Glossary of Key AttackIQ Terms
Through the AttackIQ Security Optimization Platform and AttackIQ Vanguard, our co-managed security service, AttackIQ arms our customers with better insights for better decisions and real security outcomes. We do so through the combination of our best-in-class software platform, our deep partnerships across the cybersecurity community, and our investment in the practice of threat-informed defense and security optimization. This glossary provides some of the key terms that underpin our strategy.
Advanced Persistent Threat (APT) 29 (also known as Cozy Bear, CozyDuke, the Dukes, or PowerDukes) is a Russia-based hacker group perhaps best known for its compromise of the Democratic National Committee in 2015 and for the SolarWinds intrusion of 2020. The group has links to the Russian government is highly technically skilled and capable of adapting to the defenses of the targets it chooses. APT29 often uses techniques and tools that have been identified in previous attacks.
AttackIQ also works closely with the MITRE Corporation to promote the practice of threat-informed defense as part of the industry-first AttackIQ Academy. AttackIQ Academy offers free instructor-led courses in critical concepts such as purple team operations, MITRE ATT&CK, and attack simulation that are eligible for (ISC)² CPE Credits. To date, more than 2,100 students have registered for Academy courses since its launch in April. The company continuously updates its guest lecture speakers and advanced cybersecurity curriculum to help organizations bolster their defenses.
AttackIQ Informed Defense Architecture (AIDA)
AIDA is a scalable and open testing architecture for verifying the integrity and effectiveness of security controls. AIDA uses test points deployed at scale in the production network to safely emulate attacker behavior across the kill chain. It combines multiple behavioral techniques to offer the broadest and deepest control validation solution available, with the best alignment to the MITRE ATT&CK matrix. AIDA is API-first and fully integrateable into other systems. The AIDA content library is fully open as well; users can inspect the tests, modify them, and create their own tests.
Attack Graphs align adversary tactics, techniques, and behaviors in a chain to emulate the adversary with specificity and realism and test a range of security controls within an environment. They make it easier for organizations to visually measure their defense performance against a series of attacks. Attack Graphs emerged from the AttackIQ Anatomic Engine, a component within the Security Optimization Platform designed from the ground-up to test ML/AI-based cybersecurity technologies. It combines the industry’s leading atomic testing capabilities with the most comprehensive adversary emulation capabilities on the market, making it easy for operators to recreate and evoke complex, multi-stage adversary campaigns that reflect the adversary.
Automated Security Control Validation
Automated security control validation is the process of measuring and validating your security control performance in an automated fashion. The AttackIQ Security Optimization Platform tests and validates that your security controls are working as intended and does so in a continuous and automated manner across your security program, using scenarios and assessments aligned to threat intelligence and adversary behaviors in the MITRE ATT&CK® framework. With real-time data on the performance of your controls, you can make smarter decisions and adjustments to your technology, processes, and personnel. The benefits of continuous testing go far beyond security control validation into workforce management, compliance optimization, and investment decision support.
Blueprints are AttackIQ’s step-by-step guides for aligning people, process, and technology around the practice of threat-informed defense and automated security control validation. AttackIQ blueprints help organizations mature their overall security posture and maximize the value of the AttackIQ Security Optimization Platform. They help teams define specific goals, provide guidance on key stages, and enable users to develop a comprehensive security optimization practice. The goal is to help security teams shift from a project mindset to a programmatic mindset that is focused on continuously testing, assessing, and validating their total security program effectiveness.
A blue team is a traditional cybersecurity team that defends systems against attack, whether by malicious actors or by a red team in a testing exercise. While a red team acts offensively to identify possible exploits in systems, blue teams act defensively to minimize vulnerabilities and to detect and prevent threats.
Breach and attack simulation
Breach and attack simulation is the process of using software to emulate adversary tactics, techniques, and behaviors within an information technology (IT) environment. AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry’s first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to identify security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework.
A bug bounty is a reward offered to individuals who identify and report program bugs, especially potential vulnerabilities, to a website or software developer. This allows the website or developer to work to fix the bugs that they may have otherwise missed.
C.I.A. Model [confidentiality, integrity, availability]
Also called the “C.I.A. Triad,” the C.I.A. Model is a cybersecurity model based around ensuring the confidentiality, integrity, and availability of networks and data. In this model, confidentiality refers to keeping data private and secure from unauthorized users. Integrity refers to the trustworthiness and reliability of the networks and data. Availability refers to networks and data being reliably accessible to authorized users.
A chief information officer (CIO) is the most senior executive in charge of information technology at a company. They oversee not only cybersecurity, but all information technology operations.
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) designs, develops, deploys, and sustains a suite of programs called the National Cybersecurity Protection System (NCPS) to help secure federal civilian executive branch information and networks.
A chief information security officer (CISO) is the most senior executive in charge of information security at a company. CISOs are more specialized than CIOs.
Cloud Security Optimization
Cloud security optimization is the process of testing your cloud security capabilities continuously to validate that your assets and data centers are protected against the threats that matter most. The AttackIQ Security Optimization Platform validates native cloud security controls in AWS and Azure, leveraging innovative cloud security research from the Center for Threat-Informed Defense. It also validates cybersecurity solutions that operate in the cloud, to include endpoint detection and response capabilities, next generation firewalls, and micro-segmentation platforms.
Colonial Pipeline ransomware attack
The Colonial Pipeline ransomware attack was a 2021 ransomware attack targeting Colonial Pipeline, the largest fuel pipeline in the U.S. This attack caused gas shortages and price increases across the East Coast, transforming ransomware into a top-tier national security threat overnight.
Compliance is an organization’s adherence to regulatory standards. A lack of compliance can have harsh legal and financial penalties in addition to the reputational harm that could result from being breached due to that lack of compliance with security standards.
Compliance optimization is the process of applying a threat-informed defense strategy to measure your compliance effectiveness, improve your cybersecurity readiness, and decrease your regulatory burden. The AttackIQ Security Optimization Platform aligns your threat and risk management frameworks, validating your security effectiveness using real-world threat behaviors from the MITRE ATT&CK framework and measuring your compliance performance under the NIST 800-53 family of security controls and DoD’s Cybersecurity Maturity Model (CMMC).
Detection is the identification of malicious activity threatening the network and/or device. Successful detection allows threats to be contained and controlled. Some threats can go months or even years before they are detected.
Cyberspace is the virtual world in which computer networks connect and communicate with each other. It is a world of pure information and a construct to help us visualize and understand the interactions between computer data and artifacts that don’t exist and interact in a recognizable physical space. The term was coined by William Gibson in his science fiction short story “Burning Chrome” to describe a new, simulated reality created by computers. Cyberspace is considered by the U.S. military to be a defensible domain.
Cyberspace operations are operations performed to achieve objectives in or through cyberspace. The term is typically used to refer to military operations specifically.
Critical infrastructure is the infrastructure that is considered critical for the functioning of society. This includes both physical (i.e., roadways) and cyber (I.e., the internet) systems, the destruction of which would devastate the physical or economic wellbeing of the population.
Detection engineering is the proactive designing and implementation of processes to identify and defend against threats.
The DoD Cybersecurity Maturity Model Certification (CMMC) is a set of certifications for DoD contractors. Every DoD contractor that handles unclassified DoD-related information is required to achieve specific security certifications under CMMC.
Federal Bureau of Investigation Cyber Division
The FBI Cyber Division investigates and prosecutes crimes that fall within the FBI’s jurisdiction and are internet-based, such as cyberterrorism, espionage, identity theft, and the like.
General Data Protection Regulation
The General Data Protection Regulation (GDPR) is the European Union’s (EU) data privacy and security law. It is one of the most advanced laws of its kind, and applies not only to organizations within the EU, but to any organization around the world that collects, shares, and stores data about people in the EU. The penalties for violating the GDPR are severe.
GRC (Governance Risk and Compliance)
GRC is an integrated approach to governance, risk management, and regulatory compliance, treating each of those as three aspects aiming at a single goal rather than unrelated concepts.
Malware is “malicious software,” designed by cybercriminals to disrupt, damage, gain unauthorized access to, leak data from, or otherwise use the computer systems of others for nefarious purposes.
MITRE introduced ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) in 2013 as a way to describe and categorize adversarial behaviors based on real-world observations, and it underpins AttackIQ’s practice of threat-informed defense. ATT&CK is a structured list of known attacker behaviors that have been compiled into tactics and techniques and expressed in a handful of matrices as well as via STIX/TAXII. Since it is a fairly comprehensive representation of behaviors attackers employ, it becomes a foundation for automated security control validation. Defensive teams can use a good, automated security control validation platform to test their security controls against MITRE ATT&CK-aligned scenarios and attack graphs.
MITRE ATT&CK Matrix
MITRE has broken out ATT&CK broken into a few different matrices: Enterprise, Mobile, Cloud, ICS and PRE-ATT&CK. Each of these matrices contains various tactics and techniques associated with that matrix’s subject matter. The Enterprise matrix is made of techniques and tactics that apply to Windows, Linux, and/or MacOS systems. Mobile contains tactics and techniques that apply to mobile devices. PRE-ATT&CK contains tactics and techniques related to what attackers do before they try to exploit a particular target network or system.
MITRE Center for Threat-Informed Defense
AttackIQ has long been committed to a shared mission of giving back to the community. The company is a founding research sponsor of the MITRE Center for Threat-Informed Defense (CTID), which brings together leading security teams from around the world to identify and solve critical cyberdefense problems, then freely share results with the community. Underpinning the CTID, MITRE ATT&CK’s matrix of attacker tactics, techniques, and procedures is the most widely adopted framework for modeling adversary behavior.
New York Department of Financial Services (DFS) Cybersecurity Regulation
The NYDFS Cybersecurity Regulation is a regulation that applies to all entities that fall under the jurisdiction of the NYDFS, as well as those entities’ third-party service providers.
NIST is the National Institute of Standards and Technology, one of the oldest science labs in the U.S. and a part of the U.S. Department of Commerce. Its mission is “to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.” The NIST has developed a voluntary cybersecurity framework as well as other cybersecurity resources.
NIST Special Publication 800-53 is a family of security and privacy control compiled by the National Institute of Science and Technology. It provides baseline standards and guidelines for protecting and managing information security systems.
The OPM Hack was a major cyberbreach of Office of Personnel Management (OPM), exposing the data of 22.1 million people, including current and former federal employees and contractors and their friends and families. The intrusion began in late 2013 and wasn’t discovered until 2015. The Chinese government is believed to be responsible.
The Open Systems Interconnection (OSI) model is a conceptual model of how devices communicate over a network. The model is comprised of seven layers. The model provides developers with a standardized framework so that different systems can communicate with each other. The OSI model was the first standard framework for network communications.
Penetration testing is a method of testing cyberdefenses through simulated attacks with the purpose of identifying and mitigating vulnerabilities.
Preactive Security is the practice of being proactive about preventable failure. Preactive security puts a threat-informed defense strategy into practice; you test your cyberdefenses the same way the adversary does, before the adversary does, to determine your defense effectiveness. You are proactive about preventable security failures. You are proactive about tuning and testing cybersecurity tools that could fail, before they fail. You anticipate likely causes of cyberdefense failure and proactively prevent those failures.
Preactive Security Exchange (PSE)
The Preactive Security Exchange is an objective and trusted platform on which security vendors can demonstrate the value and efficacy of their products, as well as identify opportunities to improve solutions. BlackBerry, Cisco, Illumio, LogRhythm, Microsoft, RSA, and SentinelOne are among the dozens of vendor partners of the PSE, working together to improve the effectiveness of the security tools available on the market today. The rules of engagement for AttackIQ’s preactive security exchange can be found here.
Prevention is the stopping of malicious activities before they cause damage. The best way to do this is by minimizing vulnerabilities so that they can’t be exploited.
Purple teaming is a cybersecurity approach in which security teams constantly exercise their defenses against known adversaries’ tactics and techniques to ensure that the defenses work as they should. Because they’re focused on understanding prospective adversaries, they’re ready if and when an intrusion occurs. They’re called “purple” because they combine the best of blue and red teams’ knowledge, skills, and strategies. When they work in close alignment, they conduct continuous assessments to ensure that security programs work as they should to stop advanced threats from both an offensive and defensive position. Absent continuous, adversary-focused testing, there is no way to ensure that a security program will perform in the way that it must at the right time.
Pyramid of Pain
The Pyramid of Pain demonstrates that some indicators of a compromise are more troubling to adversaries than others. This is because when those indicators are denied to an attacker, the loss of some will be more painful to them than the loss of others.
Ransomware is a type of malware that blocks access to computer systems. It is often used to extort a monetary ransom from system owners in exchange for a return of system access.
A red team is a cybersecurity team that tests technologies, policies, systems, and assumptions by adopting an adversary’s approach. Red team exercises include simulating multi-stage cyberattacks against specific targets on networks to simulate how an adversary might achieve a strategic effect, like stealing financial data, manipulating voter registration data, or destroying data to disrupt critical operations. Red teams pursue these objectives by adopting the tactics, techniques, and procedures (TTPs) of real adversaries. Red team testing is often episodic, and the coverage delivered is therefore limited by personnel hours; the result is that coverage is unfortunately smaller than the scale of the security team’s defenses. Red teams are often used to supplement blue teams.
Risk management is the process of identifying, assessing, prioritizing, and minimizing risk.
Scenarios are multi-phase behaviors that represent attacker behavior, a phased representation of an action. Attack graphs are several scenarios put together. Our library includes thousands of scenarios, or you can create your own to capture a specific TTP.
Security control failure
When a cybersecurity system fails to stop an attack it should have been able to prevent. Security control failures can lead to a range of damaging consequences for organizations including unauthorized access and / or use of corporate systems, denial of service attacks, the transmission of malicious code such as ransomware, and data exfiltration.
Security control quantification
Security control quantification is the process of determining what controls you have, where they’re placed, building an inventory of your security controls, and then measuring your security program’s effectiveness against the cybersecurity requirements and regulations that your organization is required to follow.
Security control rationalization
Security control rationalization is the process of assessing your security controls’ effectiveness; identifying and resolving gaps and overlaps in your security control stack; conducting a risk assessment of your security vendors; and then prioritizing, consolidating, and eliminating unnecessary security controls.
Security optimization is the management practice of maximizing the efficiency and effectiveness of your total security program (people, process, and technology) by ensuring that existing control investments are measured, monitored, and modified continuously from a threat-informed perspective. Security optimization is not about cost cutting; it is about programmatically aligning security and risk services with the business.
The AttackIQ Security Optimization Platform
With the AttackIQ Security Optimization Platform, we give our customers the most consistent, trusted, and safest way to test and validate security controls at scale. While competitors test in sandboxes, AttackIQ tests in production across the entire kill chain, the same as real-world adversaries do. Our platform grounds organizations in a shared understanding of threats and threat behaviors using the MITRE ATT&CK framework, and it enables our solutions across the security organization to improve total cybersecurity effectiveness and efficiency. Armed with better insights, security leaders can make better informed decisions about people, technology, and processes — leading to an overall improvement in security and business outcomes.
Seven layers of OSI Model
The seven layers of the OSI model are used by computer systems to communicate over networks. Each layer defines the function of the flow of data. The layers are (1) Physical, (2) Data Link, (3) Network, (4) Transport, (5) Session, (6) Presentation, and (7) Application.
SolarWinds is a corporation that develops software. In 2020, SolarWinds’ software was used for a massive supply chain attack. The attack is believed to have been carried out by the Russia-based hacker group APT29, who gained access to some of the world’s most highly regarded companies while remaining undetected for months. Microsoft, the U.S. Justice Department, State Department, and NASA were all breached in this attack.
Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of protocols that allows devices to communicate with each other over a network. TCP organizes the data for transmission, establishes the connection the data will be transmitted over, and breaks the data into transmittable packets. IP defines the addresses for the data packets and how the data packets will be exchanged. The two protocols work together to ensure that data gets to where it’s supposed to go.
MITRE defines threat-informed defense as the strategy of “applying a deep understanding of adversary tradecraft and technology to protect against, detect, and mitigate cyberattacks.” The AttackIQ Security Optimization Platform enables a threat-informed defense through continuous, automated adversary emulations that test your cyberdefenses against well-defined threats, using the MITRE ATT&CK framework, and then measures the effectiveness of those defenses and executes improvements continuously.
Tactic, Technique, Procedure (TTPs)
Tactic, Technique, Procedure (TTPs) are behaviors that adversaries exhibit in conducting cyberspace operations against a target.
U.S. Cyber Command
Formerly part of the NSA, U.S. Cyber Command is responsible for planning the majority of U.S. military missions in cyberspace. Its mission statement is “USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to direct the operations and defense of specified Department of Defense information networks; and prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.”
U.S. National Cyber Director
The role established in 2021, the U.S. National Cyber Director advises the president on cybersecurity policy and strategy.
A vulnerability is a weakness in a system that could be exploited by malicious actors.
Vulnerability scanning is the process of identifying potential vulnerabilities in networks, programs, and devices. Vulnerability scanners are automated tools that perform this function.