Terms

A formal methodology, language, and integrated set of software tools developed at the University of Southern California's Information Sciences Institute for specifying, coding, and verifying software to produce correct and reliable programs. [Cheh]

A circumstance in which a collection of information items is required to be classified at a higher security level than any of the items is classified individually. (See: classification.)

The output of the ith iteration in the first pipeline of a double pipeline iteration mode.

To physically separate or isolate a system from other systems or networks (verb).

Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole.

A notification that a specific attack has been detected or directed at an organization’s information systems.

A finite set of step by step instructions for a problem solving or computation procedure, especially one that can be implemented by a computer. (See: cryptographic algorithm.)

A name that an entity uses in place of its real name, usually for the purpose of either anonymity or masquerade.

The parties that are most often called upon to illustrate the operation of bipartite security protocols. These and other dramatis personae are listed by Schneier [Schn].

A list of entities that are considered trustworthy and are granted access or privileges.

In the NICE Framework, cybersecurity work where a person: Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications.

A private, not for profit association that administers U.S. private sector voluntary standards.

A scheme that encodes 128 specified characters the numbers 0 9, the letters a z and A Z, some basic punctuation symbols, some control codes that originated with Teletype machines, and a blank space into the 7 bit binary integers. Forms the basis of the character set representations used in most computers and many Internet standards. [FP001] (See: code.)

The modulo operation of integers a and b. “a mod b” returns the remainder after dividing a by b.

A NICE Framework category consisting of specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.

A 1972 study of computer security that was written by James P. Anderson for the U.S. Air Force [Ande].

An intrusion detection method that searches for activity that is different from the normal behavior of system entities and system resources. (See: IDS. Compare: misuse detection.)

The condition of an identity being unknown or concealed. (See: alias, anonymizer, anonymous credential, anonymous login, identity, onion routing, persona certificate. Compare: privacy.)

An internetwork service, usually provided via a proxy server, that provides anonymity and privacy for clients. That is, the service enables a client to access servers (a) without allowing

an anonymous proxy is a tool that attempts to make activity on the Internet untraceable

A credential that (a) can be used to authenticate a person as having a specific attribute or being a member of a specific group (e.g., military veterans or U.S. citizens) but (b) does not reveal the individual identity of the person that presents the credential. [M0404] (See: anonymity.)

An access control feature (actually, an access control vulnerability) in many Internet hosts that enables users to gain access to general purpose or public services and resources of a host (such as allowing any user to transfer data using FTP) without having a pre established, identity specific account (i.e., user name and password). (See: anonymity.)

a set of techniques used to conceal or destroy evidence to frustrate or deceive digital forensic investigations

"Measures ensuring that transmitted information can be received despite deliberate jamming attempts." [C4009] (See: electronic security, frequency hopping, jam, spread spectrum.)

a technique for identifying and dropping packets that have a false source address.

A program that specializes in detecting and blocking or removing forms of spyware.

A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents. Sometimes by removing or neutralizing the malicious code.

The trust anchor that is superior to all other trust anchors in a particular system or context. (See: trust anchor, top CA.)

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018)

Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server.

A computer program that performs a specific function directly for a user (as opposed to a program that is part of a computer operating system and exists to perform functions in support of application programs).

An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android app breaking bad)

the process of finding, fixing, and preventing security vulnerabilities at the application level, as part of the software development processes

See: security architecture, system architecture.

A collection of data that is stored for a relatively long period of time for historical and other purposes, such as to support audit service, availability service, or system integrity service. (Compare: backup, repository.)

Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well known compression algorithms have also been used.(Citation: ESET Sednit Part 2)

Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport.

Adversaries may obtain access to generative artificial intelligence tools, such as large language models (LLMs), to aid various techniques during targeting. These tools may be used to inform, bolster, and enable a variety of malicious tasks, including conducting Reconnaissance, creating basic scripts, assisting social engineering, and even developing payloads.(Citation: MSFT AI)

A person, structure, facility, information, and records, information technology systems and resources, material, process, relationships, or reputation that has value.

A cooperative relationship between system entities, usually for the purpose of transferring information between them. (See: security association.)

A rank on a hierarchical scale that judges the confidence someone can have that a TOE adequately fulfills stated security requirements. (See: assurance, certificate policy, EAL, TCSEC.)

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.

A cryptographic key that is used in an asymmetric cryptographic algorithm. (See: asymmetric cryptography, private key, public key.)

An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.

An individual, group, organization, or government that executes an attack.

The manner or technique and means an adversary may use in an assault on information or an information system.

The steps that an adversary takes or may take to plan, prepare for, and execute an attack.

Similar cyber events or behaviors that may indicate an attack has occurred or is occurring, resulting in a security violation or a potential security violation.

The perceived likelihood of success should an attack be launched, expressed in terms of the attacker's ability (i.e., expertise and resources) and motivation. (Compare: threat, risk.)