Glossary
Terms and definitions curated by the Intel 471 team.
Account Takeover (ATO)
A form of identity theft in which the criminal obtains access to a victim's bank, credit card accounts or business systems — through a data breach, malware or phishing — and uses them to make unauthorized transactions.
Active Directory
A Microsoft technology used to manage computers and other devices on a network. Active Directory allows network administrators to create and manage domains, users, and objects within a network.
ATM Malware
Malicious software designed to steal financial information and/or cash from ATMs by exploiting vulnerabilities in the machine’s hardware or software.
Attack Surface Management
An attack surface is the sum of an organization’s internet-facing entry points that a threat actor can use to infiltrate a network.
Banking Trojan
Malicious software designed to steal account-related information related to card payments, online banking and e-payment gateways.
Blue Team
A group who performs analysis of information systems to identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation.
Botnet
A collection of internet-connected devices, referred to as bots, that are commanded and controlled by malicious actors to carry out nefarious activities.
Brute Force
A credential attack method used to crack the username and password of accounts through repeated trial and error.
Bulletproof Hosting (BPH)
Hosting services that are lenient about the kinds of activity and material they allow their customers to upload and distribute. These services generally are immune to law enforcement or takedown efforts. Malware and illegal websites are commonly hosted on these types of providers.
Business Email Compromise (BEC)
A scam that relies heavily on social engineering tactics to trick unsuspecting employees and executives into executing fraudulent wire transfer payments, mainly through corporate email.
Carding
Credit or debit card information obtained, sold or used by unauthorized individuals. Also known as "payment card fraud."
Cashout
The process of transferring illicit proceeds to a threat actor or designated representative. Common methods include ATM withdrawals, purchasing digital currencies, transferring funds to online payment platforms or buying goods or gift cards. Typically at the final stage of a fraudulent scheme.
Clipper
Malware that targets a computer's clipboard, particularly for the purpose of hijacking a cryptocurrency transaction to swap a wallet address with one owned by the malware author.
Command and Control (C2)
A server in control of a hacker or any cybercriminal, which is maliciously used for commanding the various systems that have already been exploited or compromised by malware. These servers are also used for receiving the desired data by the hacker from the compromised machines covertly on the target network.
Crypting
The act of making malicious code fully undetectable through encryption, making it more difficult for antivirus signature detection.
Cryptomining
With regard to malware, cryptocurrency mining, cryptomining, or cryptojacking is malware designed to use a device’s CPU resources to mine cryptocurrency without authorization.
Cyber Insurance
Cyber insurance is an insurance policy that covers an organization business in the event of a cyber attack or data breach where customer information or business continuity is impacted.
Data Breach
The intentional or unintentional release of secure or private/confidential information to an untrusted environment.
Data Dump
The transfer of a large amount of data between two systems, often over a network connection.
Denial of Service
An attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.
Distributed Denial of Service (DDoS)
A denial of service technique that uses numerous hosts to perform the attack.
Document Fraud
Schemes to manufacture, counterfeit, alter, sell and/or use identity documents and other fraudulent documents. Also known as "identity fraud."
Drop Accounts
Bank accounts, typically online banking or e-commerce, used for receiving illicit funds for cashout or laundering purposes. Typically controlled or compromised by threat actors.
Endpoint
A computing device that communicates back and forth with a network to which it is connected.
Exfiltration
When malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation
Exploit Kit
Sets of malicious software, often automated, that utilize compromised websites to divert web traffic, scan for vulnerable browser-based applications and run malware.
Fast Flux
A DNS technique used by bulletproof hosting services that hides phishing and malware delivery sites behind an ever-changing network of hosts.
Forensics
The practice of collecting and analyzing data from computer systems, networks, wireless communications, and storage devices that supports an investigation.
Fullz
The full financial information tied to a payment card beyond standard account information. "Fullz" often include a Social Security Number, date of birth and associated publicly identifiable information.
Geolocation
The geographical location of a person based on the digital information given off by their internet-connected device.
Incident Response
The process by which security operations prepare for, identify, contain, and recover from a security event.
Indicator of Compromise (IoC)
Evidence found on a computer network or operating system that, with high confidence, indicates a computer intrusion.
Information Stealer
Malicious software designed to gather information from a system such as login credentials, keystrokes and screenshots of sensitive information.
Insider Threat
The potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.
IoT Malware
Malicious software used to compromise networked devices, such IoT devices, then used for nefarious purposes such as forming botnets to launch network attacks.
IP
Internet Protocol (IP) is the communication standard used to uniquely identify systems on a computer network or across the internet. Networked systems are each assigned an IP address, which is used to uniquely identify and locate that system for the purpose of data transmission.
Keylogging
The use of a computer program to record every keystroke made by a computer user, particularly to gain fraudulent access to passwords and other confidential information.
Lateral Movement
Techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gain access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain access. Adversaries might install their own remote access tools to accomplish lateral movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
Loader
Malicious software designed to download and/or drop malicious payload code onto an infected computer system. Also referred to as a "dropper."
Malspam
Malicious spam is a popular method for delivering emails in bulk that contain infected documents or links, redirecting users to websites that contain other malware.
Malvertising
The use of online advertising to spread malware typically involving injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages.
Malware as-a-Service
The lease of software or hardware for developing, testing and/or distributing malware.
Mobile Malware
Malicious software designed to compromise devices such as phones, smartwatches and tablets to steal sensitive financial and personal information and to gain remote access.
Money Mules
A person who transfers money acquired illegally (e.g., stolen) in person, through a courier service, or electronically, on behalf of others. Typically, the mule is paid for services with a small part of the money transferred.
Multi-factor Authentication
An authentication system that requires more than one distinct authentication factor for successful authentication. Multifactor authentication can be performed using a multifactor authenticator or by a combination of authenticators that provide different factors. The three authentication factors are something you know, something you have, and something you are.
Network Sniffing
Network sniffing, or packet sniffing, is the practice of gathering, collecting, and logging some or all packets that pass through a computer network, regardless of how the packet is addressed. In this way, every packet, or a defined subset of packets, may be gathered for further analysis.
Password Spraying
A type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before moving to attempt a second password, and so on.
Pay-Per-Install (PPI) Scam
A scam when botnets are used to generate money for their operators. A compromised computer is instructed to install a software package via the bot's command and control system. The bot operator then receives payment and, after a short period of time, uninstalls the software package and installs a new one.
Penetration Testing
An authorized, simulated cyberattack on a computer system, performed to evaluate the security of the system.
Persistence
Techniques adversaries use to keep access to systems across restarts, changed credentials and other interruptions that could cut off their access. Techniques used for persistence include any access, action or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
PHI
Protected health information (PHI) is the term given to health data created, received, stored, or transmitted by HIPAA-covered entities and their business associates in relation to the provision of healthcare, healthcare operations and payment for healthcare services.
Phishing
The fraudulent practice of masquerading as a legitimate or reputable entity to trick a victim into revealing personal information, such as passwords or payment card details. Mostly done through email.
PII
Stands for personally identifiable information. Information that when used (alone or with other relevant data) can identify an individual. PII may contain direct information (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.
Point-of-Sale Malware
Malicious software designed to steal information related to financial transactions such as payment card data from compromised PoS (point of sale) devices.
Privilege Escalation
Techniques adversaries use to gain higher-level permissions on a system or network. Adversaries often can enter and explore a network with unprivileged access, but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations and vulnerabilities. These techniques often overlap with persistence techniques, as OS features that let an adversary persist can execute in an elevated context.
Proof-of-Concept (PoC)
A demonstration that in principle shows how a system may be protected or compromised, without the necessity of building a complete working vehicle for that purpose.
Proxy Malware
Malicious software, specifically a type of trojan, used to turn an infected computer system into a proxy server from which an attacker can stage nefarious activities anonymously.
Ransomware
Malicious software used to perpetually block access to a computer system or specific data until a ransom is paid or indefinitely. Attackers often use ransomware to lock systems and then threaten to publish the victim’s data.
Ransomware-as-a-Service (RaaS)
Services typically sold or leased as an affiliate program to other cybercriminals for launching ransomware attacks and sharing profits.
Reconnaissance
The process of identifying critical technical, personnel and organizational elements of intelligence in order to learn how to best attack an network (in the case of a bad actor) or set up defense for a network (in the case of a defensive security team).
Red Team
A group that performs the role of a threat actor in order to provide security feedback.
Remote Access Trojan (RAT)
Malicious software designed to allow attackers to monitor and control a computer system or network remotely.
Remote Desktop Protocol (RDP)
A network communications protocol developed by Microsoft, which allows users to remotely connect to another computer. Often a target for adversaries, used as a primary way to enter a network system.
Resilience
The ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources.
Risk Management
The detection, assessment, and prioritization of risks through the implementation of choices to track, control, and minimize the possibility or effect of unfortunate events.
Rogue Certificate
Stolen digital certificates actors use to sign malicious software or impersonate legitimate websites.
Security Operations
The practices and teams devoted to preventing, detecting, assessing, monitoring, and responding to cybersecurity threats and incidents inside enterprises.
Skimming
A form of payment card fraud whereby a payment page on a website is compromised using a malicious script.
Smishing
The fraudulent practice of tricking a user into revealing sensitive personal data or sending money via a text or SMS message.
Spear Phishing
The fraudulent practice of sending emails ostensibly from a known or trusted sender to induce targeted individuals to reveal confidential information.
SSH
Secure Shell Protocol is a cryptographic network protocol for operating network services securely over an unsecured network.
Stalkerware
A class of monitoring software or spyware that is used to stalk a victim.
Subscriber Identity Module (SIM) Swapping
A type of account takeover fraud that targets a weakness in short message service (SMS)-based two-factor authentication (2FA) and two-step verification by tricking a target’s mobile carrier into transferring someone’s wireless service to a device controlled by an illicit actor.
Telnet
A network protocol that allows a user on one computer to log into another computer that is part of the same network.
Third-Party Breaches
A third-party breach occurs when an attacker targets an organization through its connections with third-party suppliers, vendors, contractors, or partners.
Third-Party Compromised Credentials
Credentials in terms of cyber threat intelligence (CTI) refer to methods used to verify a users identity, commonly these are a username and password. These credentials are classified as compromised credentials when an unauthorized user gains possession of them.
Third-Party Risk
The risk that arises from organizations relying on outside parties to perform services or activities on their behalf, particularly associated with cybersecurity.
Third-Party Vulnerabilities
The leveraged vulnerability that enables a devastating data breach or launches an expensive ransomware attack may not even be within your own organization.
Threat Hunting
The process of proactively searching through networks to detect and isolate advanced threats that evade existing security solutions.
Traffic Redistribution System
Services that buy and sell web traffic to direct web users from one website to another, typically to distribute malware.
Vishing
The fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers.
VNC
Virtual network computing (VNC) is a graphical desktop-sharing application that uses a remote frame buffer protocol to remotely control another computer. This form of desktop sharing transmits keyboard and mouse events from one system to another over the network based on screen updates.
Vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat actor.
Web Injects
Modules or packages used in financial malware that typically inject hypertext markup language (HTML) or JavaScript code into content before it’s rendered on a web browser, altering what the unsuspecting user sees on the browser, as opposed to what’s actually sent by the server.
Wiper
A class of malware which wipes the hard drive of the computer it infects.
Worm
A self-replicating, stand-alone software program designed to spread throughout a network without human assistance.
Glossary
Terms and definitions curated by the Intel 471 team.
Social Engineering
The fraudulent practice of tricking social media users into revealing sensitive personal data or sending money. Types include romance scams, sextortion, imposter scams and more.