There are a lot of terms that get thrown around in the threat hunting world. If you are new to all of this, here is a quick guide to some of the high-level terms you might not know just from being a common-or-garden computer nerd.
- EDR (Endpoint Detection and Response) - A category of software tools which focus on detecting attacks by monitoring an endpoint (i.e. a workstation, server etc.). EDR tools often also support response and investigation by allowing further information to be obtained from the endpoint, such as artefact collection, memory dumps and so on. Endpoints are rich data sources, and some kind of EDR is usually a critical part of effective threat hunting.
- MDR (Managed Detection and Response) - MDR is a managed service provided by a third party to detect and respond to attacks. MDR is often contrasted with EDR, but while EDR is just a software tool, MDR makes use of people, who may use tools such as EDR as well as network sensors, log sources and so on.
- Use case / Hypothesis - Largely synonymous in threat hunting, these are questions a threat hunter asks about how an attacker may be present in an environment. Testing a hypothesis involves interrogating data from various sources (endpoints, network sensors etc.) to find out whether an attacker is in fact present. For example, a hypothesis may ask: has an attacker used process hollowing to execute malware?
- MSSP (Managed Security Service Provider) - An MSSP is a provider of outsourced security services which can include management of firewalls and security appliances, vulnerability scanning, and monitoring of alerts in a Security Operations Centre (SOC).
- Security Operations Centre (SOC) - A centre within an organisation (or sometimes outsourced) which usually operates 24/7 to monitor security alerts and often provides an initial response to security incidents. Advanced SOCs may include subject matter experts such as malware analysts or forensic investigators.
- SIEM (Security Information and Event Management) - A product which combines disparate sources of security events and contextual information (alerts, logs etc.) to allow analysis, correlation and reporting.
- Tactics, Techniques, and Procedures (TTPs) - Often used alongside IOCs in the context of Threat Intelligence, TTPs are the methods attackers use to perform their attacks.
- Indicator of Compromise (IOC) - A high-confidence indicator that can point to an intrusion or a piece of malware. IOCs might include, for example, hashes, IP addresses, URLs or filenames.
- Threat Intelligence (TI) - Information or intelligence about threats that may affect security. This information can come in many forms and is sometimes broken down into tactical, technical, operational and strategic. Technical TI may include a set of IOCs for a certain malware, or known "bad" IP addresses, whereas tactical TI may include information on the attacker methodologies currently in use.
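To make the IOC and technical TI definitions concrete, here is an added example (not code from the original post) of the simplest thing a SIEM or hunting script does with a technical TI feed: pull candidate hashes, IP addresses, hostnames and filenames out of free-form log lines and check them against the feed. The feed values and the log lines are constructed for the example; the hash, the 203.0.113.0/24 address and the hostname are documentation-range placeholders, not real indicators.

```python
import re
from dataclasses import dataclass

# Constructed technical TI feed (hypothetical placeholder values, not real IOCs).
IOC_FEED = {
    "sha256": {"deadbeef" * 8},                 # 64 hex chars, placeholder hash
    "ip": {"203.0.113.45"},                     # RFC 5737 documentation range
    "domain": {"update-check.example.net"},
    "filename": {"svch0st.exe"},
}

# Constructed log lines: a web proxy log and a Sysmon-style process-creation event.
LOG_LINES = [
    "2024-05-01T10:02:11Z proxy src=10.0.0.23 dst=203.0.113.45 host=update-check.example.net url=/beacon",
    "2024-05-01T10:02:12Z sysmon EventID=1 Image=C:\\Windows\\Temp\\svch0st.exe Hashes=SHA256=" + "deadbeef" * 8,
    "2024-05-01T10:03:00Z proxy src=10.0.0.24 dst=93.184.216.34 host=www.example.com url=/",
]


@dataclass
class Hit:
    line_no: int
    ioc_type: str
    value: str
    raw: str


# Patterns that pull candidate indicators out of free-form text.
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
FILENAME_RE = re.compile(r"[\w.-]+\.(?:exe|dll|ps1|bat)\b", re.IGNORECASE)


def extract_candidates(line):
    """Yield (ioc_type, value) pairs found in one log line, normalised to lower case."""
    lowered = line.lower()
    yield from (("sha256", m) for m in SHA256_RE.findall(lowered))
    yield from (("ip", m) for m in IPV4_RE.findall(lowered))
    yield from (("domain", m) for m in HOST_RE.findall(lowered))
    yield from (("filename", m.lower()) for m in FILENAME_RE.findall(line))


def match_iocs(lines, feed=IOC_FEED):
    """Return every (line, indicator) pair where a candidate is present in the feed."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        for ioc_type, value in extract_candidates(line):
            if value in feed.get(ioc_type, ()):
                hits.append(Hit(line_no, ioc_type, value, line))
    return hits


if __name__ == "__main__":
    for hit in match_iocs(LOG_LINES):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value}")
```

Two things the example shows that the definition alone does not: a single event can carry several indicator types at once (the proxy line matches on both the destination IP and the hostname), and candidates are normalised before comparison, since a SHA-256 written in upper case by one sensor and lower case in the feed is still the same indicator.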
- Implant - Another word for malware, usually with the goal of maintaining access to a system. Like a trojan but more military sounding.
- C2 / C&C / Command and Control - The channel and method through which an implant or other malware is controlled by an attacker. For example, the malware may connect out to a certain domain name or IP address periodically to receive instructions. Many other C2 techniques exist that aim for stealth and/or resilience.
- Cyber Kill Chain - A chain of stages for a successful cyber attack, including phases like reconnaissance, exploitation and actions on objectives. Generally, as a threat hunter, having visibility of actions across the kill chain is a good thing, and being able to stop attacks early in the kill chain is preferable.
- Next Gen AV - Anti-virus software that uses "next generation" techniques to identify bad software by more than just signatures, using more modern techniques to identify software behaving maliciously, possibly including elements of machine learning and anomaly detection.
- User and Entity Behaviour Analytics (UEBA) - Once known simply as UBA, this is the analysis of the behaviour of users or other entities in the environment to identify malicious behaviour. This can include modelling of normal behaviour and identification of deviations from this, or correlation with other data sources to identify anomalous or unexpected situations.
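The UEBA definition talks about modelling normal behaviour and flagging deviations from it. As an added example (not code from the original post), here is a minimal version of that idea for one entity type, user logons: build a per-user baseline of the hours they usually log on and the hosts they log on from, then score new events against it. The logon history and the new events are constructed; the users, hostnames and the 5% rarity threshold are assumptions for the example, not a real product's defaults.

```python
from collections import Counter, defaultdict
from datetime import datetime


def _constructed_history():
    """Ten working days of hypothetical logons: alice from her workstation in the morning, bob at 09:15."""
    events = []
    for day in range(1, 11):
        events.append((f"2024-04-{day:02d}T08:05:00", "alice", "wks-alice"))
        events.append((f"2024-04-{day:02d}T09:40:00", "alice", "wks-alice"))
        events.append((f"2024-04-{day:02d}T09:15:00", "bob", "wks-bob"))
    return events


BASELINE_EVENTS = _constructed_history()

# Constructed events arriving after the baseline period: (timestamp, user, source host).
NEW_EVENTS = [
    ("2024-04-15T09:10:00", "alice", "wks-alice"),    # normal hour, known host
    ("2024-04-15T03:12:00", "alice", "srv-backup"),   # 3am from a host alice never used
    ("2024-04-15T09:30:00", "bob", "wks-bob"),        # normal
    ("2024-04-15T09:30:00", "mallory", "wks-bob"),    # account with no history at all
]


def build_baseline(events):
    """Per-user histogram of logon hours and the set of source hosts seen."""
    hours = defaultdict(Counter)
    hosts = defaultdict(set)
    for ts, user, host in events:
        hours[user][datetime.fromisoformat(ts).hour] += 1
        hosts[user].add(host)
    return {"hours": hours, "hosts": hosts}


def score_event(baseline, event, rare_fraction=0.05):
    """Return the list of reasons an event deviates from the user's baseline (empty if none)."""
    ts, user, host = event
    hour = datetime.fromisoformat(ts).hour
    reasons = []
    user_hours = baseline["hours"].get(user)
    if user_hours is None:
        reasons.append(f"no baseline for user {user}")
        return reasons
    total = sum(user_hours.values())
    # A Counter returns 0 for an hour never seen, so unseen hours always count as rare.
    if user_hours[hour] / total < rare_fraction:
        reasons.append(f"unusual logon hour {hour:02d}:00")
    if host not in baseline["hosts"][user]:
        reasons.append(f"new source host {host}")
    return reasons


def find_anomalies(baseline, events):
    """Pair each deviating event with its reasons, preserving event order."""
    flagged = []
    for event in events:
        reasons = score_event(baseline, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    for event, reasons in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(event, "->", "; ".join(reasons))
```

The point worth noticing is that the 3am logon is flagged twice over, once on time of day and once on the source host, while the account with no history is flagged for a different reason entirely: with no baseline there is nothing to compare against, which is itself a signal worth surfacing rather than silently treating as normal.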