Cybersecurity Vocabulary & Glossary


Term: Definition
  What is a SOC
CERT: Computer Emergency Response Team
CIRC: Computer Incident Response Center (or Capability)
CIRT: Computer Incident Response Team
CND: Computer Network Defense
Constituency: the bounded set of users, sites, IT assets, networks, and organizations that a SOC serves
CSIRC: Computer Security Incident Response Center (or Capability)
CSIRT: Computer Security Incident Response Team
CSOC: Cybersecurity Operations Center
Incident: an assessed occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system, or of the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies
SIEM: Security Information and Event Management
SOC: Security Operations Center. A SOC is a team, primarily composed of security analysts, organized to detect, analyze, respond to, report on, and prevent cybersecurity incidents.
A SOC must provide:
1. a means for constituents to report suspected incidents
2. incident handling assistance
3. sharing of incident information with constituents and external parties
Tier 1: real-time monitoring and triage, fielding phone calls and reports
Tier 2: in-depth analysis of the events Tier 1 escalates
  Mission and Operations
CIO: Chief Information Officer
CISO: Chief Information Security Officer
Event: an observable occurrence in a system or network; it may be entirely benign, or it may be escalated into an incident
Forensic analysis: determining the nature of an attack from artifacts such as hard drive images or full-session packet capture (PCAP), or reverse engineering malware samples collected in support of an incident
HIPS: Host Intrusion Prevention System
IDS: Intrusion Detection System
IPS: Intrusion Prevention System
ISCM: Information Security Continuous Monitoring
responsible for incident detection and response
ISSO: Information System Security Officer; usually involved with IT compliance and ensuring the security of specific systems
NIPS: Network Intrusion Prevention System
NOC: Network Operations Center
PSM: Physical security monitoring (e.g., "gates, guards, and guns")
COTS: Commercial Off-The-Shelf
FOSS: Free or Open Source Software
Characteristics of the SOC:
1. Organizational relationship
2. Distribution of resources
3. Authority
Coordinating SOC: a SOC that mediates and facilitates CND activities between multiple subordinate, distinct SOCs
Internal centralized SOC: a dedicated team of IT and cybersecurity professionals reports to a SOC manager who is responsible for overseeing the CND program
Internal distributed SOC: one person or a small group is responsible for coordinating security operations, but the heavy lifting is carried out by individuals matrixed in from other organizations
MSSP: Managed Security Service Provider (an external SOC)
Security team: no dedicated team; resources are gathered (usually from within the constituency) to deal with the problem, reconstitute systems, and then stand down
  Organizational Model
No authority: the SOC can only suggest or influence actions
Shared authority: the SOC makes recommendations and has a vote, but not the final say
Full authority: the SOC can direct action without seeking or waiting for approval or support (in practice this authority is never absolute)
Reactive: an incident is either suspected or confirmed; actions are usually tactical in nature and temporary
Proactive: preemption of a perceived threat before direct evidence of an incident is uncovered; these actions are more strategic
Real-Time Analysis: call center, monitoring
Intel and Trending: trending, analysis, response
Artifact Analysis: artifact handling, malware analysis
SOC Tool Life-Cycle Support: border protection devices, sensor tuning, tool research
Audit and Insider Threat: audit data, insider threat support and investigation, network mapping, vulnerability scanning, penetration testing
Outreach: product assessment, security consulting, training and awareness, media relations
  Situational Awareness
SA: Situational Awareness. "The perception of the elements of the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future" (a definition that originated in aviation human-factors research).
Building SA involves:
1. Information: sensor data, cyber intel, news, product vulnerabilities
2. Interpreting and processing that information
3. Depicting the information visually
Own environment: network assets, topology, applications, and the vulnerability of hosts and applications as seen from the network
Adversary attributes:
1. Capability, including skill level and resources
2. Intent and motivation
3. Probability of attack
4. Access (legitimate or otherwise)
5. Impact
6. Actions: past, present, and projected
  Incident Tip-offs
Cyber attack life cycle:
1. Recon: the attacker identifies and investigates targets
2. Weaponize: tools are packaged for delivery and execution
3. Deliver: the attack tools are delivered to the target
4. Exploit: the initial attack
5. Control: the attacker directs the victim system
6. Execute: the attacker fulfills the mission
7. Maintain: long-term access is established
  Tools and Data Quality
  From Tip-offs to Ground Truth
False positive: a positive indicator (an alert) that is incorrect; the flagged activity is actually benign
Intrusion detection approaches:
1. Signature-based detection: has a priori knowledge of how to characterize malicious behavior and alerts when observed activity matches that characterization
2. Anomaly detection: models what normal or benign behavior looks like and alerts whenever it observes something that falls outside that model
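The two detection approaches and the false-positive entry above, as an added example that is not part of this glossary: a toy signature-based detector and a toy anomaly detector are run over the same constructed web-server log lines, and a scorer compares their alerts against a ground truth. The log lines, the ground-truth labels, the signature rules, the anomaly features and every function name are invented for the example; nothing here is taken from a real product or dataset.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample logs (not real traffic): "<src_ip> <method> <path> <status>".
# BASELINE_LOG stands in for a quiet period used to learn "normal"; SAMPLE_LOG is analysed.
BASELINE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.5 GET /missing.css 404
10.0.0.7 GET /login 200
10.0.0.7 POST /login 302
10.0.0.7 GET /favicon.ico 404
10.0.0.9 GET /search?q=boots 200
10.0.0.13 GET /docs/guide.pdf 200
"""
SAMPLE_LOG = """\
10.0.0.5 GET /index.html 200
10.0.0.7 POST /login 302
10.0.0.9 GET /search?q=shoes 200
10.0.0.9 GET /search?q=%27%20OR%201%3D1-- 500
10.0.0.11 GET /wp-admin/ 404
10.0.0.11 GET /phpmyadmin/ 404
10.0.0.11 GET /.env 404
10.0.0.11 GET /backup.zip 404
10.0.0.13 GET /docs/union-station-map.pdf 200
"""
# Hypothetical ground truth for SAMPLE_LOG: the sources that were really hostile.
MALICIOUS_IPS = {"10.0.0.9", "10.0.0.11"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")

def parse_log(text):
    """Parse the constructed log text into (ip, method, path, status) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status = m.groups()
            records.append((ip, method, path, int(status)))
    return records

# Signature-based detection: a priori knowledge of what malicious requests look like.
SIGNATURES = {
    # tautology injection (' OR 1=1), raw or URL-encoded
    "sqli_tautology": re.compile(r"(?i)(%27|')(%20|\s)*or(%20|\s)+1(%3d|=)1"),
    # deliberately sloppy bare-keyword rule: it also fires on benign paths
    "sqli_union_keyword": re.compile(r"(?i)union"),
    # probe for a leaked environment file
    "dotenv_probe": re.compile(r"/\.env(\b|$)"),
}

def signature_detect(records):
    """Return {ip: {rule_name, ...}} for sources whose requests match a signature."""
    hits = defaultdict(set)
    for ip, _, path, _ in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits[ip].add(name)
    return dict(hits)

def not_found_ratios(records):
    """Fraction of 404 responses per source IP (a path-guessing scanner drives this up)."""
    totals, misses = defaultdict(int), defaultdict(int)
    for ip, _, _, status in records:
        totals[ip] += 1
        if status == 404:
            misses[ip] += 1
    return {ip: misses[ip] / totals[ip] for ip in totals}

def fit_baseline(records, sigmas=3.0):
    """Anomaly detection, learning step: statuses seen in a quiet period and a 404-ratio ceiling."""
    ratios = list(not_found_ratios(records).values())
    return {"known_statuses": {status for _, _, _, status in records},
            "threshold_404": mean(ratios) + sigmas * pstdev(ratios)}

def anomaly_detect(records, model):
    """Return {ip: {reason, ...}} for sources that fall outside the learned baseline."""
    alerts = defaultdict(set)
    for ip, _, _, status in records:
        if status not in model["known_statuses"]:
            alerts[ip].add(f"unseen_status_{status}")
    for ip, ratio in not_found_ratios(records).items():
        if ratio > model["threshold_404"]:
            alerts[ip].add("excessive_404_ratio")
    return dict(alerts)

def evaluate(alerts, malicious_ips):
    """Score alerts against ground truth at the source-IP level."""
    flagged = set(alerts)
    return {"true_positives": sorted(flagged & malicious_ips),
            "false_positives": sorted(flagged - malicious_ips),
            "false_negatives": sorted(malicious_ips - flagged)}

def run():
    baseline, sample = parse_log(BASELINE_LOG), parse_log(SAMPLE_LOG)
    model = fit_baseline(baseline)
    return {"signature": evaluate(signature_detect(sample), MALICIOUS_IPS),
            "anomaly": evaluate(anomaly_detect(sample, model), MALICIOUS_IPS)}

if __name__ == "__main__":
    print(run())
```

Run as a script it prints both scorecards. The bare "union" keyword rule is the false positive from the entry above: it fires on a benign PDF path, and no amount of tuning the other rules fixes that. The anomaly model flags both hostile sources without any rule for them, but only because the baseline it learned from was clean; a baseline that already contains scanner traffic raises the 404 ceiling and hides the scanner, and a status code that never appeared in the baseline is "anomalous" whether or not it is malicious. Each approach misses what it has no rule or feature for, which is why a SOC runs both and tunes them against its own traffic.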
  Data Quantity
Too much data:
1. The signal is lost in the noise
2. Systems cannot handle the data load
  Agility (2.8)
Lack of agility of the SOC: a lack of speed and freedom of action may undermine the SOC's ability to spot and repel attacks
APT: Advanced Persistent Threat
TTP: Tactics, Techniques, and Procedures
OODA loop: observe, orient, decide, act
An actor who can run this cycle quickly, observing and reacting to unfolding events more rapidly than an opponent, can thereby "get inside" the opponent's decision cycle and gain the advantage.

Information Handling

Hacker Steps

Microsoft Security Video

BlueHat IL 2018 - John Lambert - The New Paradigm of Security Controls (10:18 start)