Glossary
0-day: An exploit used by the attackers before the vulnerability is known to the defender. They are expensive on the black market. Typical malware does not need 0-days. As many users do not patch their systems.
ABAC: Attribute based access control. A logic decides based on attributes of different objects (subject, resource, action, environment) if access is permitted.
Adware: Malware that shows Ads. As the Ad ecosystem generates money for viewed Ads this is how attackers convert infections to money
Amplification attacks: Are attacks where a 3rd party is used to attack the target with amplified bandwidth. Services emitting more data than they receive are vulnerable. Often uses stateless protocols like UDP because the initiator is different from the victim.
Anycast: Servers share the same IP address. The client connects to the closest one. Relevant if only one of them is hacked and serves malware…
Approved List: A list of url/hashes/… that got approved as being harmless
APT: Advanced Persistent Threat. Advanced malware. Often government backed. Or just very advanced malware.
ASLR: Mitigation strategy to load code into random areas of the memory. Makes writing of exploits harder
ASVS: Application Security Verification Standard: This OWASP project lists different ways to verify the security of an application.
Backdoor: A constructed way for an attacker to connect to a vulnerable system and execute code
Beacon: The C2 server on the public internet which is contacted by the implants on the victims local network. Connection is usually done in a regular interval. Depending on the malware this can be from minuets to months. Using this short beacon messages the implant fetches new instructions
Blacklist: Deprecated, see “Block List”
Block List: A list of items like URLs, hashes, … that trigger a blocking
BLE: Bluetooth Low Energy
BLE Characteristic: Value + Descriptor
BLE GAP: Advertisements, connection handling, defining device roles in communication
BLE GATT: Organizes the data offered by the device
BLE L2CAP: Encapsulating data into packets
BLE Service: Several Characteristics combined create a service. A default service for BLE would contain device information
BLE Profile: Profiles combine several services. They standardize specific device classes
Bot: An infected machine that can be remote controlled by the attacker
Botnet: Infected machines centrally controlled by the attacker using a C&C
Bug: Error made in the programming phase. Not all bugs are vulnerabilities
Campaign: Malware campaigns are events where a malware actor spreads malware by phishing, infected sites, … As malware is a business with division of work, one malware type can be spread by different actors in separate campaigns in parallel
Canary: A trigger that will alert in an intrusion attempt. Code canaries for example are values in the code that trigger when being overwritten
CAPEC / Common Attack Pattern Enumeration and Classification: A MITRE taxonomy for attack patterns. https://capec.mitre.org/
C&C aka C2: Command and Control server. Central control over a botnet
Class break: A Class break is a vulnerability that breaks the whole device class. Instead of just one single device. Example: Same master key on all devices leaks
CORS/ Cross-origin-resource-sharing: Mechanism to define exceptions for the SOP (Same-origin-policy) in the HTTP header
CERT: Computer Emergency Response Team. Handles security breaches in organisations or nations.
Command injection: If the attacker is able to inject a command to the system shell (and the data is not sanitized) this is a command (line) injection. See OWASP
Common Platform Enumeration: A unique ID for software products, can be used to query vulnerability databases and software asset management
CRITs / Collaborative Research Into Threats Threat intelligence sharing platform by MITRE. See TIP. https://crits.github.io/
CSRF aka XSRF - Cross site request forgery: The attacker tricks the user to issue a HTTP requests on a site where the user has an open session. This HTTP request triggers an action on the server on behalf of the user.
Dark Web: Intentionally hidden parts of the web. Most common TOR pages
DAST: Dynamic Application Security Testing. Testing by executing the program in a special test harness. Maybe compiler flags like ASan
Deep Packet Inspection: A filter looks into the deeper layers of packets. Complex, and causes issues with encrypted data. Better don’t do it.
Deep Web: Parts of the web, that is not indexed by search engines (intranets, everything behind a login, ….)
Dedik: Stolen RDP access to a windows server. Used as first step for Ransomware attacks (2020: 70% of Ransomware attacks started that way). Dedik = Dedicated server
DEP: Data execution prevention. Parts of the memory are marked as non-execute (=NX)
DFIR: Digital forensics and incident response
DGA / Domain generation Algorithm: An malware algorithm generating domain names based on a counter/time to connect to.
Differential privacy: Is a way to collect statistical data on clients/users without compromising the privacy of specific users
Domain Flux: Way to hide C&C servers. A domain name generator creates changing domain names
DOS: Denial Of Service - Attack that exhausts resources of the target (CPU, memory, network, storage)
DDOS: Distributes DOS - Attack is done by many systems in parallel
DNG / Domain Name Generator: Part of a malicious script generating possible URLs for C&C servers by time. By registering some of them the attacker can reduce take downs and still get connecting bots.
DTLS: Datagram TLS - TLS for short UDP messages (see: IoT)
DVA / Damn Vulnerable Application (Also: Damn Vulnerable Web application): A insecure application to train hacking on or test tools
Dynamite phishing: Automated spear phishing. The malware silently collects mail communication to later fake new phishing mails for new victims
EDR /Endpoint Detection and Response: Endpoint protection with a deeper analysis system and an array of potential responses to attacks
ELF: Linux executable file format
EMET: Enhanced Mitigation Experience Toolkit for Windows hardening. Now integrated into Windows Defender Exploit Guard
EPP / End Point Protection: Passive Endpoint protection
Evercookies: Are snippets stored in the browser like cookies. Storage is JavaScript Local storage, Flash storage, … hard to delete those data snippets. AKA Zombie Cookies
Exploit: Attack on a vulnerability
Exploit Kit: A ready to run malware spreading tool. Normally uses infected web pages to spread the exploit.
Fast Flux: Using Round-Robin DNS to hide a C&C server. One URL gets multiple IPs that way.
Flaw: Error made in the design phase. Not all flaws are vulnerabilities
FP: False Positive. A harmless URL or file is detected as malicious
Firewall: Network filter. Can reduce allowed traffic on a network connection. Smarter firewalls can maintain some state and decided based on who initiated a connection - internal or external computer ?
Heap Spraying: Loading the exploit code several times into different memory areas. Also uses NOP slides
Honeypot: A Honeypot is a simulated vulnerable system to attract attackers. The attacks will then be analysed to learn about the attackers.
HVCI: Hypervisor Protected Code Integrity, aka “memory integrity”, a Windows feature HVCI
IDS / Intrusion Detection System: Monitor in a network to analyse that for malicious activity. Using rules it can notify admins if anomalies are detected
IPS / Intrusion Prevention System: IDS with the ability to automatically stop potential attacks (firewall up, terminate processes, …)
Implant: A tool used by the attacker to maintain access to an exploited system. Normally has some form of connection to the attacker’s infrastructure to be controlled
IOC: Indicator of Compromise. A file-hash, URL, registry key or similar feature left by the malware when a system is infected.
JWT: JSON web token. A “cookie” for authentication with added data. Stored on the client. The JWT is signed by the server.
Kerckhoff’s Principle: A cryptosystem should be secure, even if everything about the system, except the key, is public knowledge.
Key rotation: Periodically change the encryption key
Kill chain: Phases of an attack
Living off the land: A tactics where the attacker uses pre-installed software for the attack. This reduces detectable malware on the system
MAEC5: Malware sample description language. Covers static features like hashes and behaviour. MAEC5
MBEC: mode-based execution control: Windows memory integrity feature, requires CPU support
Malware: Malicious software
MaaS / Malware as a service: Organised crime split malware creation and using malware against a target into different roles. Malware creators offer malware “as a service” to the second group
MISP: Open standard for threat information sharing. Also a sharing platform. Focus on IOC. MISP. See also. TIP
MISRA C: Guidelines for safe C programming. Tools (compiler and static code analyser) support it. Some of the safety issues are also security issues. Check it out. Low hanging fruit.
MITM: Man/Monster in the Middle. Network connections are broken up in the middle by the attacker to spy or modify network packets
MITRE: Non profit organisation doing security research
MITRE Att@ck: A taxonomy for attacker TTPs. see: MITRE
mutual TLS / mTLS: Both sides, client and server, authenticate to each other using certificates
NOP slide: Increases the target the instruction pointer has to hit to get to the exploit code. Done by adding NO operation codes to the beginning.
Open redirect: A vulnerability where a legitimate website can be tricked into HTTP redirecting a visitor to a url supplied by the attacker
Patch gap: Gap between a security patch in a 3rd party library and a patched release of the main product using this library
Patch Guard: Windows kernel patch protection, protects some memory structures from being modified
PE: Portable Executable file. On Windows .exe and .dll (and some others). Starts wit a DOS Header (MZ)
Persistence: Attackers can do a hit and run - stealing data - or try to maintain access to the target by running implants there or getting the credentials. That way the “attack survives a reboot”. This would be called “persistence”.
Persistence(system): System level persistence can be gained by running code on a single system. Often done as a hidden rootkit in kernel mode
Persistence(network): Persistence by controlling several systems by either stolen credentials or compromise of a core infrastructure in the network.
Phishing: Attack using social engineering to get credentials. Can involve malware or exploits as well
POLA / Principle Of Least Authortity see POLP
POLP / Principle Of Least Privilege: Users are granted the smallest set of privileges they need to get their assigned tasks done
POMP / Principle Of Minimal Privilege: see POLP
QUIC: A Google protocol based on UDP to replace TCP. By adding TCP features to UDP
RAT / Remote access trojan: An implant to gain persistence. Can remote control OS functionalities.
RBAC / Role based Access Control: Every user has a role. Those roles come with permissions
RBN / Russian Business Network: Rogue ISP offering bullet proof hosting (take downs by police not easy)
RCE: Remote Code Execution. An attacker is able to execute code without physical access to the system. Very bad.
Regular Expression DOS: Non optimized regular expressions can require lots of CPU. If the attacker is able to submit an own Regex, it is possible to DOS the target system OWASP
Reproducible Build: The software build chain must create hash-identical software on different build systems. That way some supply chain attacks can be mitigated.
Reverse shell: A command shell running on a hacked PC. To get out through NAT/Firewall it connects back from the infected PC to a server the attacker controls.
ROI: Return on investment. A business metric. But as attackers want to make money, make them pay for it by detecting their tools, sharing this knowledge. And make it very expensive for them to attack.
ROP / Return Oriented Programming: If an executable is compiled with DEP it is not possible to insert new shellcode to execute. ROP uses existing code from the victim-executable and chains those ROP gadgets into a new order to achieve the goal.
Round-Robin DNS: Old system for load balancing that does not work with modern clients or IPv6. TTL is short lived.
SafeSEH: A windows compiler feature to mitigate attacks abusing the Exception Handler. Attackers can modify the the exception table. The cause an exception. By that they then can control program flow. SafeSEH mitigates that.
SAST: Static Application Security Testing. This can be compiler warnings or special tools
SBOM Software Bill of Materials
SCA: Software Component Analysis: Check external software components for vulnerabilities and license compliance issues
Self guided malware: Malware for air-gapped systems. Does not need a connection to a control server. Has all the propagation/infection logic built in. Not a common thing. But Stuxnet was one of those.
Session fixation: Vulnerability caused by not creating a new session on login but recycling an old one. The attacker injects his token into the victims browser. As soon as the victim logs in, the attacker has parallel access to the account.
Session Hijacking: The login token of a session is stolen. While this is valid the attacker has access
Shellcode: The payload in an exploit. Shellcode either pops a shell or establishes a connection to the attacker in the internet, … This is where malicious things happen.
Side Channel: Using side effects to hack a system. For crypto a side channel can be timing differences between a right and a wrong password.
SIEM / Security Information and Event Management: Collect and analyse different security relevant data into logs. Actions are triggered based on this data.
Sigma rules: Sigma rules are for logs what Yara is for files https://github.com/Neo23x0/sigma
SKF: Security Knowledge Framework: OWASP expert system to build and verify secure software https://owasp.org/www-project-security-knowledge-framework/
SNI / Server Name Indicator: Part of the header to indicate which one of the hosted servers to contact. Could be encrypted if ESNI (Encrypted SNI) is used.
SOC / Security Operations Center: The team running SIEMs in an organisation.
SOP / Same-origin-policy: Web browser security principle: Elements of a web site must be from the same server
Spam: Unwanted Advertising mails. Or similar messages on other channels. Often sent from hacked PCs to abuse their bandwidth.
Spear Phishing: Targeted phishing. Learn about the target first to create better social engineering attack
SQLI / SQL Injection: SQL commands can be sent through the user interface to the database backend. Instead of just values (which was the developer’s intention)
Stack Clash: A vulnerability on Linux/BSD systems. Stack Guard Page should protect against Stack-Overflows. But it can be tricked into overwriting memory. A compiler switch can protect against Stack Clash.
Static Code analysis: Analyse code without executing it. Compiler warnings are the best known example. Also linters.
STIX2: A data format to exchange threat intel. More focused on Attack Groups/Identity/Threat actor/Campaign. STIX2
StrongNaming: Authentication for .NET libraries. Signed binaries with version verification and pinned key.
Sub domain hijacking aka sub domain takeover: The attacks is able to claim an abandoned web host with still existing DNS entries. Now it is compromised….
Supply chain attack: The attacker manipulates a software, library or compiler used by the victim to attack the victim or the victims’s customer
Suricata: Open Source IDS Suricata
Threat intelligence: A service offered by security companies (or peer-to-peer). Can start with sharing IOCs and end with detailed reporters on attacks and threat actors. Focus is on Advanced attacks
TIP / Threat intelligence platform: Threat intelligence sharing between organisations. See MISP or CRITs by MITRE
TLP / Traffic Light Protocol by DHS: defines threat intelligence information sharing policy. From public to secret. Using 4 coloured levels
TOR: The Onion Router. Overlay network over the internet to ensure anonymity of clients and servers
Trust boundary: Who do you trust with what ? If your project integrated 3rd party compilers, tools, library, … you are already trusting someone. Knowing who you trust and how far is the trick.
Trusted Computing Base (TCB): The part of a system that MUST work properly to ensure security. Keep this small.
UAF / Use After Free vulnerability: Typical memory corruption bug
VBS. Virtualization Based Security, a Windows feature to isolate parts of the memory from the OS. VBS
Vulnerability: A bug or a flaw that has security implications
Warning fatigue: A psychological aspect for secure UI design. If you display to many warning UIs your users will be trained to ignore them.
Waterhole attack: Targeted phishing attack using a hacked/manufactured homepage the victim is known to visit and trust
Weaponizing: Making an exploit easy and reliable to use.
Whitelist: Deprecated term. See “Approved List”
XSS, Persistent: An attacker can store a script on the web server that is for another user rendered. As it is a script it will execute in the context of the victim’s page.
XSS, Reflected: The attacker can add a script to a url parameter which is part of the rendered page. This script will then run in page context
XXE: XML External Entity injection: The attacker uses modified XML sent to the server to access internal data like files
Zero Trust: All network requests must be authenticated. Even those originating from the own network