A specialized software to check files and programs for known patterns of viruses and malware. Running on endpoints (in integrated endpoint security solutions), on central file-shares and on dedicated appliances like HTTP proxies to check files.
Advanced Persistent Threat; a targeted attack by an adversary with enough resources in technology, time and money to go after high-value targets; uses custom specialized tools to circumvent the security measures of the target
An entry into a product or a system with different security mechanisms than the main usage and administration interface. Mostly invented for debugging during development but forgotten in the live systems and then miss-used by attackers. Also, malware aims at adding additional backdoors for easier entry.
If a device is infected with any kind of malware, the behavior in the network changes, new connections are established to servers never talked to before, the malware tries to spread within the network, reconnaissance to detect further systems and vulnerabilities is seen. To distinguish this behavior from the normal actions of a device and to detect threats hiding in legitimate traffic, the behavior of a device has to be deducted from all the network traffic of the device. By correlating the different flows of a device over time, the behavior can be seen, then deviations from the known good behavior can be detected to indicate infections or malicious actors.
A malicious software that neutralizes or circumvents local endpoint security solutions, connects to a Command and Control center for instructions from cyber criminals, and carries out the instructions. The local device is factually under the control of the attacker and used for further attacks on other systems either in the same network or targeting different networks.
A number of bots under the control of an adversary used to execute further attacks. As commercialization continues it is nowadays possible to rent the services of a botnet. Most uses of botnets are for distributed denial-of-service attacks (see DDoS).
Bring Your Own Device (also called device management) is the practice of allowing network users to access an organization’s (usually wireless) network with their own computers, smart phones, tablets and other devices. BYOD has a major impact on networks with large and diverse user bases, such as educational institutions, but also affects large and small business networks.
Command and Control
A server infrastructure to control a number of bots. It is a sure sign of an infection when network traffic to known command and control servers is seen.
Data Leakage Prevention; Matches the traffic payload to defined patterns of filenames and data to detect and prevent the unauthorized transmission of confidential information to unauthorized parties.
Demilitarized Zone; a special network segment between two other bigger segments to provide secure services and special filtering to network traffic. Network access is allowed from each side to the application proxies and services within the DMZ but not from one side directly to the other. Only the services within the DMZ can initiate (controlled) network access to both sides.
Dynamic Network Objects; dynamic lists of addresses (MAC, IPv4 or IPv6) to be used in source- or destination conditions of policies and rules. Device addresses are added by rule actions for example when a certain behavior is detected for a device. The set of policies in effect for a certain device can change dynamically depending on whether the device is listed in a DNO or not. It is one of the cornerstones of self-modifying policies and effect threat isolation and -prevention.
Domain Name System; a system that is used to translate structured, human readable names like www.cognitix.de into machine readable data like IPv4 addresses, IPv6 addresses, responsible mail server and more.
A technique to circumvent Next Generation Firewalls with application detection and SSL inspection by transporting the application data of an application within encryption of a different application. For example, YouTube video streaming can circumvent detection by fetching the stream not via an SSL connection to YouTube, but by establishing an SSL connection to google (the search engine part) and encapsulating the YouTube traffic within. This way the connection looks like a very large google search.
Denial-of-Service and Distributed Denial-of-Service; overloading a target system with lots of requests without any actual business traffic. Binds the targets resources for the faked requests and thus blocks the legitimate business. As single systems acquiring many resources are easy to detect, botnets are used to start these attacks from many systems simultaneously in a distributed denial-of-service attack.
Combined solutions to protect endpoints from infections, usually incorporating traditional anti-virus with additional protection and management functions. An endpoint protection is software running on the device itself, thus affected by the basic problem in that you cannot trust its reporting once the device is infected.
Event Tracking Tables; Policy-specific tables to track and correlate attributes of flows over time. Pairs of any kind of the enriched flow attributes can be tracked. Further rules can then check for the presence or count of attributes to influence the handling of a later flow based on attributes seen in earlier flows of communication. The cornerstone of behavior correlation to determine the behavior of users and devices and to police malicious behavior.
A script, code or just a description of actions to exploit a vulnerability of a system or a software.
A logical connection of packets belonging to the same communication. The request and response of an HTTP connection are a flow for example, the ICMP Ping and its corresponding ICMP Echo can also be seen as one flow.
The gateway within a layer 3 network segment is the device where traffic is sent to when the destination is not within the same segment. The gateway is the default router to connect a specific network segment with the rest of the networks.
Hypertext Transfer Protocol is used for unencrypted communication over computer networks, including the Internet, to transfer text- and similar documents from a server to the client. Most commonly used by web-browsers but also used by applications and malicious software.
Encrypted version of the Hypertext Transfer Protocol; Transport Layer Security (TLS, formerly known as SSL) is used to encrypt the connection and to to encapsulate the plain HTTP traffic. Authenticity of the server and optionally of the client is ensured through the use of certificates and certificate authorities.
Intrusion Detection System, Intrusion Prevention System, Intrusion Detection and Prevention; a software or appliance that inspects and analyzes packets and data for numerous patterns of malicious behavior and different types of risks. When deployed as a detection system, it raises an alarm. When deployed as a prevention system, immediate action is taken to block the malicious traffic and alarm the network administrators.
Indicator of attack; a marker to indicate an imminent or running attack. List of indicators for attacks contain for example IP addresses of known botnets. Network traffic from these addresses can usually be blocked right away to prevent attacks and infections
Indicator of compromise; a marker to indicate that the device might be infected with a malware. List of indicators of compromise include URLs, domains and IP addresses only seen in traffic from the malware to its command and control servers or when exfiltrating Also when domains used for distributing malware are accessed, this might be a sign for an imminent infection.
Internet of Things; connecting data and things, removing the explicit user interaction to form a world-wide web of electronical devices. As more and more devices are directly connected with the internet to help in automation and flexibility (machine-to-machine communication), the security of this kind of installations is often not up to par making business critical processes susceptible to new and drastic attacks.
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. Human readable names are translated into IP addresses via DNS. Nowadays IP addresses come in two flavors of IPv4 and IPv6.
IPv4 embedded IPv6 address
An IPv6 address where the rightmost 32 bits are a valid IPv4 address. Used to map the full IPv4 address space into valid IPv6 addresses.
Internet Protocol version 4 is the fourth version of the Internet Protocol (IP), the main protocol used for communication over the Internet. IPv4 addresses are 32-bit and can be represented in notation by 4 octets of decimal digits, separated by a period: for example, 172.16.254.1.
Internet Protocol version 6 is the sixth version of the Internet Protocol (IP), the main protocol used for communication over the Internet (IPv5 never became an official protocol). IPv6 was created in response to the depletion of available IPv4 addresses. IPv6 addresses are 128-bit and can be represented in notation by 8 octets of hexadecimal digits, separated by a colon: for example, 2001:db8:0000:0000:0000:0000:0000:0000. IPv6 addresses can be shortened by replacing an occurrence of octets that are 0000 by a double colon; for example, the previous address can also be written as 2001:db8:: See also IPv4 embedded IPv6 address on how to unify IPv4 addresses into IPv6.
An academic/military description of attacks into several phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control and finally Actions on Objectives. This model is mostly used to have a structured defense system against attacks, different security measures are deployed to fight attacks in the various stages.
A Media Access Control address is a unique identifier assigned to a network interface used for network communication. A MAC address is assigned to a device by the manufacturer and so this address, unlike an IP address, is not normally changed. MAC addresses are represented in notation by six groups of two hexadecimal digits, separated by hyphens or colons: for example, 01:23:45:67:89:ab. The first three groups are the vendor prefix while the rest is assigned to the likening of the vendor.
Malicious Software; a piece of software to infect system and perform unwanted and possible harmful functions. Subtypes include Trojans, worms, ransomware, bots and other variants but distinctions are getting blurrier every day.
Multicast is a method of group communication where information is addressed to a group of destinations simultaneously. Multicast groups are available on the MAC layer for local multicast groups as well as with IPv4 and IPv6 for global multicast groups.
Network Address Translation is a process used to modify, or translate, either the source or destination IP address or port in a packet header. The primary use for NAT is to allow multiple network devices on a private network to be represented by a single public IP address to access the internet.
Network Behavior Analysis; Collection of methods for describing the state of a network and detecting deviations from its normal condition by observing and analyzing network traffic.
Dividing a network into smaller segments can be done for various reasons. Mostly it is used to protect the different segments from the other segments. Each segment has its own layer 3 address range and routers are deployed to forward network traffic from one segment to the other. When these routers are combined with a firewall, the access from one segment to the other can be controlled with firewall rules allowing or denying traffic.
Next Generation Intrusion Prevention Systems; Combining next generation deep packet inspection with IDS/IPS breeds a new class of high speed, high performance intrusion prevention systems checking for known malicious patterns within communication payloads.
Next Generation Firewall; as addresses and port numbers are not enough anymore to identify applications and services, deep analysis of network traffic has to be done to really determine the applications and payloads used to communicate. While next generation firewalls are needed, they too do not provide the needed protection to today’s threats and attacks.
A packet is a unit of data that is transmitted between communicating devices. A packet contains both the message being sent and control information, such as the source address and the destination address, source and destination port, transport protocol and also sequence number.
Attackers send emails imitating legitimate services and try to scare users into visiting the linked websites to enter their credentials “for recovery of service” or similar reasons. Generally imitating email providers or bank accounts to steal the credentials. Stolen credentials are then used to access other systems the victim uses. Prevention Tactics: Do not re-use passwords at different services and do not click on links sent via email.
A set of rules, event tracking tables and dynamic network objects to describe wanted or malicious behavior and to act upon this behavior. While a single rule can only act upon a specific flow, a policy acts upon the behavior of a device and can affect the whole network traffic of a device for example by completely isolating an infected device.
Port numbers are communication endpoints used to allow network communication. Different ports are used for different application-specific or process-specific purposes; for example, HTTP protocol commonly uses port 80. Sadly, the association from port-number to application is not enforced, so real application detection has to look at the data transferred and can not rely on the usage of ports.
A set of conditions of traffic parameters that cause specified actions to be taken for a flow. When used in conjunction with cognitix’ event tracking tables (see ETT) and dynamic network objects (see DNO) more complex policies to describe device behavior can be created.
Social Network Analysis; Process of finding structures in data describing relations between entities, like STIX records or packet-exchanging devices. These structures may be cohesive groups or dominant actors, for example.
A special phishing attack targeted at one company or individual imitating a service known to be in use by the victim. Imitates special services like CRM platforms or supplier’s accounts to steal credentials.
By pretending to be something else, attackers can try to get access to, elevated permissions or just hide when entering and attacking networks. A local attacker might spoof their MAC address to pretend to be a network printer instead of their own device to prevent detection. An attacker might spoof the IP address of another user to pretend to be that user and get past IP-based firewall rules to access more sensitive areas of the network.
When TLS/SSL connections are intercepted, a proxy in the middle of the communication provides a faked server to the real client and a faked client to the real server. Within the proxy, the formerly encrypted communication is available in plain text. Can be used by attackers in man-in-the-middle attacks to undermine the security of a connection. It is also used by certain perimeter firewalls to check for viruses and other malware within the encrypted connections. Secure services prevent the inspection by enforcing the usage of a limited number of certificates to sign and encrypt the communication, preventing third parties from providing faked certificates for interception.
Structured Threat Information Expression, a common format to exchange threat information gathered by the cyber security community, like attack indicators, reported incidences, and their relations.
A subnetwork, or subnet, is a segment of the network that is separated physically by routing network devices and/or logically by the difference in addressing of the nodes of the subnet from other subnets. Dividing the network into subnets helps performance by isolating traffic from segments of the network where it doesn’t need to go, and it aids in security by isolating access. The addressing scope of a subnet is defined by its IP address and subnet mask and its connection to other networks is achieved by the use of gateways and routers. Network traffic within a subnet is not limited or secured, so the local subnet is seen as a bubble of trust (or hope) unless a solution like cognitix’ is deployed within the network.
A hardware device that connects network devices on layer 2 (the Ethernet layer). Devices are identified by their MAC address and the switch forwards traffic as needed to the specific target device or broadcasts to all devices. Switches can be cascaded to share one segment. When a connection ring is built between switches, an automated way of detecting the ring is needed to prevent a storm of packets circling in the ring and using up all the bandwidth.
The collection and connection of information about threats, attackers, malwares, resources, attack vectors, counter measures and prevention tactics to gain knowledge about the threats impacting the own network. Connecting threat intelligence with real-time correlation of the own network and security events gives the needed situational awareness to asses and act on current threats to protect the business.
TLS / SSL
Transport Layer Security, formerly named Secure Sockets Layer is a protocol for encrypting information that is transmitted over a network, including the Internet. SSL can be used for secure communications to a webserver (see HTTPS) and for allowing remote users to access a network via a virtual private network.
User and Entity Behavior Analysis; Process of detecting and recognizing users and devices participating in network communication by their traffic profile using machine learning approaches. Moreover, UEBA may detect unusual behavioral patterns that might be present due to a threat.
A Uniform Resource Locator is a human readable text string that refers to a network resource. A URL mostly consists of a fully qualified domain name (short “domain”) and the path within the server. For example, www.cognitix.de/products/ denotes the domain name www.cognitix.de and the path components /products/. The most common use for URLs is on the Internet, where they are also known as web addresses. URLs can also be used in web filtering to block specific sites from being accessed.
Virtual Local Area Networks are used to logically divide a single local area network (LAN) into different parts that function independently. By adding the VLAN-tag to the layer 2 encapsulation of network traffic, several layer 3 networks can share one physical connection without interfering with each other.
A weakness of a system or software that can be exploited, usually caused by a bug in the implementation but some vulnerabilities are also caused by problems in the design of a protocol or process. Known vulnerabilities are categorized in their severity depending on the ramifications when exploited. Some vulnerabilities let the target service crash while others can be used to access data that is otherwise inaccessible. Other vulnerabilities can be exploited to execute arbitrary code and get elevated permissions for further exploits.
A vulnerability not (yet) widely known and for which no prevention or fix is available. Exploits for zero days are sold for higher prices as they promise sure access to the victim’s system.
As networks become more complex, applications become more distributed and interactions with foreign systems become more common, the classical assumption of the trusted local network versus the untrusted outside world has to be abolished. Instead the local networks also have to be seen as untrusted.