ACLs are a list of permissions or rules that define who or what has permission to access a specific resource, such as computer systems and network resources.
An account takeover, or ATO, is an attack that occurs when a threat actor gains unauthorized access to a user’s account credentials and takes over the account to commit malicious activity, such as fraud or data theft.
A Microsoft Windows directory service that helps administrators configure permissions and network access to ensure security.
A directory service offered by Microsoft Windows, Active Directory (AD) helps administrators configure permissions and network access. AD controls who can access what resources, like files and printers, and makes it easier for IT teams to manage the entire network.
A cyberattack where a hacker intercepts data by tricking a device into sending messages to the hacker instead of the intended recipient. Also referred to as ARP poisoning.
An APT is a sophisticated and long-term cyberattack where threat actors secretly gain access to a network to steal sensitive data. These attacks are often highly targeted and difficult to detect, as attackers aim to remain hidden for extended periods.
Adversarial AI or adversarial machine learning (ML) looks to ruin the performance of AI/ML systems by manipulating or misleading them. These attacks on machine learning systems can occur at multiple stages across the model development life cycle.
An attack where the attacker intercepts data from a sender to the recipient and then from the recipient back to the send. AITM enables attackers to not just harvest credentials, but steal live sessions, allowing them to bypass traditional phishing prevention controls such as MFA, EDR, and email content filtering. It was formerly known as a Main-in-the-Middle (MitM) attack.
Adware is software that displays unwanted advertisements on your computer or mobile device. These ads can appear as pop-ups or banners, or even take over your entire screen. While usually not as harmful as other types of malware like viruses or ransomware, adware can be annoying and intrusive, slowing down your device's performance and potentially tracking your online activity for targeted advertising purposes.
A background program that performs tasks on a computer without direct user interaction.
An air gap is a security measure that physically isolates a network or device from external networks, including the internet, to prevent unauthorized access.
A set of rules or steps a computer follows to solve problems or perform tasks, often used in encryption and data processing.
Allowlisting is a security measure that permits only pre-approved applications to run on a device or network.
Best practices and recommendations for scaling and enhancing security in AWS cloud environments.
Antivirus is a type of software that is designed to prevent, search for, detect and remove viruses and other malware from a computer. AV software is typically installed on the endpoint to block malicious software from infecting the machine, mobile device or network. It works by scanning a file, program or application and comparing a specific set of code with information stored in its database. If the software finds code that is identical or similar to a piece of known malware in the database, that code is deemed malicious and is quarantined or removed.
Security that entails implementing strategies to protect data confidentiality, integrity, and availability. This includes establishing authentication and authorization protocols to ensure that only authorized users and applications can access the API.
When an application is running in an environment, it has access to everything in that environment, including sensitive files and networked devices.
The set of files and custom rules that make up a particular application.
These occur when cyber threat actors take advantage of vulnerabilities within an application, usually to gain unauthorized access.
ASOC tools are a category of application security (AppSec) solutions designed to streamline and automate key workflows and security processes. These tools assist development teams in automating vulnerability management, risk assessment, and remediation and orchestrating data from various security solutions, thereby enhancing vulnerability testing and remediation through workflow automation.
ASPM is a vital practice focused on ensuring applications meet stringent security standards and identifying vulnerabilities.
The process of finding, fixing and preventing security vulnerabilities at the application level, as part of the software development process.
An attack vector is the method or combination of methods that cybercriminals use to breach or infiltrate a victim’s network illegally. Attack vectors are often complex and involve gathering intelligence and identifying weak points for exploitation to gain network access.
Any security-relevant occurrence within a system that is logged for review.
A file containing a collection of audit events, providing a record of system activity.
Authentication is the process of verifying a user's or device's identity. Methods include passwords, biometrics (fingerprints, facial recognition), and security tokens.
Similar to a secret entrance into a house, backdoor attacks are hidden ways of bypassing normal authentication to get unauthorized access to a system. Backdoors can be intentionally created by attackers or unintentionally left by developers during the software development process.
Typically involving online or offsite storage, a backup or backing up saves data to a separate location to ensure its recovery in case of loss or damage.
User behaviors are analyzed within networks and applications to find unusual activity that may mean “security threat”. This can involve monitoring user activities like logins, file access, and email interactions, to find deviations from typical patterns and examining the system itself for anomalies like unexpected resource consumption, unusual network traffic, or unexpected software changes.
A black hat describes a threat actor who uses advanced hacking skills for malicious purposes. They exploit vulnerabilities to steal data, disrupt services, or cause harm.
As the name implies, a blocklist is a security mechanism that blocks or prohibits the execution of programs on a known malicious list. It’s also a firewall list created to block IPs with malicious reputations.
A type of malware that subverts the booting mechanism and operating system of a computer in order to avoid detection.
A collection of computers compromised by malicious code used to run a remote control agent granting an attacker the ability to take advantage of system resources. Typically used for DDOS attacks, hosting false web services or transmitting spam.
A policy allowing employees to use personal devices for work, which can introduce security risks if not properly managed.
A brute force attack is a type of cyber attack that use trial-and-error to guess login credentials and encryption keys systematically until successful.
Tools included in the basic functionality of a platform without requiring additional modifications.
A scam that uses social engineering and manipulation to trick victims into making fraudulent transactions or divulging sensitive information.
Named after the songbirds, Ransomware Canaries describe the physical or virtual devices that mimic other devices to lure attackers, helping study their behaviors.
Developed by the Center for Internet Security, CIS benchmarks are comprehensive security configuration guidelines for specific technologies to help organizations fight cyber threats.
A security checkpoint between cloud users and applications, CASB manages and enforces data security policies including authentication and encryption.
Cloud application security is the process of securing cloud-based software applications throughout the development lifecycle.
Protecting cloud-based software applications throughout their development lifecycle.
In-depth evaluations of cloud infrastructures to identify and mitigate security risks, ensuring a strong security posture.
Providing online access to shared pools of configurable computing resources like servers, storage, applications, and services.
Technologies and policies that protect data in the cloud from loss, leakage, misuse, breaches, and unauthorized access.
Policies and rules for managing cloud computing deployment, ensuring data security, system integration, and proper management.
Procedures to follow when a cybersecurity incident occurs in a cloud environment.
Principles and practices for building secure applications in the cloud, essential for modern software development.
The comprehensive framework of hardware, software, and infrastructure protecting cloud environments and their components.
Recommended practices for organizations to implement during cloud adoption to protect against cyberattacks.
Sets of guidelines and controls for securing data, applications, and infrastructure in cloud computing environments.
Continuous monitoring and removal of threats from cloud workloads and containers.
Systems, applications, and operations hosted or conducted over the internet.
The practice of writing and maintaining secure code, addressing vulnerabilities early in the development process to prevent them from reaching live environments.
Data stored on a database that is typically not quickly accessible and stored for a long period of time.
A computer used by attackers to communicate with and control compromised devices.
A lightweight package of application code with dependencies such as a specific version of programming language runtime and libraries required to run a software service. Common container software are
A small file generated by a webserver, that contains information about a user’s settings, and is stored by the user’s browser.
A brute force attack using real, stolen credentials from a data breach.
The act of stealing personal information such as usernames, passwords, and financial information to gain unauthorized access.
Digital or virtual currency, often demanded in ransomware attacks due to its decentralized and untraceable nature.
Capture The Flag (CTF), a cybersecurity exercise where participants find hidden text strings, called "flags", in vulnerable programs or websites. The Huntress CTF, is our our yearly month-long competition of daily challenges designed for experts and enthusiasts alike.
Cyber insurance is financial protection for businesses if a cyberattack happens. It can cover costs associated with data breaches like legal fees, reputation damage, and business interruption.
Any potential harm originating from an online source, aiming to damage or disrupt operations.
An attempt to infiltrate or damage an individual’s or organization’s data or information systems, often for malicious purposes.
Individuals or groups who initiate cyberattacks, also known as threat actors.
Defensive measures taken to protect data and information systems from online threats like malware and ransomware.
Registering and using an internet domain name identical or similar to trademarks, service marks, personal names, or company names with the intent of hijacking traffic for financial profit or delivering malware payloads.
Dark web monitoring is the process of searching for and tracking your organization's information on the dark web. This includes leaked passwords, stolen credit card information, or even intellectual property. By detecting these breaches early on, people and organizations can take steps to mitigate the damage and prevent further harm.
A data breach describes a security incident where data is illegally accessed, stolen, or released by an unauthorized individual or group. This can include personal data like Social Security numbers and financial information, as well as corporate data like customer records and intellectual property.
Converting plain text into an encoded format to protect against unauthorized access.
Data exfiltration refers to the unauthorized transfer of data from a device or network. Cybercriminals use malware, insider threats, or exploiting vulnerabilities to steal data and transmit it to locations under their control. Threat actors can then use stolen data for malicious purposes like identity theft, espionage, or financial gain.
A set of policies, practices, and tools used to make sure sensitive data isn’t lost, misused, or accessed by unauthorized users. DLP solutions perform both content inspection and contextual analysis of data sent from or across corporate networks to give visibility into who is accessing data and systems (and from where) and filter data streams to restrict suspicious or unidentified activity.
You can use DLP solutions to reduce the risk of sensitive data leaking outside your organization, and some solutions go beyond simple monitoring and detection to give alerts, enforce encryption, and isolate data as needed.
Disguising confidential or sensitive data to protect it from unauthorized access through tactics like masking, encryption, and tokenization.
Compromising a training dataset used by an AI/ML model to manipulate its operation.
The ability to transfer personal data easily from one service provider to another.
Ensuring proper storage, access, retention, and security of sensitive data to meet regulatory requirements and protect confidentiality.
Data protection focuses on safeguarding personal data from corruption, compromise, or loss, while data security encompasses all measures to guard against unauthorized access to digital data.
Database monitoring involves continuously tracking database activities to optimize performance and ensure security. This combines performance monitoring like CPU usage and memory consumption, security monitoring for suspicious activities, and accessibility monitoring.
Denial of Service and Distributed Denial of Service
A strict security policy that blocks all actions unless explicitly permitted.
Files required for software to run, such as DLLs in Windows.
Procedures to recover data and operations following a cyberattack.
Data Loss Prevention is a solution that detects and blocks the extraction of sensitive data by internal or external sources.
Groups with administrative rights across all domains within an organization.
A type of ransomware that threatens to release sensitive data if the ransom is not paid.
Advanced ACLs requiring user authentication before accessing resources.
Learn the differences between endpoint detection and response (EDR), managed detection and response (MDR) and extended detection and response (XDR).
Users typically have limited access to a system. To do certain tasks (like installing software or modifying system settings), they might need more privileges (like administrator rights). Elevation control lets users run specific applications as administrators without having admin privileges.
Email spoofing is a type of cyberattack that targets businesses by using emails with forged sender addresses. Because the recipient trusts the alleged sender, they’re more likely to open the email and click on things like malicious links or attachments.
Converting data into a coded format to prevent unauthorized access.
Devices like computers, mobile phones, and servers that connect to and communicate with a network.
An integrated endpoint security solution designed to detect, investigate and respond to cyber threats. EDR solutions offer greater visibility into what’s happening on endpoints by recording granular endpoint activity and monitoring for signs of malicious behavior. If the EDR technology detects any of these malicious signs, it will provide security analysts with the necessary information to conduct both reactive and proactive threat investigations and minimize the impact of an attack.
Endpoint monitoring involves the continuous monitoring and management of devices that connect to a network, such as computers, mobile devices, and servers.
Security technologies such as antivirus, data encryption, and data loss prevention that work together to detect and prevent security threats.
Software designed to integrate multiple systems within an organization to streamline processes.
Code files or programs that instruct a computer to perform specific actions when opened.
Taking advantage of vulnerabilities in systems or software to perform malicious acts.
XDRs collect and correlate data from various sources, including endpoints, cloud workloads, networks, and emails, to help mitigate cyber threats, unauthorized access, and other forms of misuse.
FISMA is a U.S. federal law enacted in 2002 that requires federal agencies to implement information security programs to protect their data and information systems. It sets standards for how agencies should assess, manage, and mitigate cybersecurity risks.
File Integrity Monitoring is a security process that monitors and analyzes the integrity of assets including file systems, directories, databases, and the Operating System.
Fileless malware operates entirely within a computer's memory without ever touching the hard drive. This malicious software may either use legitimate tools or embed code in legitimate files, making detection difficult.
A firewall is a security system that monitors and filters incoming and outgoing network traffic to prevent unauthorized access to an organization's network. It acts as an outer barrier that either allows or blocks network traffic based on a predefined set of rules. It scans specific data packets—units of communication sent over networks—for malicious code or known threats. If a data packet is flagged, the firewall prevents it from entering the network.
Methods used by threat actors to reinstall malware on a device after it has been cleaned. Also known as “Persistence Mechanisms.”
A macOS TCC permission that allows software to access sensitive user information.
The GDPR is a European Union regulation on information privacy that governs how the personal data of people in the EU can be processed and transferred.
This type of attack refers to exploiting weaknesses in Kerberos to gain unauthorized access to Windows Active Directory controls, requiring initial system access.
Google Cloud Platform is one of the 3 major cloud providers. GCP lets businesses use Google's infrastructure and technology to build and run applications, analyze data, and power their operations.
A US federal law established in 1996, HIPAA mandates the protection and confidential handling of people’s medical information.
Honeypots are cybersecurity mechanisms that gather intelligence on cybercriminals' identities, methods, and motivations. They use decoy targets to lure cybercriminals away from legitimate targets.
Incident response in cybersecurity refers to the strategies and procedures for responding to cyber threats and attacks in a network.
InfoSec is the policies and procedures put in place by the organization to protect sensitive data from unauthorized access.
IaaS is a type of cloud computing where the provider offers the customer the ability to create virtual networks within a cloud-based computing environment.
The point of entry into a network or system; Process by which an adversary gains entry (the initial foothold) to a victim’s network or system.
In cybersecurity, integrations describe the capability of different computers and software systems to work together and exchange data.
IDS is a security tool that detects the presence of cyber threats and notifies administrators. HIDS (Host-based Intrusion Detection) and NIDS (Network-based Intrusion Detection) can also be used, which are IDS tools used specifically for either the endpoints (host) or the network.
A unique identifier for a device connected to the internet, represented as a string of numbers and characters.
Intrusion Prevention System is a form of network security that can identify malicious activity, collect information about said activity, report it and attempt to block or stop it. An IPS works by actively scanning and analyzing network traffic for malicious activities and known attack patterns. Similar to an IDS, intrusion prevention systems are designed to warn of suspicious activity, but the key difference is that they can also take automated action and respond to active threats based on a predetermined set of rules.
Identity Threat Detection and Response (ITDR) is a cybersecurity framework that helps protect user identities and systems from cyberattacks.
A cybersecurity discipline that focuses on helping organizations and individuals protect their identity infrastructure and assist with remediation related to identity-centric attacks.
JIT refers to enabling specific privileges only when needed and disabling it when no longer required. This significantly reduces the window of vulnerability and minimizes the risk of unauthorized access or misuse of elevated privileges.
Using cryptography, Kerberos is an authentication protocol that verifies the identity of users and hosts.
A keylogger is a software that an attacker uses to record keystrokes remotely on a physical keyboard and capture passwords or other critical information.
A LAN is a grouping of electronic devices in the same physical location.
Giving users the minimum access necessary to perform their job functions, least privilege is a security measurement that limits access to sensitive data to only the people who truly need it for their work.
Machine learning lets computers learn from data and make decisions or predictions without being programmed to do so.
Malspam is a spam email that delivers malware, often through malicious attachments (like infected documents or executables) or links that, when clicked, download malware onto the recipient's device.
Malicious software designed to harm a computer, network, or server. Malware includes things like viruses, worms, Trojans, ransomware, spyware, or adware.
Malware analysis is the process of understanding the behavior and purpose of suspicious files or URLs to help detect and mitigate potential threats.
This type of cyber attack involves a threat actor putting themselves in the middle of two parties, normally a user and an application, to intercept their communications or data exchanges to use for malicious purposes.
A cybersecurity service combining technology and human expertise to perform threat hunting, monitoring, and response. MDR technology collects and analyzes information from logs, events, networks, endpoints and user behavior—which is then paired with a team of experts who can take over to validate incidents, escalate critical events and provide recommended response actions so threats can be quickly remediated. MDR services are managed or co-managed by an outside partner to provide value to organizations that either have limited resources or lack the expertise to keep eyes on all of their potential attack surfaces.
Managed IT services are services managed outside an organization by external vendors, where these service providers give businesses the expertise and resources to manage their IT infrastructure and operations. This can include tasks like network management, cybersecurity, data backup and recovery, and software updates, freeing up internal IT staff to focus on strategic initiatives.
Third-party organizations providing outsourced security services.
Enrolling business devices in a SaaS that allows for easily deploying software to a large number of devices at once. Primarily used on macOS.
An authentication method that requires users to provide two or more verification factors before granting access or signing in. These factors can include something only the user would know (e.g., password/PIN), something only the user would have (e.g., token) or something only the user is (e.g., biometric). MFA then uses these factors to confirm the identity of someone who is requesting access to an application, website or another resource. MFA is a key factor in account takeover defense.
NIST is a US agency advancing measurement science, standards, and technology to enhance economic security.
Endpoint firewalls that enable total control over network traffic using dynamic ACLs.
An integrated network security solution designed to detect threats and suspicious behavior on an organization's networks using non-signature-based techniques (such as machine learning and other analytical techniques). NDR solutions track north/south network traffic that crosses the perimeter, as well as east/west lateral traffic to establish a baseline of normal behavior and raise alerts when anomalous behavior is detected. NDR solutions give security teams real-time visibility and awareness over network traffic and the ability to respond to perceived threats.
An expanded version of antivirus that goes beyond performing signature-based detection—typically by incorporating some type of advanced technology—to prevent a wider range of attacks. Unlike traditional AV, next-generation AV focuses on events (files, processes, applications, network connections, etc.) to help identify malicious intent or activity. NGAV has emerged in recent years to address the proliferation of new types of malware and viruses that can easily bypass traditional AV.
Understanding a system's internal state by observing its external outputs.
On-premises is a physical infrastructural setup deployed, running, and maintained within the confines of an organization typically in a datacenter or COLO (Colocation Facility).
OSINT refers to the gathering and analysis of publicly available data for intelligence purposes.
OWASP is an internet community focused on understanding web technologies and exploitations, also known as the OWASP Top 10.
PCAP is a network practice of intercepting data packets traveling over a network which a security team stores and analyzes.
A password management tool is software that stores and protects confidential information like usernames and passwords for local applications and online services. A password manager will house a user’s passwords, as well as other information, in one convenient location with one master password. The information is encrypted and often requires multi-factor authentication to access.
PCI-DSS is a set of rules and guidelines for companies that handle credit card transactions to keep this information safe.
A pen test is a security exercise where a security expert tries to find and exploit vulnerabilities on a computer system. Pen tests are different from vulnerability scans in that they involve an actual attempt to exploit vulnerabilities, while vulnerability scans simply report on possible vulnerable code, applications, configurations, or operating systems.
Persistence enables malware by letting the malware keep running—all while the attacker stays undetected.
A persistent foothold is an attacker mechanism to automatically re-trigger some malware (maybe a stub or even fully loaded malware) across potential interruptions like restarts or user logoffs.
Malicious attempts to trick users into revealing sensitive information through deceptive emails or links. Learn more about phishing through our guide, What is Phishing (and How Does It Affect Your Business)?
PaaS is a complete cloud environment that includes everything developers need to build, run and manage applications.
A system or router that acts as a middleman between a user and the internet.
Very different from classical computing, quantum computing refers to advanced computing using quantum-mechanical phenomena.
Ransomware is malicious software that encrypts data and demands payment, usually in the form of cryptocurrency, for its release.
A red team is a group of internal or external IT experts who simulate the actions of adversarial malicious attacks on a network as an exercise.
As the name implies, remote access refers to accessing network resources from a geographical distance through a network connection.
Rogue Apps is a new Managed ITDR capability that enables Huntress to identify unsafe applications installed in a protected tenant. Rogue Apps represents Managed ITDR’s next step in wrecking hacker identity tradecraft. With this new capability, Huntress detects “Traitorware,” which are legitimate apps used badly that we detect by name, and “Stealthware,” which refers specifically to unknown apps that our algorithm marks as suspicious.
A centralized unit that deals with security issues on an organizational and technical level. SOCs are typically staffed with a team of domain experts (either in-house or outsourced) who focus on preventing, detecting, analyzing and responding to cybersecurity incidents. A SOC acts as a central command post that continuously monitors an organization’s environments and toolsets and improves its security posture. Learn more about what the Huntress SOC brings to your tech stack.
A collection of software solutions and tools that aggregate security intelligence and context from disparate systems, and applies machine intelligence to streamline (or even completely automate) the threat detection and response process. SOAR combines three software capabilities: the management of threats and vulnerabilities (orchestration), automating security operations (automation) and responding to security incidents (response). Due to its aggregation and automation capabilities, SOAR solutions are often used by security operation centers (SOCs) to collect threat-related data from a range of sources and automate the responses to certain threats.
A session is a time-limited conversation between two or more devices over the internet.
Session hijacking is an attack where a threat actor manipulates a session token to gain unauthorized access to information.
SIEM stands for security, information, and event management. SIEM is a software solution that aggregates and analyzes activity from many different sources across an entire IT infrastructure. A SIEM gathers immense amounts of data from an entire networked environment, then consolidates and makes that data human accessible. With the data categorized and laid out, SIEM solutions are often used by security operation centers (SOCs) to streamline visibility across an environment, centralize data for security monitoring and investigate logs and events for incident response.
SaaS is a software licensing model which allows access to software on a subscription basis using external servers.
A switched port analyzer is a dedicated port on a switch that sends a mirrored copy of network traffic from within the core switch or firewall to a destination. People use it to review network traffic using software like Wireshark.
Spear phishing is a targeted phishing attack using researched information to deceive specific individuals.
A cyberattack that injects malicious SQL code into an application to view or modify a database.
Unknown and rare applications with broad permissions that provide attackers with a backdoor into the tenant environment. These globally unique, single, or multi-tenanted malicious applications often fly under the radar of traditional security tools and can be leveraged for persistent access, phishing campaigns, and data theft.
An open source detection engine that acts as an IDS (Intrusion Detection System).
A protocol that computer systems use to send event data logs to a central location for storage.
Transmission Control Protocol/Internet Protocol is a set of standardized rules that allow computers to communicate on a network such as the internet
Threat actor refers to people or groups conducting cyberattacks with malicious intent.
Proactively searching across various telemetry for threats is referred to as threat hunting. This involves analyzing system logs, network traffic, and other data sources to uncover malicious activity that may have evaded existing security controls.
Legitimate applications often abused by attackers, such as eM Client, PerfectData Software, and Newsletter Software Supermailer. These applications may appear harmless but can be exploited for malicious activities like phishing, data exfiltration, and financial fraud.
A database stored locally on macOS computers designed to restrict software from accessing sensitive user information. Commonly used for applying Full Disk Access for software.
In cybersecurity, a tunnel is a secure, encrypted connection that lets data be transmitted privately over an untrusted network.
Unauthorized or unwanted access occurs when a person or entity gains access without permission to connect to or use a system and perform malicious actions.
Unified audits combine multiple logs into a single location for centralized viewing and analysis. They comprehensively view security events across the entire IT infrastructure, including endpoints, servers, networks, and cloud environments.
UEBA is a cybersecurity solution that uses algorithms and machine learning to detect anomalies in the behavior of users as well as routers, servers and endpoints in a network.
A virtual computer image that behaves like an actual computer, a virtual machine can run its own separate computing environment, typically inside of a server.
Remote work environments often use VPNs as an encrypted tunnel for secure network resource access.
Typically short for voice phishing, vishing involves fraudulent phone calls that trick a victim into giving sensitive data like login credentials, credit card numbers, or bank details.
Vulnerabilities are weaknesses in software or hardware that can be exploited by malicious actors. Examples include a flaw in software, a misconfiguration, or a human error.
In cybersecurity, weaponization uses non-harmful tools or documents maliciously to inflict harm.
WAF is a tool that helps protect web-based applications, mobile apps, and APIs from cyber attacks by filtering and monitoring HTTP traffic between them and the Internet.
XSS (cross-site scripting) is a code injection attack where malicious code is inserted into a legitimate website.
Yara rules define patterns using a specialized rule-writing language. When a file or process is analyzed, Yara compares it against these rules. If the file or process matches the criteria defined in a rule, it's flagged as potentially malicious.
A Zero Trust Architecture refers to the way network devices and services are structured to enable a Zero Trust security model.
ZTNA is an IT technology solution that requires all users to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
Zero Trust is a security concept requiring all users to be authenticated and authorized before granting access to applications and data.
Zero-day vulnerabilities are security vulnerabilities unknown to developers, which become exploited by attackers before developers can release a fix.