Threat Feeds are feeds (think: news feeds) of threat intelligence that can be used for threat hunting. Often, threat feeds contain information about Indicators of Compromise (IOC) that indicate a threat is present.
Maneuvering refers to the actions of threat actors and defenders using different strategies to gain the upper hand.
Threat Hunting is the act of proactively searching for threats using threat intelligence, digital forensics techniques, and other analytical detection and engineering skills.
Cybersecurity Advisories and Bulletins are intelligence sources used to see if there are new threats and specific information about threats.
Intelligence Fusion refers to the process of searching and correlating data from many sources, in order to look for indicators that a threat is present.
Non-Intrusive Scanning (or Passive Scanning) is a scanning technique that is passive and doesn’t directly interact with target systems. In contrast, Intrusive Scanning (or Active Scanning) actively interacts with target machines to gain information about those systems.
The two main types of vulnerability scans are Network Vulnerability Scanning and Application Vulnerability Scanning.
Network vulnerability scans are designed to scan hosts on a network, such as computers, smartphones, and networking equipment.
Application scanning is more specific, designed to search for vulnerabilities within specific applications or types of applications, such as web applications or database software.
A Vulnerability Scan is an automated scan that searches for vulnerabilities in network devices, computer systems, or applications.
Credentialed Network Scans refer to scans given extra access (think: authenticated roles), similar to the access an insider would have. By comparison, Non-Credentialed Network Scans have no special access to the hosts being scanned. Such a scan may be able to send, receive, or inspect packets, but it cannot do anything an unprivileged user on the network couldn’t do.
A CVE (Common Vulnerabilities and Exposures) is a list of vulnerabilities, with each entry consisting of a unique identifier, a description of the vulnerability, a list of references for more information, and entry timestamp metadata.
CVSS (Common Vulnerability Scoring System) is a public standard for rating the severity of vulnerabilities in software.
CVSS scores are assigned based on vulnerability severity, ranging from 0 to 10, with 10 being the most severe. This score is based on how easy the vulnerability is to exploit, and how much damage can be done by exploiting it.
A Configuration Review requires a credentialed scan, and it requires the scanner to have information about best practices for configuring the software being scanned. It is good practice to perform periodic configuration reviews, as well as reviews immediately upon any system changes.
In network and vulnerability scanning, a false positive is when the scanner says there is a vulnerability, but actually a vulnerability isn’t present. A false negative is when the scanner says there isn’t a vulnerability, but there actually is.
SOARs (Security Orchestration, Automation, and Response) work very similarly to SIEMs, but they can be configured to respond automatically to certain types of incidents. This can decrease response time, and help prevent damage while security teams are getting up to speed.
SIEMs (Security Information and Event Management) are tools used in cybersecurity to aggregate large amounts of information collected from throughout a security environment, to present it in a way that is useful for security teams.
Log Aggregation refers to consolidating and normalizing data from multiple sources so it is consistent and searchable.
SIEMs produce reports that must be reviewed, including for Sentiment analysis and User & Entity Behavior analysis.
A Packet Capture is the action of using a sniffer tool for packet and protocol analysis. Network traffic is captured by the sniffer tool where deep analysis may be conducted by a network analyst.