Terms and definitions from Course 6, course 6 glossary

 

A

Advanced persistent threat (APT): An instance when a threat actor maintains unauthorized access to a system for an extended period of time 

Analysis: The investigation and validation of alerts 

Anomaly-based analysis: A detection method that identifies abnormal behavior 

Array: A data type that stores data in a comma-separated ordered list

B

Broken chain of custody: Inconsistencies in the collection and logging of evidence in the chain of custody

Business continuity plan (BCP): A document that outlines the procedures to sustain business operations during and after a significant disruption

C

Chain of custody: The process of documenting evidence possession and control during an incident lifecycle

Command and control (C2): The techniques used by malicious actors to maintain communications with compromised systems

Command-line interface (CLI): A text-based user interface that uses commands to interact with the computer

Common Event Format (CEF): A log format that uses key-value pairs to structure data and identify fields and their corresponding values 

Computer security incident response teams (CSIRT): A specialized group of security professionals that are trained in incident management and response 

Configuration file: A file used to configure the settings of an application

Containment: The act of limiting and preventing additional damage caused by an incident

Crowdsourcing: The practice of gathering information using public collaboration

D

Data exfiltration: Unauthorized transmission of data from a system

Data packet: A basic unit of information that travels from one device to another within a network

Detection: The prompt discovery of security events

Documentation: Any form of recorded content that is used for a specific purpose 

E

Endpoint: Any device connected on a network

Endpoint detection and response (EDR): An application that monitors an endpoint for malicious activity

Eradication: The complete removal of the incident elements from all affected systems

Event: An observable occurrence on a network, system, or device

F

False negative: A state where the presence of a threat is not detected 

False positive: An alert that incorrectly detects the presence of a threat

Final report: Documentation that provides a comprehensive review of an incident

H 

Honeypot: A system or resource created as a decoy vulnerable to attacks with the purpose of attracting potential intruders

Host-based intrusion detection system (HIDS): An application that monitors the activity of the host on which it’s installed

I

Incident: An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies

Incident handler’s journal: A form of documentation used in incident response

Incident response plan: A document that outlines the procedures to take in each step of incident response

Indicators of attack (IoA): The series of observed events that indicate a real-time incident

Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security incident 

Internet Protocol (IP): A set of standards used for routing and addressing data packets as they travel between devices on a network

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions

Intrusion prevention system (IPS): An application that monitors system activity for intrusive activity and takes action to stop the activity

K

Key-value pair: A set of data that represents two linked items: a key, and its corresponding value

L

Lessons learned meeting: A meeting that includes all involved parties after a major incident

Log analysis: The process of examining logs to identify events of interest 

Log management: The process of collecting, storing, analyzing, and disposing of log data

Logging: The recording of events occurring on computer systems and networks

M

Media Access Control (MAC) Address: A unique alphanumeric identifier that is assigned to each physical device on a network

N

National Institute of Standards and Technology (NIST) Incident Response Lifecycle: A framework for incident response consisting of four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-incident activity

Network-based intrusion detection system (NIDS): An application that collects and monitors network traffic and network data

Network data: The data that’s transmitted between devices on a network 

Network Interface Card (NIC): Hardware that connects computers to a network

Network protocol analyzer (packet sniffer): A tool designed to capture and analyze data traffic within a network

Network traffic: The amount of data that moves across a network 

O

Object: A data type that stores data in a comma-separated list of key-value pairs

Open-source intelligence (OSINT): The collection and analysis of information from publicly available sources to generate usable intelligence

P

Packet capture (p-cap): A file containing data packets intercepted from an interface or network

Packet sniffing: The practice of capturing and inspecting data packets across a network

Playbook: A manual that provides details about any operational action

Post-incident activity: The process of reviewing an incident to identify areas for improvement during incident handling

R

Recovery: The process of returning affected systems back to normal operations

Resilience: The ability to prepare for, respond to, and recover from disruptions

Root user (or superuser): A user with elevated privileges to modify the system

S

Search Processing Language (SPL): Splunk’s query language

Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization 

Security operations center (SOC): An organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks

Security orchestration, automation, and response (SOAR): A collection of applications, tools, and workflows that uses automation to respond to security events

Signature: A pattern that is associated with malicious activity

Signature analysis: A detection method used to find events interest

Standards: References that inform how to set policies

Sudo: A command that temporarily grants elevated permissions to specific users

Suricata: An open-source intrusion detection system and intrusion prevention system

T

tcpdump: A command-line network protocol analyzer

Telemetry: The collection and transmission of data for analysis

Threat hunting: The proactive search for threats on a network

Threat intelligence: Evidence-based threat information that provides context about existing or emerging threats

Triage: The prioritizing of incidents according to their level of importance or urgency

True negative: A state where there is no detection of malicious activity

True positive An alert that correctly detects the presence of an attack

V

VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content

W

Wildcard: A special character that can be substituted with any other character

Wireshark: An open-source network protocol analyzer

Y

YARA-L: A computer language used to create rules for searching through ingested log data

Zero-day: An exploit that was previously unknown

 

---