$HOME_NET Snort variable defined in the snort.conf file used to define those networks you are trying to protect. $EXTERNAL_NET Snort variable defined in the snort.conf file used to define networks that fall into categories such as those you are defending against or those networks that do not fall under your control. Access Control List (ACL) Defines access rights to networks, systems, or system objects. addr address adversary In the context of this course, an adversary is an individual, group, or nation state that perpetrates malicious cyber events in the interest of cybercrime, espionage, or vandalism. See also "hacker," "malicious actor," and "threat actor." alert (Snort rule action) Tells Snort to generate an alert and log the packet alert data Data from some alert driven source that has triggered on a specific set of circumstances. Typically from an IDS. anomaly-based IDS method Detection method that looks for traffic activity that falls outside of normal traffic patterns (other methods include signature-based and protocol-based) Application Programming Interface (API) An interface that allows software programs to interact with each other. ARP Address Resolution Protocol ASCII American Standard Code for Information Interchange AS&W Attack Sensing & Warning. Sensing of changes in DoD global information system and computer networks to include the detection, correlation, identification, and characterization of a large spectrum of intentional unauthorized activity, including computer intrusion or attack. attack signature A characteristic byte pattern used in malicious code or an indicator, or set of indicators that allows the identification of malicious network activities. attack vectors Method or methods used by a threat actor to facilitate a security incident. availability Ensuring timely and reliable access to and use of information

Backdoor Program A backdoor program is a means to access or maintain access to an application or system that bypasses security controls. BHO A BHO is a plug-in that runs automatically every time you start your Internet browser. A BHO can do almost anything, but generally, it will have something to do with "helping" you browse the Internet. Toolbars are a common kind of BHO. Boolean Operators Boolean operators are used widely in programming and also in forming database queries. They are logical connectives, like a symbol or word, used to connect two or more entries for search purposes. bot Refers to malicious code that is installed on a computer to take command and control of the computer for the attacker’s own purposes. The controlled computer becomes a zombie, or member of a botnet, which can be used to steal data, host malicious content, and launch other attacks, including worms and viruses, to send spam. Also see botnet. botherder Someone who covertly and illegally controls a network (or botnet) of zombie computers or devices by sending commands to a server. botnet Collection of bots controlled by a bot herder. Also see bot. BPF Berkeley Packet Filter (BPF) expressions specify the types of packets you want to captures on layer two through four header fields. See primititve.

C2 command and control CIDR Classless Inter-Domain Routing. An IP (Internet Protocol) addressing scheme that organizes IP addresses into subnetworks independent of the value of the addresses themselves. CIDR specifies an IP address range using a combination of an IP address and its associated network mask. classtype (Snort rule option) A keyword to categorize a rule as a specific attack type. CLI command-line interface Codec Codec is coder-decoder software that compresses (encodes) and decompresses (decode) data, most commonly digital media. Code Injection Code injection in the insertion of custom code, typically malicious, directly into a program, script, or application to be rendered or processed by that application as a method to exploit the victim machine. Computer Browser (NetBIOS) Computer Browser service is the mechanism that collects and distributes the list of workgroups and domains and the servers within them. It provides backward compatibility with computers running earlier versions of Windows that must use NetBIOS over TCP/IP and are not Active Directory–capable. Command Line Options Packet header field that determines whether routers are allowed to fragment a packet into segments. If fragmentation is allowed, then this field also identifies parts of the packet for the receiver. Also called flags. Computer Network Defense Infrastructure Support (CND-IS) CND-IS personnel test, implement, deploy, maintain, and administer the infrastructure systems which are required to effectively manage the CND-SP network and resources. This may include, but is not limited to routers, firewalls, intrusion detection/prevention systems, and other CND tools as deployed within the NE or enclave confidentiality Preserving authorized restrictions on information access and disclosure, including any means for protecting personal privacy and proprietary information content (Snort rule option) The specific packet payload that Snort rules alert on when a pattern match occurs. Coreflood From 2001 to 2011, the Coreflood Trojan infected computers running the Windows operating system. It attempted to steal personal data such as banking passwords in an effort to steal money. CND analyst Personnel that use data collected from a variety of CND tools (including intrusion detection system alerts, firewall and network traffic logs, and host system logs) to analyze events that occur within their environment. CNDSP Computer Nework Defense Service Provider C/S/A Command/Service/Agency CYBERCOM United States Cyber Command

Data Exfiltration The unauthorized removal or transfer of data from a computer system. depth (Snort content modifier) Specifies how deep into packets Snort should search for content patterns. Destination Address Provides the IP address of the intended receiver. Dirty Word List A dirty word list is a forensic term describing a list of content a forensic investigator believes is related to a case. distance (Snort content modifier) Tells Snort how many bytes to skip after the previous content match before searching for current content. DLL Dynamic Link Library DMZ Demilitarized Zone is a perimeter network segment that is logically between internal and external networks. Its purpose is to enforce the internal network’s Information Assurance policy for external information exchange and to provide external, untrusted sources with restricted access to releasable information while shielding the internal networks from outside attacks. DNS Domain Name System DoD Department of Defense DOS Disk Operating System DSL Digital subscriber line dst destination

Ephemeral ports Ports that are reserved for temporary use by the client end of client-server communications. Also see Well Known ports. eq The equivalent to the double equal sign established Used with flow; tells the rule to fire on established TCP connections only Exchange Server/Client: The port list includes a conglomeration of ports and services utilized by Microsoft Exchange for the sending and receiving of email messages. EXE "exe" is a filename extension denoting an executable file. It is most commonly identified with Microsoft based systems. exfiltration The unauthorized removal or transfer of data from a computer system including, but not limited to, system data, confidential or classified data, passwords, and PII.

Flags Packet header field that determines whether routers are allowed to fragment a packet into segments. If fragmentation is allowed, then this field also identifies parts of the packet for the receiver. Also called command line options. Flow Data Data about the flow of traffic through a network, typically in the form of conversations and includes IP addresses, ports, and the amount of bytes transferred. flow (Snort rule option) Indicates which side of the network session is to be analyzed for content. FTP File Transfer Protocol File Format Attack File format attacks exploit the integrity of a file, and occur when the structure of a file is modified with the intent of adding malicious code. Fusion Analyst A fusion analyst compiles and evaluates data from multiple sources to include intelligence, technical, qualitative, and formulaic to identify, assess, and mitigate perceived threats.

hacker Unauthorized user who attempts to or gains access to an information system. In the context of this course, hacker refers to an individual, group, or nation state that perpetrates malicious cyber events in the interest of cybercrime, espionage, or vandalism. See also "adversary," "malicious actor," and "threat actor." Hanlon's Razor Maxim that reads, “Never attribute to malice that which can be adequately explained by stupidity.” header Portion of a data packet or datagram that contains identifying information such as the IP version number and the source and destination addresses. HIDS Host-based Intrusion Detection System. See Host-based IDS. HIPAA Health Insurance Portability and Accountability Act which sets standards for the security of protected healthcare information. host The word "host" followed by an IP address is a primitive that instructs a sniffer to look for packets with that source or destination IP address Host-based IDS IDS that operates on information collected from within an individual computer system. This vantage point allows host-based IDSes to determine exactly which processes and user accounts are involved in a particular attack on the Operating System. Furthermore, unlike network-based IDSes, host-based IDSes can more readily "see" the intended outcome of an attempted attack, because they can directly access and monitor the data files and system processes usually targeted by attacks. HTTP Hypertext Transfer Protocol HTTPS Hypertext Transfer Protocol Secure

I&W Indications and Warning. Sensing of changes in adversary activities to include intelligence activities intended to detect and report time-sensitive intelligence information on foreign developments that could involve a threat to the United States or allied military, political, or economic interests or to U.S. citizens abroad. IAT Information Assurance Technical. Technical training requirement to perform a given technical IA function IATA Information Assurance Technical Advisory. Provides a mechanism to inform all entities of the latest system vulnerabilities and appropriate countermeasures. IATAs are simply notifications and require no specific action. IAVA Information Assurance Vulnerability Alert. Provides a mechanism to inform all entities of the latest system vulnerabilities and appropriate countermeasures. IAVAs require both acknowledgement and compliance. IAVB Information Assurance Vulnerability Bulletin. Provides a mechanism to inform all entities of the latest system vulnerabilities and appropriate countermeasures. IAVBs require only acknowledgement. IAVM Information Assurance Vulnerability Management ID identification ICMP Internet Control Message Protocol IDS Intrusion Detection System. See Intrusion Detection System. INFOCON Information Operations Condition. A cyber-specific threat level system similar to FPCON and DEFCON. integrity Guarding against improper information modification or destruction, and ensuring information nonrepudiation and authenticity Internet The Internet is the single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the IAB and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN). Internet Information Service Microsoft-developed web server. intrusion Unauthorized act of bypassing the security mechanisms of a system Intrusion Detection System Hardware or software products that gather and analyze information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organizations) and misuse (attacks from with the organizations) IP Internet Protocol is a standard protocol for transmission of data from source to destinations in packet-switched communications networks and interconnected systems of such networks IPFIX Provides information about the flow of traffic through a network, showing connections and a record of converations including IP addresses, ports, and the volume of data transferred. IPFIX is a universal protocol developed by the IETF. See also "NetFlow" and "sFlow." IPv4 Internet Protocol version 4 IPv6 Internet Protocol version 6 IPX Internetwork Packet Exchange IRC Internet Relay Chat is a multi-user multi-channel chat system that is neither client nor network specific. ISP Internet service provider

LAN local area network Leverage Social Networking Where attackers leverage these trust relationships built on social networks and the relatively open nature of social networking sites to target victims. The targeting can take many forms, but is often accomplished by exploiting an individual trusted by the victim or trying to establish a trust relationship with the victim directly. libpcap Libpcap is a portable C/C++ packet capture (pcap) library that provides the framework for reading and writing data in a standard format for tcpdump. It is used with UNIX-like platforms. Linux A family of operating systems similar to UNIX but composed of open source tools, resources, and software. LNK A file type primarily associated with Microsoft Windows as a shortcut file that points to a .EXE file. Load Library The LoadLibrary API is useful for executing malicious code, injecting malicious code into DLLs, and providing access to DLLs. log (Snort rule action) Tells Snort to log the packet Log Data Independent, machine-generated records of activities on networks, appliances, hosts, and applications. Including, but not limited to, operating system logs, network logs, web server logs, firewall logs, DNS logs, web application logs, and database logs. Logical Operators Primitives can be combined with the logical operators "and," "not," and "or" to add another layer of filtering.

MAC address Media Access Control address. The unique identifier for each network assigned to network interface cards by the manufacturer. Magic Number The ASCII or hexadecimal string at the beginning of a file that can identify certain file types and protocols. Malicious Actor In the context of this course, a malicious actor is an individual, group, or nation state that perpetrates malicious cyber events in the interest of cybercrime, espionage, or vandalism. See also "adversary," "hacker," and "threat actor." Mariposa The Mariposa botnet was created using the Butterfly bot. The botnet infiltrated about 13 million personal, government, and corporate systems in 190 countries before it was dismantled in December 2009. Metasploit An open-source exploitation framework often used by threat actors. Mission Assurance Category (MAC) The mission assurance category reflects the importance of information relative to the achievement of DoD goals and objectives, particularly the warfighters' combat mission. Mission assurance categories are primarily used to determine the requirements for availability and integrity. The Department of Defense has three defined mission assurance categories. msg (Snort rule option) The message to print when an alert is triggered MZ The message to print when an alert is triggered

NetFlow Provides information about the flow of traffic through a network, showing connections and a record of converations including IP addresses, ports, and the volume of data transferred. NetFlow is a Cisco specific protocol. See also "IPFIX" and "sFlow." network Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. Network-based Intrusion Detection System IDS that detects attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the network traffic affecting multiple hosts that are connected to the network segment. NIDS Network intrusion detection system nonvolatile data Data in the system’s hard drives and removable storage media that will not be changed when the system is shut down. Also known as persistent data. nocase (Snort content modifier) Tells Snort to ignore case in searching packet payload for content.

offset (Snort content modifier) Specifies where in a packet, defined by number of bytes, Snort should start searching a packet for content patterns. Open Source Readily available and free Open Systems Interconnection (OSI) model Worldwide network communications standard developed by the International Organization for Standardization, or ISO, which conceptualizes a 7-layer approach for connecting dissimilar systems with a set of standards, or protocols, allowing the systems to work together Operation Buckshot Yankee A U.S. intelligence and military effort to neutralize the malware Agent.btz within the government computer networks and to clean the networks. operational impact (OI) Operational impact refers to any detrimental effects on an organization’s ability to perform its mission. OS Operating system OSI See Open Systems Interconnection model Outside-in security model Security model that uses defenses like firewalls and server hardening in the belief that attacks begin from external actors. The focus is to prevent malicious activity from penetrating the security perimeter and getting inside the network. Not good at defending against malicious client-side activities that result from internal outbound traffic.

packet Smallest building blocks of information on networks, which consist of header fields and data, or payload. Packet Data The raw network traffic traversing the "wire". pass (Snort rule action) Tells Snort to ignore the packet password hash The digital fingerprint of a piece of data, to include passwords. To authenticate a hash of the user supplied password is compared to the stored password hash. patch A patch is a an update to programs and plug-ins to close vulnerabilities before they can be exploited. It's difficult to achieve 100% patch coverage, but missing even one patch could compromise the client machine and assests on the network. PC personal computer pcap Packet capture. A raw packet is a packet that is left in its original, unmodified form as it traveled across the network from client to server. PDF Portable Document Format; most commonly associated with Adobe Acrobat persistent data Data in the system’s hard drives and removable storage media that will not be changed when the system is shut down. Also known as nonvolatile data. PHI protected health information. Any individually identifiable health information referring not only to data that is explicitly linked to a particular individual but also includes health information with data items which reasonably could be expected to allow individual identification. Pivot Pivoting is a technique attackers use to further compromise the network after gaining an initial foothold via one compromised system on that network. port traffic Traffic going to or coming from a specific port. primitive A primitive is a shortcut used in Berekely Packet Filter (BPF) expression to specifying the desired contents of headers you want a sniffer to search for. privilege escalation Exploitation of a vulnerability in the system to gain a higher level of authorization on a system. promiscuous sniffing Method to sniff network traffic where the network interface cards is set to promiscuous mode and intercepts all packets on the network, not just those destined for that host. promiscuous mode Capturing packets using promiscuous mode will capture all traffic arriving at the network interface and requires administrator or root level privileges. protocol Set of rules and formats, semantic and syntactic, permitting information systems to exchange information protocol-based IDS method Detection method that analyzes the protocol activity against standard protocol behaviors (other methods include anomaly-based and signature-based)

RAM Random Access Memory Red Team Assess the security posture of systems, networks, and detection capabilities and recommend improvements to information assurance and CND capabilities. rev (Snort rule option) Revision, used in conjunction with the sid to identify revisions to a rule for updates and changes. root cause The precise sets of conditions that allowed a security incident to occur. rootkit A set of tools used by an attacker after gaining root-level access to a host to conceal the attacker’s activities on the host and permit the attacker to maintain root-level access to the host through covert means. RPC remote procedure call rule header describes the action, IP addresses, ports and direction rule options describe content, message, sid, rev, classtype and other information

SEO Search Engine Optimization is a collection of techniques used to achieve higher search rankings for a given website. Session Data See Flow Data sFlow Provides information about the flow of traffic through a network, showing connections and a record of converations including IP addresses, ports, and the volume of data transferred. sFlow is a standard originally developed by Inmon. See also "IPFIX" and "NetFlow." Shell/Shell Access Command line access to a system. sid (Snort rule option) Snort® ID, a unique rule identifier SIEM Security Information Event Management. Devices used to gather, analyze, and present event, threat, risk, vulnerability, threat and log data. Security Event Management (SEM) and Security Information Management (SIM) are terms used interchangeably with SIEM. signature Recognizable, distinguishing pattern. See also attack signature. signature-based IDS method Detection method that looks for specific patterns of an attack in the network traffic (other methods include signature-based and anomaly-based) SMS Short Message Service SMTP Simple Mail Transfer Protocol Sniffers A sniffer is a tool that listens to or "sniffs" the traffic traveling between networked devices. It is also called a packet analyzer or protocol analyzer. Snort A free, open source network intrusion detection and prevention system. Snort Content Modifiers Changes how the packet payload will be analyzed for content by Snort. Snort Rule Action Defines what to do in the event of a qualifying packet. Snort Rule Header contains the rule’s action, protocol, source and destination IP addresses and netmasks, and the source and destination ports information. Snort Rule Options contains alert messages and information on which parts of the packet should be inspected to determine if the rule action should be taken. Social Engineering Social engineering is an attempt to trick someone into revealing information (e.g., a password) that can be used to attack an enterprise. Source Address Provides the IP address of the original sender. src source SSH Secure Shell Stage 2 Executable The Stage 2 or second stage download occurs after the initial compromise. The initial compromise typically yields code execution capability and then downloads the second stage, which provides more robust and malicious capabilities. Statisctical Data All simple counters and statistics provided by devices or information systems that could prove useful to CND analysts. STIG Security Technical Implementation Guide Storm Worm A worm that infected 1-10 million computers creating the Storm botnet. It was unique in that it used a combination of vectors (exploits, OS kernel attacks, email links about current disasters) to attack computers. Strings Strings is a tool you can use during a first pass analysis of packet data. This tool searches binary pcap files looking for ASCII printable characters. Example: strings -n 8 file1.pcap

tag (Snort rule option) Allow rules to log more than just the single packet that triggered the rule. Once a rule is triggered, additional traffic involving the source and/or destination host is tagged. Tagged traffic is logged TCP Transmission Control Protocol tcpdump Tcpdump is an open source command-line packet analyzer for Linux and UNIX systems. TCP/IP Transmission Control Protocol/Internet Protocol is the underlying protocol of the Internet, developed by a DoD agency called Defense Advanced Research Projects Agency (DARPA). Also refers to a model of interoperability that conceptualizes a 4-layer framework for connecting dissimilar systems with a set of standards, or protocols, allowing the systems to work together. Also see Open Systems Interconnection model. TCP/UDP Transmission Control Protocol/User Datagram Protocol TDL-4 TDL-4 is a fourth generation variant of the TDSS rootkit (discovered in 2008). It can infect both 32-bit and 64-bit operating systems. TDL-4 encrypts communications between the botnet command and control centers and the infected computers. technical impact (TI) Technical impact refers to any detrimental effects on the technical capabilities of the organization. TI typically refers to the impacts on the network or systems that are directly or indirectly affected by the incident. TFTP Trivial File Transport Protocol threat actor In the context of this course, a threat actor is an individual, group, or nation state that perpetrates malicious cyber events in the interest of cybercrime, espionage, or vandalism. See also "adversary," "hacker," and "malicious actor." Titan Rain FBI designation for a 2003 coordinated cyber-attack targeting a variety of US based military and government systems traced back to what is believed to be cyber-espionage ring in the Guangdong province of China. TShark TShark is the command-line version of Wireshark. It uses the packet capture filtering mechanism of tcpdump and has some of the analysis capabilities of Wireshark. TTP Tactics, Techniques, and Procedures

VAA Vulnerability Analysis and Assessment. Primary method of measuring the CND posture of DoD systems and networks based on open vulnerabilities. VBA Visual Basic for Applications VBScript Visual Basic Scripting Edition Vector Method or paths used to deliver malicious code. Such as email, attachments, downloaded files, etc. Vuertual Network Connection (VNC) Remote desktop software that provides graphical desktop sharing via the RFB protocol VoIP Voice over IP volatile data Any data stored in system memory that may be permanently lost when the system loses power, is rebooted, or is shut down.

WinDump WinDump is an open source command-line packet analyzer for Windows environments. WinPcap WinPcap provides the framework for reading and writing data in a standard format for WinDump. It is based on the libpcap model and Berkeley Packet Filters (BPFs) for UNIX and runs on Win32 and Win64 platforms. Wireshark Wireshark is a free complex protocol analyzer that uses a graphical user interface (GUI) to display analysis results. It can identify header fields for intrusion detection and analyze data payload. It was formerly known as Ethereal. within (Snort content modifier) Tells Snort how many bytes deep in the packet to search after the previous content match. Whitelisting Whitelisting is a technique that allows domains from trusted to untrusted networks or applications and file-types permitted to run on a system. worms Self propogating malicious code. Also known as "malware." WWW World Wide Web