Glossary
This glossary provides precise, ISO 11179-compliant definitions for key terms used throughout this textbook on cybersecurity incident response.
A
Advanced Persistent Threat (APT): A sophisticated, sustained cyber attack campaign conducted by well-resourced adversaries targeting specific organizations or sectors to steal information or disrupt operations over an extended period.
Anomaly Detection: The identification of patterns in data that deviate significantly from expected baseline behavior, used in security systems to detect potentially malicious activity.
Antivirus (AV): Software designed to detect, prevent, and remove malicious software using signature-based and heuristic detection methods.
B
Backdoor: A method of bypassing normal authentication or encryption in a computer system, often installed by malware to provide persistent unauthorized access.
Behavioral Analysis: The examination of actions, processes, or network activity to identify suspicious patterns indicative of security threats, rather than relying solely on known signatures.
Brute Force Attack: An attack method that systematically attempts all possible combinations of passwords or encryption keys until the correct one is discovered.
C
Chain of Custody: The documented chronological record of the collection, transfer, control, analysis, and disposition of evidence, ensuring its integrity for legal proceedings.
Command and Control (C2): Infrastructure used by adversaries to communicate with and control compromised systems within a target network.
Common Vulnerabilities and Exposures (CVE): A standardized identifier for known security vulnerabilities in software and firmware, maintained by the MITRE Corporation.
Common Vulnerability Scoring System (CVSS): An industry-standard framework for assessing and communicating the severity of software security vulnerabilities using numerical scores from 0 to 10.
Containment: Actions taken to limit the scope and impact of a security incident by isolating affected systems and preventing further spread or damage.
Credential Dumping: The extraction of account login credentials (usernames and passwords) from operating system memory or storage, often using specialized tools.
D
Data Breach: An incident where sensitive, protected, or confidential information is accessed, disclosed, or stolen by unauthorized individuals.
Data Exfiltration: The unauthorized transfer of data from a computer system to an external location controlled by adversaries.
Denial of Service (DoS): An attack that disrupts the availability of a system or network resource by overwhelming it with excessive requests or malformed traffic.
Distributed Denial of Service (DDoS): A denial of service attack executed using multiple compromised systems coordinated to target a single victim.
Digital Forensics: The application of scientific investigation techniques to identify, collect, preserve, analyze, and present digital evidence from computer systems and networks.
E
Endpoint Detection and Response (EDR): A security technology that continuously monitors endpoint devices to detect, investigate, and respond to cyber threats in real time.
Eradication: The phase of incident response focused on completely removing threat actors, malware, and unauthorized access from compromised systems.
Exploit: A piece of software, data, or sequence of commands that takes advantage of a vulnerability to cause unintended behavior in computer systems.
F
False Positive: A security alert or detection that incorrectly identifies benign activity as malicious, requiring analyst time to investigate and dismiss.
Firewall: A network security system that monitors and controls incoming and outgoing traffic based on predetermined security rules.
Forensic Analysis: The detailed examination of digital evidence to determine what happened during a security incident, how it occurred, and who was responsible.
I
Incident: A violation or imminent threat of violation of computer security policies that compromises the confidentiality, integrity, or availability of information assets.
Incident Response (IR): The organized approach to preparing for, detecting, analyzing, containing, eradicating, and recovering from cybersecurity incidents.
Indicator of Compromise (IOC): Forensic artifacts or observable evidence suggesting that a system has been breached or is under attack.
Intrusion Detection System (IDS): A security technology that monitors network or system activities for malicious actions or policy violations and produces alerts.
Intrusion Prevention System (IPS): A security technology that monitors network traffic and can automatically block detected threats in real time.
K
Kill Chain: A model describing the sequential stages of a cyber attack from reconnaissance through data exfiltration, used to understand and disrupt adversary operations.
L
Lateral Movement: The techniques adversaries use to progressively move through a network after initial compromise, searching for key assets and data.
Living off the Land: Attack techniques that use legitimate system tools and features already present in the target environment to avoid detection.
Logs: Records of events, activities, and transactions generated by computer systems, applications, and security devices, used for monitoring and investigation.
M
Malware: Software intentionally designed to cause damage, disruption, or unauthorized access to computer systems, including viruses, worms, trojans, and ransomware.
Mean Time to Detect (MTTD): The average time elapsed between the occurrence of a security incident and its detection by security systems or personnel.
Mean Time to Respond (MTTR): The average time from incident detection to initial containment actions being executed.
MITRE ATT&CK: A globally accessible knowledge base of adversary tactics and techniques based on real-world observations, used for threat modeling and detection.
P
Payload: The component of malware that performs the malicious action, such as deleting files, stealing data, or encrypting systems.
Penetration Testing: Authorized simulated cyber attacks conducted to evaluate the security of systems and identify vulnerabilities before adversaries can exploit them.
Persistence: Techniques adversaries use to maintain access to systems across restarts, credential changes, and other interruptions.
Phishing: A social engineering attack that uses fraudulent emails, messages, or websites to trick individuals into revealing sensitive information or installing malware.
Privilege Escalation: The exploitation of vulnerabilities, misconfigurations, or design flaws to gain elevated access rights beyond what was initially granted.
R
Ransomware: Malware that encrypts victim data or locks systems and demands payment for restoration of access.
Recovery: The incident response phase focused on restoring affected systems to normal operations and validating that security has been restored.
Rootkit: Malicious software designed to provide continued privileged access to a system while actively hiding its presence from security tools and administrators.
S
Sandboxing: The execution of untrusted programs or files in an isolated environment to analyze behavior without risking production systems.
Security Information and Event Management (SIEM): A security solution that aggregates, correlates, and analyzes log data from multiple sources to detect security threats and support incident response.
Security Operations Center (SOC): A centralized facility staffed by security professionals who monitor, detect, analyze, and respond to cybersecurity incidents.
Security Orchestration, Automation, and Response (SOAR): Technologies that enable organizations to automate incident response workflows, integrate security tools, and improve response efficiency.
Social Engineering: Psychological manipulation of individuals to divulge confidential information, perform actions, or compromise security controls.
SQL Injection: An attack technique that inserts malicious SQL statements into application input fields to manipulate database queries and access unauthorized data.
T
Tactics, Techniques, and Procedures (TTPs): The patterns of activities and methods associated with specific threat actors, including their approach, tools, and operational behaviors.
Threat Hunting: The proactive and iterative searching through networks and datasets to detect threats that evade existing automated security solutions.
Threat Intelligence: Evidence-based knowledge about existing or emerging threats that informs decisions regarding response and defensive measures.
Triage: The process of assessing and prioritizing security alerts and incidents based on severity, business impact, and available resources.
Trojan: Malware disguised as legitimate software that provides unauthorized access or performs malicious actions without user knowledge.
V
Vulnerability: A weakness in software, hardware, or procedures that could be exploited to cause harm, disclose information, or compromise system integrity.
Vulnerability Management: The systematic identification, evaluation, prioritization, and remediation of security vulnerabilities in an organization's systems and applications.
Z
Zero-Day: A previously unknown vulnerability in software or hardware that is exploited by adversaries before vendors have developed and distributed patches.
Zero Trust Architecture: A security model based on the principle of "never trust, always verify," requiring strict identity verification for every person and device attempting to access resources.
Definitions compiled following ISO 11179 metadata standards emphasizing precision, conciseness, and non-circularity.