Threat Intelligence Glossary

This glossary defines common industry terms. You can find our Recorded Future glossary here, which includes terms specific to our technology.

Advanced Persistent Threat (APT)

APT describes technically sophisticated cyber threat actors that apply advanced methodologies and technical capabilities to compromise target information systems and maintain persistent unauthorized access in support of long-term information exploitation objectives. APT actors generally use multiple attack vectors and vulnerabilities to conduct network breach or exploitation campaigns.

Asset

An asset refers to data or information, property, or components of an information system that would cause loss if compromised. Loss types and quantifiability may vary (e.g., as with reputation or monetary losses), but an asset generally does not refer to the type of loss so much as the mechanism through which it is accessed or compromised.

Common Vulnerabilities and Exposures (CVEs)

CVEs are the industry standard for high-credibility data about vulnerabilities in software and hardware systems. This information includes the specific versions and configurations of the vulnerable systems, the nature and severity of the vulnerability, and options to mitigate or remediate the vulnerability. The MITRE Corporation maintains the system.

Dark Web

The Dark Web is accessible only using specific technology protocols and capabilities (including but not limited to The Onion Router), often requiring unique credentials or access development capabilities. The Dark Web includes underground forums and criminal markets where stolen and illegal goods are traded. See also: Special Access Sources.

Deep Web

The Deep Web refers to content that is accessible on the internet but is not indexed by web search engines in the Surface Web or “clear net.” Deep Web content may be missing from web search engines for many reasons, including required authentication, special protocols beyond basic web browsers, or content policies (e.g., web search indexing exclusion policies).

Denial of Service (DoS) and Distributed Denial of Service (DDoS)

A Denial-of-Service (DoS) attack occurs when the target system is rendered inoperable by flooding it with traffic that exhausts the resources of the targeted system, such as a website. A Distributed Denial-of-Service (DDoS) attack involves high-volume, coordinated attacks on the target from a network of compromised systems, often infected bots in a botnet, and generally has a much greater chance of disrupting business operations that depend on internet-connected services.

Exploit

An exploit is malicious code that is designed to take advantage of a specific vulnerability. An exploit enables a threat actor to compromise or abuse resources of the target system, for example to execute additional malicious programs on the compromised system, or to gain unauthorized access to data or application resources.

Executive Cyber Leadership

E.g., Chief Information Security Officer (CISO). As defined by NIST Special Publication 800-181: Executes decision-making authorities and establishes vision and direction for an organization's cyber and cyber-related resources and/or operations.

Finished Intelligence

Finished intelligence, sometimes called “FINTEL,” is an analytic assessment or position based on raw intelligence reporting and represents the synthesized analyses of processed evidence from multiple sources. Finished intelligence products typically state confidence levels when presenting key analytic judgments and assessments to reflect analytic assumptions or the quality of evidence available in raw intelligence. Finished intelligence is often produced explicitly to support security, risk, or business decisions.

Firewall

A security program that filters inbound and outbound network connections. Firewalls determine whether to allow network traffic based on a set of security control rules that implement the organization’s network security policy. Most endpoints (desktop and laptop computers) include firewall software. More importantly, enterprises and large organizations deploy firewall devices to filter traffic at network boundaries, and remotely manage the security control rules of these firewalls.

Forensics (Digital Forensics)

The act of collecting, processing, preserving, analyzing, and presenting computer-related evidence in support of network vulnerability mitigation and/or criminal, fraud, counterintelligence, or law enforcement investigations (NIST Special Publication 800-181).

Hash

In an information security context, a hash (more formally, the output value of a hash function) is a number generated by an algorithm or hash function that takes data (message, password, file, etc.) as an input. The hash is usually smaller than the input data, and any change in the input data (even a small change) results in a different hash. Ideally, hashes should be unique: no two different inputs should generate the same hash. In practice, hash value "collisions," where two different inputs produce the same output hash, are rare when an appropriate hash algorithm is selected for the domain. Therefore, hashes are a good way to fingerprint files. Finally, hash functions are one-way algorithms: you can generate a hash from a given piece of data, but you can’t reverse this (algorithmically) to recover the original data from the hash.

Hashes are used in several contexts, including the following:

  • Fingerprinting files
  • Hashing stored passwords
  • Ensuring data transfer fidelity
  • Improving search performance

Many hash algorithms exist. Here are three that are commonly used in information security.

MD5 - Message Digest algorithm invented in 1991 by Ronald Rivest of MIT. Generates a 32-digit hexadecimal (128-bit) hash value. MD5 has known vulnerabilities and was infamously exploited in 2012 by the Flame malware.

SHA-1 - Secure Hash Algorithm created by the US National Security Agency and first published by NIST in 1995. Generates a 40-digit hexadecimal (160-bit) hash value. While required by law to be used in certain US Government applications, SHA-1 is no longer considered secure and will be discontinued for many cryptographic applications in 2017.

SHA-2 - A set of Secure Hash Algorithms created by the US National Security Agency and first published in 2001. Six variants exist with different hash lengths: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.
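As an added example (not code from the original page or from Recorded Future), the following Python fingerprints constructed file contents with MD5, SHA-1 and the SHA-2 variants that Python's hashlib always provides, checks the digest lengths given above, shows how a one-character edit changes the digest, and performs the integrity comparison used for data-transfer fidelity. The file contents are constructed for the example.

```python
"""Added example: hash fingerprinting, the avalanche property and an
integrity check. Sample "file" contents below are constructed."""
import hashlib
import hmac

# MD5, SHA-1 and the SHA-2 variants guaranteed by hashlib (SHA-512/224 and
# SHA-512/256 depend on the OpenSSL build, so they are left out here).
ALGORITHMS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]

# Constructed sample file contents; the second copy differs by one character.
ORIGINAL = b"Quarterly report: revenue up 4%\n"
TAMPERED = b"Quarterly report: revenue up 5%\n"


def fingerprint(data, algorithm="sha256"):
    """Hex digest of data: the fingerprint used to identify a file."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_hex_lengths(data):
    """Number of hex digits each algorithm produces (4 bits per digit)."""
    return {alg: len(fingerprint(data, alg)) for alg in ALGORITHMS}


def differing_bits(data_a, data_b, algorithm="sha256"):
    """Count digest bits that differ between two inputs; a good hash
    changes roughly half of them even for a one-character edit."""
    a = int(fingerprint(data_a, algorithm), 16)
    b = int(fingerprint(data_b, algorithm), 16)
    return bin(a ^ b).count("1")


def verify_integrity(data, expected_hex, algorithm="sha256"):
    """Data-transfer fidelity check: recompute the digest and compare it
    with the expected value using a constant-time comparison."""
    return hmac.compare_digest(fingerprint(data, algorithm), expected_hex)


if __name__ == "__main__":
    for alg, digits in digest_hex_lengths(ORIGINAL).items():
        print(f"{alg:7} {digits:3} hex digits = {digits * 4} bits")
    print("sha256 bits changed by a one-character edit:",
          differing_bits(ORIGINAL, TAMPERED))
    expected = fingerprint(ORIGINAL)
    print("original passes integrity check:", verify_integrity(ORIGINAL, expected))
    print("tampered copy passes integrity check:", verify_integrity(TAMPERED, expected))
```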

Incident Response (IR)

Incident Responders resolve computer and network-related incidents. IR teams usually engage with incidents after the SOC team confirms and escalates an incident.

Some IR teams specialize in security incidents (SIRT) or are escalation teams reserved for emergencies (CERT) or critical incidents (CIRT). IR teams can have a wide variety of names indicating their specialization. Many IR teams have a broader mission, and will also handle non-security incidents (crashes, unplanned downtime) and non-emergency incidents (violation of workplace policies, abuse of company resources).

Indicators of Compromise

Indicators of Compromise (IOCs) are hashes, URLs, domains, DNS names, IP addresses, and other observable technical metrics that security teams use to detect a threat or compromise. IOCs are also called technical indicators or tactical indicators and represent a type of raw intelligence.

IOCs can be used in forensic investigations, during incident response, to detect or prevent incidents using security control rules, and to research threat actors’ tools (malware) and TTPs in threat intelligence research. In all of these applications, the value of the IOC increases with additional context. Context can reveal the specific malware or malicious activity that produces this IOC, what type of telemetry to scan for the IOC, which threat actors engage in actions with this IOC, whether the IOC is fresh and active or historic and useful only for forensics and log searches, etc.

Information Environment

The January 2017 edition of the U.S. Department of Defense’s Joint Publication 3-0 (Joint Operations) defines the information environment as, “the aggregate of individuals, organizations, and systems that collect, process, disseminate, or act on information.” In general, this definition applies to information systems and the activities therein across both government and commercial spaces.

Malware

Malware is malicious software used by threat actors to compromise and abuse computer systems. Malware can be a single purpose tool, some of which are described below, or can combine several of these in one multipurpose tool.

Backdoor - malware that provides remote access to the compromised system.

Downloader - malware that is designed to download an additional malware payload. The downloader may then remove itself to evade detection.

Exploit Kit - malware that probes the target computer system for a wide variety of unpatched vulnerabilities, and then delivers a tailored exploit based on that system’s flaws. Often used to build a botnet of infected computers, whose access is then rented or sold for other fraud and crime schemes.

Spyware - a type of malware that is designed to spy on the victim's activities, capturing sensitive data such as the person's passwords, online shopping, and screen contents. One popular type of spyware, a keylogger, is optimized for logging the victim's keyboard activity and transmitting the captured information to the remote attacker.

Trojan - originally, malicious software that is disguised as normal, benign software - hence the Trojan Horse reference. In current usage, trojans are malware programs that evade detection by antivirus protection and wait for specific conditions to capture and exfiltrate data (often credentials to banking sites) or take other actions. Trojans communicate with command and control servers.

Remote Access Trojan - a versatile Trojan that can be remotely controlled by the operator. Useful for cyber espionage tactics like hijacking audio and video, keylogging, etc.

Worm - malware that can propagate automatically from one infected computer to another, typically without requiring any human interaction for it to spread. Worms often spread across networks, though they can also infect systems through other means, such as USB keys.

Managed Security Service Provider (MSSP)

MSSPs provide a range of specialized security functions for enterprises. While small MSSPs may have a narrow focus like remote administration of security controls, large MSSPs offer a broad range of services including SOC, Incident Response, Threat Hunting, and Threat Intelligence. Staffing models also vary widely, from full outsourcing to staff augmentation of client on-premises teams.

Nation State Sponsored Threat Actors

Threat actors and groups that operate with active or tacit support (top cover) from their national law enforcement and intelligence organizations. Some nation state sponsored threat actors are acknowledged government organizations such as the US NSA and UK GCHQ. The attribution of many nation state sponsored groups is unclear or disputed. Also see Advanced Persistent Threat.

National Vulnerability Database

The National Vulnerability Database (NVD) is a master cumulative database of vulnerability information, maintained by the National Institute of Standards and Technology (NIST). The NVD assigns unique Common Vulnerabilities and Exposures (CVE) identifiers to vulnerabilities to facilitate discussion and data exchange between information security products and services.

Open Sources

Open Sources are sources that analysts can access, generally over the internet, without specific credentials or access technology. The Surface Web, Social Media, and Deep Web are open sources. Contrast the Open Sources with Closed Sources and Technical Sources.

Patch

A patch is a software update to a vulnerable program or system. For consumer endpoints and mobile devices, a common practice is to automate the installation of the vendor’s latest patches in a timely fashion. For enterprise systems, patching is much more complicated because patches often disrupt other important or even critical business systems, either running on those endpoints or servers or, more likely, accessed through those computers. Enterprises also face the scale challenges of patching many systems and maintaining an accurate inventory, and therefore turn to Vulnerability Risk Management processes and tools.

Phishing

Phishing is a set of technical and social engineering techniques used by threat actors to fool victims into taking a specific action in response to an email. Often, the target victim action is clicking on a link. This action may infect victims with vulnerable computers with malware, but it is more likely to simply lead to a malicious phishing site that records information about the victim (victim system demographics, email tracking code) and attempts to steal the victim’s credentials to a third-party site. These are two of many phishing scenarios. Many involve malicious email attachment files, either executable or containing malicious script logic (especially Microsoft Office documents with macros). Also see Spearphishing.

Raw Intelligence

Raw Intelligence is data that has been collected from any of a variety of sources (see Open Sources, Closed Sources, Technical Sources) and processed (see Entity Detection, Event Detection, Analytics) but has not been synthesized into actionable analytic positions by human analysts.

Risk

The potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability; or, formulaically, threat + vulnerability + probability of event occurrence.

Risk Management

Oversees, evaluates, and supports the documentation, validation, assessment, and authorization processes necessary to assure that existing and new information technology (IT) systems meet the organization's cybersecurity and risk requirements. Ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives (NIST Special Publication 800-181).

Security Automation / Security Orchestration

Many security workflows involve a preparation phase where data is collected from various internal systems, and an execution phase where technical actions are taken in various internal systems. For example, a SOC analyst responding to an antivirus alarm may pull technical data from the endpoint and network data from the network the endpoint is connected to, analyze that data and make a verdict that it is infected, and then take actions to quarantine the endpoint and pass the incident case to the IR team to be disinfected or burned down. Security automation and orchestration products and technologies seek to automate these tasks. Most products can be applied to both preparation and execution phases. Security automation suggests that the vendor focuses more on automating the preparation phase, and Security orchestration suggests that the vendor focuses more on automating the execution phase.

Security Incident and Event Management (SIEM)

The SIEM is the central data management system for the Security Operations Center. Data from many internal systems flows into the SIEM: firewalls, URL filters, email protection gateways, antivirus, IDS/IPS, user access and identity, web application security, application alerts, mobile device security, and more. The SIEM is responsible for capturing this information for search, investigation, and compliance reporting for a short time period (30 days is common). Further, the SIEM is responsible for analyzing these data flows to identify definite or potential security incidents. This analysis can be based on a single stream of data (like antivirus alerts from an infected endpoint) but is often based on linking events across streams of data, which is called correlation. Threat intelligence, especially Indicators of Compromise, is commonly used in correlation rules.
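The following Python is an added example (not code from the original page or from Recorded Future) of the two ideas above: matching IOCs carrying context (malware, telemetry type, active or historic) against log lines, and a correlation rule that links hits from two streams on the same host. The IOC values, hostnames, domains, hash and log lines are all constructed for the example.

```python
"""Added example: IOC matching with context, then cross-stream correlation
on the host field. Every IOC value and log line here is constructed."""
from datetime import datetime, timezone

# Constructed IOCs with the context the glossary describes as valuable.
IOCS = {
    "update-cdn.example": {"type": "domain", "malware": "ExampleLoader",
                           "telemetry": "proxy", "status": "active"},
    "0123456789abcdef0123456789abcdef": {"type": "md5", "malware": "ExampleLoader",
                                         "telemetry": "antivirus", "status": "active"},
    "old-c2.example": {"type": "domain", "malware": "LegacyRAT",
                       "telemetry": "proxy", "status": "historic"},
}

# Constructed key=value log lines; "stream" names the source system.
LOG_LINES = [
    "stream=proxy ts=2024-05-01T10:02:11Z host=ws-17 user=alice dst=update-cdn.example action=allowed",
    "stream=proxy ts=2024-05-01T10:02:15Z host=ws-22 user=bob dst=intranet.example action=allowed",
    "stream=antivirus ts=2024-05-01T10:04:30Z host=ws-17 file=update.exe md5=0123456789abcdef0123456789abcdef verdict=quarantined",
    "stream=antivirus ts=2024-05-01T10:05:02Z host=ws-22 file=notes.txt md5=ffffffffffffffffffffffffffffffff verdict=clean",
    "stream=proxy ts=2024-05-01T11:30:00Z host=ws-31 user=carol dst=old-c2.example action=blocked",
]


def parse_line(line):
    """Split a key=value line into a dict and parse its UTC timestamp."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def match_iocs(event):
    """Return (value, context) for every field value that is a known IOC."""
    return [(v, IOCS[v]) for k, v in event.items() if k != "ts" and v in IOCS]


def correlate(lines, window_seconds=600):
    """Single-stream hits are returned as-is (an analyst alert, or only a
    forensic lead if the IOC is historic). Hits from two or more streams on
    the same host inside the window become one correlated incident."""
    hits = []
    for line in lines:
        event = parse_line(line)
        for value, ctx in match_iocs(event):
            hits.append({"host": event["host"], "stream": event["stream"],
                         "ts": event["ts"], "ioc": value, "context": ctx,
                         "disposition": "alert" if ctx["status"] == "active" else "forensic lead"})
    by_host = {}
    for hit in hits:
        by_host.setdefault(hit["host"], []).append(hit)
    incidents = []
    for host, host_hits in by_host.items():
        host_hits.sort(key=lambda h: h["ts"])
        span = (host_hits[-1]["ts"] - host_hits[0]["ts"]).total_seconds()
        streams = {h["stream"] for h in host_hits}
        if len(streams) >= 2 and span <= window_seconds:
            incidents.append({"host": host, "streams": streams, "hits": len(host_hits),
                              "malware": {h["context"]["malware"] for h in host_hits}})
    return hits, incidents


if __name__ == "__main__":
    hits, incidents = correlate(LOG_LINES)
    for h in hits:
        print(f"{h['disposition']:13} {h['host']} {h['stream']} {h['ioc']} ({h['context']['malware']})")
    for inc in incidents:
        print("correlated incident:", inc)
```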

Security Operations Center (SOC)

The SOC is a central monitoring, command, and coordination center for information security processes. The SOC centralizes monitoring of alarm and sensor information from many internal systems into a SIEM product to manage and monitor these data flows. A central team of SOC analysts monitors this information to identify incidents. A mature SOC is often staffed 24x7 and requires a team of dozens of analysts to staff shifts and stand watch around the clock. SOC teams are usually organized into levels, where Level 1 analysts are asked to triage high volumes of information and identify incidents, then escalate to Level 2 and Level 3 for deeper investigation or incident response.

Between staffing, tools and technology, and management costs, a mature SOC is an extremely expensive operation. Many enterprises, both small and large, work with a Managed Security Service Provider to reduce these costs and gain access to specialized skills that are not economical to build in their own security team.

Sensor Data - see Technical Sources

Signal Alert

An alert that is triggered when a Trend experiences an atypical volume of references or a sudden change in the trend of references, raising the threat level for a signal.

Social Engineering

Social engineering means researching victims to understand them socially (their profession, age, gender, friends and family, business associates, etc.) and then using this social information to improve attack tactics. For example, threat actors may engage with a victim via voice call, text message, personal emails, or social media platforms and induce them to reveal sensitive information without using any technical means such as malware. Social engineering attacks generally refer to hybrid attack tactics, where there is a technical component (like a phishing email) and the effectiveness of that technical component is greatly improved by social engineering research of the victim or victims.

Social Media

Most data from social media sources is not indexed by web search engines, so it is outside the Surface Web. Social Media sources vary widely in their content format (text, video, etc.), data volume, terms of use, privacy policies, and user options.

Spearphishing

Spearphishing is highly targeted phishing. A phishing campaign is driven with large lists of potential victims, often in the thousands, and the phishing email content is minimally personalized to the victim. The victims of the phish are victims of opportunity drawn from the campaign email lists. Spearphishing campaigns target carefully chosen victims - sometimes fewer than a dozen - and use email content that is more carefully engineered for each victim. Phishing campaigns are generally financially motivated (cybercrime), while spearphishing campaigns are indicative of more capable cybercriminals or cyber espionage.

Special Access Sources

Special Access Sources are restricted to trusted communities of threat actors using technical and social authentication methods. Threat intelligence and law enforcement groups invest significant effort to establish and maintain access to Special Access sources. Administrators often demand evidence of language skills, knowledge of underground markets, and even current members who will vouch for the new applicant. Also see Dark Web.

Surface Web

The Surface Web refers to internet content that is indexed by web search engines like Google and Bing. Content in the surface web is readily and freely accessible. The volume of content in the surface web is large, but much smaller than the Deep Web. Content in the surface web may change rapidly and can be removed at any time.

Technical Sources

Technical sources (AKA sensor data or telemetry) are raw data derived from an internet service, from traffic on a private network, or from the internal operation of computer systems. Technical sources is an extremely broad term, and includes some extremely high volume data streams such as packet capture and netflow.

The term Sensor Data generally means technical sources that are designed to detect anomalies and security incidents. The term Telemetry generally means log data from normal system operation, which may also include traces of data about abusive and malicious activity.

Techniques, Tactics, Procedures (TTPs)

TTPs are the methods used by threat actors to compromise target systems, breach target networks, and generally speaking achieve their goal. TTPs represent the knowledge and skills of the threat actor group, which are harder and slower to change than their tools. A threat actor can rapidly move to different infrastructure and change the Indicators of Compromise, or upgrade their toolset with a new piece of malware. It is much harder for the threat actor to adopt new TTPs - for example to become skilled at Social Engineering methods and begin running precise Spearphishing campaigns instead of broad, untargeted Phishing campaigns.

Telemetry - see Technical Sources

Threat

Anything with the capability and intent to exploit a vulnerability or obtain, damage, or destroy an asset.

Threat Hunting

Threat Hunting refers to a set of practices, often focused on large-scale automated analysis of historic data and logs, to gain visibility into network blind spots. Enterprises that are targets of high-end criminal organizations and Advanced Persistent Threats will add threat hunting methodologies and tools as they mature their security practice.

Vulnerability

A vulnerability is a specific weakness in a system which threat actors can use to exploit a victim’s deployment of that system (the exploit target). For large enterprises, identifying and resolving vulnerabilities is a complex and important process called Vulnerability Risk Management.

Vulnerability Management (VM)

Vulnerability Risk Management (VRM) teams reduce risk from computer or network-related incidents by correcting vulnerabilities. The VRM action can be a remediation such as patching the system to remove the vulnerability, or applying a security configuration to prevent exploitation of the vulnerability. The VRM action can also be a mitigation that allows defenders to rapidly detect and respond to exploitation, or limits the potential damage from exploitation.

Zero Day Exploit (zero-day)

A zero day exploit is an exploit disclosed publicly without prior notification to developers of affected software. Defenders have “zero days” to react to the vulnerability before disclosure to product vendors and security teams, which means current security rules have limited ability to detect compromise and exploitation. The impact of zero day exploits can be severe.
