It all sounds like a load of malicious exfiltration to me!
The science of digital security testing is complex and full of baffling jargon. So here is a very simple guide to some of the terms we use on our website. Please note, this is a novice-level glossary; it greatly simplifies the concepts behind each term. If you want to talk shop at a rather higher level, feel free to call us.
The term Advanced Persistent Threat (APT) refers to a potential attacker that has the capability and the intent to carry out advanced attacks against specific high-profile targets in order to compromise their systems and maintain permanent control over them in a stealthy manner. APT attacks often rely on new malware which is not yet known to, or recognised by, traditional anti-virus products. APTs require significant resources and expertise and are often politically motivated (espionage). They are run, overseen or bankrolled by a controlling authority or client, rather than being the work of an individual malicious actor.
A secret method of bypassing security controls in a computer system. A backdoor may have been built into a system for legitimate reasons, such as to allow authorised access, but it nevertheless creates an exploitable vulnerability in a system.
Internal security teams who defend against real and simulated (i.e. red team) attacks. They have to be constantly vigilant against attacks in order to be effective.
Red and blue teams should work together: it’s the job of both teams to help to strengthen a network by attacking it (red team) or defending it (blue team) and sharing results.
The term botnet is derived from the words robot and network. A bot in this case is a device infected by malware, which then becomes part of a network of infected devices remotely controlled by a threat actor or attack group and used for malicious operations. Botnets are commonly used to send spam, run DDoS operations or steal personal data.
Crypto-ransomware is a piece of malicious software which will encrypt documents, photos and other key files on a victim computer, and demand a ransom to be paid. Once the victim pays the ransom, the malware authors provide a key to the victim which can be used to decrypt the encrypted files.
Very simply put, cryptocurrency is best understood as a form of digital money. The most famous example is Bitcoin, though thousands of cryptocurrencies now exist. Cryptocurrencies are decentralised – they lack a central bank or administrator. For example, Bitcoin can be sent directly between users on the Bitcoin network.
A cryptocurrency miner application which uses a computer’s resources (central processing unit, memory) without the consent of the owner. The mined profit is forwarded to the bad actors behind the malware.
Simply put, data theft. The unauthorised copying, transfer or retrieval of data from a computer. It can be achieved manually, but is more often performed by cybercriminals operating over a network or the internet via malicious programs. Data exfiltration usually occurs as a deliberate and targeted attack in which a hacker goes after a specific piece or set of data.
DoS stands for “Denial-of-Service”. DoS attacks aim to make a target resource unreachable or incapable of handling its standard tasks like serving clients or performing operations. Typically this is done by overloading the target with superfluous requests. A distributed denial-of-service (DDoS) attack is similar, but involves launching the attack from many different sources, thus making it harder to nullify the attack by blocking its one source of origin.
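The difference between a single-source DoS and a distributed DDoS is easiest to see in the server's own access log. The following is an added example, not code from the glossary or from Effitas: it slides a fixed window over constructed log lines (the `<timestamp> <source IP> <path>` format, the thresholds and the RFC 5737 documentation addresses are all assumptions made for the example) and reports whether the peak load comes from one address, which a single block rule can stop, or is spread thinly across many, which is the case the definition above calls hard to nullify.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Log format assumed for this example (constructed, not a real server's format):
# "<ISO-8601 timestamp> <source IP> <request path>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (\S+) (\S+)$")


def parse_events(lines):
    """Turn raw log lines into sorted (timestamp, source_ip, path) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events)


def busiest_window(events, window):
    """Slide a fixed-length window over the sorted events and return the slice holding the most requests."""
    best = []
    end = 0
    for start, (t0, _, _) in enumerate(events):
        while end < len(events) and events[end][0] <= t0 + window:
            end += 1
        if end - start > len(best):
            best = events[start:end]
    return best


def classify_traffic(lines, window=timedelta(seconds=10), total_limit=30, per_source_limit=15):
    """Classify a batch of log lines as normal, a single-source flood or a distributed flood.

    total_limit: requests in one window above which the traffic counts as a flood at all.
    per_source_limit: requests from one IP above which blocking that IP alone would stop the flood.
    """
    events = parse_events(lines)
    if not events:
        return "normal", {"requests": 0, "distinct_sources": 0, "top_source": None, "top_count": 0}
    peak = busiest_window(events, window)
    per_source = Counter(ip for _, ip, _ in peak)
    top_source, top_count = per_source.most_common(1)[0]
    details = {
        "requests": len(peak),
        "distinct_sources": len(per_source),
        "top_source": top_source,
        "top_count": top_count,
    }
    if len(peak) < total_limit:
        return "normal", details
    if top_count >= per_source_limit:
        # One address dominates: a classic DoS that a single block rule can stop.
        return "single-source flood", details
    # Volume is high but spread thinly across many addresses: a DDoS, where
    # blocking any one source barely dents the load.
    return "distributed flood", details


def make_lines(n, sources, start=datetime(2024, 1, 1, 12, 0, 0), spacing_ms=100, path="/login"):
    """Build constructed log lines: n requests, spacing_ms apart, rotating through the given sources."""
    lines = []
    for i in range(n):
        t = start + timedelta(milliseconds=spacing_ms * i)
        lines.append(f"{t.strftime('%Y-%m-%dT%H:%M:%S')} {sources[i % len(sources)]} {path}")
    return lines


# Constructed sample traffic using documentation address ranges (RFC 5737).
NORMAL_LOG = make_lines(12, ["192.0.2.10", "192.0.2.11", "192.0.2.12"], spacing_ms=800)
SINGLE_SOURCE_LOG = make_lines(50, ["203.0.113.9"])
DISTRIBUTED_LOG = make_lines(60, [f"198.51.100.{i}" for i in range(1, 61)])

if __name__ == "__main__":
    for name, log in [("normal", NORMAL_LOG), ("single-source", SINGLE_SOURCE_LOG), ("distributed", DISTRIBUTED_LOG)]:
        verdict, details = classify_traffic(log)
        print(f"{name:14s} -> {verdict}: {details}")
```

The thresholds are deliberately small so the constructed samples trip them; on a real service they would be tuned to the normal request rate, and the distributed verdict is the one that calls for upstream rate limiting or scrubbing rather than per-address blocking.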
A type of Trojan that is usually smuggled onto a PC via an email attachment or a download, and launches malware by “dropping” it. Droppers often go undetected because they are hidden and are not associated with files in the way much other malware is. They impede the functioning of targeted computers and can install themselves onto a disk or hard drive, launching their payload while disguising themselves within the computer system. Generally the most effective protection against droppers is anti-spyware.
Historically, efficacy testing has been one of Effitas’ core services but it is by no means our only service. Efficacy testing is the science of assessing the effectiveness of so-called Anti-Virus software (and similar, related products) to do their job and protect a computer (or other endpoint) against malicious software attacks (or similar).
Any piece of hardware used to access the internet. If a piece of hardware is able to access the internet it is potentially exposed to attacks by malware. Typical endpoints are PCs, laptops, Macs and smartphones.
Interestingly, thanks to the evolution of the Internet of Things, there increasingly exists the possibility of new kinds of malware attacking new kinds of hardware, such as autonomous vehicles.
Legal, legitimate, licensed hackers who are deliberately employed or hired by organisations to test their digital security defences. See Red Teams, Blue Teams and Purple Teams.
An attack on a computer system, particularly if it takes advantage of an existing vulnerability in the operating system, applications, plug-ins or software.
Software such as operating systems, browsers and text and spreadsheet editors has vulnerabilities. Some of these vulnerabilities can be exploited, resulting in code execution where the executed code is controlled by an attacker or ethical hacker. This executed code can in turn lead to further code execution, e.g. downloading and starting malware.
Although a typical malware attack on the Windows platform involves dropping an executable file on the disk, a fileless attack bypasses this stage in an attempt to evade protection. The initial attack usually starts from an exploit, a script or an Office macro.
Financial malware is malicious software that attempts to grab the user name and password from places that are used for online transactions. Financial malware can also steal login credentials from popular social networking websites such as Facebook, Twitter, LinkedIn, etc.
Simulators are used in a multitude of industries: most of us have seen footage of pilots learning to land a plane in the safe environment of a flight simulator. Simulators are also used within law enforcement, the military and finance. There are two major types of simulators: those used to teach students (e.g. pilots) and those used to simulate various types of attack (e.g. military). At Effitas, we create our own cybercrime financial simulators to help us anticipate and simulate attacks that may not be prevalent at present, but may become more so in the future. Simulators can point out potential weaknesses in products and construct new types of attacks in a safe environment. These can be useful for developers, allowing them to learn of the most likely future attacks from a testing lab, rather than when an attack of this type really occurs in the wild – by which point it’s too late.
A computer virus is considered to be “in the wild” if it is spreading via, or because of, normal, run-of-the-mill operations on and between the computers of victims who are unaware of it – that is, under the standard operating conditions of viruses and other malware.
The increasing degree to which hardware is becoming connected to the internet so that we can control it more remotely, more intelligently, and do more with it. For example, computer apps now allow us to control our central heating and home lighting remotely through an app. Entire city infrastructures are becoming more connected so that we can for example, control traffic lights using Artificial Intelligence that changes how traffic lights “behave” to reflect levels of traffic density, thus exerting a degree of intelligent control over traffic calming measures as and when needed. Meanwhile, “hardware” like cars is increasingly connected to the internet as cars become more computerised, especially with the rise of autonomous vehicles.
Any individual or group who sets out to create or spread a digital virus, hack, phishing attack or any other harmful form of computer or internet-based attack, regardless of their motivation. If it has a victim, then it is perpetrated by a malicious actor.
The process of reversing a malicious binary or code, or observing a malware’s behaviour while it runs. Since running malware is like playing with fire, malware analysis is usually done in sandbox environments. (You can see a definition of sandboxes in this glossary.)
Malware analysis sandboxes are used to run malicious samples in a controlled environment. By inspecting the sample behaviour, the sandbox can decide whether the sample is malicious or not. Attackers commonly try to detect and avoid malware analysis sandboxes.
The practice of making existing malicious code look like a new piece of code (a new virus) in order to test an anti-virus product’s ability to protect against what it perceives as new code.
Word documents and Excel spreadsheet files can contain not just data, but executable code as well. This code is mostly used to automate tasks inside a document. This code can be malicious in nature as well. Attackers often use these macro documents to drop their malware on the target system.
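Because the macro code lives in a known place inside the file, a defender can check for it without opening the document. The following is an added example, not code from the glossary or from Effitas: it treats a modern Office file as the zip package it is (the OOXML format) and looks for the binary VBA project part (`word/vbaProject.bin`, `xl/vbaProject.bin`, `ppt/vbaProject.bin`) and for the `application/vnd.ms-office.vbaProject` content type declared in `[Content_Types].xml`. The two sample packages it builds are constructed stand-ins, not documents produced by Office; legacy binary formats such as `.doc` are not zip files and are deliberately reported as out of scope here.

```python
import io
import re
import zipfile

# Content type Office declares for the VBA project part in a macro-enabled OOXML package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaproject"


def scan_ooxml(data: bytes) -> dict:
    """Inspect a zip-based Office file for VBA macro storage.

    Returns {"is_zip": bool, "parts": [part names ending in vbaProject.bin],
             "declares_vba": bool (content type found in [Content_Types].xml)}.
    Non-zip input (e.g. a legacy OLE2 .doc/.xls) comes back with is_zip=False;
    those formats need a different parser and are not handled in this example.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            try:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            except KeyError:
                content_types = ""
    except zipfile.BadZipFile:
        return {"is_zip": False, "parts": [], "declares_vba": False}
    parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
    declares = re.search(re.escape(VBA_CONTENT_TYPE), content_types, re.IGNORECASE) is not None
    return {"is_zip": True, "parts": parts, "declares_vba": declares}


def has_macros(data: bytes) -> bool:
    """True if either the VBA part is present or the package declares the VBA content type."""
    result = scan_ooxml(data)
    return bool(result["parts"]) or result["declares_vba"]


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal Word-style package for the example; not a real document saved by Office."""
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
    ]
    if with_macro:
        types.append('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "\n".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE2 magic bytes plus padding: a constructed stand-in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in [("macro-enabled", build_sample(True)), ("plain", build_sample(False))]:
        print(f"{label:14s} macros={has_macros(sample)} {scan_ooxml(sample)}")
    print(f"{'not a zip':14s} macros={has_macros(b'not an office file')}")
```

A check like this belongs at a mail gateway or upload handler, where a positive result can route the file for sandbox analysis; it says nothing about whether the macro is malicious, only that code is present, which is exactly the question to ask before a user is allowed to click “Enable Content”.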
A packer is a software tool that compresses code in such a way that it can still be executed (i.e. run – known as runtime compression). It is usually used to reduce the size of software for storage and also to deter reverse engineering. Packers usually have their own unique way of operating and leave their unique signature on code they have compressed.
Some packers are almost exclusively used for creating malware, so security apps look for code that carries the signature associated with these packers and give it extra scrutiny. Packers obfuscate code, so if one wanted to disguise code that has already been flagged as malicious by security apps, packing it with a new packer could allow the code to go undetected by those apps – but if a standard off-the-shelf packer is used, it will receive extra scrutiny as detailed above.
For zero day attacks, malicious actors must either create new code or attacks that never existed before, or obfuscate existing code by using a new packer. (Effitas is able to create our own packing tools with signatures never seen before – we use these to replicate zero day attacks and for APT testing).
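A new packer has no signature to match, so scanners fall back on a property every packer shares: compressed (or encrypted) code looks close to random, and its Shannon entropy approaches 8 bits per byte, while ordinary code and text sit far lower. The following is an added example, not code from the glossary or from Effitas, illustrating that heuristic over constructed data: a repetitive pseudo-text stands in for an unpacked binary's readable parts, `zlib` stands in for an arbitrary packer's compression stage, and a chunked scan locates the high-entropy region inside a blob that glues a low-entropy stub to a packed body. The 7.0-bit threshold and the chunk size are assumptions chosen for the example.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for a perfectly uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: compressed or encrypted payloads sit near 8 bits/byte, plain code and text do not."""
    return shannon_entropy(data) >= threshold


def high_entropy_regions(data: bytes, chunk: int = 1024, threshold: float = 7.0):
    """Scan complete fixed-size chunks and merge adjacent hits into (start, end) byte ranges.

    This is how a scanner narrows down where a packed or encrypted section begins
    inside a file whose loader stub is ordinary, low-entropy code.
    """
    regions = []
    for off in range(0, len(data) - chunk + 1, chunk):
        if shannon_entropy(data[off:off + chunk]) >= threshold:
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], off + chunk)  # extend the previous region
            else:
                regions.append((off, off + chunk))
    return regions


def constructed_plain_sample(seed: int = 7, words: int = 6000) -> bytes:
    """Constructed stand-in for unpacked code: repetitive pseudo-text with a small vocabulary."""
    rng = random.Random(seed)
    vocab = ["load", "store", "call", "return", "push", "pop", "jump", "compare",
             "string", "table", "handle", "buffer", "window", "error", "config"]
    return " ".join(rng.choice(vocab) for _ in range(words)).encode()


PLAIN_SAMPLE = constructed_plain_sample()
# zlib stands in for a packer's compression stage; a real packer's output has the same property.
PACKED_SAMPLE = zlib.compress(PLAIN_SAMPLE, 9)
# A constructed "packed executable": 2 KiB of plain stub followed by the packed body.
SAMPLE_BLOB = PLAIN_SAMPLE[:2048] + PACKED_SAMPLE

if __name__ == "__main__":
    print(f"plain  : {shannon_entropy(PLAIN_SAMPLE):.2f} bits/byte, packed={looks_packed(PLAIN_SAMPLE)}")
    print(f"packed : {shannon_entropy(PACKED_SAMPLE):.2f} bits/byte, packed={looks_packed(PACKED_SAMPLE)}")
    print(f"blob   : high-entropy regions at {high_entropy_regions(SAMPLE_BLOB)}")
```

Entropy alone produces false positives (legitimately compressed resources, embedded images, signed or encrypted data), which is why real products combine it with packer signatures, import-table checks and behavioural analysis; it is a trigger for closer inspection, not a verdict.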
A quick “repair job” that resolves issues in IT protection software and/or improves security. A patch can also add new features to the software.
A team of IT security professionals tries to evaluate a system from an attacker’s perspective. The overall security posture of the system is assessed using tools and methods similar to those an adversary would use when formulating attacks.
An activity whereby a cyber-criminal attempts to acquire private or sensitive information – often username/password combinations or credit card details – directly from an unsuspecting victim. Typically the main weapon in a phishing attack is a spoof website or email message that takes the victim to a fake login page that closely imitates an authentic one (such as a login page on a banking login website) in order to extract the relevant information from the victim.
Some organisations use purple teams who carry out the work of both red and blue teams, hunting, detecting and fixing vulnerabilities in organisational security systems by carrying out attack versus defence scenarios. Purple teams can be contracted or may be in-house.
The existence of purple teams is often simply a response to the sheer pervasiveness and volume of cyber-threats today. Many organisations require a wide variety of attack and defence scenarios and methodologies as they seek to gain any possible advantage against security threats. Not everyone uses purple teams and some argue that they are not necessary if red and blue teams communicate as they should.
External ethical hackers (legitimate, licensed, deliberately hired) brought in to test the effectiveness of a security programme by emulating a real attack. Red teams are normally external because the less they know about a company’s cyber security defences, the better able they are to act like authentic hackers. They are (of course) contractually bound to share all their discoveries with their customer, and gain no advantage from their activities beyond their fee.
While detection and the prevention of infection is one aspect of testing, the other is remediation: how well a security solution can remove an infection from an endpoint. Remediation, in its simplest terms, refers to protection software’s ability to “clean up” or kill an infection.
A security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading. It is often used to execute untrusted programs or code without risking harm to the host machine or operating system. A sandbox provides a tightly controlled set of resources for guest programs to run in.
Also known as a skiddie or skid. An unskilled amateur hacker who uses existing exploit programs and files (scripts) to carry out their attacks on networks, systems or websites. Script kiddies lack the skill to understand how scripts work, or to write their own scripts. It is often assumed that they are “juveniles” whose motivation is to impress peers or friends rather than become skilled hackers. The term “kiddie” is derogatory but doesn’t relate to the age of the offender. Instead, it is a disparaging reference to the amateur, lazy nature of the attack and the attacker.
Irrelevant or unsolicited email messages, typically to a large number of users, for the purposes of advertising or, in the case of cybercriminals, phishing or spreading malware.
A common security measure used to protect web applications against exploits, vulnerabilities and attacks. WAFs are a type of firewall that monitors and blocks data as it travels to and from a web application. WAFs are especially important for businesses that use the internet for their day-to-day business with customers, and can be network-, host- or cloud-based.
A special type of malware with only one intent: destruction. Wiper malware sometimes acts like ransomware by encrypting files on a system, but the difference is that files encrypted by ransomware can be decrypted, whereas the victim files of a decent wiper are gone and cannot be recovered.
A zero-day vulnerability is a vulnerability in software that is unknown to its vendors (or users). Until the vulnerability is fixed (usually via a patch) it can be exploited by hackers for malicious purposes. Zero-day attacks that exploit the vulnerability therefore have a very high chance of success. The day that the vendor discovers the vulnerability is known as “day zero”. Vendors then rush to create a patch that will protect their software, and provide that patch to all users of it. The longer this takes, the more likely affected systems are to be attacked by hackers aware of the vulnerability.