Threat Hunting Resources and Glossary

Below we have compiled an extensive list of useful resources - articles, frameworks, guides and more - for further reading about Threat Hunting. And also a Glossary of Terms.

We hope you find these helpful.

Threat Hunting Resources on Endace.com

Threat Hunting ResourcesView

The following is a consolidated list of all useful links referenced on the various pages on this site that cover threat hunting.

Glossary of TermsView

APT

Advanced Persistent Threat. i.e. a Threat Actor capable of gaining unauthorized access to a network and remain undetected for an extended period.

Attack Surface

A term used to characterize how vulnerable an IT environment is to potential attack. If it is said that an IT environment has a large attack surface, this means there are a large number of potential ways in which a hacker may attack. A small attack surface indicates limited opportunities for attack.

Attack Vector

An attack vector is a path or means by which a hacker can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors come from Threat Actors exploiting system and/or human vulnerabilities.

Blacklist

A list of entities that are blocked or denied privileges or access. Often refers to a list of IP addresses

Blocklist

Another name for Blacklist

C&C

Command and Control. Generally used when referring to a C&C Server: i.e. the server configured by Threat Actors to communicate with machines that have been hacked/compromised. C&C servers are generally the source of malicious payloads and the destination for exfiltrated data.

CZ

Another name for C&C

CVE

Common Vulnerabilities and Exposures. Refers to publicly known vulnerabilities. The Mitre organization maintains a database of CVEs

CWE

Common Weakness Enumeration. A categorization system for CVEs maintained by Mitre. CVEs refer to individual vulnerabilities specific to certain software/hardware, whereas CWEs refer to generic types of vulnerabilities

DHS

Department of Homeland Security [USA]

DLP Software

Data Loss Prevention Software. Detects and prevents data loss exfiltration by monitoring endpoints, storage, and network traffic

East-West

Refers to network traffic within an IT environment (distinct from north-south traffic)

EDR

Endpoint Detection and Response. Tools that detect actual and/or traces of suspicious activity on end points such as servers and PCs.

Exfiltration

The unauthorized transfer of information from a system.

Exploit Kit

(Verb) To attack a weakness in an IT system to accomplish some malicious action. (Noun) Generally refers to a specific method/procedure/software used to exploit a known vulnerability.

Honey Pot

A deliberate vulnerability and/or fake data intended to attract malicious actors. Generally monitored, a honeypot is often used as an early warning sign of malicious activity. Sometimes used as a decoy. Sometimes used by security firms and researchers to gather intelligence.

HRU

High Risk Users

HVA

High Value Asset

IDS

Intrusion Detection System. Monitors networks and systems for malicious activities or policy violations

IPS

Intrusion Prevention System. An IPS is an IDS with the ability to execute real-time responses to active attacks and violations. Also see Next Gen Firewall.

IoA

Indicator of Attack. A clue that an attack may have occurred and/or is occurring. Or a precursor to an attack. A successful attack results in compromise.

IoC

Indicator of Compromise. A clue that data exfiltration and/or harm may have occurred and/or is occurring

Lateral Movement

Refers to Threat Actors obtaining access to other machines after their initial infiltration of one machine

MSSP

Managed Security Service Provider. A provider of outsourced SOC services.

Next-Gen Firewall

"A firewall that goes beyond port/protocol inspection and blocking to add application-level inspection and intrusion prevention. Industry convergence has resulted in a next generation firewall being functionally equivalent to an IPS."

North-South

Refers to network traffic between an IT environment and the public internet. Diagrams tend to show the internet above the IT environment.

OS INT

Open Source intelligence in this context refers to publicly available threat intelligence (as opposed to threat intelligence that you pay for).

Phishing

A fraudulent attempt to get someone to take an action by pretending to be trustworthy via electronic message, most commonly email or SMS. See also Spear Phishing.

Powershell

A scripting language built into Microsoft Windows that allows for the automation of system administration tasks.

PUA

Potentially Unwanted Application.

SecOPS

Security Operations.

SOC

Security Operations Center.

SIEM

Security information and event manager / management.

Spear-Phishing

Phishing that is targeted at, and tailored to, a specific individual. Distinct from regular phishing which is broadcast and not tailored.

Timestamping

The act of modifying file timestamps. Usually in the context of malicious activity, to hide that a file is newly or recently modified.

Threat Actor

An individual, group, organization, government, or government sponsored entity that conducts or has the intent to conduct malicious activities.

TTP

Tactics, Techniques and Procedures

Vulnerability

A flaw or misconfiguration in hardware or software. Threat Actors exploit vulnerabilities to perform attacks and/or gain unauthorized access.

VM

Virtual Machine

Further Glossary Reading: