization or network. CSIRTs are trained to handle and investigate security breaches, provide incident response, coordinate remediation efforts, and implement proactive measures to prevent future incidents, ensuring the overall security and resilience of the organization's digital infrastructure.
DDoS (Distributed Denial of Service) is a type of cyber attack where multiple compromised computers, often forming a botnet, flood a target system or network with an overwhelming volume of requests or traffic. This flood of data exhausts the target's resources, causing service disruptions or rendering it inaccessible to legitimate users.
A digital asset refers to any form of content or information that exists in a digital format and holds value to individuals or organizations. It can include various types of files, such as documents, images, videos, audio recordings, software, cryptocurrencies, and other digital representations of value that can be stored, accessed, and transferred electronically.
A digital certificate, also known as an SSL/TLS certificate or X.509 certificate, is a cryptographic document that verifies the authenticity and integrity of digital information. It binds an entity's identity to a public key and is used to establish secure communication, verify website authenticity, and ensure data integrity in online transactions and communications.
DNS (Domain Name System) is a decentralized naming system that translates human-readable domain names, such as example.com, into the numeric IP addresses understood by computers. It acts as a directory for the internet, facilitating the efficient resolution of domain names to their corresponding IP addresses, enabling communication between devices.
External Digital Asset
An external digital asset refers to any digital content or information that is hosted or stored outside of an organization's internal systems or infrastructure. These assets can include files, documents, media, or other digital resources that are accessible or shared with external parties, such as clients, customers, or partners, through online platforms or cloud services.
Fraud (Digital Systems)
Fraud in digital systems refers to deceptive and unlawful activities conducted through electronic means with the intent to deceive or obtain unauthorized benefits. It involves deliberate manipulation, misrepresentation, or exploitation of digital technologies, platforms, or transactions for financial gain or other illicit purposes, often targeting individuals, organizations, or financial systems.
HTTP & HTTPS
HTTP (Hypertext Transfer Protocol) is an application protocol that allows the retrieval and display of web resources, such as HTML pages and images, over the internet. HTTPS (Hypertext Transfer Protocol Secure) is a secure version of HTTP that adds an encryption layer, ensuring that data transmitted between clients and servers is encrypted and protected from unauthorized access, providing a higher level of security for online communication and transactions.
IP (Internet Protocol) is a fundamental network protocol that provides a unique address to each device connected to a computer network. It facilitates the routing and delivery of data packets across the internet by assigning an IP address to devices, allowing them to communicate and exchange information within the network and with other networks.
An IP address (Internet Protocol address) is a numerical label assigned to each device connected to a computer network. It serves as a unique identifier, allowing devices to communicate and exchange data within the network and across the internet. IP addresses enable the routing and delivery of data packets to the intended recipients.
ISP (Internet Service Provider) is a company or organization that provides internet access to customers. ISPs connect users to the internet by offering various connection types, such as dial-up, broadband, or fiber optic. They typically offer additional services like email accounts, web hosting, and virtual private networks (VPNs) to facilitate internet connectivity for individuals and businesses.
Malicious infrastructure refers to the network, servers, domains, or other digital resources that are intentionally set up or exploited by threat actors for malicious activities. This infrastructure is used to host and distribute malware, launch cyber attacks, carry out phishing campaigns, facilitate command and control operations, or engage in other malicious activities aimed at compromising systems or stealing data.
Malware, short for malicious software, refers to any software or code specifically designed to harm or exploit computer systems, networks, or devices. It encompasses a range of threats such as viruses, worms, trojans, ransomware, and spyware. Malware can compromise data integrity, steal sensitive information, disrupt operations, or gain unauthorized access to systems.
NAS (Network Attached Storage) devices are commonly used as file servers on local networks, as they make stored data available to other devices over the network.
Introduced by Cisco Systems in 1996, NetFlow provides the ability to collect metadata on IP network traffic as it enters or exits an interface. A typical NetFlow monitoring setup consists of three main components:
Flow exporter: aggregates packets into flows and exports flow records towards one or more flow collectors.
Flow collector: responsible for the reception, storage and pre-processing of flow data received from a flow exporter.
Analysis application: analyzes received flow data, for example in the context of intrusion detection or traffic profiling.
For more information about NetFlow, see: team-cymru.com/netflow
PDNS (Passive DNS) is a method of collecting historical DNS data by capturing and storing DNS query and response information. It allows the reconstruction of past DNS resolutions, providing insights into domain activity and mapping changes over time. PDNS is useful for cybersecurity investigations, threat intelligence, and network analysis.
A port refers to a numbered endpoint or communication channel through which network services and applications send and receive data. Ports allow for the identification and differentiation of specific network services or processes running on a device. Each port number is associated with a specific protocol or service, facilitating the exchange of data between different systems. Examples include port 25 for SMTP (Simple Mail Transfer Protocol, i.e. email) and port 80 for HTTP (Hypertext Transfer Protocol, i.e. web traffic).
In digital systems, a protocol refers to a set of rules and guidelines that govern the communication and interaction between devices or entities. It defines the format, sequence, and procedures for exchanging data and establishing connections. Protocols ensure compatibility, reliability, and standardization, enabling effective communication and interoperability in various networked environments.
In the context of network architecture, proxies are intermediary servers that sit between clients and other servers, bridging the communication between the two ends. Proxies can be used to mask the IP address of either the server or the client, adding a layer of security and privacy.
Ransomware is a form of malicious software that encrypts files or locks computer systems, rendering them inaccessible to the victim. The attacker demands a ransom payment, usually in cryptocurrency, in exchange for decrypting the files or restoring system functionality. Ransomware attacks can have severe consequences, causing data loss, financial damage, and operational disruptions.
Cyber risk refers to the potential harm or adverse impact that can arise from the occurrence of a cyber threat or attack. It encompasses the likelihood of a security breach, data loss, financial loss, reputation damage, or operational disruption resulting from vulnerabilities or weaknesses in information systems, networks, or digital assets. Managing cyber risk involves implementing preventive measures, detection mechanisms, and effective response strategies.
Router (SOHO versions)
Small Office/Home Office (SOHO) routers are the ubiquitous home or small office devices used to connect to the internet. In the context of cyber threats, these devices are frequently targeted by cyber criminals aiming to capitalize on their inherent security weaknesses.
Scanners are devices that have been observed scanning the Internet. Such scanning activity can signify the presence of compromised machines, potentially harnessed by malicious actors to identify and exploit vulnerabilities in other systems connected to the network.
SMTP (Simple Mail Transfer Protocol) is a widely used network protocol for sending and delivering email messages over the internet. It enables the transmission of email between servers and supports the routing and delivery of messages to the intended recipients. SMTP is responsible for the reliable and efficient transfer of email across different mail servers and networks.
SSL (Secure Sockets Layer) is a cryptographic protocol that provides secure communication over the internet. It establishes an encrypted connection between a client and a server, ensuring the confidentiality, integrity, and authentication of data transmitted between them. SSL is commonly used to secure sensitive information such as credit card details, login credentials, and personal data during online transactions and communication. All SSL versions are now deprecated and have been superseded by TLS, although the term "SSL" is still widely used to refer to the encrypted connection.
A cyber threat refers to a potential attack or malicious activity targeting computer systems, networks, or digital infrastructure with the intent to compromise confidentiality, integrity, or availability of data or disrupt normal operations. It encompasses various forms, including malware, phishing, hacking, data breaches, ransomware, or any unauthorized activity aimed at exploiting vulnerabilities in digital environments.
Threat Actor (Cyber)
A threat actor refers to an individual, group, or entity that possesses the intent, capability, and resources to carry out malicious activities. These actors can be hackers, cybercriminals, nation-states, or insiders who launch cyber attacks, exploit vulnerabilities, steal data, disrupt systems, or engage in other malicious behaviors, posing a threat to digital infrastructure and security.
Threat Hunting (Cyber)
Cyber threat hunting is a proactive cybersecurity practice that involves actively searching for signs of malicious activity or potential threats within an organization's network or systems. It goes beyond traditional security measures by utilizing advanced techniques, tools, and intelligence to detect and respond to threats before they cause significant harm.
Threat Reconnaissance (Cyber)
Threat Reconnaissance is the proactive and human-driven approach of collecting intelligence about potential threats and adversaries outside the network perimeter. Elite threat hunters track, trace, and monitor threat actors operating beyond their borders, observing their tactics, techniques, and procedures (TTPs) and gathering valuable threat intelligence to inform defensive measures. It involves researching OSINT, leveraging external and internet threat intelligence sources, and focusing on identifying and understanding adversaries, including their IP addresses and infrastructure.
TLS (Transport Layer Security) is a cryptographic protocol that enables secure communication over computer networks, such as the internet. It ensures privacy, data integrity, and authentication during data transmission between clients and servers. TLS is widely used to establish secure connections for activities like online banking, e-commerce, and secure email communication.
TTP (Tactics, Techniques, and Procedures) is a term used in cybersecurity and intelligence analysis to refer to the methods, strategies, and processes employed by threat actors or adversaries. It encompasses the specific tactics and techniques used in carrying out attacks or malicious activities, as well as the overall procedures and behaviors observed in their operations. TTP analysis helps identify patterns, signatures, and indicators of compromise for threat detection and response.
Victimology refers to the practice of understanding and studying the characteristics of victims rather than focusing on the perpetrators. In cyber threat research, victim-to-C2 communications enable analysts to understand trends in threat activity and the TTPs (Tactics, Techniques, and Procedures) used by threat actors.
A VPN (Virtual Private Network) is a technology that establishes a secure and encrypted connection over a public network, such as the internet. It creates a private network by routing the user's internet traffic through a remote server, masking their IP address and encrypting the data, ensuring privacy, security, and anonymity while browsing the internet or accessing remote resources.
Vulnerability (Digital Systems)
In the context of digital systems, a vulnerability refers to a weakness or flaw that exists in software, hardware, or network infrastructure, which can be exploited by attackers to compromise the confidentiality, integrity, or availability of the system. Vulnerabilities can be caused by programming errors, misconfigurations, or design flaws and pose a potential risk to the security of the system.
X.509
The ISO/ITU-T standard for public key certificates.
Zero Day Attack
An attack on a computer system which exploits a vulnerability of which the software or anti-malware vendor is not aware.