Hacking (Internet Security) Terminology

Attack: attack tools, attack methods, attackers

Defense: software and hardware, technology and services

1. Attack

1. Attack tools

1. Broiler

The so-called "broiler" (a compromised machine, also called a zombie) is a very vivid metaphor. It refers to computers, mobile phones, servers, or other smart devices such as cameras and routers that an attacker can control and use to launch network attacks.

For example, in the 2016 US East Coast network outage incident, hacker groups controlled a large number of networked cameras to launch cyber attacks, and those cameras can be called "broilers."

2. Botnets

A botnet is formed when one or more means of transmission are used to infect a large number of hosts with bot programs, creating a one-to-many controllable network between the controller and the infected hosts. It is a very vivid metaphor: numerous computers are unknowingly driven and commanded like the zombie hordes of ancient Chinese legend, and become a kind of infrastructure used by attackers to carry out various malicious activities (DDoS, spam, etc.).

3. Trojan horse

Programs that appear normal on the surface but, once run, give the attacker full control of the system. Many hackers favour Trojan horse programs for controlling other people's computers, for example Gray Pigeon, Gh0st, PcShare and so on.

4. Web page Trojan

On the surface it pretends to be an ordinary webpage, or malicious code is inserted directly into a normal webpage file. When someone visits it, the webpage Trojan exploits a vulnerability in the visitor's system or browser to automatically download the pre-configured Trojan server program onto the visitor's computer and execute it, turning the affected client into a bot or member of a botnet.

5. Rootkit

A Rootkit is a tool used by attackers to hide their tracks and retain root access (root authority; under Windows this can be understood as SYSTEM or administrator authority). Usually the attacker obtains root access through a remote attack, or first obtains ordinary user access by guessing (cracking) a password and then, once inside, escalates to root or SYSTEM privileges through security holes in the victim's system. The attacker then installs the Rootkit in the victim's system in order to control it for a long time. A Rootkit is similar in function to a Trojan horse or a backdoor, but far more hidden than either.

6. Worms

A relatively independent type of malicious code that takes advantage of the openness of networked systems and spreads autonomously through vulnerabilities that can be exploited remotely. Each controlled terminal becomes the initiator of further attacks and tries to infect more systems. The main characteristics of worms are: self-replication, strong dissemination, latency, specific triggering, and great destructiveness.

7. Stuxnet

Also known as the Stuxnet virus, it is the first "worm" virus that specifically targets basic (energy) infrastructure in the real world, such as nuclear power plants, dams, and national power grids. As the world's first cyber "super-destructive weapon," Stuxnet infected more than 45,000 networks around the world, with Iran's uranium enrichment facility hit most severely.

8. Ransomware

It is mainly spread through mail, Trojan horse programs, and web page "hanging horse" (drive-by) attacks. This virus is malicious in nature and extremely harmful; once infected, a user suffers immeasurable losses. It uses various encryption algorithms to encrypt files, and the infected party generally cannot decrypt them: the files can only be recovered with the private key held by the attacker.

9. Mining Trojans

A Trojan horse that turns PCs, mobile devices, and even servers into mining machines, usually implanted by mining gangs to mine Bitcoin for profit.

10. Attack Payload

The attack payload (Payload) is the malicious code, often multi-stage, that is executed after a system is compromised. Usually the payload is attached to an exploit module and distributed together with the exploit, and it may fetch further components over the network.

11. Sniffer

It is a device or program that can capture network packets. A legitimate use of a sniffer is to analyze the traffic of a network in order to find potential problems in the network of interest.

12. Malware

Programs designed to achieve various malicious acts such as unauthorized control of computers or stealing computer data.

13. Spyware

Software that installs backdoors on computers and mobile phones without the user's knowledge, with functions such as collecting user information, monitoring, and secretly taking pictures.

14. Back door

This is a vivid metaphor. After an intruder has gained control of a target host by some means, he can implant a specific program in the victim's system, or modify some settings, so as to access, view or control the host later. These changes are difficult to detect on the surface; it is as if the intruder secretly made a copy of the key to the owner's room, or built a secret passage in an inconspicuous place, so that he can come and go at will. Most Trojan programs can be used by intruders to create backdoors (BackDoor).

15. Weak passwords

Refers to passwords that are not strong enough and are easy to guess, such as 123 and abc.

16. Vulnerabilities

Vulnerabilities are defects in the specific implementation of hardware, software, protocols or system security policies, which allow attackers to access or damage the system without authorization. Qi Xiangdong, chairman of Qi Anxin Group, pointed out in the book "Vulnerabilities" that software defects are a major source of vulnerabilities: defects are born with software, and vulnerabilities are inevitable.

17. Remote Command Execution Vulnerability

Due to flaws in system design and implementation, an attacker may, by sending specific requests or data, execute arbitrary commands of the attacker's choosing on the affected system.

0day vulnerability

The earliest "0day cracking" referred specifically to software, called WAREZ, and later extended to games, music, film and television and other content. The 0 in 0day means zero, and early on 0day meant that a cracked version appeared within 24 hours of the software's release. In the context of network attack and defense, 0day vulnerabilities are those that have been discovered and exploited by attackers but are not yet known to the public, including the affected software vendor. The attacker holds an information advantage: because there is no patch or temporary fix for the vulnerability, the defender does not know how to defend, and the attacker can achieve the greatest possible threat.

18. 1day vulnerability

Refers to vulnerabilities for which the vulnerability information has been made public but a patch has not yet been released. The harm of such vulnerabilities is still relatively high, but the vendor often announces mitigation measures, such as closing certain ports or services.

19. Nday vulnerability

Refers to a vulnerability for which an official patch has been released. Under normal circumstances, protecting against such a vulnerability only requires installing the patch. However, for various reasons, a large number of devices are often not patched in time while the methods of exploiting the vulnerability have been made public on the Internet, so such vulnerabilities are often the ones most commonly exploited by hackers. For example, in the EternalBlue incident, Microsoft had released patches in advance, but a large number of users were still affected.


2. Attack methods

1. Hanging horse

It means placing a web page Trojan in someone else's website files, or sneaking the code into the other party's normal web page files, so that visitors are "hit by the horse" (infected).

2. Digging

Refers to vulnerability mining, that is, searching for vulnerabilities.

3. Packing

It means using a special algorithm to change the encoding of an EXE executable or DLL dynamic link library file (for example, to compress or encrypt it), so as to reduce the file size or encrypt the program code, and even to evade antivirus software. At present the more commonly used shells are UPX, ASPack, PePack, PECompact, UPack, Immune 007, Trojan Caiyi and so on.

4. Buffer overflow

The simple explanation is that the program does not perform effective boundary checks on input data, which causes errors; the consequence may be a program crash or execution of the attacker's commands. The attacker supplies more data than the allocated memory area can hold. In some cases the extra bytes can be run as "executable code", which is enough for an attacker to bypass security measures and gain control of the computer.

5. Injection

The number one enemy of web security. The attacker sends attack code to an interpreter as part of a command or query statement; the malicious data can trick the interpreter into executing unintended commands or accessing data without authorization. Injection vulnerabilities are usually caused by a lack of security checks on input in the application, and can appear in SQL queries, LDAP queries, OS commands, program parameters, etc.

6. SQL injection

The most common form of injection attack. It mainly refers to a web application that does not check the legality of user input or filters it too loosely, so that an attacker can append additional SQL statements to the query predefined in the web application. Illegal operations are carried out without the administrator's knowledge, tricking the database server into performing unauthorized arbitrary queries or other operations, resulting in disclosure of database information or unauthorized operations on data tables.
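The defect described above, side by side with its fix, as an added example that is not part of the original glossary. It uses Python's built-in sqlite3 module with a constructed in-memory users table; the tainted input closes the string literal and comments out the password check, which the parameterised version treats as plain data.

```python
import sqlite3


def make_db():
    """Constructed example database (not from the page): a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret-pass", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: user input becomes part of the SQL text."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the input as data, never as SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Runs both versions with the same tainted username and a wrong password."""
    conn = make_db()
    # The quote ends the string literal and "--" turns the password check into a comment,
    # so the vulnerable query degrades to: ... WHERE username = 'alice'
    tainted_user = "alice' --"
    vuln = login_vulnerable(conn, tainted_user, "wrong")
    safe = login_safe(conn, tainted_user, "wrong")
    return vuln, safe


if __name__ == "__main__":
    vulnerable_rows, safe_rows = demo()
    print("vulnerable:", vulnerable_rows)  # the admin row, with no valid password
    print("parameterised:", safe_rows)     # no rows
```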

7. Injection point

That is, the place where injection can be performed, usually an application link (URL or parameter) that involves database access. The permissions obtained depend on the permissions of the database account under which the injection point runs.

8. Software unpacking

As the name suggests, it means using the corresponding tools to remove the protective "shell" program wrapped around the software and restore the file to its original form, so that modifying its content or analyzing and detecting it becomes much easier.

9. Avoid killing

It means modifying a program through techniques such as packing, encryption, changing signatures, adding junk ("flower") instructions, etc., so that it escapes detection and removal by anti-virus software.

10. Brute force

Also called "blasting". Hackers conduct a high-intensity automated search through every possible password for an account on the system in order to breach security and gain access to the computer.

11. Flood attack

An attack technique commonly used by hackers, characterized by simple implementation and great power; it largely ignores defenses by overwhelming them. By definition, a flood attack occurs when an attacker sends excessive data to a network resource, such as a router, switch, host, application, etc.

The flood attack compares the attack traffic to a flood. As long as the attack traffic is large enough, the defense means can be penetrated. A DDoS attack is a type of flood attack.

12. SYN attack

A denial-of-service attack that exploits a weakness in the operating system's TCP protocol design, namely the three-way handshake used when TCP establishes a connection: each SYN reserves a half-open connection entry that is only released when the handshake completes.
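The half-open connection table described above, as an added example that is not part of the original glossary. It simulates a server's SYN backlog over a constructed stream of packet summaries and shows the effect the definition only names: a flood of unanswered SYNs fills the backlog so that a later legitimate SYN is dropped.

```python
from collections import defaultdict

# Constructed packet summaries (not from the page) as seen by a server on one port:
# (seq, src_ip, src_port, TCP control flag set on the segment).
PACKETS = [
    (1, "192.0.2.10", 40001, "SYN"),
    (2, "192.0.2.10", 40001, "ACK"),     # legitimate client completes the handshake
    (3, "198.51.100.5", 50001, "SYN"),
    (4, "198.51.100.5", 50002, "SYN"),
    (5, "198.51.100.5", 50003, "SYN"),
    (6, "198.51.100.5", 50004, "SYN"),
    (7, "198.51.100.5", 50005, "SYN"),   # never answers the SYN-ACK: half-open entries pile up
    (8, "192.0.2.11", 40002, "SYN"),     # legitimate client arriving during the flood
    (9, "192.0.2.11", 40002, "RST"),
]


def track_half_open(packets, backlog=4):
    """Simulates the server's SYN queue.

    Each SYN reserves a backlog slot until the client's ACK (or a RST) releases it.
    Returns the half-open count per source and the seq numbers of SYNs that found
    the backlog full, i.e. connections the server had to drop."""
    half_open = {}  # (src_ip, src_port) -> seq of the SYN that opened the entry
    dropped = []
    for seq, ip, port, flags in packets:
        key = (ip, port)
        if flags == "SYN":
            if len(half_open) >= backlog:
                dropped.append(seq)
            else:
                half_open[key] = seq
        elif flags in ("ACK", "RST"):
            half_open.pop(key, None)
    per_source = defaultdict(int)
    for ip, _ in half_open:
        per_source[ip] += 1
    return dict(per_source), dropped


def flag_syn_flood(per_source, threshold=3):
    """Sources holding at least `threshold` half-open entries at once are flood suspects."""
    return sorted(ip for ip, count in per_source.items() if count >= threshold)


if __name__ == "__main__":
    counts, dropped = track_half_open(PACKETS)
    print("half-open per source:", counts)   # {'198.51.100.5': 4}
    print("dropped SYNs:", dropped)          # [7, 8]; seq 8 is the legitimate client
    print("suspects:", flag_syn_flood(counts))
```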

13. DoS attack

Denial of Service attack. By exploiting vulnerabilities or sending a large number of requests, attackers make the target unable to access the network or make its website inaccessible.

14. DDoS

Distributed DoS attack. Common forms are UDP, SYN and reflection amplification attacks, in which network requests are sent to you through many bots, congesting your network so that it cannot access the Internet normally.

15. Chicken catching

That is, trying to gain control of computers and turn them into "chickens" (broilers).

16. Port scanning

Port scanning refers to sending a group of probe messages to ports; from the responses one learns which network services the computer provides and where attackable weaknesses may be found, as a preparation for intrusion.

17. Flower instruction

By adding redundant assembly instructions that do not affect the function of the program, the antivirus software is prevented from correctly recognizing the structure of the virus file. In layman's terms: "antivirus software identifies viruses in order from head to toe; if we swap the positions of the virus's head and feet, the antivirus software can no longer find the virus."

18. Bounce port

Firewalls often filter incoming connections very strictly but neglect outgoing connections. Exploiting this, the server (controlled end) of reverse-connecting remote-control software actively connects out to the client (control end), which gives the illusion that the controlled end is merely making an ordinary outgoing connection, so that people let their guard down.

19. Phishing

Attackers use spoofed e-mails or fake Web sites to carry out network fraud. Scammers usually disguise themselves as trusted brands such as online banks, online retailers, and credit card companies to trick users into giving up private information or email account passwords.

The deceived often disclose their mailboxes and private information, such as credit card numbers, bank card accounts, ID numbers, etc.

20. Harpoon attack (spear phishing)

Spear phishing borrows the image of spear fishing for network attacks. It mainly refers to phishing in which the deceptive email is made to look more credible, with a higher probability of success. Unlike phishing that casts a wide net, spear phishing is much more targeted: the attacker "sees the fish and then uses the spear." To achieve this, the attacker gathers as much information as possible on the target, and specific individuals within an organization often have particular security gaps.

21. Whale fishing attack

Whaling is a further evolution of spear phishing. It refers to phishing attacks targeting senior executives and other senior personnel within an organization, tailored by personalizing the email content specifically for the intended target.

22. Watering hole attack

As the name suggests, a "watering hole" (trap) is set on a path the victim must pass. The most common method is that the hacker analyzes the target's online activities, finds a weakness in a website the target frequently visits, first "breaks" that website and implants attack code, and then, once the target visits the website, the target is "hit".

23. Sniffing

Sniffing refers to the interception and analysis of data packets in the LAN to obtain effective information.

24. APT attack

Advanced Persistent Threat: an organization's continuous and effective attack activity against specific targets on the network. This type of attack is highly concealed and targeted, and usually uses means such as infected media, the supply chain, and social engineering to carry out advanced, persistent, and effective threats and attacks.

25.C2

The full name of C2 is Command and Control, a term commonly used in APT attack scenarios. Read as a verb, it means the malware communicating with the attacker; read as a noun, it means the attacker's "infrastructure".

Supply chain attack

A supply chain attack is when a hacker attacks a partner of the target organization and uses the partner as a springboard to infiltrate the target. A common form is that users trust a vendor's products, and malicious software is implanted so that the attack happens when the vendor's product is downloaded, installed or updated. Therefore, when downloading from certain software download platforms, be careful if you encounter bundled software!

26. Social Engineering

A hacking method that does not rely on any hacking software and instead studies human weaknesses has emerged: social engineering. In layman's terms, it is a set of methods that exploit human and sociological weaknesses to carry out cyber attacks, and the attack methods are often unexpected. The world-famous hacker Kevin Mitnick noted in "The Art of Deception" that the human factor is the weak point of security: many enterprises invest heavily in information security, yet the cause of a data leak in the end is often the people themselves.

27. Taking a site

Refers to obtaining the highest authority over a website, that is, obtaining the backend (admin panel) location together with the administrator's name and password.

28. Escalation of rights

Refers to obtaining permissions one did not originally have. For example, a non-administrator user on a computer cannot access certain things on the C drive, but an administrator can; using some means to promote an ordinary user to administrator, so that it has administrator privileges, is called privilege escalation.

29. Penetration

It means detecting, through scanning, whether your network equipment and systems have security holes. If there are any, they may be invaded, just like a drop of water passing through a board with holes in it. If the penetration is successful, the system has been invaded.

30. Traversing (lateral movement)

It means that after breaking in, the attacker expands from the foothold in the internal network to search for and control more systems.

31. Springboard

An auxiliary machine used as an indirect tool for invading other hosts, generally used together with bots.

32. Net horse

It is to implant a Trojan horse in the webpage, and the Trojan horse program is run when the webpage is opened.

33. Black pages

After a successful hacker attack, the successful hacker page left on the website is used to show off the attack results.

34. Dark chain

Invisible website links. "Dark links" are very well hidden links in a website that are not easily detected by search engines in the short term. They resemble friendly (reciprocal) links and can effectively increase the weight of the linked website.
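A scanner for the two kinds of injected content described in this section, the zero-size or invisible iframe of a web page Trojan / hanging horse and the invisible "dark link", as an added example that is not part of the original glossary. It uses only the standard library; the HTML fragment and the .example domains are constructed, and the visibility heuristics (display:none, visibility:hidden, large negative offsets, 0/1-pixel iframes) are an assumption about how such content is typically hidden.

```python
from html.parser import HTMLParser
import re

# Constructed page fragment (not from the page): a normal page into which a hidden
# iframe and two invisible links have been inserted.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<a href="https://partner.example/">Partner site</a>
<iframe src="http://malicious.example/load.htm" width="0" height="0" frameborder="0"></iframe>
<div style="display:none"><a href="http://seo-spam.example/casino">casino</a></div>
<a href="https://news.example/" style="position:absolute; left:-9999px">news</a>
<script src="https://cdn.example/app.js"></script>
</body></html>"""

# Inline style patterns that make an element invisible to a human visitor.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)
VOID_TAGS = {"br", "img", "input", "meta", "link", "hr"}


class HiddenContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # open elements as (tag, is_hidden), to inherit hiddenness
        self.findings = []   # (kind, url)

    def _inside_hidden(self):
        return any(hidden for _, hidden in self.stack)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "iframe":
            zero_size = any(
                a.get(k, "").strip().rstrip("px") in ("0", "1") for k in ("width", "height")
            )
            if hidden or zero_size or self._inside_hidden():
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "a" and (hidden or self._inside_hidden()):
            self.findings.append(("hidden_link", a.get("href", "")))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy nesting.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def scan(html_text):
    """Returns the hidden iframes and links found in an HTML document."""
    parser = HiddenContentScanner()
    parser.feed(html_text)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for kind, url in scan(SAMPLE_HTML):
        print(kind, url)
```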

35. Drag library

Drag library is originally a term in the database field, which refers to exporting data from the database. In the world of cyber-attacks, it is used to refer to the hackers stealing database files after a website has been compromised.

36. Credential Stuffing

Credential stuffing means that hackers collect leaked username and password information on the Internet, build dictionary tables from it, and try to log in to other websites in bulk in order to obtain a list of accounts that can be logged into. Many users reuse the same account and password on different websites, so a hacker who obtains a user's account on website A can try to log in to website B with it; this is what is meant by a credential stuffing attack.
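Detection logic for the pattern described above, as an added example that is not part of the original glossary. It runs over constructed authentication log lines and separates credential stuffing (one source failing against many different accounts) from the brute force described earlier on this page (one source hammering a single account); the log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (not from the page): timestamp, result, username, source IP.
SAMPLE_LOG = """\
2024-03-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T10:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T10:00:02 FAIL user=carol src=203.0.113.7
2024-03-01T10:00:03 FAIL user=dave src=203.0.113.7
2024-03-01T10:00:03 OK   user=erin src=203.0.113.7
2024-03-01T10:00:04 FAIL user=frank src=203.0.113.7
2024-03-01T10:00:10 FAIL user=admin src=198.51.100.9
2024-03-01T10:00:11 FAIL user=admin src=198.51.100.9
2024-03-01T10:00:12 FAIL user=admin src=198.51.100.9
2024-03-01T10:00:13 FAIL user=admin src=198.51.100.9
2024-03-01T10:00:14 FAIL user=admin src=198.51.100.9
2024-03-01T10:05:00 FAIL user=alice src=192.0.2.44
2024-03-01T10:05:30 OK   user=alice src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse(log_text):
    """Parses log lines into (timestamp, result, user, src); unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def classify_sources(events, window=timedelta(minutes=1), min_attempts=5, min_users=4):
    """Per source IP, examine failed logins inside a sliding time window.

    >= min_attempts failures spread over >= min_users distinct accounts -> credential stuffing
    >= min_attempts failures against fewer accounts                     -> brute force
    anything else                                                        -> benign"""
    fails_by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    verdicts = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            in_window = [user for ts, user in fails[i:] if ts - start <= window]
            if len(in_window) >= min_attempts:
                distinct = len(set(in_window))
                verdicts[src] = "credential_stuffing" if distinct >= min_users else "brute_force"
                break
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(parse(SAMPLE_LOG)).items()):
        print(f"{src:15} {verdict}")
```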

37. Storm library

A method of attacking a website that uses malicious code to make the website "spill" some of its sensitive data.

38. CC attack

That is, Challenge Collapsar, whose name comes from Collapsar ("black hole"), the anti-denial-of-service product of the domestic security vendor NSFOCUS. Attackers use proxy servers to generate legitimate-looking requests that consume a large amount of system resources on the victim host, exhausting the target's processing resources and thereby achieving denial of service.

39.Webshell

Webshell is a command execution environment in the form of web pages such as asp, php, jsp or cgi. It can also be called a web backdoor, which can upload and download files, view databases, and execute arbitrary program commands.

40. Cross-site attack

Usually abbreviated as XSS. Attackers exploit a website program's insufficient filtering of user input to enter HTML code that is displayed on the page and affects other users, thereby stealing user information, performing actions under the user's identity, or spreading malicious code.

41. Man-in-the-middle attack

The man-in-the-middle attack is an "indirect" intrusion attack. Through various technical means, the attacker virtually places a computer under his control between two communicating computers in the network connection, and intercepts, tampers with and sniffs the normal communication data; this computer is called the "middleman".

42. Wool

Refers to online earners who exploit various online financial products, red envelope activities and offline promotion commissions to make money; more generally, it refers to collecting preferential offers from various banks, other financial institutions and merchants for profit. This behavior is called "wool pulling".

43. Business Email Attack (BEC)

Also known as the "face-changing fraud" attack, this is an attack against senior managers. Attackers usually impersonate (or take over) the mailbox of a decision maker to issue instructions concerning funds and interests, or rely on social engineering to craft emails that persuade or induce executives to make a financial transaction within a short time.

44. Telecom fraud

Refers to the crime of fabricating false information, setting up scams, and carrying out remote, non-contact fraud on the victim via telephone, Internet and text messages, inducing the victim to pay or transfer money; it takes many forms of deceit, often under a legal-looking cloak.

45. Butcher plate (pig-butchering scam)

Internet slang for a type of telecom fraud in which the scammer befriends the victim online and induces them into stock investment, gambling and the like; as the saying goes, "the longer the pig is fattened, the harder it is slaughtered."

46. ARP attack

The basic function of the ARP protocol is to look up the MAC address of a target device from its IP address so that communication can proceed. Exploiting this working characteristic of ARP, the hacker continuously sends spoofed ARP packets to the other party's computer containing a MAC address identical to that of the current device, so that when the other party responds, a simple duplicate-address error prevents normal network communication.
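Detection logic for the ARP spoofing described above, as an added example that is not part of the original glossary. It walks a constructed stream of ARP replies and flags the three symptoms a defender watches for: a known IP suddenly claimed by a different MAC, one MAC claiming several IPs, and a foreign IP advertised with the monitoring host's own MAC (the "same MAC as the current device" case in the definition). The addresses and the optional static table are constructed.

```python
from collections import defaultdict

# Constructed ARP replies observed on a LAN (not from the page): (seq, sender_ip, sender_mac).
# 192.0.2.1 is the gateway; aa:bb:cc:dd:ee:01 is its genuine MAC.
OWN_MAC = "aa:bb:cc:dd:ee:10"
ARP_REPLIES = [
    (1, "192.0.2.1",  "aa:bb:cc:dd:ee:01"),
    (2, "192.0.2.20", "aa:bb:cc:dd:ee:20"),
    (3, "192.0.2.1",  "aa:bb:cc:dd:ee:01"),
    (4, "192.0.2.1",  "aa:bb:cc:dd:ee:66"),   # gateway IP now claimed by another MAC
    (5, "192.0.2.20", "aa:bb:cc:dd:ee:66"),   # the same MAC also claims a second IP
    (6, "192.0.2.30", "aa:bb:cc:dd:ee:10"),   # our own MAC advertised for a foreign IP
]


def detect_arp_spoofing(replies, own_mac, static_table=None):
    """Returns (seq, kind, detail) findings.

    static_table holds trusted IP -> MAC bindings (e.g. the gateway); other bindings are
    learned from the first reply seen, and later contradictions are reported."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    findings = []
    for seq, ip, mac in replies:
        mac = mac.lower()
        if mac == own_mac.lower():
            # Someone is advertising our hardware address for an IP that is not ours.
            findings.append((seq, "own_mac_claimed", f"{ip} -> {mac}"))
            continue
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac           # learn the binding
        elif known != mac:
            findings.append((seq, "ip_mac_changed", f"{ip}: {known} -> {mac}"))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            findings.append((seq, "mac_claims_multiple_ips", f"{mac}: {sorted(mac_to_ips[mac])}"))
    return findings


if __name__ == "__main__":
    trusted = {"192.0.2.1": "aa:bb:cc:dd:ee:01"}
    for seq, kind, detail in detect_arp_spoofing(ARP_REPLIES, OWN_MAC, trusted):
        print(f"#{seq} {kind}: {detail}")
```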

47. Spoofing attack

Network deception technologies on the defensive side mainly include honeypots and distributed honeypots, deception space technology, etc. The main spoofing methods used by attackers are: IP spoofing, ARP spoofing, DNS spoofing, Web spoofing, email spoofing, source routing spoofing (specifying a route so as to communicate "legitimately" with other hosts under a false identity, or sending false messages so that the attacked host takes wrong actions), and address spoofing (including forging source addresses and forging intermediate sites).

48.Shellcode

A piece of instructions that the operating system can execute without special relocation (position-independent code). It is usually malicious code run after exploiting a software vulnerability. Shellcode is binary machine code, so named because it often gives the attacker a shell.

49. Physical attack

In popular understanding, it means achieving network intrusion through physical contact rather than purely technical means. The most common form is inserting a USB flash drive.

The famous Stuxnet virus incident infected Iran's nuclear facilities by inserting a USB flash drive.


3. Attackers

1. Black production

Cyber black production (cybercrime industry) refers to illegal activities that use the Internet as the medium and network technology as the main means, and that pose potential threats (major security risks) to the security of computer information systems, the order of cyberspace management, and even national security and social and political stability. The illegal data trading industry is one example.

2. Dark web

The dark web is a set of technical means, such as encrypted transmission, P2P peer-to-peer networking and multi-hop relay obfuscation, that provides users with anonymous access to Internet information. Its most prominent feature is anonymity.

3. Black hat hackers

Someone who hacks for illegal purposes, usually for financial gain. They gain access to secure networks to destroy, ransom, modify, or steal data, or to render the network unusable for authorized users. The name comes from old black-and-white westerns, where moviegoers could easily identify the villains because they wore black hats while the "good guys" wore white hats.

4. White hat hackers

Hackers who use their hacking skills for legitimate security testing and analysis, testing networks and systems to determine how well they can withstand intrusion.

5. Red Hat Hacker

In fact, the more accepted term is "Honker" (Hongke). Red Hat hackers take justice, morality, progress, and strength as their tenets, and love of the motherland, upholding justice, and a pioneering spirit as their spiritual pillars. They usually use their skills to maintain domestic network security and fight back against external attacks.

6. Red Team

Usually refers to the attacking team in offensive and defensive exercises.

7. Blue Team

Usually refers to the defensive team in offensive and defensive exercises.

8. Purple team

A newly emerged party in offensive and defensive exercises, usually referring to the supervisor or referee.


2. Defense

1. Software and hardware

1. Encryption machine

The host encryption machine (hardware security module) communicates with the host over TCP/IP, so it places no special requirements on the type of host or the host operating system.

2. CA certificate

Provides electronic authentication for secure communication between two parties. On the Internet, company intranets or extranets, digital certificates are used for identity identification and encryption of electronic information. A digital certificate contains the identification information of the owner of a key pair (public key and private key), and the identity of the certificate holder is authenticated by verifying the authenticity of that identification information.

3. SSL certificate

An SSL certificate is a type of digital certificate, similar to electronic copies of driver's licenses, passports, and business licenses. Because it is configured on the server, it is also called an SSL server certificate.

4. Firewall

It is mainly deployed at the egress between different networks or network security domains. By monitoring, restricting, and changing the data flow across the firewall, it shields the information, structure, and operating status of the network from the outside as much as possible, and selectively accepts external access.

5. IDS

An intrusion detection system is used to detect attacks before or while hackers launch them. An IDS differs from a firewall: a firewall can only shield against intrusions, whereas an IDS can detect an impending attack or intrusion from the information available before it occurs and respond to it.

6. NIDS

The abbreviation of Network Intrusion Detection System, that is, a network intrusion detection system, mainly used to detect hacker or cracker intrusions that come through the network. A NIDS can run in two ways: on the target host, monitoring its own communications, or on a separate machine, monitoring the communications of all network devices such as hubs and routers.

7. IPS

The full name is Intrusion Prevention System. Its purpose is to identify attack programs or harmful code, together with their clones and variants, in a timely manner and take preventive measures, stopping intrusions in advance and preventing problems before they happen, or at least making them much less harmful. Intrusion prevention systems are generally used in addition to firewalls and antivirus software.

8. Antivirus software

Also known as anti-virus or virus-killing software, it is a class of software used to eliminate computer threats such as viruses, Trojan horses, and other malware. In popular terms, an anti-virus engine is a set of technical mechanisms for judging whether the behavior of a specific program is that of a virus (including suspicious programs). An example is the QOWL anti-virus engine developed independently by Qi Anxin.

9. Antivirus Wall

Different from the anti-virus software deployed on the host, the deployment method of the anti-virus wall is similar to that of the firewall. It is mainly deployed at the network egress to scan and block viruses, so the anti-virus wall is also called an anti-virus gateway.

10. The old three

Usually refers to the three security products with the longest history: IDS, firewall and anti-virus.

11. Alarm

Refers to the alarm generated by the network security device for the attack behavior.

12. False positives

Also known as an invalid alarm, it usually refers to an erroneous alarm, that is, legitimate behavior being judged as illegal and raising an alarm. At present, because attack techniques advance rapidly and detection techniques are limited, the number of false alarms is very large; security personnel have to spend a lot of time dealing with such alarms, which has become the main source of trouble and slows down daily security handling.

13. False negatives

Usually means that the network security device fails to detect illegal behavior and therefore generates no alarm. Once a false negative occurs, the risk of system intrusion increases greatly.

14.NAC

The full name is Network Access Control. Its purpose is to prevent emerging threats such as viruses and worms from harming enterprise security. With NAC, customers allow only legitimate and trustworthy terminal devices (such as PCs, servers, PDAs) to access the network, and deny other devices.

15. Vulnerability scanning

Also called "missing scan" in direct translation. Vulnerability scanning is a security detection behavior (akin to a penetration attack) that, based on a vulnerability database, probes a specified remote or local computer system by scanning and other means, detects its security vulnerabilities and finds exploitable ones.

16. UTM

That is, Unified Threat Management, first proposed by IDC in 2014. It means concentrating the security capabilities of different devices (at the earliest, intrusion detection, firewall and anti-virus) on the same gateway to achieve unified management, operation and maintenance.

17. Gatekeeper

A gatekeeper (network isolation device) is an information security device that uses a solid-state switch with multiple control functions to read and write storage media, connecting two independent host systems. Since the two host systems are isolated by the gatekeeper, the only thing that passes between them is protocol-less "ferrying" of data in the form of files.

18. Bastion machine

Uses various technical means to monitor and record the operations that operation and maintenance personnel perform on servers, network equipment, security equipment, databases and other devices in the network, so as to centralize alarms, handle incidents in time, and audit to determine responsibility.

Database audit

Database auditing records database activity on the network in real time, performs fine-grained compliance management of database operations, alerts on risky database behavior, and blocks attacks. By recording, analyzing and reporting users' access to the database, it helps users generate compliance reports after the fact and trace the root cause of incidents. At the same time, it strengthens the records of internal and external database network behavior and improves the security of data assets.

19. DLP

Data leakage prevention: through precise identification of digital assets and the formulation of policies, it is mainly used to prevent the enterprise's specified data or information assets from leaving the enterprise in ways that violate security policy.

20.VPN

Virtual private network, establishes a private network on the public network, conducts encrypted communication, and realizes remote access by encrypting data packets and converting the destination address of the data packets.

21.SD-WAN

That is, software-defined wide area network, this service is used to connect enterprise networks, data centers, Internet applications and cloud services in a wide geographical range. A typical feature of this service is to cloudify the network control capability through software. Typically, SD-WAN has integrated firewall, intrusion detection, or antivirus capabilities. And judging from the current trend, SD-WAN designed with security as the core is emerging. Many security vendors, including Qi Anxin and Fortinet, have begun to set foot in this field and provide a relatively complete endogenous security design.

22. Router

A router is the hub used to connect different subnets; routers work on the transport layer and network layer of the OSI seven-layer model. The basic function of a router is to carry network packets to their destinations. Some routers also have access control lists (ACLs) that allow unwanted packets to be filtered out. Many routers can feed their log information into an IDS system and have basic packet filtering (i.e. firewall) capability.

23. Gateway

Usually refers to border network devices such as routers, firewalls, IDS, and VPNs.

24.WAF

Web Application Firewall: a product that protects web applications by enforcing a series of security policies on HTTP/HTTPS traffic.

25. SOC

That is, Security Operations Center, which translates as a security operation center or a security management platform, is a centralized security management system that assists administrators in event analysis, risk analysis, early warning management, and emergency response processing by establishing a set of real-time asset risk models.

26. LAS

The main function of the log audit system is to provide log collection, retrieval and analysis capabilities, which can provide rich context for threat detection.

27. NOC

Network Operations Center: the management, monitoring and maintenance center for remote network communication, and the focal point for network problem solving, software distribution and modification, routing, domain name management, and performance monitoring.

28. SIEM

That is, Security Information and Event Management, security information and event management, is responsible for collecting security log data from a large number of enterprise security controls, host operating systems, enterprise applications and other software used by enterprises, and analyzing and reporting.

29. Internet behavior management

Refers to devices that help Internet users control and manage their use of the Internet. It includes web page access filtering, online privacy protection, network application control, bandwidth flow management, information sending and receiving audit, user behavior analysis, etc.

30. Honeypot

It is a system containing vulnerabilities, which simulates one or more vulnerable hosts and provides hackers with an easy target to attack. Since the honeypot has no other tasks to perform, all attempts to connect should be considered suspicious. Another use of a honeypot is to delay an attacker's attack on their real target, allowing the attacker to waste time on the honeypot. Honeypot products include honeynet, honey system, honey account and so on.

31. Sandbox

A sandbox is a mechanism for running programs safely. It is often used to execute those untrusted programs. The impact of malicious code in untrusted programs on the system will be limited within the sandbox and will not affect other parts of the system.

32. Sandbox escape

The phenomenon in which a program recognizes that it is running in a sandbox environment and uses techniques such as staying dormant or deceiving the sandbox to bypass its detection.

33. Cyber range

A platform that combines virtual environments with real equipment to simulate a realistic cyberspace offensive and defensive environment, supporting attack-and-defense drills, security education, research into cyberspace combat capability, and verification testing of network weapons and equipment.


2. Technology and service

1. Encryption technology

Encryption technology consists of two elements: the algorithm and the key. The algorithm is the procedure that combines ordinary text with a string of numbers (the key) to produce unintelligible ciphertext; the key is the value the algorithm uses to encode and decode the data. Key-based cryptographic systems are divided into two types, symmetric-key systems and asymmetric-key systems, and data encryption is correspondingly divided into symmetric encryption (private-key encryption) and asymmetric encryption (public-key encryption). In symmetric encryption the encryption key and the decryption key are the same; in asymmetric encryption they differ, so the encryption key can be made public while the decryption key must be kept secret.

Blacklist and whitelist: as the name implies, a blacklist is a list of "bad" entries; all software and IP addresses on the blacklist are treated as illegal. The whitelist is its counterpart, a list of "good" entries; all software, IP addresses and so on that appear on the whitelist are treated as legal and may run on the computer.

2. Intranet

In layman's terms, it is a local area network, such as an Internet cafe, a campus network or a company intranet. Check the IP address: if it falls within one of the following three ranges, the host is on an intranet: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255.
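The three ranges above are the RFC 1918 private blocks. The following is an added example, not code from the original page, that classifies addresses against exactly those three blocks and also answers the related question of whether two hosts share a subnet (and so can talk without a router). The sample addresses are constructed and include the boundary of each block.

```python
import ipaddress

# The three private IPv4 blocks named in the text (RFC 1918), written in CIDR form.
PRIVATE_V4_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),       # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),    # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),   # 192.168.0.0 - 192.168.255.255
)


def is_intranet_address(ip: str) -> bool:
    """True when the IPv4 address lies inside one of the three private blocks."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are classified here")
    return any(addr in block for block in PRIVATE_V4_BLOCKS)


def classify_addresses(ips):
    """Label each address 'intranet' (private) or 'extranet' (publicly routable)."""
    return {ip: ("intranet" if is_intranet_address(ip) else "extranet") for ip in ips}


def same_subnet(ip_a: str, ip_b: str, prefix_len: int) -> bool:
    """True when both addresses fall in the same subnet of the given prefix length,
    i.e. they can exchange packets directly without going through a router (gateway)."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip_b) in net_a


# Constructed sample addresses, including the upper boundary of two private blocks
# and the first address just past 172.31.255.255.
SAMPLE_IPS = ["10.255.255.255", "172.31.255.255", "172.32.0.1",
              "192.168.1.20", "8.8.8.8", "203.0.113.7"]

if __name__ == "__main__":
    for ip, label in classify_addresses(SAMPLE_IPS).items():
        print(f"{ip:16} {label}")
```

Note that `172.32.0.1` is public even though it starts with 172: the private block is only 172.16.0.0/12, which is why a CIDR comparison is safer than checking the first octet.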

3. Extranet

Directly connected to INTERNET (Internet), it can communicate with any computer on the Internet.

4. Border defense

The defense model centered on the network boundary is based on static rule matching, emphasizing that all security threats are blocked from the external network.

5. North-South traffic

Usually refers to the traffic generated by internal and external communication in the data center.

6. East-West Traffic

Usually refers to the traffic generated by the communication between different hosts in the data center.

7. Rule base

The core database of network security, similar to a black and white list, used to store a large number of security rules. Once an access behaviour matches the rule base it is treated as illegal, which is why some people liken the rule base to the law of cyberspace.

Next generation: often used in the field of network security to indicate a relatively large innovation in a product or technology, with a significant improvement in capability over traditional methods. It is usually abbreviated NG (Next Gen), for example NGFW (Next Generation Firewall) and NGSOC (Next Generation Security Management Platform).

8. Big data security analysis

Different from the traditional defense mode of passive rule matching, it actively collects and analyzes big data to find possible security threats, so it is also called data-driven security. This theory was first proposed by Qi Anxin in 2015.

9. EPP

The full name is Endpoint Protection Platform, translated as an endpoint protection platform, a security protection solution deployed on terminal devices, used to prevent security threats such as malware and malicious scripts targeting terminals, and is usually linked with EDR.

10.EDR

The full name is Endpoint Detection & Response, that is, endpoint detection and response. Through continuous detection of endpoints and analysis of abnormal behaviors such as operating system calls by applications, unknown threats are detected and protected, and finally antivirus software cannot solve unknown threats.

11.NDR

The full name is Network Detection & Response, that is, network detection and response. Through continuous detection and analysis of network-side traffic, it helps enterprises enhance threat response capabilities and improve network security visibility and threat immunity.

12. Security Visualization

Refers to the presentation methods and techniques used in network security that convert the data and results produced during reinforcement, detection, defense and response into a graphical interface, on which searching, processing and summarizing are performed through human-computer interaction.

13. NTA

The concept of network traffic analysis (NTA) was first proposed by Gartner in 2013, and it is listed as one of the five means of detecting advanced threats. It combines traditional rule-based detection techniques with machine learning and other advanced analysis techniques to detect suspicious behavior in corporate networks, especially traces of compromise.

14. MDR

The full name is Managed Detection & Response, that is, managed detection and response. It relies on network-based and host-based detection tools to identify malicious patterns. In addition, these tools often collect data from endpoints inside the firewall to give more complete monitoring of network activity.

15. Emergency response

Emergency response usually refers to an organization's preparations for various unexpected events and the measures it takes after such an event occurs.

XDR usually refers to the collective name for network security strategies with detection and response technology at their core, including EDR, NDR, MDR and so on.

Security operation runs through a series of links such as product research and development, business operation, vulnerability repair, protection and detection, and emergency response. Systematic management methods and processes are implemented so that the security prevention and control functions of each link are combined organically to ensure the security of the business as a whole.

16. Threat Intelligence

According to Gartner's definition, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable recommendations, about an existing or emerging threat or hazard to assets; it can be used to inform the decisions of the relevant parties on how to respond to or handle that threat or hazard. Depending on the consumer, threat intelligence is mainly divided into human-readable intelligence and machine-readable intelligence.

17. TTP

It mainly includes three elements, Tactics, Techniques and Procedures, which are important indicators to describe advanced threat organizations and their attacks. As an important part of threat intelligence, TTP can provide decision support for security analysts.

18. IOC

Indicator of Compromise (in Chinese, "compromise indicator"): used to discover compromised hosts controlled by APT groups, Trojan backdoors and botnets; the indicators are often domain names and URLs. IOC is by far the most widely used form of threat intelligence because it is the most immediate: once an indicator matches, a compromised host is present.

19. Context

Context: extended from the idea of context in a text, it mainly refers to the associated information around a threat indicator, used to achieve more accurate security matching and detection.

STIX: a structured language for describing cyber threat information. It captures a broad range of cyber threat information in a standardized, structured way, is often used for sharing and exchanging threat intelligence, and is currently the most widely used such language in the world. Building on version 1.0, which defines 8 components, STIX has released version 2.0, which defines 12 components.

Kill Chain: the term originated in the military field, where it describes the state of the attacking side at each stage. In network security the concept was first proposed by Lockheed Martin; also known as the cyber attack life cycle, it comprises seven stages, namely reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives, and is used to identify and prevent intrusions.

20. ATT&CK

It can be simply understood as a knowledge base describing attackers' techniques and tactics. MITRE introduced the model in 2013 to describe and classify adversary behaviour based on real observational data. ATT&CK converts known attacker behaviours into a structured list, groups them into tactics and techniques, and represents them through several matrices as well as Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII).

21. Diamond model

The diamond model is widely used in many fields. In network security, the diamond model was the first to establish a formal method for applying scientific principles to intrusion analysis, one that is measurable, testable and repeatable, providing a simple, formal and comprehensive approach to recording, synthesizing and correlating information about attack activity. This scientific approach and simplicity improve the efficiency, effectiveness and accuracy of analysis.

22. Association Analysis

Also known as association mining, it finds the frequent patterns, associations, correlations or causal structures that exist between item sets or object sets in transaction data, relational data or other information carriers. In network security it mainly refers to association mining over security data of different dimensions and types in order to uncover potential intrusion behaviour.

Situational awareness is an environment-based, dynamic and holistic ability to understand security risk. Built on security big data, it is a way to improve the ability to discover, identify, understand, analyse and respond to security threats from a global perspective. Ultimately it serves decision-making and action, and the implementation of security capabilities.

23. Probe

Also known as a network security probe or security probe, it can be simply understood as a camera in the cyber world: deployed at key nodes of the network topology, it collects and analyses traffic and logs, discovers abnormal behaviour, and issues early warnings of possible attacks.

24. Cyberspace Mapping

Uses search engine technology to provide an interactive way for people to search easily for devices in cyberspace. Whereas real-world maps use surveying and mapping methods to describe and mark geographical locations, cyberspace mapping uses active or passive probing to draw the network nodes and connection diagrams of devices in cyberspace, together with a profile of each device.

25.SOAR

The full name is Security Orchestration, Automation and Response. It mainly uses scripted, process-based instructions to take a series of automatic or semi-automatic response actions against intrusion behaviour.

UEBA: the full name is User and Entity Behavior Analytics, that is, user and entity behaviour analysis. Generally, the behaviour of users and IT entities is analysed by big data methods in order to determine whether illegal behaviour is present.

26. Memory Protection

Memory protection is a mechanism for the operating system to manage access rights to the memory on the computer. The main purpose of memory protection is to prevent a process from accessing an address space that is not allocated to it by the operating system.

27. RASP

The full name is Runtime Application Self-Protection, that is, application runtime self-protection. Proposed by Gartner in 2014, it is a new application security protection technology that injects the protection program into the application like a vaccine; integrated with the application, it detects and blocks security attacks in real time, giving the application a self-protection capability so that when it is actually attacked it can defend itself automatically without manual intervention.

28. Packet inspection

The behavior of unpacking and detecting traffic packets and data packets.

29. Deep Packet Inspection

Deep Packet Inspection, abbreviated DPI and also known as complete packet inspection or information extraction (Information eXtraction, IX), is a computer network packet filtering technology that examines the data section (and possibly the headers) of packets passing through an inspection point, searching for protocols that do not match the specification, viruses, spam and signs of intrusion.

Full-flow detection: "full flow" is reflected in three "full" aspects, namely full-flow collection and storage, full-behaviour analysis, and full-flow backtracking. Full-flow analysis equipment collects and stores all network traffic, analyses all behaviour and allows all traffic to be traced back, and extracts network metadata that is uploaded to a big data analysis platform to support richer functions.

30. Metadata

Metadata, also known as intermediary data or relay data, is data that describes data (data about data). It mainly describes the properties of data and is used to support functions such as indicating storage location, historical data, resource search and file recording.

31. Spoof detection

To deceive and trap attackers by constructing false targets, so as to achieve the purpose of delaying the attack rhythm, detecting and analyzing attack behavior.

32. Micro isolation

As the name implies, it is a fine-grained, smaller-scale network isolation technology that can meet the demand for east-west traffic isolation in traditional, virtualized, hybrid cloud and container environments, and is mainly used to prevent attackers from moving laterally once they have entered the enterprise data center network.

33. Reverse

It is common in reverse engineering or reverse analysis. Simply put, all behaviors that extract principles and design information from products and apply them to reengineering and improvement are reverse engineering. In network security, it is more about investigation and forensics, malware analysis, etc.

34. Agentless Security

In endpoint security or virtualization security protection, it is often necessary to install an agent (agent program) on each host or virtual machine, which often consumes a lot of resources. Agentless security does not need an agent to be installed, which removes a lot of deployment and maintenance work and improves management efficiency.

35. CWPP

The full name is Cloud Workload Protection Platform. It mainly refers to technology for protecting applications and workloads in the cloud (including workloads on virtual hosts and container hosts), achieves finer-grained protection than was possible before, and is the last line of defense for cloud security at this stage.

36. CSPM

Cloud security configuration management can analyze and manage infrastructure security configuration. These security configurations include account privileges, network and storage configurations, and security configurations such as encryption settings. If configuration non-compliance is found, CSPM takes action to correct it.

37. CASB

The full name is Cloud Access Security Broker, that is, cloud access security broker. As a security policy control point deployed between customers and cloud service providers, it is a security policy implemented by enterprises when accessing cloud-based resources.

38. Anti-crawler

It means anti-crawler, which mainly refers to preventing web crawlers from crawling information from their own websites. A web crawler is a program or script that automatically grabs network information according to certain rules.

39. Security resource pool

The security resource pool is a virtualized collection of various security products, covering various security capabilities such as server terminals, networks, services, and data.

40. IAM

The full name is Identity and Access Management, that is, identity and access management, and is often called identity authentication.

41. 4A

That is, Authentication, Authorization, Account and Audit: a solution that integrates the four elements of unified user account management, unified authentication management, unified authorization management and unified security audit, and covers security functions such as single sign-on (SSO).

ACL: access control list.

42. Multi-Factor Authentication

Unlike single-password authentication, the user is authorized to use computer resources only after passing through two or more authentication mechanisms. For example, the user must enter a PIN code, insert a bank card, and finally present a fingerprint, obtaining authorization only through all three authentication methods. This reduces the risk posed by the theft of a single password and improves security.

Privileged Account Management, abbreviated PAM: because privileged accounts often carry very high permissions, their theft or misuse brings a very large network security risk to the organization, so privileged account management is very important. Its main principles are: eliminate the sharing of privileged credentials, assign individual responsibility for the use of privileges, implement a least-privilege access model for daily administration, and audit the activities performed with these credentials.

43. Zero trust

Zero trust is not the same as distrust; it is a new concept of identity authentication and access authorization. Instead of using the network boundary to separate trusted from untrusted, it trusts no person, network or device by default and uses dynamic authentication and authorization to minimize the network security risk that visitors bring.

44. SDP

The full name is Software Defined Perimeter, that is, a software-defined boundary. Proposed by the Cloud Security Alliance on the basis of zero-trust networking, it is a logical access boundary built on identity and context around an application or a group of applications.

45. Security as a Service

Security as a service can usually be understood as delivering security capabilities to customers in the form of SaaS.

46. Homomorphic encryption

Homomorphic encryption is an encryption method with a special natural property. The concept was first proposed by Rivest et al. in the 1970s. Compared with ordinary encryption algorithms, homomorphic encryption not only performs the basic encryption operations but also allows various computations to be carried out between ciphertexts.
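The following added example (not code from the original page) illustrates two passages at once: the asymmetric key pair from the encryption technology entry, where the public key encrypts and only the private key decrypts, and the homomorphic property described here. It uses textbook RSA, which is multiplicatively homomorphic: multiplying two ciphertexts yields the ciphertext of the product, without the key holder being involved. The primes 61 and 53 are constructed demo values chosen for readability and are far too small for real use; real RSA also needs padding, which textbook RSA lacks.

```python
from math import gcd


def modinv(a: int, m: int) -> int:
    """Modular inverse via the extended Euclidean algorithm (a * x = 1 mod m)."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def make_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA from two primes: public key (e, n), private key (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = modinv(e, phi)
    return (e, n), (d, n)


def encrypt(m: int, public_key) -> int:
    """Anyone with the public key can encrypt."""
    e, n = public_key
    return pow(m, e, n)


def decrypt(c: int, private_key) -> int:
    """Only the private key (d) undoes the encryption; e itself does not."""
    d, n = private_key
    return pow(c, d, n)


def multiply_ciphertexts(c1: int, c2: int, public_key) -> int:
    """Computation on ciphertexts: needs only the public modulus, and the result
    decrypts to m1 * m2 mod n (RSA's multiplicative homomorphism)."""
    _, n = public_key
    return (c1 * c2) % n


# Constructed demo key: n = 61 * 53 = 3233, phi = 3120, e = 17, d = 2753.
PUBLIC, PRIVATE = make_keypair(61, 53, e=17)

if __name__ == "__main__":
    c1, c2 = encrypt(7, PUBLIC), encrypt(9, PUBLIC)
    print("ciphertexts:", c1, c2)
    print("decrypt(c1 * c2) =", decrypt(multiply_ciphertexts(c1, c2, PUBLIC), PRIVATE))
```

The same property is why a plain RSA signature must never be applied to an unpadded message: the homomorphism lets a third party combine existing signatures into a valid signature on a new value.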

47. Quantum computing

It is a new type of calculation mode that follows the laws of quantum mechanics to control quantum information units for calculation. It has been gradually applied to encryption and communication transmission.

48. Trusted Computing

It is a technology promoted and developed by the Trusted Computing Group (TCG, formerly known as TCPA). Trusted computing is a trusted computing platform supported by hardware security modules, widely used in computing and communication systems to improve overall system security.

49. Mimic Defense

The core implementation is a Dynamic Heterogeneous Redundancy (DHR) structure based on the endogenous security mechanism of cyberspace, which provides defense theories and methods of universal innovative significance against unknown threats based on unknown vulnerabilities, backdoors, viruses or Trojans.

Blockchain: a shared database whose stored data or information has the characteristics of being "unforgeable", "leaving traces throughout the process", "traceable", "open and transparent" and "collectively maintained".

50. Remote Browser

In view of the fact that browsers often become the entrance of hackers, browsers are deployed in a remote "browser server pool". In this way, the servers where these browsers are located are isolated from the terminals and networks in the user's environment, thus greatly reducing the exposure of the customer's network. This service is also similar to products such as virtual desktops and cloud phones.

51. Cloud phone

The cloud phone adopts the new VMI (Virtual Mobile Infrastructure, similar to a PC cloud desktop) technology to give employees an independent, secure virtual mobile device: business applications and data run and are stored only on the server side, while the personal terminal only renders an encrypted media stream and forwards touch input, thus effectively protecting enterprise data.

52. Risk control

Also known as big data risk control, it refers to the use of big data analysis methods to judge possible security risks in the business. At present, this technology is mainly used in the field of financial credit to prevent bad debts.

53. Penetration testing

To prove that the network defenses operate as planned, the attack team of a professional company is usually invited to attack an agreed target under agreed rules, find the vulnerabilities or other security risks present, and issue a test report with recommendations for remediation. Its purpose is to improve the security of the system continuously.

54. Crowdsourced security testing

With the help of many white hats, bug-bounty-style testing is carried out on the target system within a specified time. After a valid vulnerability is received, the white hat is rewarded according to its risk level. Payment is usually per vulnerability, which is more cost-effective, and because different white hats research different skills the test is more comprehensive.

55. Endogenous security

It was first proposed by Qi Xiangdong, chairman of Qi Anxin Group, at the 2019 Beijing Cyber Security Conference, and refers to security capabilities that grow continuously out of the information system itself, improving as the business grows and continuously ensuring business security. Endogenous security has three characteristics: the aggregation of information systems and security systems, the aggregation of business data and security data, and the aggregation of IT talent and security talent, producing adaptive, autonomous and self-growing security capability from inside the information system.

56. Endogenous Security Framework

In order to promote the implementation of endogenous security, Qi Anxin launched the endogenous security framework. Starting from the top-level perspective, the framework supports the construction model of various industries from "partial rectification and external installation" to "deep integration and systemization"; from the perspective of engineering realization, the security requirements are implemented step by step, and a future-oriented security system is gradually built; The endogenous security framework can output practical, systematic, and normalized security capabilities, and build a network security defense system of dynamic defense, active defense, in-depth defense, precise protection, overall prevention and control, and joint defense and joint control. The endogenous security framework includes 29 security zone scenarios and 79 security components.

57. PPDR

The English full name is Policy Protection Detection Response, translated as strategy, protection, detection and response. Focusing on security policies, it detects security vulnerabilities through consistency checks, traffic statistics, anomaly analysis, pattern matching, and intrusion checks based on applications, targets, hosts, and networks.

58. CARTA

The full name is Continuous Adaptive Risk and Trust Assessment. It aims to evaluate user behaviour through dynamic, intelligent analysis, gives up the pursuit of perfect security, requires neither zero risk nor 100% trust, and seeks a balance between risk and trust somewhere between 0 and 1. The CARTA strategy is a large system that includes big data, AI, machine learning, automation, behaviour analysis, threat detection, security protection, security assessment and more.

59. SASE

The full name is Secure Access Service Edge. Gartner defines it as a service based on entity identity, real-time context, enterprise security/compliance policies, and continuous assessment of risk/trust throughout the session. An entity's identity can be associated with a person, a group of people (a branch office), a device, an application, a service, an IoT system or an edge computing location.

60. SDL

The full name is Security Development Lifecycle, which translates to security development lifecycle. It is a software development process that helps developers build more secure software and solve security compliance requirements while reducing development costs. It was first proposed by Microsoft.

61. DevSecOps

The full name is Development Security Operations, which can be translated as security development and operation and maintenance. It emphasizes that the security team should be invited to ensure the security of information at the beginning of the DevOps plan, develop an automatic security protection plan, and implement continuous IT protection throughout.

62. Code Audit

As the name implies, it is the inspection of program source code for security defects: checking whether the source contains security risks or coding irregularities, reviewing and analysing it piece by piece with automated tools or manual review, finding the security vulnerabilities that these defects cause, and providing measures and suggestions for revising the code.

63. NTLM authentication

NTLM (NT LAN Manager) is an authentication mechanism developed by Microsoft, which has been used since NT4 and is mainly used for local account management.

64. MTTD

Mean time to detect (average detection time).

65. MTTR

Mean time to respond (average response time).
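Both metrics are averages over incident records, so they are only as good as the timestamps recorded for each incident. The following added example, not code from the original page, computes MTTD (occurrence to detection) and MTTR (detection to resolution) over a constructed set of incidents, and breaks them down by severity so that slow low-priority tickets do not hide poor handling of serious ones. The record layout and field names are assumptions for the demo.

```python
from datetime import datetime
from statistics import mean

# Constructed incident records; timestamps are ISO 8601 in a single time zone.
INCIDENTS = [
    {"id": "INC-001", "severity": "high",
     "occurred": "2024-03-01T08:00:00", "detected": "2024-03-01T10:00:00",
     "resolved": "2024-03-01T14:00:00"},
    {"id": "INC-002", "severity": "low",
     "occurred": "2024-03-01T09:00:00", "detected": "2024-03-01T09:30:00",
     "resolved": "2024-03-01T11:30:00"},
    {"id": "INC-003", "severity": "high",
     "occurred": "2024-03-02T00:00:00", "detected": "2024-03-02T06:00:00",
     "resolved": "2024-03-02T07:00:00"},
]


def _hours(later: str, earlier: str) -> float:
    """Elapsed hours between two ISO timestamps; a negative gap means bad data."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    if delta.total_seconds() < 0:
        raise ValueError(f"{later} precedes {earlier}")
    return delta.total_seconds() / 3600


def mttd_hours(incidents) -> float:
    """Mean time to detect: average of (detected - occurred)."""
    return mean(_hours(i["detected"], i["occurred"]) for i in incidents)


def mttr_hours(incidents) -> float:
    """Mean time to respond: average of (resolved - detected)."""
    return mean(_hours(i["resolved"], i["detected"]) for i in incidents)


def by_severity(incidents) -> dict:
    """MTTD/MTTR per severity class, with the number of incidents behind each figure."""
    groups = {}
    for inc in incidents:
        groups.setdefault(inc["severity"], []).append(inc)
    return {sev: {"mttd": mttd_hours(g), "mttr": mttr_hours(g), "count": len(g)}
            for sev, g in groups.items()}


if __name__ == "__main__":
    print(f"MTTD {mttd_hours(INCIDENTS):.2f} h, MTTR {mttr_hours(INCIDENTS):.2f} h")
    for sev, stats in by_severity(INCIDENTS).items():
        print(sev, stats)
```

The "occurred" time is usually the hardest field to fill in honestly, since it is reconstructed during the investigation; a team that records detection time as the occurrence time will report an MTTD of zero.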

66. CVE

The full name is Common Vulnerabilities and Exposures. Because the security organization MITRE maintains it as an internationally shared scheme of unique vulnerability identifiers, it has been widely accepted by the security industry as a standard.

67. Software packing

"Shell" is a program specially responsible for protecting software from being illegally modified or decompiled. They generally run ahead of the program, gain control, and complete their task of protecting the software. Packed software can no longer see its real hexadecimal code when tracking, so it can protect the software.

68.CNVD

The National Information Security Vulnerability Sharing Platform, maintained by the National Computer Emergency Response Center CNCERT, is mainly responsible for the unified collection and management of domestic vulnerability information, and the prefix of the vulnerability number released by it is also CNVD.

69. Data Desensitization

Data desensitization refers to the transformation of certain sensitive information through desensitization rules to achieve reliable protection of sensitive private data. It is mainly used in scenarios involving large-scale data flows such as data sharing and transactions.
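Two common desensitization rules are masking (hide part of a value but keep it recognisable) and pseudonymization (replace a value with a keyed token so records can still be joined). The following added example, not code from the original page, applies both to a constructed record; the field names, the masking patterns (mainland China mobile and ID number formats, e-mail, IPv4) and the keyed-hash token are all assumptions for the demo.

```python
import hashlib
import hmac
import re

# Masking rules, applied in order: (pattern, replacement). Each keeps enough of the value
# to stay recognisable to support staff while hiding the identifying part.
MASK_RULES = [
    # 18-digit mainland China ID number: keep the 6-digit region prefix and last 4 characters
    (re.compile(r"(?<!\d)(\d{6})\d{8}(\d{3}[\dXx])(?!\d)"), r"\1********\2"),
    # 11-digit mobile number: keep first 3 and last 4 digits
    (re.compile(r"(?<!\d)(1[3-9]\d)\d{4}(\d{4})(?!\d)"), r"\1****\2"),
    # e-mail: keep the first character of the local part and the whole domain
    (re.compile(r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b"),
     r"\1****@\2"),
    # IPv4 address: drop the host octet
    (re.compile(r"\b(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\b"), r"\1.x"),
]


def mask_text(text: str) -> str:
    """Apply every masking rule to free text (log lines, ticket bodies, exports)."""
    for pattern, repl in MASK_RULES:
        text = pattern.sub(repl, text)
    return text


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated): the same input always yields the same token,
    so datasets can still be joined on it, but the token cannot be reversed without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def desensitize_record(record: dict, key: bytes, pseudonym_fields=("user_id",)) -> dict:
    """Pseudonymize identifier fields, mask everything else that is text."""
    out = {}
    for field, value in record.items():
        if field in pseudonym_fields:
            out[field] = pseudonymize(str(value), key)
        elif isinstance(value, str):
            out[field] = mask_text(value)
        else:
            out[field] = value
    return out


# Constructed sample record and demo key (a real key is stored outside the dataset).
SAMPLE_RECORD = {
    "user_id": "u-10042",
    "note": "Call 13812345678 or mail alice@example.com from 192.168.1.20, ID 110101199001011234",
    "amount": 120,
}
DEMO_KEY = b"demo-key-not-for-production"

if __name__ == "__main__":
    print(desensitize_record(SAMPLE_RECORD, DEMO_KEY))
```

The rule order matters: the ID-number rule runs before the mobile rule so that an 11-digit run inside an ID number is never mistaken for a phone number, and the digit look-arounds stop each pattern from matching inside a longer number.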

70.GDPR

The General Data Protection Regulation (GDPR) is a regulation of the European Union, formerly known as the Computer Data Protection Act enacted by the European Union in 1995.

71. CCPA

California Consumer Privacy Protection Act.

72.SRC

That is, the Security Response Center, which is called the Security Emergency Response Center in Chinese, is mainly responsible for excavating and publicly collecting the vulnerabilities and other security risks existing in the organization.

73.CISO

Sometimes called a CSO, or Chief Information Security Officer, is the primary security officer for an organization.

74. IPC pipe

To control and handle communication and data exchange between different processes, the system schedules the whole exchange through a dedicated connection pipe.

75. SYN packet

The first packet of a TCP connection, a very small packet. A SYN attack consists of a large number of these packets, which cannot be processed effectively because they appear to come from hosts that do not actually exist.
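The following added example, not code from the original page, ties the packet inspection entries (28 and 29) to this one: it unpacks IPv4 and TCP headers from raw bytes, reads the SYN and ACK flags, and counts bare SYNs per source so that a source sending far more connection openings than it completes stands out. The packets are constructed in memory with documentation (TEST-NET) addresses purely to exercise the parser; checksums are left zero and nothing is sent on the wire.

```python
import struct
from collections import Counter

TCP_SYN = 0x02
TCP_ACK = 0x10


def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header + 20-byte TCP header, no payload.
    Checksums are zero; this exists only to feed the parser below."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0, 64, 6, 0,        # v4/IHL=5, len 40, TTL 64, proto TCP
                         _ip_to_bytes(src), _ip_to_bytes(dst))
    tcp_hdr = struct.pack("!HHLLHHHH", sport, dport, 0, 0,
                          (5 << 12) | flags, 65535, 0, 0)     # data offset 5 words, flags
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Unpack the IPv4 and TCP headers: the 'unpacking' step of packet inspection."""
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (version_ihl & 0x0F) * 4            # IPv4 header length in bytes (options included)
    if packet[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHLLH", packet[ihl:ihl + 14])
    flags = off_flags & 0x01FF
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "syn": bool(flags & TCP_SYN), "ack": bool(flags & TCP_ACK)}


def syn_flood_suspects(packets, threshold: int) -> dict:
    """Count bare SYNs (SYN set, ACK clear) per source; report sources above the threshold.
    A normal client sends one bare SYN per connection attempt, so a large count from one
    address in a short capture is the signature described in the text."""
    counts = Counter()
    for pkt in packets:
        hdr = parse_ipv4_tcp(pkt)
        if hdr["syn"] and not hdr["ack"]:
            counts[hdr["src"]] += 1
    return {src: n for src, n in counts.items() if n > threshold}


# Constructed capture: one noisy source plus one complete three-way handshake.
SAMPLE_PACKETS = (
    [build_ipv4_tcp("203.0.113.5", "198.51.100.10", 40000 + i, 443, TCP_SYN) for i in range(6)]
    + [build_ipv4_tcp("192.0.2.7", "198.51.100.10", 51000, 443, TCP_SYN),
       build_ipv4_tcp("198.51.100.10", "192.0.2.7", 443, 51000, TCP_SYN | TCP_ACK),
       build_ipv4_tcp("192.0.2.7", "198.51.100.10", 51000, 443, TCP_ACK)]
)

if __name__ == "__main__":
    print(syn_flood_suspects(SAMPLE_PACKETS, threshold=5))
```

In a real capture the threshold is a rate (SYNs per second per source) rather than a raw count, and spoofed sources will not repeat, so the complementary signal is the number of half-open connections on the server side.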

76.IPC$

It is a shared "named pipe" resource. It is a named pipe opened for inter-process communication. It can be used to remotely manage computers and view shared resources of computers by verifying user names and passwords to obtain corresponding permissions.

77.shell

It refers to a command-line environment, which is the interface between the system and the user. Simply put, it is the environment in which the system "communicates" with the user. The DOS we usually use is a shell. (Windows2000 is cmd.exe)

78.ARP

Address Resolution Protocol: this protocol maps network addresses to hardware addresses.
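Because ARP has no authentication, a defender watching the wire checks whether one IP address is being claimed by two different hardware addresses. The following added example, not code from the original page, parses Ethernet/IPv4 ARP packets from raw bytes and reports such conflicts against the mapping learned so far; the packets and addresses are constructed for the demo.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
_ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed ARP packet (payload after the Ethernet header) for Ethernet + IPv4."""
    return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, op,
                       _mac_bytes(sender_mac), _ip_bytes(sender_ip),
                       _mac_bytes(target_mac), _ip_bytes(target_ip))


def parse_arp(packet: bytes) -> dict:
    """Decode the fixed ARP header; reject anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(_ARP_FMT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
            "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa)}


def find_ip_mac_conflicts(packets) -> list:
    """Learn IP -> MAC from the sender fields of ARP replies (the fields a host's cache
    would trust) and flag every reply that rebinds a known IP to a different MAC."""
    table = {}
    conflicts = []
    for pkt in packets:
        arp = parse_arp(pkt)
        if arp["op"] != ARP_REPLY:
            continue
        known = table.get(arp["sender_ip"])
        if known is not None and known != arp["sender_mac"]:
            conflicts.append({"ip": arp["sender_ip"], "known_mac": known,
                              "new_mac": arp["sender_mac"]})
        table.setdefault(arp["sender_ip"], arp["sender_mac"])
    return conflicts


# Constructed traffic: the gateway answers a request, then a second station answers for
# the gateway's address with its own hardware address.
SAMPLE_ARP = [
    build_arp(ARP_REQUEST, "aa:bb:cc:dd:ee:10", "192.168.1.10",
              "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REPLY, "aa:bb:cc:dd:ee:01", "192.168.1.1",
              "aa:bb:cc:dd:ee:10", "192.168.1.10"),
    build_arp(ARP_REPLY, "de:ad:be:ef:00:99", "192.168.1.1",
              "aa:bb:cc:dd:ee:10", "192.168.1.10"),
]

if __name__ == "__main__":
    for c in find_ip_mac_conflicts(SAMPLE_ARP):
        print("conflict:", c)
```

The table keeps the first binding it saw; on a real network the reference mapping should come from an authoritative source (DHCP leases, switch port tables) rather than from whichever reply arrived first.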


Origin blog.csdn.net/Hacker0830/article/details/129729834