A TO Z GLOSSARY
Access Brokers
An individual or group that uses a variety of attack vectors or exploits vulnerabilities to quietly gain access to corporate networks or systems. The ‘access’ is then advertised and sold online by the ‘Access Brokers’ to threat groups looking for initial access into the network of their desired target.
Common approaches used: Brute Force attacks, Stolen Credentials, Web Shells
Botnet
A network of computers that have been infected by malware and are controlled remotely to carry out a variety of commands. These commands range from small tasks to large-scale coordinated cybercriminal activity.
Common approaches used: File Sharing, Email, Cracked Software
Business Email Compromise
An attack vector that leverages user trust and business processes being conducted via email; threat actors impersonate business representatives to scam organisations financially. The compromised mailbox may also be used to target the supply chain of the organisation whose email was initially compromised.
Common approaches used: Email scams using similar names, domains or fake logos to pose as legitimate organisations, often sent from compromised email accounts.
An intentional malicious act of clicking on Pay-per-click (PPC) ads to inflate a site’s apparent value or to exhaust an organisation’s advertising budget. There is no intention of purchasing, and no interest in the ad.
Common approaches: A compromised computer operated by a person, click farms designed to click ads, competing businesses targeting your organisation, or a program or automated script posing as a legitimate user.
Services that are considered critical to the normal function of society. If impacted, degraded or made unavailable for an extended period of time, significant impacts to the social or economic wellbeing of the nation would likely occur. Examples include utilities such as electricity, water, gas and communications.
Command and Control (C2)
C2, or command-and-control, is the channel by which threat actors establish direct communication with an infected computer to take full control of the device, issue commands and run code. It can spread through an entire organisation’s network, creating a botnet.
Access points: Phishing email, security holes and vulnerabilities, infected software
Distributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) is a method of attack that floods a site with connection requests from a network of compromised systems, resulting in website or server crashes and slowdowns. Threat actors may use DDoS to extort organisations by threatening to attack them, using a small DDoS outage or a brief large-scale attack to prove their capability.
Attack surface: Internet-facing systems
Common approaches: Vulnerabilities in networking or application protocols, Botnets
Darknet Markets
Darknet Markets are untraceable e-commerce sites that lie beyond regular search engine reach. Sites are often hosted over multiple encrypted servers and accessible only via specialised identity-cloaking mechanisms. Their primary function is as an ‘online black market’ where cybercriminals can obtain illegal goods such as stolen credentials, counterfeit currency, cyber-arms, access to organisations, and drugs.
Exploit Brokers
Exploit brokers are individuals or organisations that buy and sell exploits for software vulnerabilities. They often walk a fine line between perfectly legal, illegal or somewhere in between, depending on who is buying.
Forums / cyber-crime forums
An online forum that focuses on and specialises in cybercrime and internet fraud. Topics include hacking, identity theft, phishing, pharming, malware attacks and spam.
Virtual gambling conducted on the internet. These gambling sites are either legal, holding some form of licence to operate and protect customer information with proper security controls, or illegally run with limited or no protection for their customers. They are a prime target for threat actors and groups to gain credentials and generate funds.
Exploits used: DDoS or Ransomware attacks, Scraping, SQL injection, Account Takeovers, Identity Theft and Fraud
Harvesting Credentials
The process of gathering compromised user accounts for an organisation through various sophisticated attack vectors and technologies such as phishing campaigns, MITM attacks or DNS poisoning. The goal of harvesting credentials is to gain access to, and collect, large volumes of individual credentials for malicious use.
Common exploits used: Phishing, Man in the middle, DNS attack, Password Dump
Intrusion Detection System
A device or software application that enables security teams to monitor networks for malicious activity and policy violations. Strategically placed Intrusion Detection Systems (IDS) analyse passing traffic and match it against a library of known attacks to determine whether an alert should be raised for abnormal behaviour that could indicate an actual attack.
Journalists are... you know what journalists are. However, in terms of cybersecurity, they are often primary targets due to their access to sensitive information and persons. Journalists are frequent targets of cyberespionage, of government-backed cybercriminals who use identity theft to plant and spread false stories and information in the news, and of attackers seeking access to organisations and politicians through them.
Approaches used: Phishing, social engineering, zero-day exploits, mobile phone compromise
A ‘blackhat’ SEO technique frequently used to add links to the website or service being promoted. These links are submitted to any public form that accepts user submissions which the application will save and display, in order to get them noticed by search engines. This can include forums, comments on articles or blogs, or ‘guestbook’ entries.
The process of mining cryptocurrencies using high-powered computers that solve cryptographic equations. This activity has in recent years seen a significant increase in prevalence, as desktop computers with high-powered graphics cards are able to reliably mine substantial amounts of cryptocurrency in relatively short timeframes.
When a server or website hosts malware for download. These hosted files are often payloads for trojan downloaders or are disguised as legitimate files.
Network Access Control
A set of protocols to ensure policies are implemented to keep unauthorized users and devices out of private networks.
The free anti-virus software commonly bundled with a hardware purchase, promising that it will solve all your security problems. This software is not intended for securing corporate ICT environments and data.
Open Source Intelligence (OSINT)
Data and information found in publicly available sources. Collecting this type of information is perfectly legal; however, OSINT is commonly conducted by malicious actors during reconnaissance, before launching a cyberattack on the target. OSINT enables the attacker to understand their target closely and to craft messaging or choose attack vectors more likely to result in a positive outcome for the threat actor.
Phishing
Phishing is a social engineering attack that uses disguised emails or websites as weapons, tricking users into trusting the source and giving away personal information or credentials. Phishing is commonly used as an initial step in an attacker’s plan to gain access or cause malicious damage, such as delivering malware (see Malware for more information).
An online scam that promotes the sale of health and medical products, either as a miracle cure, without the need for a prescription, or by taking payment for a product that is never delivered. Threat actors often set up legitimate-looking websites and use popular social networks to deliver authentic-looking email notifications for unsuspecting users to click on.
Attacks used: Phishing, Social Engineering, Identity Theft, Stolen Credentials
Quantum Cryptography
A broad term for a mostly theoretical field of computational science that focuses on exchanging information between two parties securely. The underlying principle is that if an attacker attempts to observe communications between two parties, the act of observing modifies the communications, which alerts the communicating parties that their communications are being intercepted. There are currently a number of practical limitations on performing quantum cryptographic operations; however, should they be overcome, they would represent a significant leap forward in state-of-the-art secure communications.
Ransomware
Ransomware attacks commonly prevent users from accessing networks or files, with the intention of causing disruption for the victim organisation. These attacks go hand-in-hand with financially motivated cybercriminals, who hold files or network access for ransom until payment is provided. Attackers are now using a double extortion model that seeks payment both for restoring the organisation’s access to its environment and for non-disclosure of the information taken.
Spam Services
Spam services are designed to filter out and identify malicious emails from threat actors looking to deliver dangerous content. Spam services can use different filtering methods.
Common associated attacks: Phishing, Social Engineering, Identity Theft
Supply Chain Attack
A supply-chain attack, or third-party attack, is the sophisticated process of attacking an organisation by infiltrating an outside partner or supplier with access to the organisation’s data and systems.
Common associated attacks: Phishing, Social Engineering, Identity Theft, Stolen Credentials
An attack method of taking over an account through control of an individual’s phone number. Threat actors typically use social engineering or identity theft against telecommunication providers in order to take over the targeted number. The phone number can then be used to receive password resets or SMS 2FA tokens for the targeted victim.
Common associated attacks: Phishing, Social Engineering, Identity Theft, Stolen Credentials
Tor (The Onion Router)
Tor (The Onion Router) is free, open-source software that enables secure and anonymous communication. It is designed to conceal user locations and browsing activity from anyone conducting network surveillance.
User credential stuffing/User credential lists
An attack vector that utilises stolen usernames and passwords from one organisation to access accounts at another organisation. These stolen credentials are often gained through a breach or purchased from the dark web. The user credential lists can be added to botnets to automate the process of attempting access through multiple sites at speed.
A type of environment scanning or testing that enables organisations to identify and understand weaknesses in systems such as infrastructure and applications. Vulnerability identification is commonly an initial step taken by threat actors to locate an initial access point for further exploitation.
Virtual Goods Theft
The act of stealing or illegally acquiring intangible objects such as items in online games or virtual gift cards sent via email. Virtual items have value as they are purchased with real forms of currency and can readily be used or re-sold.
Common associated attacks: Phishing, Malware, Social Engineering, Stolen Credentials
Web Application hacking
The exploitation of web applications via HTTP/HTTPS. Common attack vectors used: SQL Injection attacks, Cross Site Scripting (XSS), Server Side Request Forgery (SSRF) and XML External Entity (XXE) attacks.
Warez
Slang for software that has been pirated and distributed on the internet. Warez can contain malware that allows threat actors to gain unauthorised entry into networks and systems.
Your personal information can come in many forms, from obvious things like identity information (name, date of birth, identity documents, etc.) to less obvious things such as personal opinions on sensitive topics such as politics, religion and sexual orientation. Almost all information submitted to websites is stored and kept, either for analytics and marketing purposes or to personalise the site experience. This information is frequently stolen and/or traded by both criminals and ‘legitimate’ businesses alike, and can easily be used for criminal activities such as identity theft.
Zero-day Brokers
An individual or organisation that creates and sells malware to threat actors who intend to exploit specific target organisations or individuals using a vulnerability that is unknown or has no patch. Both illegal and legal zero-day broker services exist, with prices varying significantly depending on the software being exploited and the quality and reliability of the exploit.