Isaiah Voiland-
Auditing and Event Logs
Chronological records of events and actions. Sources include firewalls, IDS/IPS devices, proxy servers, OS, and databases
-
IOAs
Indicators of Attacks. Behaviors or actions that suggest an attack that is happening or is about to happen
-
IOCs
Indicators of Compromise. Evidence that a system may have been compromised
-
SIEM
Security Information and Event Management. Automation tool for real-time data capture event correlation analysis and reporting
-
TIP
Threat Intelligence Platform. Automation tool that combines multiple threat intelligence feeds and integrates with existing SIEM feeds
-
UEBA
User and Entity Behavior Analytics. Automation tool that models the behavior of humans and machines to identify abnormal behavior
-
SOAR
Security Orchestration, Automation, and Response. Responds to the alerts, triaging the data, and taking retaliation steps.
-
SNMP
Simple Network Management Protocol. Allows administrators to monitor and manage network services. Provides a standardized framework, SNMP queries are GET requests
-
SNMP Agent
Modules installed on managed devices
-
Netflow
Cisco device that monitors network traffic and data by analyzing flow data. Is used for traffic analysis, capacity planning, bandwith utilization, malocious sources, detect anomalies.
-
IPFIX
Industry standard protocol based on Netflow to give a vendor-agnostic format
-
Flow
Sequence of events that share common characteristics
-
SCAP
Security Content Automation Tool. A collection of open standards developed by NIST to automate the process of managing and evaluating security in computers.
-
CVE
Common Vulnerabilities & Exposures
-
CCE
Common Configuration Enumeration
-
CPE
Common Platform Enumeration
-
CVSS
Common Vulnerability Scoring System
-
OVAL
Open Vulnerability and Assessment Language
-
Incident Playbook
Set of Instructions for planning for an attack
-
Threat Modeling
Process of anticipating threats
-
Escalation Thresholds
The point which an incident or issue requires a higher level of response
-
IR Exercise- Walkthrough
Review plans & procedures for completeness. Obj- accuracy
-
IR Exercise- Tabletop
Scenario based group worship focused on the application of plans. Obj- familiarity, coordination, accuracy
-
IR Exercise- Simulation
Scenario that simulates actual event. Obj- readiness
-
Validation
If the incident has occurred, and the extent of the problem if it has
-
RCA
Root Cause Analysis
-
Direct Evidence
Supports the truth of an assertion directly
-
Circumstantial Evidence
Relieds on an inference to connect it to a conclusion of fact. IE a fingerprint on a crime scene
-
eDiscovery
Electronic Discovery
-
Legal Hold
Order that suspends changing digital data
-
Evidence Spoilation
Manipulating digital data
-
Admissibility of Evidence
Can it be used in court?
-
Weight of Evidence
Quality and completeness of evidence
-
Order of volatility
Acquisition of evidence before it disappears
-
Volatile Data
Data that is easily degradable
-
Evidentiary Chain
Chain of custody- chronological documentation
-
GDPR
General Data Protection Regulation. EU regulation that has very stringent breach disclosure and notification requirements
-
Checksum
Value to detect errors
-
Cluster
Fixed length blocks of disk space indexed in a table
-
Slack Space
Space between the end of file and end of cluster
-
Unallocated (free) Space
Clusters that aren't allocated to a file
-
Carving
Process by which deleted files are recovered
-
Metadata
Data about data
-
ISAC
Information Sharing and Analysis Center
-
STIX
Structured Threat Information Expression. Standardized language developed by MITRE for describing cyber threat info
-
TAXII
Trusted Automated eXchange of Intelligence Information. Defines shared cyber info. 3 models: Hub & Space, Source, and Peer-To-Peer
