This glossary has been reproduced with permission from the National White Collar Crime Center (NW3C). Click on a letter below to navigate alphabetically.
A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z
A
Term |
Definition |
Advanced Persistent Threat (APT) |
1) An advanced persistent threat is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The purpose of an APT attack is to steal data rather than to cause damage (Rouse).2) APT are well funded, organized groups of attackers. They are not “hackers”. Their motivation, techniques and tenacity are different. They are professionals, and their success rate is impressive. The APT successfully compromises any target it desires. Conventional information security defenses don’t work. The attackers successfully evade anti-virus, network intrusion detection and other best practices. They can even defeat incident responders, remaining undetected inside the target’s network, all while their target believes they’ve been eradicated (Mandiant, 2010). |
American Standard Code for Information Interchange (ASCII) |
A 7-bit character code where every single bit represents a unique character (The ASCII Group Inc). Examples of ASCII would be the letters A-Z and the numbers 0-9 as well as the symbols found on a standard keyboard. See also Unicode and Hexadecimal. |
ARP |
See ARP Table (Cache) |
ARP Cache Poisoning Attack |
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol (Veracode, 2015). |
ARP Table (Cache) |
The table that the Address Resolution Protocol uses. Contains a list of known TCP/IP addresses and their associated physical addresses. The table is cached in memory so that ARP lookups don’t have to be performed for frequently accessed addresses (Dulaney, 2009). See also Media Access Control (MAC). |
Attack Surface |
We can define attack surface as our exposure, the reachable and exploitable vulnerabilities that we have (Northcutt, 2011). |
Attack vector |
An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome (TechTarget SearchSecurity). |
Attribution |
Determining the identity or location of an attacker or an attacker’s intermediary. A resulting identity may be a person’s name, an account, an alias, or similar information associated with a person. A location may include physical (geographic) location, or a virtual location such as an IP address or Ethernet address (Wheeler & Gregory, 2007). |
Availability |
The ability of a resource to be accessed, often expressed as a time period. Many networks limit users’ ability to access network resources to working hours, as a security precaution (Dulaney, 2009). See also CIA Triad |
B
Banking Trojan |
Banking Trojans are among the stealthiest of all Trojans. After a banking Trojan infects a Web browser, it will lie dormant, waiting for the computer’s user to visit his or her online banking website. Once that happens, the Trojan silently steals the bank-account username and password and sends it to a computer controlled by cybercriminals, sometimes halfway around the world (Brooks, 2014). |
Barnyard2 |
Barnyard2 is an open source interpreter for Snort unified2 binary output files. Its primary use is allowing Snort to write to disk in an efficient manner and leaving the task of parsing binary data into various formats to a separate process that will not cause Snort to miss network traffic (Firnsy, 2013). See also Snort, Oinkcode, Pulledpork |
Baseline |
Hardware, software, databases, and relevant documentation for an information system at a given point in time (NIST, 2013). |
Beaconing |
In the world of malware, beaconing is the practice of sending short and regular communications from an infected host to an attacker-controlled host to communicate that the infected host malware is alive, functioning, and ready for instructions. Beacons often originate from infected internal enterprise hosts (e.g. bots or zombies) and are sent to command and control (C2 or C&C) servers outside the enterprise network. This “phone home” communication strategy allows botnet administrators to automatically track, manage, and control hundreds of thousands of infected hosts (VanBuskirk, 2014). |
BitTorrent Protocol |
BitTorrent (often abbreviated as BT) is a peer-to-peer (P2P) protocol (a description and set of rules on how to do things) created by Bram Cohen, designed to distribute data in such a way that the original distributor would be able to decrease bandwidth usage while still being able to reach at least the same amount of people (BItTorrent, Inc., 2014). See Also uTorrent, Torrents File. |
Botnet |
A malicious botnet is a network of compromised computers [zombies] that is used to transmit information, send spam, or launch denial-of-service (DoS) attacks. Essentially, a malicious botnet is a supercomputer created by and managed by a hacker, fraudster or cybercriminal (David Cowen, 2013). See also Zombie |
C
Cache poisoning |
Cache poisoning, also called domain name system (DNS) poisoning or DNS cache poisoning, is the corruption of an Internet server’s domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. At that point, a worm, spyware, Web browser hijacking program, or other malware can be downloaded to the user’s computer from the rogue location (Rouse, n.d.) |
Change Log |
1) A log that chronicles any changes made to a document, presentation, software applications, etc. Examples of some items programmers may wish to track include software version changes, program code changes, and meta data about files. Many open source tools list change logs on the download page to notify users and other developers of what has been updated in the latest version (NW3C, 2015).2) Microsoft sharepoint keeps track of all changes made to files (60 days by default). The change log is not a flat file stored somewhere on the file system, nor is it actually a single log. Every content database contains an EventCache table that is the “change log” for objects contained in the database. Each row in the table is an entry in the log. Columns in the table contain information such as the date and time of a change, the type of object that was changed, the nature of the change, and a unique identifier for the object. The change log keeps track of changes to: Items, files, and folders, List metadata, Site metadata, Security policy, users, and groups (Microsoft). |
CIA Triad |
The Network Security concepts of: Confidentiality, Integrity, and Availability. In this context, confidentiality is a set of rules that limits access to information, integrity is the assurance that the information is trustworthy and accurate, and availability is a guarantee of reliable access to the information by authorized people (TechTarget.com). See also Confidentiality, Integrity, and Availability |
Chief Information Security Officer (CISO) |
The CISO (chief information security officer) is a senior-level executive responsible for aligning security initiatives with enterprise programs and business objectives, ensuring that information assets and technologies are adequately protected (Rouse, CISO-chief-information-security-officer) |
CIRT |
See Computer Incident Response Team |
CISO |
See Chief Information Security Officer |
Cloud Based Storage |
Cloud storage is a service model in which data is maintained, managed and backed up remotely and made available to users over a network (typically the Internet) (Rouse, cloud storage). |
Cloud Computing |
As defined by the National Institute of Standards and Technology (NIST), a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computer resources (such as networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (David Cowen, 2013). |
Command and Control (C2) Server |
A command and control server (C&C server) is the centralized computer that issues commands to a botnet (zombie army) and receives reports back from the coopted computers (TechTarget). |
Compromised |
The disclosure of sensitive information to persons not authorized access or having a need-to-know (MS-ISAC). |
Computer Incident Response Team (CIRT) |
A CIRT is a carefully selected and well-trained group of people whose purpose is to promptly and correctly handle an incident so that it can be quickly contained, investigated, and recovered from. It is usually comprised of members from within the company (Borodkin, 2001). |
Confidentiality |
Assurance that data remains private and no one sees it except for those expected to see it (Dulaney, 2009). See also, CIA Triad |
Cyber Attack |
Any unauthorized intrusion into the normal operations of a computer or computer network. The attack can be carried out to gain access to the system or any of its resources (Dulaney, 2009). |
Cybersecurity |
The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation (US-CERT, 2015). |
Cyberspace |
The interdependent network of information technology infrastructures, that includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers (US-CERT, 2015). |
Cyber Warfare |
Cyber warfare involves the actions by a nation-state or international organization to attack and attempt to damage another nation’s computers or information networks through, for example, computer viruses or denial-of-service attacks (Rand Corporation, 2014). |
Cyber Weapon |
Cyber weapons are cyber means of warfare that are by design, use, or intended use, capable of causing either injury to, or death of, persons. The ‘Methods’ of cyber warfare are the cyber tactics, techniques and procedures, by which hostilities are conducted. An example of Means and Methods could be provided referring to a DDoS attack conducted using a Botnet. In this case the botnet is the ‘means’ of cyber warfare while the DDoS attack is the ‘method’ (Paganini, 2013). See Stuxnet |
D
Data Breach |
The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information (Department of Homeland Security). See also Exfiltration |
Data Integrity |
A quality that provides a level of confidence that data won’t be jeopardized and will be kept secret (Dulaney, 2009). See also CIA Triad |
Data Link Layer |
Layer 2 of the OSI Model. The Data Link layer describes the physical topology of a network (Dulaney, 2009). See also OSI Model |
Data Packet |
A unit of data sent over a network. A packet includes a header, addressing information of the source and destination, and the data itself (Dulaney, 2009). |
Dead Box Forensics |
Traditional forensics involving the analyzing and study of non-volatile data such as hard drives and USB drives from a shut-down machine (Amari, 2009). |
Denial of Service(DoS) |
The process of flooding a server (email, web or resource) with packets to use up bandwidth that would otherwise be allocated to normal traffic and thus deny access to legitimate users (David Cowen, 2013). |
Domain Name Service (DNS) |
Domain Name Service – A TCP/IP name resolution service that translates FQDN’s (Fully qualified domain name) into IP addresses (Curtis & Taylor, 2005). |
Dynamic Host Configuration Protocol (DHCP) |
A set of rules used by communications devices such as computers, routers, or network adapters to allow the device to request and obtain an IP address from a server that has a list of addresses available for assignment (US DOJ, 2008). |
DHCP Server |
A computer or other device, such as a router, tasked with assigning unique IP addresses and additional IP settings to devices on the network when they are requested. The IP addresses are leased for a period of time which is user defined, typically at least 24 hours (NW3C, 2015). |
Direct Kernel Object Manipulation (DKOM) |
Rootkit process hiding technique. Common method is to gain kernel level access and then change the forward link (flink) and backward link (blink) pointers in the link list for a specific _EProcess in order to hide it. Even though the process is hidden, the threads inside the process are scheduled and run by a different set of data structures in the kernel than what is listed in the link list, so they still execute. Attackers can start a packet sniffer or remote command shell and hide the process from the system’s administrator (Pomeranz, 2012). |
Distributed Denial-of-Service (DDoS) Attack |
A denial of service attack committed by thousands (or tens of thousands) of computers, all against a single target. |
DLL Injection |
DLL injection is the process of inserting code into a running process. The code is usually inserted in the form of a dynamic link library (DLL), since DLLs are meant to be loaded as needed at run time. However, this doesn’t mean one cannot inject assembly in any other form (executables, handwritten, etc.). It’s important to note that an appropriate level of privileges on the system is necessary to start [affect] another program’s memory (Foundstone, 2013). |
E
Encryption |
A network security measure in which information is encoded or scrambled prior to transmission so that it cannot be read unless the recipient knows the decoding mechanism, or key (Curtis & Taylor, 2005). |
Enterprise Network |
These networks have unlimited users, file server(s), IT Staff or Consultant, and multiple routers and/or switches. They will most likely have an SIEM, IDS/IPS, a firewall, and a CISO or someone acting in the CISO capacity (NW3C, 2015). |
Ethernet |
A LAN technology used for connecting computers and servers in the same building or campus (Curtis & Taylor, 2005). |
Exfiltration |
The unauthorized transfer of information from an information system (Department of Homeland Security). See also data breach |
External Logs |
Logs kept in a location other than on the victim or suspect network, (i.e. Call Detail Logs, Alarm Company Logs, Utility Company Logs, ISP records, etc) (NW3C, 2015). |
F
FTP |
See File Transfer Protocol. |
File System Forensics |
Analysis of the File System for artifacts related to how files are stored and retrieved from the storage media, and recovery of the file content (NW3C, 2015). |
File Transfer Protocol |
A service that enables computers to transfer and store data files to and from FTP servers quickly using the FTP protocol. The FTP service is built into all modern network operating systems (Meyers, Network+ Certification All-In-One Exam Guide Third Edition, 2004). |
Firewall |
A security system that uses hardware and/or software mechanisms to prevent unauthorized users from accessing an organization’s internal computer network (MS-ISAC). |
Firewall Log |
A log of activity encountered by a firewall. The log may contain ip addresses and ports of the offending computer as well as the compromised (or attempted compromised) device, as well as other information depending on the manufacturer (NW3C, 2015). |
Footprint |
The changes in data caused by an intruder or investigator accessing files and running applications or processes on a target computer or network (NW3C, 2015). |
Forensics |
The practice of gathering, retaining, and analyzing computer-related data for investigative purposes in a manner that maintains the integrity of the data (NIST, 2013). |
G
Gateway |
A gateway is a network point that acts as an entrance to another network (Rouse, gateway definition). Commonly a router connecting a private network to the Internet. |
Guest Machine |
A guest virtual machine (guest VM) is the software component of a virtual machine (VM), an independent instance of an operating system (called a guest operating system) and its associated software and information (Rouse, guest-virtual-machine-guest-VM). |
H
Hacker |
Generally used to refer to someone who gains access to a system, software, or hardware without permission. Also can be called a cracker (Dulaney, 2009). |
Hacktivist |
Hacktivists form a small, foreign population of politically active hackers that includes individuals and groups with anti-U.S. motives. They pose a medium-level threat of carrying out an isolated but damaging attack. Most international hacktivist groups appear bent on propaganda rather than damage to critical infrastructures. Their goal is to support their political agenda. Their sub-goals are propaganda and causing damage to achieve notoriety for their cause (Wheeler & Gregory, 2007). |
Hashing |
The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data (NIST, 2013). |
Hexadecimal |
A notational numbering system that assigns 16 separate alphanumeric values to represent the first 16 half-bytes of binary data. Hexadecimal numbers can include the alphanumeric values from 0 to 9 and A to F (Curtis & Taylor, 2005). See also ASCII, Unicode |
Home Network |
Generally a small network with few users. Most often has one router to connect the devices to each other and to the Internet. Accessed by wired and/or wireless devices. Usually will not have a server in this type of network (NW3C, 2015). |
Honeypot |
A system (e.g., a Web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders and has no authorized users other than its administrators.(NIST, 2013). |
Host Machine |
A host virtual machine is the server component of a virtual machine (VM), the underlying hardware that provides computing resources to support a particular guest virtual machine (guest VM) (Rouse, host-virtual-machine-host-VM). |
HTTP |
Hyper Text Transfer Protocol. An extremely fast protocol used for network file transfers in the WWW environment (Meyers, 2004). |
HTTPS |
Hyper Text Transfer Protocol Over SSL. A secure form of HTTP, used commonly for Internet business transactions or any time where a secure connection is required (Meyers, 2004). See also HTTP and SSL |
Hub |
A networking device used to connect the drops [devices] in a physical star topology network into a logical bus topology. Hubs can be active or passive (Curtis & Taylor, 2005). |
HUMINT |
Human Intelligence (HUMINT) is the collection of information from human sources. The collection may be done openly, as when FBI agents interview witnesses or suspects, or it may be done through clandestine or covert means (espionage). Within the United States, HUMINT collection is the FBI’s responsibility. Beyond U.S. borders, HUMINT is generally collected by the CIA, but also by other U.S. components abroad. Although HUMINT is an important collection discipline for the FBI, we also collect intelligence through other methods, including SIGINT, MASINT, and OSINT (FBI). |
I
IEEE 802.11 |
A family of IEEE standards that extend the common wired Ethernet local network standard into the wireless domain. The 802.11 standards are widely known as “Wi-Fi” because the Wi-Fi Alliance provides certification for 802.11 products. There have been four major 802.11 standards designated with letter suffixes (a, b, g and n); the latest and fastest being 802.11n (the slowest is 802.11b, and the two medium speed are 802.11a and 802.11g) (PCmag Encyclopedia, n.d.). |
IEEE 802.3 |
The IEEE (Institute of Electrical and Electronic Engineers) standard for CSMA/CD local area network access method, which is used in Ethernet, the most common LAN technology. Following are the major Ethernet standards (10Base-T, 100Base-T, Gigabit Ethernet and CSMA/CD) (PCmag Encyclopedia, n.d.). |
Image |
An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures that the information is not altered. SOURCE: SP 800-72 (NIST, 2013). |
IMAP4 |
See Internet Message Access Protocol |
IDS |
See Intrusion Detection System |
Incident |
An occurrence that actually or potentially results in adverse consequences to (adverse effects on) (poses a threat to) an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences. An occurrence that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies (Department of Homeland Security). |
Incident Response |
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs (Rouse, incident response). |
Indicators of Compromise |
Specific artifacts left by an intrusion, or greater sets of information that allow for the detection of intrusions or other activities conducted by attackers. The term is also used as the name for a file in the OpenIOC format that contains a set of data. The file extension for such files is .ioc Mandiant uses OpenIOC Rules (OpenIOC, 2015). See also YARA Rules |
Insider Threat Attack |
An insider threat is a malicious hacker (also called a cracker or a black hat) who is an employee or officer of a business, institution, or agency. The term can also apply to an outside person who poses as an employee or officer by obtaining false credentials. The cracker obtains access to the computer systems or networks of the enterprise, and then conducts activities intended to cause harm to the enterprise (Rouse, insider-threat). |
Integrity |
See Data Integrity. See also CIA Triad |
Internet Message Access Protocol, Version 4 |
A protocol with a store-and-forward capability. It can also allow messages to be stored on an e-mail server instead of downloaded to the client (Dulaney, 2009). |
Internet Protocol (IP) |
Found in the TCP/IP protocol, IP is responsible for the addressing and routing of data to the remote system – addressing meaning that IP is responsible for sort of addressing scheme used to identify each system on the network (or Internet) and for determining that address is used to route the data to the destination (Schwarz & Clark, 2005). |
Internet Service Provider (ISP) |
An organization that provides Internet access (MS-ISAC). |
Intrusion |
Definition: An unauthorized act of bypassing the security mechanisms of a network or information system (Department of Homeland Security). Synonym(s): penetration |
Intrusion Detection |
The process and methods for analyzing information from networks and information systems to determine if a security breach or security violation has occurred (US-CERT, 2015). |
Intrusion Detection System (IDS) |
Software that automates the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents (Scarfone & Mell, 2007). |
Intrusion Protection System (IPS) |
Software that has all the capabilities of an intrusion detection system and can also attempt to stop possible incidents. Also called an intrusion detection and prevention system (Scarfone & Mell, 2007). |
IP |
See Internet Protocol |
IP Address |
A 32-bit binary number that uniquely identifies a host connected to the Internet or to other Internet hosts for communication through the transfer of data packets. An IP address is expressed in “dotted quad” format consisting of decimal values of its four bytes separated with periods, e.g.,127.0.0.1 (US DOJ, 2008). |
IPS |
See Intrusion Protection System |
ISP |
See Internet Service Provider |
J
Jump Lists |
Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that used to open them. Users can use Jump Lists to open items, and can also pin favorites to a Jump List for quick access to items used frequently (Microsoft). |
K
Kali |
Kali Linux is an advanced penetration testing & security auditing Linux distribution. Kali is a complete re-build of BackTrack Linux (Cowen, 2014). |
Kernel |
The core of most operation systems, which controls hardware, performs low-level functions and manages tasks and user scheduling (Curtis & Taylor, 2005). |
Kernel Mode |
All code that runs in kernel mode shares a single virtual address space. This means that a kernel-mode driver is not isolated from other drivers and the operating system itself. If a kernel-mode driver accidentally writes to the wrong virtual address, data that belongs to the operating system or another driver could be compromised. If a kernel-mode driver crashes, the entire system crashes (Microsoft). |
Keylogger |
Software or hardware that tracks keystrokes and keyboard events, usually surreptitiously / secretly, to monitor actions by the user of an information system (Department of Homeland Security). |
Kinetic Attack |
Kinetic Cyber refers to a class of cyber-attacks that can cause direct or indirect physical damage, injury or death solely though the exploitation of vulnerable information systems and processes (Applegate, 2013). |
L
Live Response |
Responding to a computer incident and working with live machines and networking data to collect volatile information for a security event investigation (NW3C, 2015). See Also Incident Response |
Live Triage |
A systematic approach to the collection of volatile data from a compromised machine (NW3C, 2015). |
Log Analysis |
The process of examining the logs created by various processes and applications, either manually or with automated tools, to determine if incidents or attacks have been perpetrated or attempted against the computer or network in question (NW3C, 2015). |
Logical |
Logic in areas of Computer Science – architecture (logic gates), software engineering (specification and verification), programming languages (semantics, logic programming), databases (relational algebra and SQL), artificial intelligence (automatic theorem proving), algorithms (complexity and expressiveness), and theory of computation (general notions of computability) (http://www.cs.rice.edu/~vardi/comp409/). |
Login Sessions |
When a user connects to a computer or server over a network or the Internet, a login session is created and may be available in various logs such as Windows Event Logs, server logs, or network traffic logs (NW3C, 2015). |
M
MAC Address |
Also known as the hardware address or ether-net address. A unique identifier specific to the network card inside a computer. Allows the DHCP server to confirm that the computer is allowed to access the network. MAC addresses are written as XX–XX–XX–XX–XX–XX, where the Xs represent digits or letters from A to F (US DOJ, 2008). |
MAC Address Filtering |
MAC address filtering (aka link-layer filtering) is a feature for IPv4 addresses that allows you to include or exclude computers and devices based on their MAC address (Microsoft). See MAC Address |
MAC layer |
Media Access Control layer – The lower sublayer of the data-link layer in the OSI model and is responsible for moving data packets to and from one Network Interface Card (NIC) to another across a shared channel (Curtis & Taylor, 2005). |
Malware |
Software that compromises the operation of a system by performing an unauthorized function or process (Department of Homeland Security). |
Malware Analysis |
Analysis of malicious code to identify its purpose and payload on an affected system or network using various tools and techniques (NW3C, 2015). |
Man-in-the-Middle |
An attack that occurs when someone or something that is trusted intercepts packets and retransmits them to another party (Dulaney, 2009). |
Master File Table (MFT) |
The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. All information about a file, including its size, time and date stamps, permissions, and data content, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries (Microsoft). |
Memory Forensics |
Analysis of collected memory using various tools and techniques to carve artifacts for an incident response investigation (NW3C, 2015). |
Memory Injection |
Code injected into the memory of a running process by an attacker, compromising the integrity of the system (NW3C, 2015). See also DLL Injection |
Mutually Exclusive |
Also, called mutex, is an executive object, typically used for interprocess synchronization that can be owned by only one process at a time. Malware variants create mutexes with predefined or pseudorandomly generated names such that other variants of the same malware can determine whether they have already infected a particular system. If the predefined mutex exists, there is no need to reinfect (Ligh, Case, Levy, & Walters, 2014, p. 434). See also Atoms |
N
Nation-State |
A political, economic, social and cultural actor in the international system. The modern nation-state refers to a single or multiple nationalities joined together in a formal political union. The nation-state determines an official language(s), a system of law, manages a currency system, uses a bureaucracy to order elements of society, and fosters loyalties to abstract entities like “Canada,” “the United States,” and so on (Townsend University, 2015). See also Nation, State |
Network Interface Card (NIC) |
A physical device that connects computers and other network equipment to the transmission medium (Dulaney, 2009). |
Network Layer |
Layer 3 of the OSI Model. Responsible for logical addressing and translating logical names into physical addresses. This layer controls the routing of data from source to destination as well as building and dismantling of packets (Curtis & Taylor, 2005). See also OSI Model |
Non-Public Information (NPI) |
Nonpublic personal information, the category of information protected by the privacy rule, consists of: Personally identifiable financial information that is not publicly available information; and lists, descriptions, or other groupings of consumers that were either created using personally identifiable financial information that is not publicly available information, or contain personally identifiable financial information that is not publicly available information (FDIC, 2001). |
Non-volatile Data |
Data that persists even after a computer is powered down (NIST, 2006) |
O
Open Files |
Files open at the time of examination of a suspected compromised computer. It should be determined who or what process or program opened the files and for what purpose (NW3C, 2015). |
Operating System Time |
System time is the current date and time of day. The system keeps time so that your applications have ready access to accurate time. The system bases system time on coordinated universal time (UTC). UTC-based time is loosely defined as the current date and time of day in Greenwich, England (Microsoft). |
Opportunistic Attack |
Typically a web-based attack on a network in which the attacker did not necessarily plan the attack. Instead the attacker was out “trolling” the Internet and found a vulnerability. Often the attacker is motivated by curiosity, showing off for friends, or is a “Script Kiddie” honing skills (NW3C, 2015). |
OSI Model |
Open Systems Interconnection Model – A seven layer framework for defining how a network handles data packets. The ISO began development of the OSI model in the early 1980 (Curtis & Taylor, 2005). |
OSINT |
Open-Source Intelligence (OSINT) refers to a broad array of information and sources that are generally available, including information obtained from the media (newspapers, radio, television, etc.), professional and academic records (papers, conferences, professional associations, etc.), and public data (government reports, demographics, hearings, speeches, etc (FBI). |
P
Packet Capture File |
A network traffic capture file. The default trace file format .pcap was for Wireshark before version 1.8. The .pcap also refers to the tcpdump or libpcap trace file format. The newer version .pcapng, also denoted as .pcap-ng (.pcan-Next Generation), is the successor to the .pcap format. The .pcapng format facilitates saving metadata such as packet and trace file comments, local interface details, and local IP address, with a trace file (Chappell, 2013, p. 337). |
Packet Sniffing |
Using a utility (sniffer) to capture data on the network to a buffer or a file for later review and filtering. This process can be useful for network troubleshooting, monitoring, and for capturing any type of data (Casad, 2001). |
Pagefile.sys |
A file used by the operating system to store information from RAM until it is needed. This makes more RAM available for programs actively in use. Memory content is transferred back and forth as needed in blocks called “pages”. The default size of the Pagefile.sys is 1.5 times the system RAM, although a user can adjust the size or even disable paging. There may be information in Pagefile.sys that is no longer available other places. Also called “swapfile” in earlier versions of Windows (NW3C, 2015). |
Payment Card Industry Data Security Standard (PCI DSS) |
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Instituted by credit card industry itself, not law (PCI Complicance Guide, 2014). |
Personally Identifiable Information (PII) |
Information security and privacy fields as any piece of information which can potentially be used to uniquely identify, contact, or locate a single person. PII can include: national identification numbers, street addresses, driver’s licenses, telephone numbers, IP addresses, email addresses, vehicle registrations, and ages (Intrusion, 2006). |
Phishing Attack |
A Phishing attack is an attempt by a malicious actor to entice a victim into clicking on a link that appears to originate from a legitimate site, but actually performs a malicious action. Typical phishing attacks attempt to infect computers with malware (Security, 2012). |
Physical Image |
Imaging media in its entirety from the first bit to the last bit in exactly a bit-for-bit order (NW3C, 2015). |
Physical Layer |
Layer 1 of the OSI Model. The physical layer defines the network standard relating to electrical signal, connectors, and media types and the way that data is placed on the network media (Meyers, Mike Meyer’s Network+ Certification Passport, 2005). |
Post Office Protocol V3 (POP3) |
POP3 (Post Office Protocol 3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server (Rouse, POP). |
Port |
The endpoint of a logical connection that client computers use to connect to specific server programs (Curtis & Taylor, 2005). |
Process |
A process is a container for a set of resources used to execute a program (Russinovich & Margosis, Windows Sysinternals Administrator’s Reference, 2011). |
Process ID (PID) |
A unique identifier for a process (Dulaney, 2009). |
Pulledpork |
PulledPork is a helper script that will automatically download the latest rules for Snort. PulledPork will determine a version of snort (CISCO, 2014). See also Barnyard2, Oinkcode, Snort |
R
Radiotap Header |
Within 802.11 Wifi packets, signal strength db and dbm, noise level, signal quality, TX, and other values are contained within the Radiotap header. Technically signal strength is contained in Beacon frame; therefore Radiotap header is in the Beacon frame. The data must be captured in monitor mode. Analyzing the Radiotap header in Wireshark or other network analysis tools can reveal rogue wireless devices (Li & Fu, 2012). |
RAM |
Random Access Memory is used by the computer to hold temporary instructions and data needed to complete tasks. This process enables the computers CPU to access instructions and data stored in memory very quickly and thus speed up processing time for the user (Hansche, Berti, & Hare, 2004). |
RAM Dump |
Provides information about the last state of the programs, applications and system before they were terminated or crashed. This information consists of memory locations, program counters, program state and other related details. |
Recon Active Reconnaissance |
Active reconnaissance is a type of computer attack in which an intruder engages with the targeted system to gather information about vulnerabilities (TechTarget). |
Recycle Bin |
the Windows Recycle Bin acts as a repository for files deleted by the user through normal means, such as hitting the Delete key or right-clicking the file and selecting “Delete” from the context menu (files deleted from remote shares or from the command line are not sent to the Recycle Bin) (Carvey, 2014, p. 94). |
Remote Access (Administration) Trojan (RAT) |
A remote access (administration) Trojan (RAT) is a malware program that gives an intruder administrative control over a target computer. RATs are usually downloaded invisibly with a user-requested program — such as a game — or sent as an email attachment. Once the host system is compromised, the intruder may use it to distribute more RATs for a botnet (Rouse, RAT-remote-access-Trojan). |
Restore Points |
A restore point is a representation of a stored state of a computer’s system files. A user can use a restore point to restore your computer’s system files to an earlier point in time. Restore points are automatically created by System Restore weekly and when System Restore detects the beginning of a change to a computer, such as when installing a program or a driver (Microsoft). |
Rootkit |
A collection of tools used by hackers to cover their intrusion into a computer system or a network and to gain administrator-level access to the computer or network system. Typically, a back door is left for the intruder to reenter the computer or network at a later time (David Cowen, 2013). |
Router |
A device that connects two or more networks and allows packets to be transmitted and received between them. A router determines the best path for data packets from source to destination (Dulaney, 2009). |
Router Log |
A log of the activities occurring in a router. Fields may include ip address assignments, failed attempts to log into the router, access from the internet to the local network, ports used to access devices on the network, time of last log deletion, and other activities based on manufacturer of the router (NW3C, 2015) |
Routing Table |
A table that contains information about the locations of other routes on the network and their distance from the current router (Dulaney, 2009). |
Running Processes |
A process is a container for a set of resources used when executing the instance of a program that has been started (Russinovich & Solomon, Windows Internals, Part 1, 2012). Many tools including Windows SysInternals Process Explorer display all running processes (Russinovich, Process Explorer v16.04, 2014). These tools can be used to identify suspicious processes, and then followed up on with an online process library to learn research its reputation. |
S
Sandboxing |
1) A method of isolating application modules into distinct fault domains enforced by software. The technique allows untrusted programs written in an unsafe language to be executed safely within the single virtual address space of an application. Untrusted machine interpretable code modules are transformed so that all memory accesses are confined to code and data segments within their fault domain. Access to system resources can also be controlled through a unique identifier associated with each domain (NIST SP 800-19).2) A restricted, controlled execution environment that prevents potentially malicious software, such as mobile code, from accessing any system resources except those for which the software is authorized (NIST, 2013). |
Script Kiddy |
Script kiddy (sometimes spelled kiddie) is a derogative term, originated by the more sophisticated crackers of computer security systems, for the more immature, but unfortunately often just as dangerous exploiter of security lapses on the Internet (TechTarget, 2014). Also referred to as Skid or lamer. |
Secure Shell (SSH) |
An application, similar to Telnet, that allows a session to be opened on a remote host. SSH differs from Telnet in that it provides additional authentication methods and encryption for data as it traverses the network. SSH uses TCP/IP port 22 (Harwood & Bird, 2005). |
Secure Sockets Layer (SSL) |
A protocol that secures messages by operating between the Application layer (HTTP) and the Transport layer (Dulaney, 2009). |
Sensor |
A device that collects data from the data source and passes it on to the analyzer (Dulaney, 2009). |
Service Set Identifier |
The name of an access point or router. This can be changed by a user to identify a particular network. The SSID can be hidden or can be broadcast openly (NW3C, 2015). |
Services |
Microsoft Windows services, formerly known as NT services, enables the creation of long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface. These features make services ideal for use on a server or whenever there is a need for a long-running functionality that does not interfere with other users who are working on the same computer. Services can also be run in the security context of a specific user account that is different from the logged-on user or the default computer account (Microsoft). |
Session Layer |
Layer 5 of the OSI Model. The Session layer determines how two computers establish, use, and end a session. Security authentication and network naming functions required for applications occur here. The Session layer establishes, maintains, and breaks dialogs between two stations (Dulaney, 2009). See also OSI Model |
Setupapi Logs |
The Plug and Play (PnP) manager and SetupAPI log information about installation events in the device installation text log (SetupAPI.dev.log) and the application installation text log (SetupAPI.app.log). The device installation text log contains information about device and driver installations and the application installation text log contains information about application software installations that are associated with device driver installations (Microsoft). |
SIEM |
Security Information and Event Management (SIEM) is an approach to security management that seeks to provide a holistic view of an organization’s information technology (IT) security. SIEM combines SIM (security information management) and SEM (security event management) functions into one security management system. The acronym is pronounced “sim” with a silent e (TechTarget). |
SIGINT |
Signals Intelligence (SIGINT) refers to electronic transmissions that can be collected by ships, planes, ground sites, or satellites. Communications Intelligence (COMINT) is a type of SIGINT and refers to the interception of communications between two parties. U.S. SIGINT satellites are designed and built by the National Reconnaissance Office, although conducting U.S. signals intelligence activities is primarily the responsibility of the National Security Agency (NSA). The FBI collects SIGINT through authorized wiretaps and other electronic intercepts of information (FBI). |
Simple Mail Transfer Protocol |
(SMTP) is the standard protocol for e-mail communications. SMTP allows e-mail clients and servers to communicate with each other for message delivery (Dulaney, 2009). |
Six stages of cyber incident response |
Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned (aka follow-up) (SANS Institute, 2007) (IMSI for FCC, 2001). |
SMTP |
See Simple Mail Transfer Protocol |
Small Business Network |
Usually has approximately 10-20 users, may have more than one router and/or a router and switch. Most likely will have a file server and an IT staff or consultant. Accessed by wired and/or wireless devices (NW3C, 2015). |
Smart Appliance |
A network aware, and often Internet capable appliance which could pose a vulnerability point in a network (NW3C, 2015). |
Sniffer |
A computer that is configured with software to collect data packets off the network for analysis (David Cowen, 2013). |
Snort |
Snort is an open source intrusion prevention system for Fedora, FreeBSD, Centos, or Windows capable of real-time traffic analysis and packet logging into unified2 binary format (CISCO, 2014). See also Barnyard2, Oinkcode, Pulledpork |
Social Engineering |
The use of nontechnical means (usually person-to-person contact) to gain access to information systems (David Cowen, 2013)Any act that influences a person to take an action that may or may not be in their best interest (Social-Engineer.Inc.). |
Socket |
A socket is one endpoint of a two-way communication link between two programs running on the same network. A socket is bound to a port number so that the TCP layer can identify the application that data is destined to be sent to (Oracle, 2014). |
SSH |
See Secure Shell |
SSID |
See Service Set Identifier |
SSL |
See Secure Sockets Layer |
State |
A state refers to a legal/political entity that is comprised of the following: a) a permanent population; b) a defined territory; c) a government; and d) the capacity to enter into relations with other states (Townsend University). |
String |
A string in a program is a sequence of characters such as “the.” A program contains strings if it prints a message, connects to a URL, or copies a file to a specific location. Searching through the strings can be a simple way to get hints about the functionality of a program. For example, if the program accesses a URL, then the URL accessed can be found stored as a string in the program (Sikorski, 2012). |
Stuxnet |
In 2010, Symantec reported on a new and highly sophisticated worm,called Stuxnet. This worm became known as the first computersoftware threat that was used as a cyber-weapon. The worm wasspecifically designed to take control over industrial plant machinery and making them operate outside of their safe or normal performance envelope causing damage in the process. This was a first in the history of malware (McDonald, Murchu, Chien, & Doherty, 2013). |
Switch |
A networking device used to connect the drops [devices] in a physical star topology network into a logical bus topology. Unlike a hub, switches forward packets to only the correct port based on MAC addresses (Curtis & Taylor, 2005). |
T
Tactics, Techniques, and Procedures |
The Modus Operandi of an attacker or group of attackers. Sometimes called tools, tactics, and procedures (NW3C, 2015). |
Targeted Attack |
A targeted attack is one that seeks to breach the security measures of a specific individual or organization. Usually the initial attack, conducted to gain access to a computer or network, is followed by a further exploit designed to cause harm or, more frequently, steal data (TechTarget). |
TCP |
See Transmission Control Protocol |
Telnet |
Telnet is a user command and an underlying TCP/IP protocol for accessing remote computers. Through Telnet, an administrator or another user can access someone else’s computer remotely (Rouse, Telnet, n.d.). |
Threat |
A circumstance or event that has or indicates the potential to exploit vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society. Includes an individual or group of individuals, entity such as an organization or a nation), action, or occurrence (Department of Homeland Security). |
Torrents |
Files that use the BitTorrent protocol for peer-to-peer file sharing. See also BitTorrent Protocol, Torrents File |
Torrents File |
TORRENT is a file extension for a BitTorrent file format used by BitTorrent clients. Torrent files contain text and point out the trackers for a download to begin downloading from distributors (known as seeders) and requesting clients (known as leachers) (TechTarget). |
Traceback |
Any attribution technique that begins with the defending computer and recursively steps backwards in the attack path toward the attacker. Thus, traceback techniques are a subset of attribution techniques (Wheeler & Gregory, 2007). |
Transmission Control Protocol |
A host-to-host protocol for reliable communication in internetwork environments (Information Sciences Institute, University of Southern California, 1981). |
Transport Layer |
Layer 4 of the OSI Model. Transport layer is responsible for checking that the data packet created in the Session layer was received. If necessary, it also changes the length of messages for transport up or down the remaining layers (Dulaney, 2009). See also OSI Model |
Trojan |
A Trojan horse, or Trojan for short, is a piece of malware that pretends to be something benign, such a media player, an emailed file, a smartphone app or even a Web page. Users are deceived into opening the file, which in most cases installs the malware. A Trojan can masquerade as almost any sort of file. Image files, office documents, sound files or online games are some other common examples (Staff, 2014). |
TTP |
See Tactics, Techniques, and Procedures |
U
Unicode |
Windows differs from most other operating systems in that most internal text strings are stored and processed as 16-bit-wide Unicode characters. Unicode is an international character set standard that defines unique 16-bit values for most of the world’s known character sets (Russinovich & Solomon, Windows Internals, Part 1, 2012). See also ASCII, Hexadecimal |
URL Poisoning |
In URL poisoning, also nown as location poisoning, Internet user behavior is tracked by adding an identification (ID) number to the location line of the browser that can be recorded as the user visits successive pages on the site (Rouse, n.d.). |
V
Virtual Machine |
Virtualization is the simulation of the software and/or hardware upon which other software runs. This simulated environment is called a virtual machine (VM). There are many forms of virtualization, distinguished primarily by computing architecture layer. Each instance of an operating system and its applications runs in a separate VM called a guest operating system (NIST, 2007). |
VM |
See Virtual Machine |
Volatile Data |
Data on a live system that is lost after a computer is powered down (NIST, 2006). |
VulnerabilityScan |
The process where a computer or network is checked for security issues, missing patches or misconfigurations. The scan results are typically compiled into a report, identifying the vulnerability along with remediation steps to correct the issue (MS-ISAC). |
W
Wardriving |
The term war driving refers to driving around town with a laptop looking for WAPs that can be communicated with. The network card on the laptop is set to promiscuous mode, and it looks for signals coming from anywhere. After intruders gain access, they may steal Internet access or start damaging data (Dulaney, 2009). |
Watering Hole Attacks |
Consist of cyber spies using a particular website to infect every visitor of the website with a certain virus. From then on, the hackers use this virus to gain access into the compromised computers and access sensitive information (Duke University, n.d.) |
Wi-Fi |
Although it has commonly been believed that Wi-Fi stands for “Wireless Fidelity,” it actually does not (Pogue, 2012). Rather, Wi-Fi is a consumer brand identity for the IEEE 802.11 High Rate (HR) Standard (Wireless Ethernet Compatibility Alliance (WECA), 1999). It is typically used to refer to wireless networks and devices. |
Windows Registry Files |
The registry is a database in Windows that contains important information about system hardware, installed programs and settings, and profiles of each of the user accounts on a computer. Windows continually refers to the information in the registry (Microsoft). The files that make up the registry are: SAM, SECURITY, SOFTWARE, SYSTEM, and NTUSER.DAT (NW3C, 2015). |
Wireshark |
Previously known as “Ethereal”, Wireshark is a network utility that allows you to browse packets from both live networks and capture files. Network administrators use Wireshark to monitor and troubleshoot networks and to watch out for intrusion attempts. It is also a great tool to help one learn about the different network protocols (Wireshark.com). |
Worm |
Worms are very similar to viruses in that they are computer programs that replicate functional copies of themselves (usually to other computer systems via network connections) and often, but not always, contain some functionality that will interfere with the normal use of a computer or a program. Unlike viruses, however, worms exist as separate entities; they do not attach themselves to other files or programs. Because of their similarity to viruses, worms also are often referred to as viruses (Indiana university). |
Y
Yara_Rules |
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA analysts can create descriptions of malware families (or whatever they want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic (YARA, n.d.). See also OpenIOC |
Z
Zeus Botnet |
In 2005, a Russian hacker group known as UpLevel developed Zeus, a point-and-click program for creating and controlling a network of compromised computer systems, also known as a botnet. Five years of development later, the latest version of this software, which can be downloaded for free and requires very little technical skill to operate, is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information (Lemos, 2010). |
Zombie |
Zombies are a botnet of compromised hosts, controlled by a single entity, usually through the use of a server known as a botnet controller. The goal of a botnet is to compromise as many hosts as possible in order to create a large network of zombies that the botnet uses to spread additional malware or spam, or perform a distributed denial-of-service (DDoS) attack (Sikorski, 2012). |
References
• Amari, K. (2009, March 29th). Techniques and Tools for Recovering and Analyzing Data from Volatile Memory. Retrieved February 12th, 2015, from sans.org: http://www.sans.org/reading-room/whitepapers/forensics/techniques-tools-recovering-analyzing-data-volatile-memory-33049
• Applegate, S. D. (2013). The_Dawn_of_Kinetic_Cyber. Retrieved February 11th, 2015, from www.acadamia.edu: http://www.academia.edu/2376951/The_Dawn_of_Kinetic_Cyber
• BItTorrent, Inc. (2014, May 30). The Basics of BitTorrent. Retrieved from BitTorrent.com: http://help.bittorrent.com/customer/portal/articles/178790-the-basics-of-bittorrent
• Borodkin, M. (2001). computer-incident-response-team-641. Retrieved February 11th, 2015, from www.sans.gov: http://www.sans.org/reading-room/whitepapers/incident/computer-incident-response-team-641
• Brooks, C. (2014, March 12). What Is a Banking Trojan? Retrieved from tomsguide.com: http://www.tomsguide.com/us/banking-trojan-definition,news-18457.html
• Bunting, S. (2007). EnCase Computer Forensics: The Official EnCE – Encase Certified Examiner Study Guide. Wiley.
• Carvey, H. (2014). Windows Forensic Analysis Toolkit: Advanced Techniques for Windows 8. Elsevier Science.
• Casad, J. (2001). Sams Teach Yourself TCP/IP in 24 hours. Sams.
• Chappell, L. (2013). Wireshark 101 (First ed.). Protocol Institute.
• CISCO. (2014). Snort User’s Manual. Retrieved from The Snort Project: https://www.snort.org/
• Cowen, D. (2014). Kali Linux Documentation. Retrieved from Kali.org: http://docs.kali.org/introduction/what-is-kali-linux
• Curtis, N., & Taylor, P. J. (2005). Network+ Certification – A CompTIA Cerfification. ElementK.
• David Cowen, C. (2013). Infosec Pro Guide – Computer Forensics. McGraw Hill.
• Department of Homeland Security. (n.d.). Explore Terms: A Glossary of Common Cybersecurity Terminology. Retrieved November 14, 2014, from National Initiative for Cybersecurity Careers and Studies: http://niccs.us-cert.gov/glossary#exfiltration
• Duke University. (n.d.). Cyber Espionage and Social Media. Retrieved from duke edu: http://sites.duke.edu/bfs6/defining-terms-2/watering-hole-attacks/
• Dulaney, E. (2009). CompTIA Security+ Study Guide. Indianapolis: Wiley Publishing.
• FBI. (n.d.). Intelligence Collection Disciplines. Retrieved November 13, 2014, from fbi.gov: http://www.fbi.gov/about-us/intelligence/disciplines
• FDIC. (2001). Privacy Rule Handbook. Retrieved from Federal Deposit Insurance Corporation: https://www.fdic.gov/regulations/examinations/financialprivacy/handbook/
• Federal Reserve. (2015, Febuary 10). Automated Clearing House Services. Retrieved from Board of Governors of the Federal Reserve Bank: http://www.federalreserve.gov/paymentsystems/fedach_about.htm
• Firnsy. (2013). bardyard2. Retrieved from github: https://github.com/firnsy/barnyard2
• Foundstone. (2013, January 8). Windows DLL Injection Basics. Retrieved from Open Security Research: http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
• Grimes, R. (2011, October 25). Malware loves Windows Task Scheduler. Retrieved from Infoworld: http://www.infoworld.com/article/2621116/malware/malware-loves-windows-task-scheduler.html
• Hansche, S., Berti, J., & Hare, C. (2004). Official (ISC)2 Guide To The CISSP Exam. Auerbach.
• Harwood, M., & Bird, D. (2005). Network+ Exam Cram. Que Publishing.
• How-to Geek. (n.d.). Windows Memory Dumps: What Exactly Are They For? Retrieved from How-to Geek: http://www.howtogeek.com/196672/windows-memory-dumps-what-exactly-are-they-for/
• IMSI for FCC. (2001). FCC Computer Security Incident Response Guide. Retrieved from csrc.nist.gov: http://csrc.nist.gov/groups/SMA/fasp/documents/incident_response/Incident-Response-Guide.pdf
• Indiana university. (n.d.). Indiana Univerfsity Knowledge Base. Retrieved from https://iu.edu: https://kb.iu.edu/d/aehm
• Information Sciences Institute, University of Southern California. (1981, September). RFC793.pdf. Transmission Control Protocol. DARPA.
• InfoSec Institute. (n.d.). Debugging TLS Callbacks. Retrieved from Infosec Institute: http://resources.infosecinstitute.com/debugging-tls-callbacks/
• Intrusion. (2006). Compliance Commander Whitepaper. Retrieved from intrusion.com: http://www.intrusion.com/images/downloads/financial_services_compliance_whitepaper.pdf
• Koepi, D. (2013, September 14). Userassist Forensic. Retrieved from David Koepi: https://davidkoepi.wordpress.com/2013/09/14/userassist-forensic/
• Lemos, R. (2010, February 23). Rise of the Point-and-Click Botnet. Retrieved from MIT Technology Review: http://www.technologyreview.com/news/417657/rise-of-the-point-and-click-botnet/
• Li, H., & Fu, X. (2012). Cyber Forensics Laboratory. Retrieved from University of Mass. Lowell: http://ccf.cs.uml.edu/labs_fu/80211/802.11_lab.pdf
• Ligh, Case, Levy, & Walters. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory.
• Mandiant. (2010, March 17). M A N D I A N T M – T R E N D S, The Advanced Persistent Threat. Retrieved February 10, 2015, from Mandiant.com: https://dl.mandiant.com/EE/assets/PDF_MTrends_2010.pdf
• Mandiant. (2013, February). Mandiant APT1. Retrieved February 10, 2015, from Mandiant.com: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf
• McDonald, G., Murchu, L., Chien, E., & Doherty, S. (2013, February 16). Stuxnet 0.5: The Missing Link. Retrieved February 11, 2015, from Symantec: http://www.symantec.com/connect/blogs/stuxnet-05-missing-link
• Meyers, M. (2004). Network+ Certification All-In-One Exam Guide Third Edition. McGraw-Hill.
• Meyers, M. (2005). Mike Meyer’s Network+ Certification Passport. Emeryville: McGraw-Hill.
• Microsoft. (n.d.). creat a-restore-point. Retrieved from microsoft.com: http://windows.microsoft.com/en-us/windows7/create-a-restore-point
• Microsoft. (n.d.). Enable and Configure MAC Address Filtering. Retrieved from msdn.microsoft.com: https://msdn.microsoft.com/en-us/ff521761
• Microsoft. (n.d.). Introduction to Windows Service Applications. Retrieved February 12th, 2015, from microsoft.com: https://msdn.microsoft.com/en-us/library/d56de412%28v=vs.110%29.aspx
• Microsoft. (n.d.). Master File Table. Retrieved from msdn.microsoft.com: https://msdn.microsoft.com/en-us/library/windows/desktop/aa365230(v=vs.85).aspx
• Microsoft. (n.d.). Overview of the Change Log. Retrieved from Microsoft.com: https://msdn.microsoft.com/en-us/library/office/bb417456%28v=office.14%29.aspx
• Microsoft. (n.d.). previous-versions-files-faq#1TC=windows-7. Retrieved February 12th, 2015, from http://windows.microsoft.com: http://windows.microsoft.com/en-us/windows/previous-versions-files-faq#1TC=windows-7
• Microsoft. (n.d.). SetupAPI Logging. Retrieved 2015, from Windows: https://msdn.microsoft.com/en-us/library/windows/hardware/ff550887%28v=vs.85%29.aspx
• Microsoft. (n.d.). System Time. Retrieved February 12th, 2015, from msdn.microsoft.com: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724961%28v=vs.85%29.aspx
• Microsoft. (n.d.). Task Scheduler. Retrieved 2015, from Microsoft Developer Network: https://msdn.microsoft.com/en-us/library/aa383614.aspx
• Microsoft. (n.d.). User mode and kernel mode. Retrieved from Microsoft.com: https://msdn.microsoft.com/en-us/library/windows/hardware/ff554836%28v=vs.85%29.aspx
• Microsoft. (n.d.). using-jump-lists-to-open-programs-and-items. Retrieved from microsoft.com: http://windows.microsoft.com/en-us/windows7/using-jump-lists-to-open-programs-and-items
• Microsoft. (n.d.). What information appears in event logs? (Event Viewer). Retrieved from Windows: http://windows.microsoft.com/en-us/windows/what-information-event-logs-event-viewer#1TC=windows-7
• Microsoft. (n.d.). What is the registry. Retrieved February 12th, 2015, from microsoft.com: http://windows.microsoft.com/en-us/windows-vista/what-is-the-registry
• MS-ISAC. (n.d.). Local Government Cyber Security: Cyber Incident Response Guide. Retrieved from http://www.msisac.org
• National Institute of Justice. (2004). Forensic Examination of Digital Evidence: A Guide for Law Enforcement. Retrieved February 06, 2015, from ncjrs.gov: https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
• NIST. (2006, August). Guide to Inegrating Forensic Techniquest into Incident Response – Special Publication 800-86. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
• NIST. (2007, June 12). Guide to Security for Full Virtualization Technologies. Retrieved November 14, 2014, from NIST Publications 800-125: http://csrc.nist.gov/publications/nistpubs/800-125/SP800-125-final.pdf
• NIST. (2013, May). Glossary of Key Information Security Terms. (R. Kissel, Ed.) Retrieved from NISTIR 7298 – Revision 2: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
• Northcutt, S. (2011, January 7). The Attack Surface Problem. Retrieved November 13, 2014, from Security Laboratory: http://www.sans.edu/research/security-laboratory/article/did-attack-surface
• NW3C. (2015, February).
• OpenIOC. (2015, February 9). OpenIOC, a Framework for Sharing Threat Intelligence. Retrieved from openioc.org: http://openioc.org/
• Oracle. (2014). https://docs.oracle.com/javase/tutorial/networking/sockets/definition.html. Retrieved February 9, 2015, from oracle.com: https://docs.oracle.com/javase/tutorial/networking/sockets/definition.html
• Paganini, P. (2013, March 21). NATO and definition Rules For Cyber Warfare. Retrieved from Cyber Defense Magazine: http://www.cyberdefensemagazine.com/nato-and-definition-rules-for-cyber-warfare/
• PCI Complicance Guide. (2014). Retrieved from pci compliance guide: https://www.pcicomplianceguide.org/pci-faqs-2/
• PCmag Encyclopedia. (n.d.). Retrieved from http://www.pcmag.com/encyclopedia/term/37204/802-11
• Pogue, D. (2012, May 1). What Wi-Fi Stands for – and Other Wireless Questions Answered. Retrieved from www.sceintificamerican.com: www.scientificamerica.com/article/pogue-what-wifi-stands-for-other-wireless-questions-answered
• Pomeranz, H. (2012, October 1). Memory Forensics for Incident Response. Retrieved from deer-run: http://www.deer-run.com/~hal/Detect_Malware_w_Memory_Forensics.pdf
• Rand Corporation. (2014, October 3). Cyber Warfare. Retrieved February 10, 2015, from www.rand.org: http://www.rand.org/topics/cyber-warfare.html
• Rouse, M. (n.d.). CISO-chief-information-security-officer. Retrieved February 11th, 2015, from Techtarget.com: http://searchsecurity.techtarget.com/definition/CISO-chief-information-security-officer
• Rouse, M. (n.d.). cloud storage. Retrieved from techtarget.com: http://searchcloudstorage.techtarget.com/definition/cloud-storage
• Rouse, M. (n.d.). gateway definition. Retrieved from techtarget.com: http://searchnetworking.techtarget.com/definition/gateway
• Rouse, M. (n.d.). guest-virtual-machine-guest-VM. Retrieved February 12th, 2015, from techtarget.com: http://searchservervirtualization.techtarget.com/definition/guest-virtual-machine-guest-VM
• Rouse, M. (n.d.). host-virtual-machine-host-VM. Retrieved February 12th, 2015, from techtarget.com: http://searchservervirtualization.techtarget.com/definition/host-virtual-machine-host-VM
• Rouse, M. (n.d.). incident response. Retrieved from TechTarget, Search Security: http://searchsecurity.techtarget.com/definition/incident-response
• Rouse, M. (n.d.). insider-threat. Retrieved February 11th, 2015, from techtarget.com: http://searchsecurity.techtarget.com/definition/insider-threat
• Rouse, M. (n.d.). cache poisoning (domain name system poisoning or DNS cache poisoning). Retrieved from TechTarget: http://searchsecurity.techtarget.com/definition/cache-poisoning
• Rouse, M. (n.d.). Telnet. Retrieved February 11th, 2015, from techtarget.com: http://searchnetworking.techtarget.com/definition/Telnet
• Rouse, M. (n.d.). NNTP. Retrieved February 12th, 2015, from techtarget.com: http://searchnetworking.techtarget.com/definition/NNTP
• Rouse, M. (n.d.). POP. Retrieved February 12th, 2015, from techtarget.com: http://searchexchange.techtarget.com/definition/POP3
• Rouse, M. (n.d.). RAT-remote-access-Trojan. Retrieved 2015, from techtarget.com: http://searchsecurity.techtarget.com/definition/RAT-remote-access-Trojan
• Russinovich, M. (2014, September 11). Process Explorer v16.04. Retrieved February 12, 2015, from Microsoft Technet: https://technet.microsoft.com/en-us/sysinternals/bb896653
• Russinovich, M., & Margosis, A. (2011). Windows Sysinternals Administrator’s Reference. Microsoft Press.
• Russinovich, M., & Solomon, D. (2012). Windows Internals, Part 1 (6th ed.). Microsoft.
• SANS Institute. (2007). An Incident Handling Process for Small and Medium. Retrieved 2015, from sans.org: http://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791
• Scarfone, K., & Mell, P. (2007). SP 800-94. NIST.
• Schwarz, B., & Clark, G. (2005). MIke Meyer’s Network+ Certification Passport (Second ed.). McGraw-Hill.
• Security, H. (2012). US-CERT Security Trends Report: 2012 in Retrospect. Retrieved from https://www.us-cert.gov/sites/default/files/US-CERT_2012_Trends-In_Retrospect.pdf
• Sikorski, M. (2012). Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press.
• Social-Engineer.Inc. (n.d.). home page. Retrieved from www.social-engineer.org: www.social-engineer.org
• TechTarget. (2014). Script Kiddy. Retrieved November 14, 2014, from techtarget.com: http://searchmidmarketsecurity.techtarget.com/definition/script-kiddy
• TechTarget. (n.d.). active reconnaissance. Retrieved from TechTarget: http://whatis.techtarget.com/definition/active-reconnaissance
• TechTarget. (n.d.). command-and-control server (C&C server). Retrieved from techtarget.com: http://whatis.techtarget.com/definition/command-and-control-server-CC-server
• TechTarget SearchSecurity. (n.d.). Attack Vector. Retrieved November 14, 2014, from SearchSecurity: http://searchsecurity.techtarget.com/definition/attack-vector
• TechTarget. (n.d.). Security Information and Event Management. Retrieved November 14, 2014, from techtarget.com: http://searchsecurity.techtarget.com/definition/security-information-and-event-management-SIEM
• TechTarget. (n.d.). TORRENT File Format. Retrieved from TechTarget: http://whatis.techtarget.com/fileformat/TORRENT-BitTorrent-file
• TechTarget.com. (n.d.). Confidentiality-integrity-and-availability-CIA. Retrieved from Techtaget.com: http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
• The ASCII Group Inc. (n.d.). ASCII-CODE. Retrieved from ascii-code.com: http://www.ascii-code.com/
• Townsend University. (n.d.). What is a Nation-State? Retrieved February 12th, 2015, from www.townsend.edu: http://www.towson.edu/polsci/ppp/sp97/realism/whatisns.htm
• US DOJ, O. N. (2008, April). Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition. Retrieved from https://www.ncjrs.gov/pdffiles1/nij/219941.pdf
• US-CERT. (2015, February 11). A Glossary of Common Cybersecurity Terminology. Retrieved from niccs.us-cert.gov: http://niccs.us-cert.gov/glossary#cybersecurity
• VanBuskirk, P. (2014, November 17). Advanced Methods to Detect Advanced Cyber Attacks: Beacon. Retrieved February 10, 2015, from Novetta, From Complexity to Clarity: https://www.novetta.com/2014/11/advanced-methods-to-detect-advanced-cyber-attacks-beacon/
• Wheeler, D., & Gregory, L. (2007). Techniques for Cyber Attack Attribution. Alexandria: Institute for Defense Analyses.
• Wireless Ethernet Compatibility Alliance (WECA). (1999, September 15th). Wireless Ethernet Compatibility Alliance (WECA) Announces Independent Test Lab and Wi-Fi Technology Brand. Retrieved from www.wifi-org: www.wi-fi.org/news-events/newsroom/wireless-ethernet-compatibility-alliance-weca-announces-indepenent-test-lab
• Wireshark.com. (n.d.). Wireshark reviews. Retrieved November 14, 2014, from wireshark.com: http://wireshark.com/wireshark-reviews-downloads.html
• YARA. (n.d.). The pattern matching swiss knife for malware researchers (and everyone else). Retrieved from github: http://plusvic.github.io/yara/