Terms

Alphabetical index of published term entries.

  1. laboratory attack (Updated Jan 06, 2026)

    "Use of sophisticated signal recovery equipment in a laboratory environment to recover information from data storage media." [C4009]

  2. land attack (Updated Jan 06, 2026)

    A denial of service attack that sends an IP packet that (a) has the same address in both the Source Address and Destination Address fields and (b) contains a TCP SYN packet that has the same port number in both the Source Port and Destination Port fields.

  3. A language (ISO 8807-1990) for formal specification of computer network protocols; describes the order in which events occur.

  4. Lateral Tool Transfer (Updated Jan 06, 2026)

    Adversaries may transfer tools or other files from one system to another to stage adversary tools or other files over the course of an operation. (Citation: Enterprise ATT&CK) Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. (Citation: Enterprise ATT&CK)

  5. lattice (Updated Jan 06, 2026)

    A finite set together with a partial ordering on its elements such that for every pair of elements there is a least upper bound and a greatest lower bound.

  6. lattice model (Updated Jan 06, 2026)

    A description of the semantic structure formed by a finite set of security levels, such as those used in military organizations. (See: dominate, lattice, security model.)

  7. Law Enforcement Access Field (Updated Jan 06, 2026)

    A data item that is automatically embedded in data encrypted by devices (e.g., CLIPPER chip) that implement the Escrowed Encryption Standard.

  8. Layer 1, 2, 3, 4, 5, 6, 7 (Updated Jan 06, 2026)

    See: OSIRM.

  9. Layer 2 Forwarding Protocol (Updated Jan 06, 2026)

    An Internet protocol (originally developed by Cisco Corporation) that uses tunneling of PPP over IP to create a virtual extension of a dial-up link across a network, initiated by the dial-up server and transparent to the dial-up user. (See: L2TP.)

  10. Layer 2 Tunneling Protocol (Updated Jan 06, 2026)

    An Internet client-server protocol that combines aspects of PPTP and L2F and supports tunneling of PPP over an IP network or over frame relay or other switched network. (See: VPN.)

  11. LC_LOAD_DYLIB Addition (Updated Jan 03, 2026)

    Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.

  12. leap of faith (Updated Jan 06, 2026)

    Operating a system as though it began operation in a secure state, even though it cannot be proven that such a state was established (i.e., even though a security compromise might have occurred at or before the time when operation began).

  13. least common mechanism (Updated Jan 06, 2026)

    The principle that a security architecture should minimize reliance on mechanisms that are shared by many users.

  14. Least Privilege (Updated Jan 06, 2026)

    Least privilege means granting only the minimum access necessary to perform an authorized task.

  15. least trust (Updated Jan 06, 2026)

    The principle that a security architecture should be designed in a way that minimizes (a) the number of components that require trust and (b) the extent to which each component is trusted. (Compare: least privilege, trust level.)

  16. legacy system (Updated Jan 06, 2026)

    A system that is in operation but will not be improved or expanded while a new system is being developed to supersede it.

  17. legal advice and advocacy (Updated Jan 06, 2026)

    In the NICE Framework, cybersecurity work where a person: Provides legally sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain; advocates legal and policy changes and makes a case on behalf of client via a wide range of written and oral work products, including legal briefs and proceedings.

  18. legal non-repudiation (Updated Jan 06, 2026)

    See: secondary definition under "non-repudiation".

  19. level of concern (Updated Jan 06, 2026)

    A rating assigned to an information system that indicates the extent to which protective measures, techniques, and procedures must be applied. (See: critical, sensitive, level of robustness.)

  20. level of robustness (Updated Jan 06, 2026)

    A characterization of (a) the strength of a security function, mechanism, service, or solution and (b) the assurance (or confidence) that it is implemented and functioning. [Cons, IATF] (See: level of concern.)

  21. Liberty Alliance (Updated Jan 06, 2026)

    An international consortium of more than 150 commercial, nonprofit, and governmental organizations that was created in 2001 to address technical, business, and policy problems of identity and identity-based Web services and develop a standard for federated network identity that supports current and emerging network devices.

  22. Lifecycle-Triggered Deletion (Updated Jan 03, 2026)

    Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects stored within.

  23. An Internet client-server protocol (RFC 3377) that supports basic use of the X.500 Directory (or other directory servers) without incurring the resource requirements of the full Directory Access Protocol (DAP).

  24. link (Updated Jan 06, 2026)

    A communication facility or physical medium that can sustain data communications between multiple network nodes, in the protocol layer immediately below IP. (RFC 3753)

  25. Linked Devices (Updated Jan 06, 2026)

    Adversaries may abuse the “linked devices” feature on messaging applications, such as Signal and WhatsApp, to register the user’s account to an adversary-controlled device. By abusing the “linked devices” feature, adversaries may achieve and maintain persistence through the user’s account, may collect information, such as the user’s messages and contacts list, and may send future messages from the linked device.

  26. link encryption (Updated Jan 06, 2026)

    Stepwise (link-by-link) protection of data that flows between two points in a network, provided by encrypting data separately on each network link, i.e., by encrypting data when it leaves a host or subnetwork relay and decrypting when it arrives at the next host or relay. Each link may use a different key or even a different algorithm. [R1455] (Compare: end-to-end encryption.)

  27. Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. (Citation: Hybrid Analysis Icacls1 June 2018) (Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

  28. liveness (Updated Jan 06, 2026)

    A property of a communication association or a feature of a communication protocol that provides assurance to the recipient of data that the data is being freshly transmitted by its originator, i.e., that the data is not being replayed, by either the originator or a third party, from a previous transmission. (See: fresh, nonce, replay attack.)

  29. Local Data Staging (Updated Jan 03, 2026)

    Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

  30. Local Email Collection (Updated Jan 03, 2026)

    Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

  31. Location Tracking (Updated Jan 06, 2026)

    Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device.

  32. Lockscreen Bypass (Updated Jan 06, 2026)

    An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:

  33. logic bomb (Updated Jan 06, 2026)

    Malicious logic that activates when specified conditions are met. Usually intended to cause denial of service or otherwise damage system resources. (See: Trojan horse, virus, worm.)

  34. login (Updated Jan 06, 2026)

    An act by which a system entity establishes a session in which the entity can use system resources. (See: principal, session.)

  35. long title (Updated Jan 06, 2026)

    "Descriptive title of [an item of COMSEC material]." [C4009] (Compare: short title.)

  36. Loss of Availability (Updated Jan 06, 2026)

    Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)

  37. Loss of Control (Updated Jan 06, 2026)

    Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)

  38. Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments.

  39. Loss of Protection (Updated Jan 06, 2026)

    Adversaries may compromise protective system functions designed to prevent the effects of faults and abnormal conditions. This can result in equipment damage, prolonged process disruptions and hazards to personnel.

  40. Loss of Safety (Updated Jan 06, 2026)

    Adversaries may compromise safety system functions designed to maintain safe operation of a process when unacceptable or dangerous conditions occur. Safety systems are often composed of the same elements as control systems but have the sole purpose of ensuring the process fails in a predetermined safe manner.

  41. Loss of View (Updated Jan 06, 2026)

    Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves. (Citation: Corero) (Citation: Michael J. Assante and Robert M. Lee) (Citation: Tyson Macaulay)

  42. low probability of detection (Updated Jan 06, 2026)

    Result of TRANSEC measures used to hide or disguise a communication.

  43. low probability of intercept (Updated Jan 06, 2026)

    Result of TRANSEC measures used to prevent interception of a communication.

  44. LSA Secrets (Updated Jan 03, 2026)

    Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts. (Citation: Passcape LSA Secrets) (Citation: Microsoft AD Admin Tier Model) (Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory. (Citation: ired Dumping LSA Secrets)