Glossary of Terms
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was used only for centralized domain management. However, Active Directory eventually became an umbrella title for a broad range of directory-based identity-related services.
An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes, often orchestrated by humans targeting a specific entity. APTs usually target organizations or nations for business or political motives and require a high degree of covertness over a long period of time. Each word of the name describes a component: advanced signifies sophisticated techniques, including custom malware, used to exploit vulnerabilities in systems; persistent suggests an external command-and-control infrastructure that continuously monitors and extracts data from the specific target; threat indicates human involvement in orchestrating the attack.
A blue team is a group of individuals who analyze information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and make certain that all security measures will continue to be effective after implementation.
Malicious use of bots is the coordination and operation of an automated attack on networked computers, such as a denial-of-service attack by a botnet. Internet bots are also used to commit click fraud and, more recently, as cheating bots in MMORPGs. A spambot is an internet bot that attempts to post large amounts of content on the Internet, usually adding advertising links. Malicious bots (and botnets) include the following types:
- Spambots that harvest email addresses from contact or guestbook pages
- Downloader programs that suck bandwidth by downloading entire web sites
- Web site scrapers that grab the content of web sites and re-use it without permission on automatically generated doorway pages
- Viruses and worms
- Botnets / zombie computers; etc.
A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation. Botnets are typically built from computers whose security defenses have been breached and whose control has been conceded to a third party. Each such compromised device, known as a "bot," is created when a computer is penetrated by software from a malware (malicious software) distribution. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as IRC and Hypertext Transfer Protocol (HTTP).
Bring your own device (BYOD)—also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC)—refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications.
Cloud Infrastructure Entitlement Management (CIEM)
CIEM solutions manage identities and access privileges to cloud and multi-cloud infrastructure and services.
Cloaking is the ability to hide critical data, Active Directory objects, credentials, storage locations and accounts from unauthorized view.
Information systems commonly use credentials to control access to information or other resources. The classic combination of a user's account number or name and a secret password is a widely used example of IT credentials. An increasing number of information systems use other forms of credentials, such as biometrics (fingerprints, voice recognition, retinal scans), X.509 public-key certificates, and so on.
A botnet's originator (known as a "bot herder" or "bot master") controls the group remotely, usually through an IRC server, and often for criminal purposes. The server that relays the operator's instructions to the bots is known as the command-and-control (C&C) server. Though rare, more experienced botnet operators write command protocols from scratch. These consist of a server program, a client program for operation, and the program that embeds the client on the victim's machine. These communicate over a network, using a custom encryption scheme for stealth and protection against detection or intrusion into the botnet.
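Bots check in with their C&C server on a schedule, and that regularity is one of the few things a custom protocol cannot hide on the wire. The following is an added example (not code from the original page or from any product it describes) that flags "beaconing" in constructed flow records: for each source/destination pair it measures how evenly spaced the connections are, using the coefficient of variation of the inter-arrival gaps. The flow records, thresholds, and addresses (documentation ranges) are all assumptions made for the example.

```python
"""Beacon detection over constructed flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch seconds, source host, destination ip:port).
# 10.0.0.5 -> 203.0.113.7 connects every ~60 s with small jitter (a check-in);
# 10.0.0.9 -> 198.51.100.20 is irregular, like a user browsing.
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "203.0.113.7:443"),
    (1061, "10.0.0.5", "203.0.113.7:443"),
    (1119, "10.0.0.5", "203.0.113.7:443"),
    (1180, "10.0.0.5", "203.0.113.7:443"),
    (1241, "10.0.0.5", "203.0.113.7:443"),
    (1299, "10.0.0.5", "203.0.113.7:443"),
    (1003, "10.0.0.9", "198.51.100.20:443"),
    (1010, "10.0.0.9", "198.51.100.20:443"),
    (1150, "10.0.0.9", "198.51.100.20:443"),
    (1152, "10.0.0.9", "198.51.100.20:443"),
    (1400, "10.0.0.9", "198.51.100.20:443"),
    (1402, "10.0.0.9", "198.51.100.20:443"),
]


def find_beacons(flows, min_connections=5, max_cv=0.2):
    """Return {(src, dst): (mean_gap_seconds, cv)} for pairs whose
    inter-arrival gaps are regular enough to look like a C&C check-in.

    cv is the population standard deviation of the gaps divided by their
    mean; a real beacon with mild jitter sits well below 0.2, while human
    traffic is usually above 1.0.  Thresholds are assumed, not tuned.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[pair] = (round(avg, 1), round(cv, 3))
    return beacons


if __name__ == "__main__":
    for (src, dst), (avg, cv) in find_beacons(SAMPLE_FLOWS).items():
        print(f"possible beacon {src} -> {dst}: every {avg}s (cv={cv})")
```

Legitimate software (update checks, monitoring agents) beacons too, so a hit is a lead for triage against an allowlist of known agents and destinations, not an alert on its own.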
Deception and concealment technologies offer visibility, misdirection, and early detection of in-network threats that have successfully evaded perimeter defenses. They project decoys that mimic production assets, hide and deny ("cloak") sensitive or critical data and Active Directory (AD) objects from unauthorized access, and seed lures leading to decoys at the endpoint to obfuscate the attack surface.
Endpoint Detection & Response (EDR)
Endpoint detection and response (EDR) is a system to gather and analyze security threat-related information from computer workstations and other endpoints, with the goal of finding security breaches as they happen and facilitating a quick response to discovered or potential threats.
An entitlement explicitly lists (describes) the resources a user is allowed to access. It varies with business context. Entitlements are derived by applying authorization rules (restrictions) to the available data.
Extended Detection and Response (XDR)
As defined by Gartner Research, Extended Detection and Response (XDR) is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.”
XDR enables an enterprise to go beyond typical detective controls by providing a holistic yet simpler view of threats across the entire technology landscape. XDR delivers the real-time information needed to respond to threats to business operations for better, faster outcomes. XDR is a logical evolution of endpoint detection and response (EDR) solutions into a primary incident response tool.
A honeypot is a trap set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. This is similar to the police baiting a criminal and then conducting undercover surveillance.
Identity Detection & Response (IDR)
Identity Detection and Response is an industry category that includes the ability to detect credential theft, privilege misuse, attacks on Active Directory, and risky entitlements that create attack paths. IDR solutions are specifically about protecting identities, entitlements, and the systems that manage them.
Identity Access Management (IAM)
IAM focuses on managing identities, from general workforce users through to customers, and controlling the access and experience that those users are granted within an application.
Lateral movement refers to the techniques that a cyberattacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets.
A penetration test, or pen test, is an attempt to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities.
Privileged access management (PAM)
Privileged access management (PAM) consists of the cybersecurity strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes, and systems across an IT environment.
Ransomware is malware designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, this malware places organizations in a position where paying the ransom appears to be the easiest and cheapest way to regain access to their files. Tested, offline backups are the usual way to avoid being put in that position.
A red team is a group that plays the role of an enemy or competitor and provides security feedback from that perspective. Red teams are used in many fields, especially in cybersecurity, airport security, the military, and intelligence agencies.
In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code or untrusted programs from unverified third parties, suppliers, untrusted users, and untrusted websites. The sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and in memory. Network access, the ability to inspect the host system, and reading from input devices are usually disallowed or heavily restricted. In this sense, sandboxes are a specific example of virtualization. Sandboxing technology is frequently used to test unverified programs that may contain a virus or other malicious code without allowing the software to harm the host device.
An IP address on the whitelist (allowlist) instructs the system to ignore all traffic from that address, so no alerts are raised for it. Entries should be as narrow as possible: every whitelisted address or range is a blind spot the system will never report on.
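Honeypots and decoys have no legitimate users, so every touch is worth an alert except those from sources the whitelist tells the system to ignore, and a whitelist range that is too wide silently hides real probes. The following is an added example (not code from the original page or from any product it describes) that serves both the honeypot and the whitelist entries above: it triages constructed decoy-touch events against a CIDR allowlist and flags allowlist entries broad enough to be a blind spot. The event format, decoy names, the /24-sized "too broad" limit, and all addresses are assumptions made for the example.

```python
"""Decoy-touch alerting with an IP allowlist (added example)."""
import ipaddress

# Constructed decoy events: (source IP, decoy name, destination port).
# 10.0.99.10 is the authorised vulnerability scanner; the others are
# hosts that have no business talking to a decoy at all.
SAMPLE_DECOY_EVENTS = [
    ("10.1.5.23", "decoy-fileserver", 445),
    ("10.0.99.10", "decoy-fileserver", 445),
    ("10.0.99.10", "decoy-db", 1433),
    ("10.1.5.23", "decoy-db", 1433),
    ("10.1.7.8", "decoy-web", 80),
]


def build_allowlist(entries):
    """Parse CIDR strings (or bare addresses) into network objects.
    ipaddress raises ValueError on malformed input, which is what we want:
    a typo must not silently become an empty or huge exception."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def overly_broad(allowlist, max_hosts=256):
    """Allowlist entries covering more than max_hosts addresses (assumed
    limit: anything wider than a /24).  Each one is a region of the network
    the decoys will never report on."""
    return [str(net) for net in allowlist if net.num_addresses > max_hosts]


def is_allowlisted(ip, allowlist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def triage(events, allowlist):
    """Return (alerts, suppressed).  Alerts are grouped by source so one
    host sweeping several decoys shows up as a single incident."""
    alerts, suppressed = {}, []
    for src, decoy, port in events:
        if is_allowlisted(src, allowlist):
            suppressed.append((src, decoy, port))
            continue
        alerts.setdefault(src, []).append((decoy, port))
    return alerts, suppressed


if __name__ == "__main__":
    allowlist = build_allowlist(["10.0.99.10/32"])
    alerts, suppressed = triage(SAMPLE_DECOY_EVENTS, allowlist)
    for src, touches in alerts.items():
        print(f"ALERT {src} touched {len(touches)} decoy(s): {touches}")
    print(f"suppressed {len(suppressed)} event(s) from allowlisted sources")
    for net in overly_broad(build_allowlist(["10.0.0.0/8"])):
        print(f"WARNING allowlist entry {net} is a blind spot")
```

Whitelisting the scanner as a single /32 keeps the two workstation probes visible; whitelisting the whole 10.0.0.0/8, as an operator might do to quiet a noisy scanner, suppresses every event in the sample, including the real ones.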