1.attacker: A person who performs cyberattacks. Also known
as a threat actor or a cyberattacker.
2.attribution: The process of determining who’s responsible
for causing an incident. In other words, attribution is the
discovery of the identity of a threat.
3.case management system: A system that provides a
secure, centralized home for storing, accessing, and analyzing
all information being tracked related to the management
of an organization’s incidents. Case management systems
also facilitate efficient and effective incident response
orchestration. Also known as an incident management
4.compromise: The result of a successful attack. A
compromise occurs when there’s a loss of confidentiality,
integrity, and/or availability of data, systems, networks, or
other computing resources.
5.correlation: Identifying relationships among security events
to bring related information together.
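Added example (mine, not from the guide): the correlation described in this entry, applied to a handful of constructed, already-normalized login events. Each event on its own is unremarkable; the relationship between them (a burst of failures followed by a success from one source) is what the analyst wants surfaced. The thresholds (three failures inside five minutes) and the field names are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events, already in one common schema
# (timestamp, source IP, user, outcome). Not real log data.
EVENTS = [
    {"ts": "2024-03-01T09:00:01", "src_ip": "203.0.113.7",  "user": "alice", "outcome": "failure"},
    {"ts": "2024-03-01T09:00:05", "src_ip": "203.0.113.7",  "user": "alice", "outcome": "failure"},
    {"ts": "2024-03-01T09:00:09", "src_ip": "203.0.113.7",  "user": "bob",   "outcome": "failure"},
    {"ts": "2024-03-01T09:00:12", "src_ip": "203.0.113.7",  "user": "alice", "outcome": "failure"},
    {"ts": "2024-03-01T09:00:20", "src_ip": "203.0.113.7",  "user": "alice", "outcome": "success"},
    {"ts": "2024-03-01T09:30:00", "src_ip": "198.51.100.4", "user": "carol", "outcome": "failure"},
    {"ts": "2024-03-01T09:35:00", "src_ip": "198.51.100.4", "user": "carol", "outcome": "success"},
]


def correlate_bruteforce(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag each successful login preceded by at least `min_failures` failed
    logins from the same source IP inside `window`.

    The thresholds are assumptions for this example, not values from the guide.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            t_success = datetime.fromisoformat(e["ts"])
            # Only failures from the same IP that fall inside the window count.
            recent_failures = [
                f for f in evs[:i]
                if f["outcome"] == "failure"
                and t_success - datetime.fromisoformat(f["ts"]) <= window
            ]
            if len(recent_failures) >= min_failures:
                findings.append({
                    "src_ip": ip,
                    "user": e["user"],
                    "success_at": e["ts"],
                    "failures_before_success": len(recent_failures),
                    "targeted_users": sorted({f["user"] for f in recent_failures}),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate_bruteforce(EVENTS):
        print(finding)
```

The second source (198.51.100.4) has one failure before its success and is correctly left alone; raising min_failures above four silences the first source too, which is the usual tuning knob between false positives and false negatives.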
6.cyberattack: An attempt to negatively affect the security of
computing resources. Also known as an attack.
7.cyberattack lifecycle: The pattern that serious cyberattacks
tend to follow for breaching sensitive data. The six phases
of the cyberattack lifecycle are reconnaissance; initial
compromise; command and control; lateral movement; target
attainment; and exfiltration, corruption, and/or disruption.
Also known as the attack lifecycle.
8.cyberthreat: An entity (individual, group, nation state, etc.)
that plans and executes cyberattacks. Also known as a threat.
9.dashboard: A SIEM interface that brings together several
security analytics views on one screen.
10.data breach: A compromise that causes a loss of data
confidentiality.
11.data normalization: The process of taking log data from its
original format and converting it to a descriptive, standardized
format to facilitate its use with security analytics.
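Added example (mine, not from the guide): normalizing two constructed records in different native formats, a syslog-style sshd line and a JSON firewall event, into one standardized schema. The target schema, its field names and the shared outcome vocabulary are assumptions for this example; every SIEM defines its own. The year supplied for the syslog line is likewise assumed, because syslog timestamps carry none.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample records in two native formats (not real logs).
SSHD_LINE = ("Mar  1 09:00:05 bastion sshd[2211]: Failed password for alice "
             "from 203.0.113.7 port 51544 ssh2")
FIREWALL_JSON = ('{"time": 1709283610, "action": "deny", "src": "198.51.100.4", '
                 '"dst": "10.0.0.12", "dport": 445, "proto": "tcp"}')

SSHD_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def _record(ts, event_type, outcome, src_ip, dst, user, raw):
    """Assumed target schema: same field names and outcome vocabulary for
    every source, so analytics can query all of them the same way."""
    return {
        "timestamp": ts.isoformat(),   # always ISO 8601, always UTC
        "event_type": event_type,
        "outcome": outcome,            # one vocabulary: "success" | "failure"
        "src_ip": src_ip,
        "dst": dst,
        "user": user,
        "raw": raw,                    # original line kept for forensics
    }


def normalize_sshd(line, year=2024):
    """Syslog lines carry no year, so the caller supplies one (assumed here)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    outcome = "failure" if m["result"] == "Failed" else "success"
    return _record(ts, "auth.login", outcome, m["ip"], m["host"], m["user"], line)


def normalize_firewall(line):
    """Epoch seconds and a vendor action word become UTC ISO time and the
    shared outcome vocabulary."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not all(k in rec for k in ("time", "action", "src", "dst")):
        return None
    ts = datetime.fromtimestamp(int(rec["time"]), tz=timezone.utc)
    outcome = "failure" if rec["action"] == "deny" else "success"
    return _record(ts, "network.connection", outcome, rec["src"], rec["dst"], None, line)


def normalize(line):
    """Dispatch on the native format. Unrecognised input yields None rather
    than a half-filled record, so the gap is visible instead of hidden."""
    if line.lstrip().startswith("{"):
        return normalize_firewall(line)
    if " sshd[" in line:
        return normalize_sshd(line)
    return None


if __name__ == "__main__":
    for raw in (SSHD_LINE, FIREWALL_JSON, "unknown format"):
        print(normalize(raw))
```

Keeping the raw line inside the normalized record is deliberate: normalization is lossy by design, and an investigation may need the original text.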
12.exfiltration: The process of transferring sensitive
information from an authorized location (controlled and
protected by the organization) to an unauthorized location
outside the organization’s control.
13.false negative: An instance where security controls failed to
detect the presence of malicious activity.
14.false positive: An instance where security controls
incorrectly categorized benign activity as malicious.
15.forensic data: All of the security-related event data being
collected by an organization. Forensic data comes from
four categories of sources: enterprise security control logs,
endpoint software logs, network flow data, and asset data.
16.honeypot: A specialized device that exists solely to attract
attackers and monitor their actions. An organization can use
honeypots as a source of security intelligence.
17.incident: The occurrence of security events of particular
concern to an organization. An incident may be declared
when an organization detects a successful attack, an attack
in progress, or indications of a new, serious threat, such as
unusual reconnaissance actions or failed attacks.
18.incident response: The process of handling a particular
attack or chain of attacks. Incident response is a subset of
19.incident response orchestration: The process of
coordinating people and tasks involved in incident response
and providing the people with the necessary information.
20.indicators of compromise: The signs of a compromise.
An organization with knowledge of indicators of compromise
can look for the presence of those indicators in security logs,
file systems, and other locations to identify additional systems
that have likely been compromised.
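Added example (mine, not from the guide): sweeping two of the locations this entry names, security logs and a file-system hash scan, for a set of indicators, then grouping the hits by host to list the systems that are likely compromised. The indicator values, the log lines and the hash list are all constructed for the example; the hash is a 64-character placeholder, not a real sample's digest.

```python
import re

# Constructed indicators of compromise (example values, not from any real report).
IOCS = {
    "ip": {"203.0.113.7", "198.51.100.4"},
    "domain": {"update-check.example.net"},
    "sha256": {"a3f1" * 16},   # constructed 64-hex-char placeholder hash
}

# Constructed evidence from the places the definition names.
LOG_LINES = [
    "2024-03-01T09:00:20Z host=ws-17 proxy allow user=alice dst=update-check.example.net method=GET",
    "2024-03-01T09:01:02Z host=bastion sshd Accepted password for alice from 203.0.113.7 port 51544",
    "2024-03-01T09:05:00Z host=ws-22 proxy allow user=bob dst=www.example.com method=GET",
]
FILE_HASHES = {  # (host, path) -> sha256, as an endpoint scan would report
    ("ws-17", "/tmp/.x/loader"): "a3f1" * 16,
    ("ws-22", "/usr/bin/ls"): "00" * 32,
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HOST_RE = re.compile(r"\bhost=(\S+)")


def sweep_logs(lines, iocs):
    """Match IP and domain indicators in free-text log lines, recording the
    host each line came from so hits map back to systems."""
    hits = []
    for n, line in enumerate(lines, 1):
        host_m = HOST_RE.search(line)
        host = host_m.group(1) if host_m else None
        for ip in set(IP_RE.findall(line)):
            if ip in iocs["ip"]:
                hits.append({"host": host, "where": f"log line {n}", "type": "ip", "indicator": ip})
        for dom in {d.lower() for d in DOMAIN_RE.findall(line)}:
            if dom in iocs["domain"]:
                hits.append({"host": host, "where": f"log line {n}", "type": "domain", "indicator": dom})
    return hits


def sweep_hashes(file_hashes, iocs):
    """Match file hashes from an endpoint scan against hash indicators."""
    return [{"host": host, "where": path, "type": "sha256", "indicator": h.lower()}
            for (host, path), h in file_hashes.items() if h.lower() in iocs["sha256"]]


def likely_compromised(hits):
    """Group hits by host: the additional systems the sweep is meant to find."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["indicator"])
    return {host: sorted(inds) for host, inds in by_host.items()}


if __name__ == "__main__":
    all_hits = sweep_logs(LOG_LINES, IOCS) + sweep_hashes(FILE_HASHES, IOCS)
    for host, indicators in likely_compromised(all_hits).items():
        print(host, indicators)
```

Two hits on ws-17 (a beacon domain in the proxy log and a matching file hash on disk) corroborate each other, which is the point of sweeping more than one location.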
21.investigation: The process of security analysts reviewing
security intelligence to determine how a potential threat
should be handled. Investigation may also look for broader
patterns that could indicate a wider compromise in progress.
Investigation is a major part of the response component of
22.lateral movement: The act of repeatedly leveraging a
compromise of one internal device to compromise another
internal device, so as to move through an organization and
reach a target.
23.log minimization: The process of removing unneeded
information from a copy of log data to shrink the total size
of the data. Techniques for log minimization include event
aggregation, reduction, and compression.
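Added example (mine, not from the guide): the three techniques this entry lists, applied in turn to a constructed stream of firewall events. Which fields count as droppable, and which fields define "the same event" for aggregation, are assumptions for this example; in practice both are retention policy decisions.

```python
import gzip
import json
from collections import OrderedDict


def _constructed_events():
    """Constructed firewall events (not real logs): 50 identical denies that
    differ only in timestamp, plus two distinct events."""
    evs = [{"ts": f"2024-03-01T09:00:{i:02d}", "src": "10.0.0.5", "dst": "10.0.0.12",
            "dport": 445, "action": "deny", "rule": 42, "ifname": "eth0"} for i in range(50)]
    evs.append({"ts": "2024-03-01T09:01:00", "src": "10.0.0.9", "dst": "10.0.0.12",
                "dport": 22, "action": "allow", "rule": 7, "ifname": "eth0"})
    evs.append({"ts": "2024-03-01T09:01:30", "src": "10.0.0.5", "dst": "10.0.0.12",
                "dport": 445, "action": "allow", "rule": 9, "ifname": "eth0"})
    return evs


RAW_EVENTS = _constructed_events()


def reduce_fields(events, drop=("rule", "ifname")):
    """Reduction: drop fields the analytics will not use (assumed list)."""
    return [{k: v for k, v in e.items() if k not in drop} for e in events]


def aggregate(events, key_fields=("src", "dst", "dport", "action")):
    """Aggregation: collapse events that differ only in timestamp into one
    record with a count and first/last seen, so no occurrence is lost."""
    buckets = OrderedDict()
    for e in events:
        key = tuple(e[f] for f in key_fields)
        b = buckets.get(key)
        if b is None:
            b = buckets[key] = {f: e[f] for f in key_fields}
            b.update(count=0, first_seen=e["ts"], last_seen=e["ts"])
        b["count"] += 1
        b["first_seen"] = min(b["first_seen"], e["ts"])
        b["last_seen"] = max(b["last_seen"], e["ts"])
    return list(buckets.values())


def compress(events):
    """Compression: compact JSON lines, then gzip."""
    lines = "\n".join(json.dumps(e, separators=(",", ":"), sort_keys=True) for e in events)
    return gzip.compress(lines.encode())


def minimize(events):
    """Reduce, then aggregate, then compress; report sizes at each stage."""
    raw_bytes = len("\n".join(json.dumps(e) for e in events).encode())
    minimized = aggregate(reduce_fields(events))
    blob = compress(minimized)
    stats = {
        "input_events": len(events),
        "raw_bytes": raw_bytes,
        "output_events": len(minimized),
        "compressed_bytes": len(blob),
    }
    return minimized, stats


if __name__ == "__main__":
    out, stats = minimize(RAW_EVENTS)
    print(stats)
    for rec in out:
        print(rec)
```

Note that the definition says minimization is done on a copy: aggregation discards the individual timestamps, so the original stream is what an investigation would still go back to.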
24.machine analytics: Security analytics performed
automatically by a system or systems.
25.mean time to detect (MTTD): A measure of the average
elapsed time from the start of an attack or chain of attacks to
the detection of the activity.
26.mean time to respond (MTTR): A measure of the average
elapsed time from the detection of an attack to the completion
of all response activities.
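Added example (mine, not from the guide): computing MTTD and MTTR as these two entries define them from a constructed set of incident records. The record format is an assumption. An incident whose response is still open has no completion time and is excluded from MTTR, which is the edge case to get right: counting it with a placeholder would understate the figure.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records (not real data). attack_start is the time
# investigation later established the attack began; an open incident has
# no "responded" time yet.
INCIDENTS = [
    {"id": "INC-1", "attack_start": "2024-03-01T09:00:00",
     "detected": "2024-03-01T11:00:00", "responded": "2024-03-01T15:00:00"},
    {"id": "INC-2", "attack_start": "2024-03-02T08:00:00",
     "detected": "2024-03-02T08:30:00", "responded": "2024-03-02T12:30:00"},
    {"id": "INC-3", "attack_start": "2024-03-03T10:00:00",
     "detected": "2024-03-03T10:30:00", "responded": None},
]


def _hours(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def mttd_hours(incidents):
    """MTTD: mean of (detection - attack start) over detected incidents."""
    deltas = [_hours(i["attack_start"], i["detected"]) for i in incidents if i["detected"]]
    return mean(deltas) if deltas else None


def mttr_hours(incidents):
    """MTTR: mean of (response complete - detection). Only closed incidents
    count; an open one is left out rather than given a fake end time."""
    deltas = [_hours(i["detected"], i["responded"]) for i in incidents if i["responded"]]
    return mean(deltas) if deltas else None


if __name__ == "__main__":
    print("MTTD hours:", mttd_hours(INCIDENTS))
    print("MTTR hours:", mttr_hours(INCIDENTS))
```

MTTD depends on knowing when the attack actually started, which is usually only established during investigation, so the figure for an incident can change after it is first recorded.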
27.qualification: The process of assessing security intelligence
to confirm its legitimacy and priority. The purpose of
qualification is to verify that the detected activity necessitates
28.reconnaissance: Research conducted by an attacker to
learn more about its target’s environment.
29.search analytics: Security analytics performed by a person.
30.security analytics: Techniques used on aggregated forensic
data to find the events and sequences of events that are of
greatest concern from a security perspective.
31.security information and event management (SIEM):
A security control designed to centrally store, normalize, and
analyze security log data gathered throughout an enterprise.
Some SIEMs also offer incident and threat management
32.security intelligence: High-quality, actionable information
about the most serious threats currently acting against an
organization. Security intelligence is collected within an
organization on the threats against it.
33.security intelligence and analytics platform: The
infrastructure, including hardware, software, and services,
directly supporting an organization’s automation of threat
34.target: A system of particular interest to an attacker in
achieving a goal, such as breaching certain data.
35.threat intelligence: Information collected by a third party
on threats in general.
36.threat management: The processes for managing the
threats that use the cyberattack lifecycle. Threat management
comprises three ongoing processes: detecting threats targeting
the organization, responding to detected threats, and
recovering from damage caused by threats.
37.threat mitigation: The process of thwarting a threat by
stopping its in-progress attacks. Threat mitigation is a major
part of the response component of threat management.
38.threat response: The process of performing incident
response and handling the threat behind the incident.
Collected from Definitive Guide™ to Security Intelligence and Analytics: https://logrhythm.com/pdfs/3rd-party-whitepaper/lr-definitive-guide-to-security-intelligence-and-analytics.pdf