Threat Hunting Glossary
Last updated
A glossary is a list of terms with their definitions. It's like a mini dictionary for a specific field.
Adversary: An entity attempting unauthorized access to exploit an organization's assets.
Advanced Persistent Threat (APT): A well-resourced, long-term cyber attack, often by nation-states.
Tactics, Techniques, and Procedures (TTPs): Patterns of behavior used by adversaries to conduct attacks.
Tactics: High-level goals of an attack.
Techniques: General methods used to achieve tactics.
Procedures: Specific step-by-step execution of techniques.
Indicator: Data points used to detect potential malicious activity.
Threat: A combination of intent, capability, and opportunity to cause harm.
Campaign: A series of related cyber attacks sharing similar TTPs.
Indicators of Compromise (IOCs): Digital evidence of a cyber attack (e.g., file hashes, IP addresses).
Pyramid of Pain: A model showing the difficulty of detecting and countering adversary actions.
Hash Values: Unique digital fingerprints of files used for identification.
IP Addresses: Numerical labels identifying devices on a network, sometimes used in attacks.
Domain Names: Website addresses that can be used for malicious purposes.
Network Artifacts: Traces of attacker activity found in network logs and traffic.
Host Artifacts: Evidence of attacker activity on individual systems (e.g., logs, registry changes).
Tools: Software used by attackers, including malware and exploits.
TTPs (Tactics, Techniques, and Procedures): The core methods used by attackers, hardest to change.
Diamond Model: A framework linking adversary, capability, infrastructure, and victim in an attack.
Who is an adversary in cybersecurity?
What is an Advanced Persistent Threat (APT)?
Define Tactics, Techniques, and Procedures (TTPs) in cyber attacks.
What is the difference between tactics, techniques, and procedures?
What is an indicator in cybersecurity?
Define a threat in the context of cybersecurity.
What is a campaign in cybersecurity?
What are Indicators of Compromise (IOCs)? Give an example.
Explain the Pyramid of Pain and its significance.
What is a hash value, and how is it used in cybersecurity?
How can IP addresses be used in cyber attacks?
What role do domain names play in cyber threats?
What are network artifacts, and how are they useful in investigations?
Define host artifacts and provide an example.
What are tools in the context of cyber threats?
Why are TTPs considered the hardest to change for attackers?
What is the Diamond Model, and what four elements does it connect?
Adversary – An entity attempting unauthorized access to exploit an organization's assets.
Advanced Persistent Threat (APT) – A long-term, well-resourced cyber attack, often by nation-states.
TTPs (Tactics, Techniques, and Procedures) – Patterns of behavior used by adversaries to conduct attacks.
Tactics – High-level attack goals; Techniques – General methods to achieve tactics; Procedures – Step-by-step execution of techniques.
Indicator – A data point used to detect potential malicious activity.
Threat – A combination of intent, capability, and opportunity to cause harm.
Campaign – A series of related cyber attacks sharing similar TTPs.
Indicators of Compromise (IOCs) – Digital evidence of cyber attacks, e.g., file hashes, IP addresses.
Pyramid of Pain – A model showing how difficult it is to detect and counter different adversary actions.
Hash Value – A unique digital fingerprint of a file used for identification.
IP Addresses – Identify devices on a network and can be used for malicious activities like DDoS attacks.
Domain Names – Website addresses that attackers can use for phishing, malware delivery, or command and control.
Network Artifacts – Traces of attacker activity in network logs and traffic analysis.
Host Artifacts – Evidence of attacker activity on individual systems, such as logs or registry changes.
Tools – Software used by attackers, including malware and exploits.
TTPs are the hardest to change because they define an attacker's behavior and strategies, which require significant adaptation.
Diamond Model – A framework that links four elements in an attack: adversary, capability, infrastructure, and victim.