SynAc

Terms

Alphabetical index of published term entries with tag filters and quick sort.

  1. Updated Jan 06, 2026

    Synonym for "contingency plan".

  2. Updated Jan 06, 2026

    An access control service that (a) enforces a security policy based on the identity of system entities and the authorizations associated with the identities and (b) incorporates a concept of ownership in which access rights for a system resource may be granted and revoked by the entity that owns the resource. (See: access control list, DAC, identity-based security policy, mandatory access control.)

  3. Updated Jan 06, 2026

    An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)

  4. Updated Jan 06, 2026

    One who propagates disinformation.

  5. Updated Jan 03, 2026

    Adversaries may corrupt or wipe the disk data structures on a hard drive that are necessary to boot a system, targeting specific critical systems or large numbers of systems in a network to interrupt availability to system and network resources.

  6. Updated Jan 03, 2026

    Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

  7. Updated Jan 06, 2026

    An event which causes unplanned interruption in operations or functions for an unacceptable length of time.

  8. Updated Jan 06, 2026

    A category of malware designed to suspend operations within a target through the compromise of the availability, integrity, and confidentiality of the systems, networks, and data.

  9. Updated Jan 06, 2026

    A subset of the Basic Encoding Rules that always provides only one way to encode any data structure defined by ASN.1. [X690]

  10. Updated Jan 06, 2026

    An identifier that uniquely represents an object in the X.500 Directory Information Tree (DIT) [X501]. (Compare: domain name, identity, naming authority.)

  11. Updated Jan 06, 2026

    An attack that is implemented with distributed computing. (See: zombie.)

  12. An experimental Internet protocol [R1507] that uses cryptographic mechanisms to provide strong, mutual authentication services in a distributed environment.

  13. Updated Jan 06, 2026

    A technique that disperses a single, logically related set of tasks among a group of geographically separate yet cooperating computers. (See: distributed attack.)

  14. Updated Jan 06, 2026

    A distributed denial of service (DDoS) attack uses many systems to overwhelm a target and degrade availability.

  15. Updated Jan 06, 2026

    An X.500 Directory entry or other information source that is named in a v3 X.509 public key certificate extension as a location from which to obtain a CRL that may list the certificate.

  16. Updated Jan 06, 2026

    A Linux distribution is an operating system made from a software collection that includes the Linux kernel and often a package management system.

  17. Updated Jan 03, 2026

    Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.

  18. Updated Jan 03, 2026

    Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.

  19. Updated Jan 06, 2026

    Generates a list of similar-looking domain names for a given domain name and performs DNS queries for them (A, AAAA, NS and MX), which can be used to intercept misdirected traffic.

  20. Term: domain
    Updated Jan 06, 2026

    An environment or context that (a) includes a set of system resources and a set of system entities that have the right to access the resources and (b) usually is defined by a security policy, security model, or security architecture. (See: CA domain, domain of interpretation, security perimeter. Compare: COI, enclave.)

  21. Updated Jan 03, 2026

    Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

  22. Updated Jan 06, 2026

    Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)

  23. Updated Jan 06, 2026

    A protocol, which is being specified by the IETF working group of the same name, to provide data integrity and domain-level (see: DNS, domain name) data origin authentication for Internet mail messages. (Compare: PEM.)

  24. Updated Jan 06, 2026

    The style of identifier that is defined for subtrees in the Internet DNS, i.e., a sequence of case-insensitive ASCII labels separated by dots (e.g., "bbn.com"), and also is used in other types of Internet identifiers, such as host names (e.g., "rosslyn.bbn.com"), mailbox names (e.g., "rshirey@bbn.com") and URLs (e.g., "http://www.rosslyn.bbn.com/foo"). (See: domain. Compare: DN.)

  25. Updated Jan 06, 2026

    The main Internet operations database, which is distributed over a collection of servers and used by client software for purposes such as (a) translating a domain name-style host name into an IP address (e.g., "rosslyn.bbn.com" translates to "192.1.7.10") and (b) locating a host that accepts mail for a given mailbox address. (RFC 1034) (See: domain name.)

  26. Updated Jan 06, 2026

    A DOI for ISAKMP or IKE defines payload formats, exchange types, and conventions for naming security-relevant information such as security policies or cryptographic algorithms and modes. Example: See [R2407].

  27. Updated Jan 06, 2026

    Security level A is said to "dominate" security level B if the (hierarchical) classification level of A is greater (higher) than or equal to that of B, and A's (nonhierarchical) categories include (as a subset) all of B's categories. (See: lattice, lattice model.)

  28. Term: dongle
    Updated Jan 06, 2026

    A portable, physical, usually electronic device that is required to be attached to a computer to enable a particular software program to run. (See: token.)

  29. Updated Jan 06, 2026

    Using search techniques to hack into vulnerable sites or search for information that is not available in public search results.

  30. Updated Jan 03, 2026

    Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: "File.txt.exe" may render in some views as just "File.txt"). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)

  31. Updated Jan 06, 2026

    Reduce the security level of data (especially the classification level) without changing the information content of the data. (Compare: downgrade.)

  32. Updated Jan 06, 2026

    A type of man-in-the-middle attack in which the attacker can cause two parties, at the time they negotiate a security association, to agree on a lower level of protection than the highest level that could have been supported by both of them. (Compare: downgrade.)

  33. Updated Jan 06, 2026

    Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with Execution Guardrails techniques, detecting malicious code downloaded after installation could be difficult.

  34. Term: Dox
    Updated Jan 06, 2026

    Search for and publish private or identifying information about (a particular individual) on the internet, typically with malicious intent.

  35. Updated Jan 06, 2026

    Doxxing can be illegal, but its legality depends on the specific circumstances, such as the intent behind it and the jurisdiction. While doxxing itself isn't always explicitly illegal everywhere, it often falls under existing laws like those against harassment, stalking, and incitement to violence, and new anti-doxxing laws are being enacted in various places. The act is often considered a crime when it involves sharing personal information with the intent to cause harm, threats, or incite illegal actions.

  36. Updated Jan 06, 2026

    A preliminary, temporary version of a document that is intended to become an RFC. (Compare: Internet Draft.)

  37. Updated Jan 06, 2026

    See: secondary definition under "Internet Standard".

  38. Updated Jan 06, 2026

    Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an Application Access Token.

  39. Updated Jan 06, 2026

    A procedure that uses two or more entities (usually persons) operating in concert to protect a system resource, such that no single entity acting alone can access that resource. (See: no lone zone, separation of duties, split knowledge.)

  40. Updated Jan 06, 2026

    A single digital signature that protects two separate messages by including the hash results for both sets in a single encrypted value. [SET2]

  41. Updated Jan 06, 2026

    A certificate that is intended for use with both digital signature and data encryption services. [SP32]

  42. Term: duty
    Updated Jan 06, 2026

    An attribute of a role that obligates an entity playing the role to perform one or more tasks, which usually are essential for the functioning of the system. [Sand] (Compare: authorization, privilege. See: role, billet.)

  43. Updated Jan 06, 2026

    The automated, on-the-fly changes of an information system's characteristics to thwart actions of an adversary.

  44. Updated Jan 06, 2026

    Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.