I just need to organize a course on introducing cybersecurity terminology, referencing Common Terms in Cybersecurity, with content generated based on GPT.
Penetration Testing#
POC (Proof of Concept)#
POC refers to code or operational methods that validate the feasibility of a security vulnerability, attack method, or technique. POCs are typically used to demonstrate that an attack can be successful, but they may not include code for actual exploitation. In security research, researchers often write POCs to prove that discovered vulnerabilities are real and exploitable, but they usually do not cause actual damage.
EXP (Exploit)#
EXP is code specifically designed to attack a particular vulnerability. Compared to POCs, EXPs are more mature and complete, and can be directly used to attack target systems to gain unauthorized access or perform other malicious actions. EXPs typically contain a complete set of attack logic that can achieve specific attack objectives on the target system.
PAYLOAD#
PAYLOAD refers to specific code or data that an attacker attempts to execute during an attack. It is part of the EXP, used to achieve the attacker's ultimate goals, such as popping a reverse shell, installing a backdoor, or stealing data. PAYLOADs can be customized according to the attacker's needs to fit different attack scenarios and targets.
Shellcode#
Shellcode is a special type of PAYLOAD that contains a piece of code used to control the victim's computer. Typically, the purpose of shellcode is to open a command-line interface, allowing the attacker to remotely control the attacked machine. Shellcode usually needs to be very compact and efficient, as it often needs to execute within very limited memory space.
Vulnerability#
A vulnerability refers to a weakness in software, hardware, or network systems that an attacker can exploit to perform unauthorized operations. These operations may include stealing data, gaining illegal access, or causing system crashes. Vulnerabilities can arise from various reasons, such as design flaws, programming errors, or configuration mistakes.
Zero-day Vulnerability#
A zero-day vulnerability refers to a security flaw that has been discovered and exploited by attackers before developers or the public are aware of it. The term "zero-day" comes from the "zero day" when developers become aware of the vulnerability, at which point there are no available patches or mitigations. Zero-day vulnerabilities are extremely dangerous for security defenses because, at the time of the attack, system administrators and users have no ready solutions.
One-day Vulnerability#
A one-day vulnerability refers to a flaw that has been publicly disclosed by developers (possibly including a patch), but many systems and applications have not yet applied this patch when exploited by attackers. In this case, a solution already exists, but for various reasons (such as update delays or users not applying patches in time), the vulnerability is still exploited.
N-day Vulnerability#
N-day vulnerability is a more general term used to describe vulnerabilities that are exploited at any time after public disclosure. "N" can be any number, indicating how many days have passed since the vulnerability was made public. This term is often used to emphasize that the vulnerability has been public for some time, but attackers can still exploit it, especially against systems that have not been patched in a timely manner.
Attack Terminology#
Bot#
This is hacker jargon referring to a computer that has been compromised by a hacker. These computers are usually infected with malware, allowing hackers to control them remotely while the true owner remains unaware. Bots can be used for various malicious activities, such as sending spam emails or participating in distributed denial-of-service (DDoS) attacks.
Botnet#
A botnet is a network of compromised bots controlled by hackers. Hackers use these infected computers (i.e., "zombies") to execute commands and distribute malware. These networks are typically used to carry out automated large-scale attacks, such as DDoS attacks or sending spam.
Trojan#
A Trojan is a type of malware that hides within seemingly legitimate software, tricking users into downloading and installing it. Once installed, a Trojan can perform various malicious operations, such as stealing sensitive information, downloading more malware, or providing hackers with remote access to the victim's computer.
Web Trojan#
A web Trojan is malware that spreads through web pages. When users visit a page containing malicious code, that code may execute automatically, installing a Trojan or other malware on the user's device, often without their knowledge.
Rootkit#
A rootkit is malware designed to hide the existence of software, processes, or files within a computer system, making malicious activities difficult for users and antivirus software to detect. Rootkits are typically used to maintain control over infected systems while hiding malicious activities.
Worm Virus#
A worm is a standalone piece of malware that can self-replicate and automatically spread across networks to other computers without needing to attach to other files or programs. Unlike traditional viruses, worms exploit network vulnerabilities and can cause widespread damage, such as network congestion or system performance degradation.
Cryptojacking Malware#
Cryptojacking malware is a type of malicious software designed to mine cryptocurrency using the victim's computing resources without their consent. This software typically runs in the background, consuming CPU and GPU resources, leading to decreased device performance.
Backdoor#
A backdoor refers to a hidden entry deliberately set in software, operating systems, or hardware, allowing remote access to the system without going through normal authentication processes. Attackers can control infected computers through backdoors, executing commands, stealing data, etc.
Weak Password#
A weak password refers to a password that is easy to guess or crack, typically consisting of common words, simple numeric combinations (like 123456), or default passwords. Weak passwords make accounts vulnerable to brute-force or dictionary attacks.
Malware#
Malware refers to any software designed to cause damage to computers, servers, clients, or computer networks. It includes viruses, worms, Trojans, ransomware, spyware, etc.
Spyware#
Spyware is software designed to secretly monitor user activities without their consent. It can record keystrokes, browsing history, passwords, and other personal information.
Sniffer#
A sniffer is a tool used to monitor and analyze network traffic. Attackers use sniffers to capture packets to steal information, monitor user activities, or search for security vulnerabilities in the network.
SQL Injection#
SQL injection is an attack technique where attackers input malicious SQL commands into an application's input fields, exploiting security vulnerabilities in the application's backend database to perform unauthorized database operations. This attack can be used to read or modify data in the database, or even execute administrative operations, such as deleting database tables or gaining server permissions.
Command Injection#
Command injection attacks allow attackers to execute arbitrary commands on the target system. This is typically achieved by exploiting improper handling of input data by the application, allowing malicious commands to be injected at the system level. Successful command injection attacks can lead to data breaches, server control, and other serious consequences.
Code Injection#
Code injection is an attack in which an attacker injects malicious code into an application, causing unexpected operations to be executed on the application or backend server. This type of attack can be implemented through scripting languages (like JavaScript), SQL commands, or other programming language codes.
Cross-Site Scripting (XSS)#
Cross-site scripting is a technique that executes malicious scripts in a user's browser. Attackers inject malicious scripts into web pages, and when other users browse those pages, the embedded scripts execute in their browsers. This can lead to user data being stolen, sessions being hijacked, or malware being distributed.
Webshell#
A webshell is a script file that executes server commands through a web interface, typically implanted by attackers on compromised web servers. Through webshells, attackers can remotely manage servers and execute various commands, such as data theft or further network penetration. Webshells can be written in various languages, such as PHP, ASP, JSP, etc.
Web Shell Planting / Drive-by Download#
Web shell planting is a type of web attack where attackers implant malicious code or software on a website. When users visit these pages with implanted malicious code, the malware automatically downloads and executes, usually without any user interaction. This method is commonly used to spread malware, such as Trojans or spyware.
AV Evasion#
AV Evasion refers to techniques used to prevent malware, viruses, or tools from being detected by antivirus software. These techniques may include code obfuscation, encryption, or exploiting vulnerabilities in antivirus software. The goal of AV Evasion techniques is to allow the attacker's malicious actions to bypass security detection and successfully execute their attacks.
Port Scanning#
Port scanning is a technique used to probe target computers or network devices for open services and listening ports. By scanning ports, attackers can discover exploitable service vulnerabilities and proceed with further attacks. Port scanning is typically a preliminary step in network penetration testing to gather information about the target system.
Website Takeover#
Website takeover refers to when attackers successfully gain control of a target website's administrative privileges, allowing them to modify, delete, or implant malicious code into the website's content. Website takeovers are typically achieved by exploiting vulnerabilities in web applications, database injections, server vulnerabilities, etc. After a successful takeover, attackers can engage in data theft, spread malware, conduct phishing attacks, and other malicious activities.
DDoS#
Flood Attack#
A flood attack is a method of making network services unavailable by sending a large number of useless requests to the target, exhausting the target's resources (such as bandwidth and processing power). This prevents legitimate users from accessing the service. Flood attacks are typically used in DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks.
SYN Flood Attack#
A SYN flood attack is a specific type of DoS attack that exploits the TCP protocol's three-way handshake process. Attackers send a large number of TCP/SYN (connection request) packets but deliberately do not complete the handshake process. This can exhaust the target server's resources, preventing it from processing legitimate requests.
Denial of Service Attack#
A DoS attack aims to make network services or resources unavailable to intended users. Attackers use various means, such as flood attacks, SYN attacks, etc., to exhaust the target's resources, leading to service interruptions.
Distributed Denial of Service Attack#
A DDoS attack is a form of DoS attack, differing in that the attack comes from distributed systems—typically composed of many infected machines (botnets). This makes the attack harder to defend against, as the traffic sources are numerous and dispersed.
ARP Spoofing Attack#
ARP spoofing, or ARP deception, is an attack that exploits vulnerabilities in the ARP protocol within a network. Attackers send forged ARP messages into the local area network to associate the attacker's MAC address with the IP address of a legitimate host. This can be used for man-in-the-middle attacks, intercepting, modifying, or redirecting network traffic.
Phishing#
Watering Hole Attack#
A watering hole attack is a method targeting specific groups, where attackers infect a website frequently visited by members of that group to spread malware among users visiting that site. This attack method is similar to a predator waiting at a watering hole for prey.
Advanced Persistent Threat#
An APT attack is a complex cyber attack characterized by prolonged stealth and strong targeting. Attackers are usually organized teams aiming to persistently access target networks undetected to steal data or monitor activities.
Supply Chain Attack#
A supply chain attack refers to an attack conducted by attackers through the target organization's suppliers or service providers. Since the security of the supply chain may not be as robust as that of the target organization itself, attackers exploit this as a foothold to enter the target network.
Spam#
Spam refers to unsolicited, bulk-sent emails, typically used for advertising, phishing attacks, or spreading malware. Although spam itself does not directly exploit system vulnerabilities, it is a common means of spreading malicious content and conducting social engineering attacks.
Spoofing Attack#
A spoofing attack refers to an attacker impersonating another user or device to deceive users, steal information, or bypass access controls. Spoofing attacks can take various forms, including IP spoofing, email address spoofing, and ARP spoofing.
Man-in-the-Middle Attack (MITM)#
A man-in-the-middle attack refers to an attacker inserting themselves between two communicating parties, secretly listening, intercepting, or altering the exchanged information. This attack is common in unencrypted network communications, where attackers can use ARP spoofing, DNS spoofing, and other techniques to achieve this.
Challenge Collapsar Attack#
A CC attack is a type of distributed denial-of-service attack (DDoS) that overloads a target website's resources with a large number of requests, causing the server to become overloaded and preventing normal users from accessing it. CC attacks specifically refer to a large number of HTTP requests initiated through proxy servers or botnets to simulate normal user behavior, making defense more difficult.
Database Cracking#
Database cracking refers to obtaining access to a database through various means and then stealing the information stored within it. This is typically achieved by exploiting vulnerabilities in database management systems, SQL injection, and other techniques.
Data Breach#
A data breach refers to an incident where attackers successfully steal sensitive data from a database, including user personal information, passwords, financial information, etc. Data breach events typically refer to large-scale data leaks that significantly impact user privacy and corporate reputation.
Credential Stuffing#
Credential stuffing is a cyber attack method where attackers obtain leaked username and password databases from other websites and then attempt to log into other sites using those credentials. Since many users reuse the same usernames and passwords across different sites, credential stuffing attacks can succeed in some cases.
Social Engineering#
Social engineering is a security attack technique that does not rely on traditional hacking techniques but instead exploits human psychological weaknesses to induce individuals or employees to disclose sensitive information or perform specific actions. This technique includes phishing attacks, pretexting, impersonating trusted individuals or institutions, and other methods.
Hidden Link#
A hidden link refers to links on a website that are concealed from normal users but can be crawled by search engines. Attackers implant hidden links on victim websites to improve the search engine ranking of malicious or related sites.
Defacement#
Defacement is an attack where attackers change the content of a website, typically to spread political messages, hacker tags, or malicious code. This attack not only damages the reputation of the website but can also be used to spread malware.
Command and Control#
C2 servers are used by attackers to maintain control over already compromised systems and issue subsequent commands. This mechanism allows attackers to remotely manipulate malware or botnets to execute data theft, distributed denial-of-service attacks, and other activities.
Spear Phishing#
Spear phishing is a more targeted form of phishing attack where attackers collect and utilize personal information to customize deceptive emails or messages, aiming to induce specific individuals or organizations to disclose sensitive information or install malware.
Phishing#
Phishing is a fraudulent method where attackers impersonate a trusted entity to send emails or messages, tricking victims into clicking malicious links or attachments to steal sensitive information such as login credentials or credit card information.
Pivoting#
Pivoting is a technique used in network penetration testing or attacks, where attackers use a compromised system as a stepping stone to further penetrate or attack other systems within the network. This allows attackers to bypass firewalls or security measures and delve deeper into the network.
Internal Network Attacks#
Lateral Movement#
Lateral movement refers to the process of an attacker moving from one system to another within a network, aiming to expand their influence, search for valuable targets, or gain higher access privileges. This often involves exploiting credentials and vulnerabilities within the network.
Privilege Escalation#
Privilege escalation refers to the process where attackers gain higher privileges (such as administrator rights) from lower-privileged accounts by exploiting system vulnerabilities, configuration errors, or design flaws. This is a key step for attackers to expand their access and control.
Reverse Engineering#
Overflow#
In programming and network security, overflow refers to data exceeding the predetermined storage space or container boundaries. This often occurs in buffer overflow attacks, where excessive data written to a buffer may overwrite adjacent memory areas, leading to undefined behavior, such as executing malicious code.
Buffer Overflow Attack#
A buffer overflow attack occurs when a program attempts to write more data to a buffer than its capacity, which may lead to overwriting adjacent memory areas. Attackers can exploit this behavior to execute arbitrary code or compromise the system.
Shellcoding#
Shellcoding typically refers to developers or attackers adding a layer of shell code to software before release to protect the program from reverse engineering analysis. In security, shellcoding can also refer to creating and using shellcode, which is a small piece of code used to exploit software vulnerabilities, aiming to provide attackers with command-line access to the victim's system.
Unpacking#
Unpacking refers to the process of removing protective shell code from software, typically used for malware analysis or reverse engineering. By unpacking, analysts can see the true code of the original program, allowing for a better understanding of its functionality and potential threats.
Obfuscation#
Obfuscation is a code obfuscation technique used to make the machine code of software difficult to understand. This technique is achieved by replacing, adding, or modifying instructions within the code, aiming to hinder reverse engineering and analysis, making it more difficult to analyze malware or protect copyrights. In security, obfuscation can be used to hide the true intent of malicious code, helping it avoid detection by security software.
Black and Gray#
Domain Hijacking#
Domain hijacking refers to attackers gaining control over a domain through illegal means and then changing the domain name system (DNS) settings to redirect users to malicious websites. This attack may be used for phishing, distributing malware, or engaging in other malicious activities.
Pig Butchering#
Pig butchering is a type of online scam that primarily targets victims through social platforms or dating websites. Scammers typically establish an emotional connection with victims and then induce them to transfer money under the pretext of investment or financial management, ultimately defrauding them. The term comes from the analogy of scammers "feeding" their targets like pigs until the "harvest" moment.
Telecom Fraud#
Telecom fraud refers to scam activities conducted using telephones, online communications, and other telecommunications tools. Scammers use various means to gain the victim's trust and then induce them to transfer money or provide sensitive information, such as bank account details or passwords.
Wool Pulling#
Wool pulling refers to exploiting vulnerabilities, policy loopholes, or promotional activities in online platforms, applications, or services to profit through legal or semi-legal means. This behavior may involve bulk account registrations, using automated scripts, or exploiting system vulnerabilities to gain improper benefits.
Cybercrime as a Service#
Cybercrime as a service refers to illegal activities conducted using internet technology, such as selling or renting malware, providing hacking services, and selling data leaks. These activities typically occur on the dark web or encrypted networks to hide identities and traces of activities.
Dark Web#
The dark web is a hidden part of the internet that is not indexed by conventional search engines and can only be accessed through special software like the Tor browser. The dark web is often used to protect user privacy and freedom of speech, but it also contains many places for illegal transactions and activities.
Attackers#
Black Hat Hacker#
A black hat hacker refers to hackers who conduct cyber attacks, data theft, system destruction, and other activities for illegal purposes and personal gain. They typically exploit discovered vulnerabilities for malicious attacks rather than reporting them.
White Hat Hacker#
A white hat hacker, also known as an ethical hacker, refers to professionals who use their skills to help organizations discover and fix security vulnerabilities. They typically conduct penetration testing with authorization to ensure system security.
Red Hat Hacker#
A red hat hacker typically falls between black hats and white hats, potentially taking more aggressive measures against black hat hackers. Unlike white hat hackers, who focus on defense and reporting vulnerabilities, red hat hackers may attack systems used by black hat hackers to stop their illegal activities.
Red Team#
A red team refers to a group that plays the role of attackers in simulated attacks, using various techniques and strategies to attempt to breach an organization's security defenses. The goal of the red team is to reveal security weaknesses that could be exploited by real attackers.
Blue Team#
A blue team refers to the group responsible for defense, tasked with detecting, preventing, and responding to red team attack attempts. The blue team focuses on strengthening security measures and enhancing the organization's security posture.
Purple Team#
A purple team is not a separate team but a concept of collaboration between red and blue teams. Purple team activities aim to improve overall security posture through close cooperation, sharing knowledge and experiences between red and blue teams. The purple team bridges the gap between attack and defense, enhancing security capabilities through collaboration.
Defense#
Firewall#
A firewall is a network security system that monitors and controls data packets entering and exiting a network. Based on predetermined security rules, a firewall can allow or block specific data flows, protecting the internal network from unauthorized access. Firewalls can be hardware, software, or a combination of both.
Intrusion Prevention System (IPS)#
An intrusion prevention system is a proactive network security device that monitors network traffic to identify and block potential malicious activities. Compared to intrusion detection systems (IDS), IPS can not only detect attacks but also take real-time measures to prevent them, such as disconnecting malicious traffic.
Intrusion Detection System (IDS)#
An intrusion detection system is a passive monitoring tool used to detect and report malicious activities or policy violations in networks or systems. Compared to IPS, IDS primarily focuses on detection and alerting, without directly taking action to block attacks.
Antivirus Software#
Antivirus software is a program used to detect, prevent, and remove malware. By scanning files and programs on a computer system, antivirus software can identify and eliminate viruses, Trojans, spyware, and other malicious software, protecting devices from harm.
Antivirus Gateway#
An antivirus gateway is a network security device located at the enterprise's boundary, used to scan incoming and outgoing network traffic for malicious software. It typically combines the functions of a firewall and antivirus software, providing more comprehensive network security protection.
Situational Awareness#
Situational awareness in the field of cybersecurity refers to a comprehensive understanding and awareness of the network environment and security threats. By collecting, analyzing, and synthesizing network data, security teams can gain a clear view of the current network security status, enabling them to more effectively identify, defend against, and respond to security threats.
Security Operations Center (SOC)#
A security operations center is a dedicated department responsible for managing an organization's information security. SOC teams use various technologies and processes to monitor and analyze the organization's security posture to timely detect, assess, respond to, and mitigate security incidents and threats.
Jump Server/Bastion Host#
A jump server is a specially configured server placed at the security boundary of a network, serving as the only entry point for accessing internal networks or systems. Through the jump server, remote access can be strictly controlled and monitored, enhancing security. Users must first authenticate through the jump server to access internal resources.
Database Audit#
Database audit is the process of recording and examining database operations to ensure data integrity, confidentiality, and availability. Audits can help identify unauthorized data access, data modifications, or other potential security issues. Audit logs typically include user actions, access times, and accessed data.
Vulnerability Scanning#
Vulnerability scanning is an automated process used to identify and report security vulnerabilities in networks, systems, or applications. Through vulnerability scanning, organizations can understand their security risks and take measures to remediate them to prevent potential attacks.
Data Diode/Gate#
A data diode is a network security device used to provide unidirectional communication between two networks. It ensures that data can only flow in one direction, preventing potential threats and data leaks. Data diodes are often used in high-security environments, such as military or critical infrastructure.
Unified Threat Management (UTM)#
Unified threat management is a network security solution that integrates multiple security functions into a single device. These functions may include firewalls, antivirus, intrusion detection and prevention, web filtering, and anti-spam. UTM provides a simplified approach to managing network security threats.
Internet Behavior Management#
Internet behavior management refers to the use of various technologies and strategies to monitor and manage users' online behavior to ensure compliance, improve productivity, and protect network security. This may include restricting access to specific websites, monitoring network traffic, and preventing information leaks.
Virtual Private Network (VPN)#
A virtual private network is a technology that allows users to securely access private networks over public networks through encrypted tunnels. VPNs hide users' IP addresses and encrypt data transmissions, protecting users' privacy and security on public networks.
Web Application Firewall (WAF)#
A web application firewall is a firewall specifically designed to protect web applications. It monitors, filters, and blocks malicious HTTP/HTTPS traffic, preventing various attacks against web applications, such as SQL injection and cross-site scripting (XSS).
Honeypot#
A honeypot is a security mechanism designed to lure attackers. It appears to be a valuable target (for example, a server that seems to contain sensitive data), but it is actually isolated and monitored, aiming to entice attackers to attack this system, thereby revealing their techniques, methods, and intentions.
Sandbox#
A sandbox is a security technology used to execute or run programs in an isolated environment, allowing untrusted code or programs to be tested without affecting the main system. Sandboxes provide a secure environment to analyze malware behavior or test unknown software.
Sandbox Evasion#
Sandbox evasion refers to malicious software or code recognizing that it is running in a sandbox environment and taking measures to avoid detection or limit its behavior to escape security analysis. This often involves detecting characteristics of the sandbox environment or simulating user behavior to avoid being analyzed.
Cyber Range#
A cyber range is a simulated network environment used for training and assessing the security of networks and systems. It provides a practical operational environment where security professionals can practice penetration testing, security defense, incident response, and other skills without risking real environments.
Network Access Control (NAC)#
Network access control is a network security solution used to prevent unauthorized access. NAC can enforce policies, such as checking the security status of devices (e.g., whether the latest security patches are installed) before allowing devices to connect to the network.
False Positive#
In cybersecurity, a false positive refers to a situation where a security system incorrectly identifies legitimate activities or data as malicious. Such false alarms can lead to unnecessary disruptions and resource waste, as security teams need to investigate each alert.
Alert#
An alert is a notification issued by a security system when a potential security event or policy violation is detected. The purpose of alerts is to draw the attention of the security team so they can respond to and address potential security threats in a timely manner.
Log Auditing System#
A log auditing system is a technology that monitors and records the activities of operating systems, applications, and other system components. These logs provide detailed records of system operations, user activities, system errors, and security events. By analyzing these logs, security experts can detect potential security threats, non-compliant actions, or system failures, allowing them to take appropriate preventive or corrective measures.
Traffic Scrubbing#
Traffic scrubbing is a network security measure used to protect networks from distributed denial-of-service (DDoS) attacks. During traffic scrubbing, incoming traffic is routed through a scrubbing center or device that identifies and filters out malicious traffic, allowing only legitimate traffic to pass through. This helps ensure the normal operation of the network and prevents service interruptions.
Security Information and Event Management (SIEM)#
SIEM is a security management approach that combines the functions of security information management (SIM) and security event management (SEM). SIEM solutions can collect and analyze security data and event logs in real-time from various sources (such as network devices, security devices, servers, databases, etc.). By analyzing this information, SIEM can identify anomalous behavior or potential security threats, triggering alerts and aiding in rapid response.
Hardware Security Module (HSM)#
A hardware security module (HSM) is a physical device used to generate, store, and manage digital keys, perform encryption and decryption operations on sensitive data, and create digital signatures and certificates. HSMs provide a highly secure way to protect and manage keys, typically used for high-security tasks such as financial transaction processing, data protection, authentication, and digital signing. HSMs are designed to resist various attacks, ensuring the security of key materials.