Terms and definitions from Course 6
A
Advanced persistent threat (APT): An instance when a threat actor maintains unauthorized access to a system for an extended period of time
Analysis: The investigation and validation of alerts
Anomaly-based analysis: A detection method that identifies abnormal behavior by comparing observed activity against a baseline of what is normal
Array: A data type that stores data in a comma-separated ordered list
B
Broken chain of custody: Inconsistencies in the collection and logging of evidence in the chain of custody
Business continuity plan (BCP): A document that outlines the procedures to sustain business operations during and after a significant disruption
C
Chain of custody: The process of documenting evidence possession and control during an incident lifecycle
Command and control (C2): The techniques used by malicious actors to maintain communications with compromised systems
Command-line interface (CLI): A text-based user interface that uses commands to interact with the computer
Common Event Format (CEF): A log format that uses key-value pairs to structure data and identify fields and their corresponding values
Computer security incident response team (CSIRT): A specialized group of security professionals that is trained in incident management and response
Configuration file: A file used to configure the settings of an application
Containment: The act of limiting and preventing additional damage caused by an incident
Crowdsourcing: The practice of gathering information using public collaboration
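Worked example (added here; it is not part of the course glossary): a small Python parser for the Common Event Format entry above, which also shows the key-value pair structure of the CEF extension field. The two sample lines are constructed for illustration; the extension field names (src, dst, spt, suser, msg) follow the usual CEF conventions, and the syslog-style prefix on the second line is assumed.

```python
"""Parse Common Event Format (CEF) lines into the seven header fields and the
key-value pairs of the extension.  Added example; sample lines are constructed."""
import re

CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# Constructed sample records.  The second one carries a syslog-style prefix,
# an escaped pipe inside the product name and an escaped '=' inside msg.
SAMPLE_LINES = [
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|"
    "src=10.0.0.1 dst=2.1.2.2 spt=1232",
    "Sep 29 08:26:10 host CEF:0|ExampleVendor|Example\\|Product|2.1|1001|"
    "Suspicious login|7|suser=jdoe src=203.0.113.5 msg=path\\=/etc/shadow read by user",
]

# A key starts at the beginning of the extension or after whitespace and is
# followed by an unescaped '='; an escaped "\=" inside a value does not match.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][\w.]*)=")
_ESCAPE_RE = re.compile(r"\\(.)")


def _split_header(record):
    """Split the pipe-delimited header, honouring the backslash escapes CEF
    allows for the pipe and the backslash inside header fields.
    Returns (seven fields, extension text)."""
    fields, current, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):   # escaped character: keep it literally
            current.append(record[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF record has fewer than seven header fields")
    return fields, record[i:]


def _unescape(value):
    # CEF escapes '=' and the backslash with a backslash; \n and \r denote line breaks.
    return _ESCAPE_RE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(text):
    """Turn 'k1=v1 k2=v2 ...' into a dict; a value may contain spaces because
    it runs until the next 'key=' token."""
    keys = list(_KEY_RE.finditer(text))
    extension = {}
    for n, match in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(text)
        extension[match.group(1)] = _unescape(text[match.end():end].strip())
    return extension


def parse_cef(line):
    """Parse one log line; anything before 'CEF:' (a syslog prefix) is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    fields, extension_text = _split_header(line[start:].rstrip("\r\n"))
    header = dict(zip(CEF_HEADER_FIELDS, fields))
    header["version"] = header["version"][len("CEF:"):]
    if header["severity"].isdigit():        # CEF allows 0-10 or Low/Medium/High/Very-High
        header["severity"] = int(header["severity"])
    return {"header": header, "extension": _parse_extension(extension_text)}


def high_severity_sources(lines, threshold=7):
    """Return the src field of every event at or above a numeric severity."""
    sources = []
    for line in lines:
        event = parse_cef(line)
        severity = event["header"]["severity"]
        if isinstance(severity, int) and severity >= threshold:
            sources.append(event["extension"].get("src"))
    return sources


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_cef(sample))
    print(high_severity_sources(SAMPLE_LINES))
```

The header is split character by character rather than with a plain split on "|" because CEF lets a product name or event name contain an escaped pipe; the extension is split on key tokens rather than on spaces because a value such as msg routinely contains spaces.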
D
Data exfiltration: Unauthorized transmission of data from a system
Data packet: A basic unit of information that travels from one device to another within a network
Detection: The prompt discovery of security events
Documentation: Any form of recorded content that is used for a specific purpose
E
Endpoint: Any device connected to a network
Endpoint detection and response (EDR): An application that monitors an endpoint for malicious activity
Eradication: The complete removal of the incident elements from all affected systems
Event: An observable occurrence on a network, system, or device
F
False negative: A state where the presence of a threat is not detected
False positive: An alert that incorrectly detects the presence of a threat
Final report: Documentation that provides a comprehensive review of an incident
H
Honeypot: A decoy system or resource that is deliberately left vulnerable to attack in order to attract potential intruders and observe their activity
Host-based intrusion detection system (HIDS): An application that monitors the activity of the host on which it’s installed
I
Incident: An occurrence that actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system; or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies
Incident handler’s journal: A form of documentation used in incident response
Incident response plan: A document that outlines the procedures to take in each step of incident response
Indicators of attack (IoA): The series of observed events that indicate a real-time incident
Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security incident
Internet Protocol (IP): A set of standards used for routing and addressing data packets as they travel between devices on a network
Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions
Intrusion prevention system (IPS): An application that monitors system activity for intrusive activity and takes action to stop the activity
K
Key-value pair: A set of data that represents two linked items: a key, and its corresponding value
L
Lessons learned meeting: A meeting that includes all involved parties after a major incident
Log analysis: The process of examining logs to identify events of interest
Log management: The process of collecting, storing, analyzing, and disposing of log data
Logging: The recording of events occurring on computer systems and networks
M
Media Access Control (MAC) Address: A unique alphanumeric identifier assigned to each physical network interface (NIC) of a device on a network
N
National Institute of Standards and Technology (NIST) Incident Response Lifecycle: A framework for incident response consisting of four phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-incident activity
Network-based intrusion detection system (NIDS): An application that collects and monitors network traffic and network data
Network data: The data that’s transmitted between devices on a network
Network Interface Card (NIC): Hardware that connects computers to a network
Network protocol analyzer (packet sniffer): A tool designed to capture and analyze data traffic within a network
Network traffic: The amount of data that moves across a network
O
Object: A data type that stores data in a comma-separated list of key-value pairs
Open-source intelligence (OSINT): The collection and analysis of information from publicly available sources to generate usable intelligence
P
Packet capture (p-cap): A file containing data packets intercepted from an interface or network
Packet sniffing: The practice of capturing and inspecting data packets across a network
Playbook: A manual that provides details about any operational action
Post-incident activity: The process of reviewing an incident to identify areas for improvement during incident handling
R
Recovery: The process of returning affected systems back to normal operations
Resilience: The ability to prepare for, respond to, and recover from disruptions
Root user (or superuser): A user with elevated privileges to modify the system
S
Search Processing Language (SPL): Splunk’s query language
Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization
Security operations center (SOC): An organizational unit dedicated to monitoring networks, systems, and devices for security threats or attacks
Security orchestration, automation, and response (SOAR): A collection of applications, tools, and workflows that uses automation to respond to security events
Signature: A pattern that is associated with malicious activity
Signature analysis: A detection method that finds events of interest by matching activity against known signatures
Standards: References that inform how to set policies
Sudo: A command that temporarily grants elevated permissions to specific users
Suricata: An open-source intrusion detection system and intrusion prevention system
T
tcpdump: A command-line network protocol analyzer
Telemetry: The collection and transmission of data for analysis
Threat hunting: The proactive search for threats on a network
Threat intelligence: Evidence-based threat information that provides context about existing or emerging threats
Triage: The prioritizing of incidents according to their level of importance or urgency
True negative: A state where no malicious activity is present and no alert is raised
True positive: An alert that correctly detects the presence of an attack
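Worked example (added here; it is not part of the course glossary) that puts the signature analysis and anomaly-based analysis entries, and the true/false positive and negative entries, into code. The login events, the two signatures and the failed-login baseline are all constructed for illustration; every verdict is scored against a ground-truth label so the four outcomes can be counted.

```python
"""Signature-based versus anomaly-based detection over constructed login events,
scored as true/false positives and negatives against known ground truth.
Added example; the log lines, signatures and baseline are all constructed."""
import re
from collections import Counter

# Constructed events: (log line, is the activity actually malicious?).
# carol mistypes her password several times; 203.0.113.9 runs a known scanner;
# 192.0.2.44 sprays logins with an ordinary client and matches no signature.
SAMPLE_EVENTS = [
    ("src=198.51.100.7 user=alice result=success ua=Mozilla/5.0", False),
    ("src=198.51.100.7 user=alice result=fail ua=Mozilla/5.0", False),
    ("src=198.51.100.8 user=carol result=fail ua=Mozilla/5.0", False),
    ("src=198.51.100.8 user=carol result=fail ua=Mozilla/5.0", False),
    ("src=198.51.100.8 user=carol result=fail ua=Mozilla/5.0", False),
    ("src=198.51.100.8 user=carol result=fail ua=Mozilla/5.0", False),
    ("src=198.51.100.8 user=carol result=success ua=Mozilla/5.0", False),
    ("src=203.0.113.9 user=admin result=fail ua=sqlmap/1.7", True),
    ("src=203.0.113.9 user=admin result=fail ua=sqlmap/1.7", True),
    ("src=192.0.2.44 user=bob result=fail ua=curl/8.0", True),
    ("src=192.0.2.44 user=root result=fail ua=curl/8.0", True),
    ("src=192.0.2.44 user=test result=fail ua=curl/8.0", True),
    ("src=192.0.2.44 user=guest result=fail ua=curl/8.0", True),
    ("src=192.0.2.44 user=oracle result=fail ua=curl/8.0", True),
    ("src=192.0.2.44 user=admin result=success ua=curl/8.0", True),
]

# Signatures: patterns assumed to be associated with malicious activity.
SIGNATURES = [
    ("known scanner user agent", re.compile(r"\bua=sqlmap")),
    ("known malicious source", re.compile(r"\bsrc=203\.0\.113\.9(?!\d)")),
]

# Baseline for anomaly-based analysis (assumed): legitimate users are not
# expected to fail more than this many logins within the window.
FAILED_LOGIN_BASELINE = 3


def field(line, key):
    """Pull one key=value field out of a log line."""
    match = re.search(rf"\b{key}=(\S+)", line)
    return match.group(1) if match else None


def signature_matches(line):
    """Signature analysis: names of every signature that matches the line."""
    return [name for name, pattern in SIGNATURES if pattern.search(line)]


def anomalous_sources(lines, baseline=FAILED_LOGIN_BASELINE):
    """Anomaly-based analysis: sources whose failed-login count exceeds the baseline."""
    failures = Counter(field(line, "src") for line in lines
                       if field(line, "result") == "fail")
    return {src for src, count in failures.items() if count > baseline}


def detect(lines, use_signatures=True, use_anomaly=True):
    """Flag each line if a signature matches it or its source behaves anomalously."""
    suspicious = anomalous_sources(lines) if use_anomaly else set()
    return [
        (use_signatures and bool(signature_matches(line))) or field(line, "src") in suspicious
        for line in lines
    ]


def score(flags, truth):
    """Count true/false positives and negatives for a list of verdicts."""
    outcome = {"TP": 0, "FP": 0, "TN": 0, "FN": 0}
    for flagged, malicious in zip(flags, truth):
        key = ("T" if flagged == malicious else "F") + ("P" if flagged else "N")
        outcome[key] += 1
    return outcome


def evaluate(events, **options):
    lines = [line for line, _ in events]
    truth = [malicious for _, malicious in events]
    return score(detect(lines, **options), truth)


if __name__ == "__main__":
    print("signature only:", evaluate(SAMPLE_EVENTS, use_anomaly=False))
    print("anomaly only:  ", evaluate(SAMPLE_EVENTS, use_signatures=False))
    print("both:          ", evaluate(SAMPLE_EVENTS))
```

On this data the signatures alone produce no false positives but miss the whole password spray from 192.0.2.44 (six false negatives), while the anomaly rule alone catches the spray but flags carol's repeated typos (five false positives) and misses the scanner, which fails too few times to cross the baseline. Running both together removes the false negatives at the cost of keeping the anomaly rule's false positives, which is the trade-off an analyst tunes the baseline against.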
V
VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content
W
Wildcard: A special character that stands in for any other character or sequence of characters in a search pattern
Wireshark: An open-source network protocol analyzer
Y
YARA-L: A computer language used to create rules for searching through ingested log data
Z
Zero-day: An exploit that targets a vulnerability previously unknown to the vendor and defenders, so no patch or signature exists for it yet