Auditing and Event Logs
Chronological records of events and actions. Sources include firewalls, IDS/IPS devices, proxy servers, operating systems, and databases
IOAs
Indicators of Attack. Behaviors or actions that suggest an attack is happening or is about to happen
IOCs
Indicators of Compromise. Evidence that a system may have been compromised
SIEM
Security Information and Event Management. Automation tool for real-time data capture, event correlation, analysis, and reporting
TIP
Threat Intelligence Platform. Automation tool that combines multiple threat intelligence feeds and integrates with existing SIEM feeds
UEBA
User and Entity Behavior Analytics. Automation tool that models the behavior of humans and machines to identify abnormal behavior
SOAR
Security Orchestration, Automation, and Response. Responds to alerts by triaging the data and taking remediation steps
SNMP
Simple Network Management Protocol. Allows administrators to monitor and manage network services. Provides a standardized framework; SNMP queries are GET requests
SNMP Agent
Modules installed on managed devices
Netflow
Cisco technology that monitors network traffic by analyzing flow data. Used for traffic analysis, capacity planning, bandwidth utilization, identifying malicious sources, and detecting anomalies
IPFIX
Industry-standard protocol based on Netflow that provides a vendor-agnostic format
Flow
Sequence of events that share common characteristics
SCAP
Security Content Automation Protocol. A collection of open standards developed by NIST to automate the process of managing and evaluating security in computers
CVE
Common Vulnerabilities & Exposures
CCE
Common Configuration Enumeration
CPE
Common Platform Enumeration
CVSS
Common Vulnerability Scoring System
OVAL
Open Vulnerability and Assessment Language
Incident Playbook
Set of instructions for planning the response to an attack
Threat Modeling
Process of anticipating threats
Escalation Thresholds
The point at which an incident or issue requires a higher level of response
IR Exercise- Walkthrough
Review plans and procedures for completeness. Objective: accuracy
IR Exercise- Tabletop
Scenario-based group workshop focused on the application of plans. Objectives: familiarity, coordination, accuracy
IR Exercise- Simulation
Scenario that simulates an actual event. Objective: readiness
Validation
Determining whether the incident has occurred, and the extent of the problem if it has
RCA
Root Cause Analysis
Direct Evidence
Supports the truth of an assertion directly
Circumstantial Evidence
Relies on an inference to connect it to a conclusion of fact, e.g. a fingerprint at a crime scene
eDiscovery
Electronic Discovery
Legal Hold
Order that suspends the alteration or deletion of digital data
Evidence Spoliation
Manipulating digital data
Admissibility of Evidence
Can it be used in court?
Weight of Evidence
Quality and completeness of evidence
Order of volatility
Principle of acquiring the most volatile evidence first, before it disappears
Volatile Data
Data that is easily lost or degraded
Evidentiary Chain
Chain of custody: chronological documentation of who handled the evidence, when, and why
GDPR
General Data Protection Regulation. EU regulation that has very stringent breach disclosure and notification requirements
Checksum
Value computed from data and used to detect errors or alteration
Cluster
Fixed-length blocks of disk space indexed in a table
Slack Space
Space between the end of a file and the end of its cluster
Unallocated (free) Space
Clusters that aren't allocated to a file
Carving
Process by which deleted files are recovered
Metadata
Data about data
ISAC
Information Sharing and Analysis Center
STIX
Structured Threat Information Expression. Standardized language developed by MITRE for describing cyber threat information
TAXII
Trusted Automated eXchange of Intelligence Information. Defines how cyber threat information is shared. Three models: Hub and Spoke, Source/Subscriber, and Peer-to-Peer