🏠 CyberWatch Dashboard Guide
CyberWatch is a Security Operations Centre (SOC) intelligence dashboard that aggregates live threat data, vulnerability feeds, and attack intelligence into a single unified interface.
🗂 Navigation Tabs
| Tab | Purpose |
|---|---|
| 📊 Overview | Key metrics, live news feed, and recent critical CVEs at a glance. |
| 🌐 Threat Map | Real-time animated world map showing attack origins, targets, types, and a live event feed. |
| 📰 Intelligence Feeds | Live RSS from THN, Krebs, BleepingComputer, and CISA. Custom news items via Admin. |
| 🔥 Vulnerabilities | NVD live CVE feed (past 7 days) and CISA's Known Exploited Vulnerabilities catalog. |
| 💀 Threat Actors | Nation-state APT groups, active ransomware gangs, and major incident timeline. |
| 🔗 Resources | Curated CVE databases, threat intel platforms, and security research blogs. |
| 🛠 Useful Sites | Security tools organised by category: malware analysis, IP intel, OSINT, and more. |
| 📖 Wiki | This knowledge base — attack types, CVSS guide, incident response, and more. |
⚙ Admin Panel
Click the ⚙ Admin button in the top-right header. Default password is cyber2025. From the admin panel you can:
- Publish custom news items with severity tags and links.
- Add custom resource sites to the Resources tab.
- Manage and delete your custom content.
- Change the admin password.
💡 Tip: All feeds refresh automatically every 15 minutes while the dashboard is open. Use the ↻ Refresh buttons to force an immediate update.
📡 Live Data Sources
- NVD API — National Vulnerability Database REST API v2.
- CISA KEV — Known Exploited Vulnerabilities JSON feed.
- RSS Feeds — The Hacker News, Krebs, BleepingComputer, CISA via rss2json proxy.
- D3.js / World Atlas — Real country geographic data via TopoJSON.
📘 Security Glossary
| Term | Definition |
|---|---|
| APT | Advanced Persistent Threat — a sophisticated, long-term intrusion campaign, typically state-sponsored. |
| CVE | Common Vulnerabilities and Exposures — standardised identifier for publicly known security vulnerabilities. |
| CVSS | Common Vulnerability Scoring System — numeric score (0–10) rating vulnerability severity. |
| IOC | Indicator of Compromise — artefact (IP, hash, domain) that indicates a system has been breached. |
| TTP | Tactics, Techniques, and Procedures — describes how threat actors operate. |
| C2 / C&C | Command and Control — infrastructure used by attackers to communicate with compromised systems. |
| RCE | Remote Code Execution — vulnerability allowing an attacker to run arbitrary code on a target system. |
| LPE / EoP | Local Privilege Escalation / Elevation of Privilege — gaining higher permissions on a compromised system. |
| Zero-Day | Vulnerability that is unknown to the vendor and has no patch available at time of discovery/exploitation. |
| KEV | Known Exploited Vulnerability — CISA catalog of CVEs with confirmed active exploitation. |
| SIEM | Security Information and Event Management — platform for real-time log analysis and threat detection. |
| EDR | Endpoint Detection and Response — security solution monitoring endpoints for suspicious activity. |
| SOAR | Security Orchestration, Automation and Response — automates security workflows and incident response. |
| OSINT | Open Source Intelligence — information gathered from publicly available sources. |
| Lateral Movement | Techniques used by attackers to progressively move through a network after initial compromise. |
| Exfiltration | Unauthorised transfer of data out of a compromised organisation. |
⚡ Attack Types Explained
⚡ DDoS — Distributed Denial of Service
Attackers overwhelm a target's servers or network infrastructure with massive volumes of traffic from thousands of compromised devices (a botnet), making services unavailable to legitimate users. Common subtypes include volumetric (bandwidth exhaustion), protocol (SYN flood), and application-layer (HTTP flood) attacks.
🔒 Ransomware
Malware that encrypts a victim's files or systems and demands payment (typically cryptocurrency) for decryption keys. Modern ransomware operations also perform data exfiltration for double-extortion — threatening to publish stolen data if the ransom isn't paid. Major groups include LockBit, ALPHV, and Cl0p.
🎣 Phishing
Social engineering attacks that deceive users into revealing credentials, installing malware, or transferring funds. Variants include spear phishing (targeted), whaling (targeting executives), vishing (voice), and smishing (SMS). Business Email Compromise (BEC) is a costly form causing billions in losses annually.
🔨 Brute Force
Systematically trying all possible password combinations or using credential lists from previous breaches (credential stuffing) to gain unauthorised access. Commonly targets SSH, RDP, web admin panels, and VPN gateways. Mitigated by MFA, account lockout, and rate-limiting.
💉 SQL Injection
Inserting malicious SQL statements into input fields to manipulate backend databases. Can allow data exfiltration, authentication bypass, data modification, or remote code execution depending on the database configuration. Remains in OWASP Top 10 despite being well-understood.
🦠 Malware
Malicious software including viruses, worms, trojans, spyware, adware, and rootkits. Modern malware uses fileless techniques, living-off-the-land (LOLBins), and encrypted C2 channels to evade detection. Common delivery mechanisms: phishing attachments, drive-by downloads, and supply chain compromise.
💥 Zero-Day Exploits
Attacks targeting vulnerabilities unknown to the vendor, with no patch available. Zero-days are highly valuable, often sold for hundreds of thousands of dollars. Nation-state actors and sophisticated cybercriminal groups exploit these before discovery — examples include Stuxnet and Pegasus spyware.
🗝 Credential Theft
Harvesting authentication credentials through keyloggers, memory scraping (mimikatz), phishing, or purchasing from criminal marketplaces. Stolen credentials are used for initial access, lateral movement, and privilege escalation. Pass-the-hash and Kerberoasting are common Active Directory techniques.
👁 Man-in-the-Middle (MITM)
Intercepting communications between two parties to eavesdrop or alter data. Techniques include ARP poisoning, SSL stripping, rogue Wi-Fi access points, and BGP hijacking. TLS encryption with certificate pinning is the primary mitigation.
⛓ Supply Chain Attack
Compromising software, hardware, or service providers to gain access to their downstream customers. High-profile examples: SolarWinds SUNBURST (2020), 3CX (2023), XZ Utils (2024). Extremely difficult to detect as the malicious code arrives from trusted update mechanisms.
🗺 MITRE ATT&CK Overview
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used for threat modelling, detection gap analysis, and red team planning.
📋 The 14 Tactics (Enterprise)
| ID | Tactic | Description |
|---|---|---|
| TA0043 | Reconnaissance | Gathering information before the attack (OSINT, scanning). |
| TA0042 | Resource Development | Acquiring infrastructure, tools, and capabilities for the attack. |
| TA0001 | Initial Access | Gaining a foothold in the target network (phishing, exploit, supply chain). |
| TA0002 | Execution | Running malicious code (scripts, LOLBins, macros). |
| TA0003 | Persistence | Maintaining access across reboots and credential changes. |
| TA0004 | Privilege Escalation | Gaining higher-level permissions (admin/SYSTEM/root). |
| TA0005 | Defense Evasion | Avoiding detection — obfuscation, disabling AV, living-off-the-land. |
| TA0006 | Credential Access | Stealing account credentials (keyloggers, Mimikatz, phishing). |
| TA0007 | Discovery | Learning about the environment — hosts, shares, users, processes. |
| TA0008 | Lateral Movement | Moving through the network to reach high-value targets. |
| TA0009 | Collection | Gathering data of interest for exfiltration. |
| TA0011 | Command & Control | Communicating with compromised systems to direct activity. |
| TA0010 | Exfiltration | Stealing data out of the victim environment. |
| TA0040 | Impact | Disrupting availability or integrity — ransomware, wipers, defacement. |
🔗 Explore the full ATT&CK matrix at attack.mitre.org
📊 Understanding CVSS Scores
The Common Vulnerability Scoring System (CVSS) provides a standardised way to rate the severity of software vulnerabilities. Scores range from 0.0 to 10.0.
🎯 Severity Ratings
| Score | Rating | Action Required |
|---|---|---|
| 9.0 – 10.0 | Critical | Patch immediately. Often unauthenticated RCE or critical data exposure. |
| 7.0 – 8.9 | High | Patch within 24-72 hours. Significant risk to confidentiality/integrity/availability. |
| 4.0 – 6.9 | Medium | Patch within 30 days. Requires some conditions (auth, local access) to exploit. |
| 0.1 – 3.9 | Low | Schedule for routine patching. Limited impact or difficult to exploit. |
🔢 CVSS v3.1 Base Metrics
Attack Vector (AV)
Network (N) — exploitable remotely over the internet. Adjacent (A) — requires network adjacency. Local (L) — requires local access. Physical (P) — requires physical device access. Network vectors score highest.
Attack Complexity (AC)
Low — no special conditions required. High — requires specific circumstances, race conditions, or prior preparation.
Privileges Required (PR)
None — unauthenticated. Low — basic user account. High — admin/root required. Unauthenticated vulnerabilities score highest.
User Interaction (UI)
None — exploitable without victim interaction. Required — victim must take action (click link, open file).
Impact: CIA Triad
Confidentiality (C) — data exposure. Integrity (I) — data modification. Availability (A) — service disruption. Each rated None / Low / High.
⚠️ CVSS alone is insufficient. Always factor in EPSS (exploit prediction) and CISA KEV status. A CVSS 5.5 in actively-exploited software may be more urgent than a CVSS 9.0 theoretical vulnerability.
🔄 Vulnerability Lifecycle
Understanding how vulnerabilities move from discovery to remediation is critical for prioritising patching efforts.
📅 Timeline
| Stage | Description | Avg Time |
|---|---|---|
| 🔍 Discovery | Vulnerability found by researcher, vendor, or attacker. | Day 0 |
| 📨 Responsible Disclosure | Researcher privately notifies the vendor. | Day 0–7 |
| 🔧 Patch Development | Vendor develops and tests a fix. | 7–90 days |
| 📢 Public Disclosure | CVE assigned, advisory published, patch released simultaneously (coordinated disclosure). | 90 days |
| 🚨 Exploit Development | Public PoC appears — typically within hours of disclosure for critical vulns. | 0–48 hrs post-disclosure |
| 💀 Active Exploitation | Threat actors weaponise and deploy at scale. CISA KEV entry added. | Days to weeks |
| ✅ Patching | Organisations apply vendor patch or workaround. | Varies widely |
🔴 Critical stat: The average time to patch a critical vulnerability across enterprises is 60–90 days. Attackers exploit within hours. This gap is where breaches happen.
Zero-Day Window
A vulnerability that is actively exploited before public disclosure is a zero-day. During this window there are no patches, no CVE assignments, and detection relies purely on behavioural anomaly detection and threat intelligence.
🏴 APT Groups Guide
Advanced Persistent Threat (APT) groups are sophisticated, well-resourced threat actors — typically state-sponsored — that conduct long-duration, targeted intrusion campaigns.
🌍 Major Nation-State Actors
🇷🇺 Russia
APT28 (Fancy Bear / GRU) targets governments, defence organisations, and elections. Known for DNC hack (2016), MH17 investigation interference, and WADA breach. Uses custom implants including X-Agent and Sofacy.
APT29 (Cozy Bear / SVR) specialises in long-term intelligence collection. Responsible for SolarWinds SUNBURST supply chain attack. Highly sophisticated with minimal footprint.
Sandworm (GRU Voodoo Bear) focuses on destructive attacks, particularly against Ukraine. Behind NotPetya (2017), Ukrainian power grid attacks (2015–2016), and Olympic Destroyer (2018).
🇨🇳 China
APT41 (Double Dragon) uniquely conducts both espionage and financially-motivated operations. Targets healthcare, telecoms, and gaming companies globally.
Volt Typhoon focuses on US critical infrastructure pre-positioning — CISA/NSA joint advisory confirmed presence in US military logistics and communications networks.
Salt Typhoon specifically targets telecommunications companies. Compromised major US carriers including AT&T and Verizon in 2024, accessing law enforcement wiretap systems.
🇰🇵 North Korea
Lazarus Group (APT38) is responsible for the 2016 Bangladesh Bank heist ($81M), Sony Pictures hack (2014), and WannaCry (2017). Funds North Korean government through crypto theft — estimated $3B stolen since 2017.
🇮🇷 Iran
Charming Kitten (APT35) targets dissidents, academics, journalists, and government officials. Uses elaborate social engineering and custom Android spyware. Known for multi-week phishing campaigns building rapport before deploying malware.
🔍 APT Naming Conventions
| Vendor | Format | Example |
|---|---|---|
| MITRE | APT + Number | APT28, APT41 |
| CrowdStrike | Animal + Country | Fancy Bear (Russia), Panda (China) |
| Microsoft | Weather Event | Volt Typhoon, Salt Typhoon, Midnight Blizzard |
| Mandiant | UNC + Number | UNC5221, UNC2452 |
🔒 Ransomware Deep Dive
Ransomware is the most financially damaging form of cybercrime, with estimated global losses exceeding $1 trillion annually when including downtime, recovery costs, and reputational damage.
💀 Modern Ransomware Kill Chain
- Initial Access — Phishing, RDP brute force, VPN zero-day, or purchased credentials.
- Foothold — Deploy backdoor/RAT (Cobalt Strike, Brute Ratel, Sliver).
- Privilege Escalation — Gain domain admin via Kerberoasting, pass-the-hash, or exploit.
- Lateral Movement — Spread through network using SMB, WMI, PsExec, or RDP.
- Data Exfiltration — Steal 100s of GBs for double-extortion leverage.
- Deployment — Trigger ransomware across all systems simultaneously (often on weekends/holidays).
- Ransom Demand — Demand sent via Tor-hidden negotiation portal.
🛑 How to Prevent Ransomware
- Enforce MFA on all remote access (VPN, RDP, web apps).
- Patch vulnerabilities within 24 hours for CISA KEV entries.
- Maintain offline, immutable backups tested regularly.
- Deploy EDR on all endpoints with tamper protection enabled.
- Segment networks — limit lateral movement blast radius.
- Disable unused protocols and exposures: internet-facing RDP, SMBv1, PowerShell v2.
- Train employees with realistic phishing simulations.
✅ Recovery tip: If hit, isolate immediately. Do not pay before consulting law enforcement (FBI/CISA). Paying does not guarantee decryption and funds further attacks.
🚨 Incident Response Playbook
A structured incident response (IR) process minimises damage, reduces recovery time, and prevents re-compromise. Based on the NIST SP 800-61 framework.
📋 The 6 Phases
1. Preparation
Establish an IR team, define roles, maintain contact lists, deploy security tooling (EDR, SIEM, netflow), and document critical assets. Run tabletop exercises quarterly.
2. Identification
Detect and confirm the incident. Sources: SIEM alerts, EDR detections, user reports, threat intel. Determine scope, affected systems, and initial entry point. Preserve evidence.
3. Containment
Short-term: Isolate affected systems (network quarantine), block attacker IPs/domains at the firewall. Long-term: Rebuild a clean environment, change all credentials, revoke compromised certificates.
4. Eradication
Remove all malware, backdoors, and persistence mechanisms. Identify and close the initial entry point. Patch the exploited vulnerability. Verify no attacker access remains.
5. Recovery
Restore systems from clean backups. Verify integrity before reconnecting. Monitor intensively for re-compromise. Gradual return to production with enhanced logging.
6. Lessons Learned
Post-incident review within 2 weeks. Document timeline, root cause, detection gaps, and improvements. Update playbooks, detection rules, and security controls.
⚠️ Critical: During an active incident, assume the attacker can read your communications. Use out-of-band channels (phone, Signal) for sensitive coordination.
📞 Key Contacts
| Organisation | Contact | Purpose |
|---|---|---|
| CISA | cisa.gov/report | US critical infrastructure incidents |
| FBI IC3 | ic3.gov | US cybercrime reporting |
| NCSC (UK) | ncsc.gov.uk | UK cyber incident reporting |
| Europol | europol.europa.eu | EU cross-border incidents |
🛡 Defense Strategies
🔐 Zero Trust Architecture
Never trust, always verify. Every user, device, and network connection must be authenticated and authorised regardless of location. Key principles: least-privilege access, micro-segmentation, continuous verification, and an assume-breach mindset.
🧱 Defence in Depth
Layered security controls so that if one fails, others remain. Layers include: perimeter (firewall, WAF), network (IDS/IPS, segmentation), endpoint (EDR, AV), identity (MFA, PAM), data (DLP, encryption), and application (SAST, DAST).
📊 Key Security Metrics
| Metric | Target |
|---|---|
| Mean Time to Detect (MTTD) | < 1 hour for critical alerts |
| Mean Time to Respond (MTTR) | < 4 hours for critical incidents |
| Critical Vuln Patch Time | < 24 hours for KEV entries |
| MFA Coverage | 100% of remote access |
| EDR Coverage | > 95% of endpoints |
| Backup Recovery Time | < 4 hours RTO for critical systems |
🔑 Top 10 Security Controls
- Multi-Factor Authentication on all accounts.
- Privileged Access Management (PAM) with just-in-time access.
- EDR on all endpoints with behavioural detection.
- Network segmentation and micro-segmentation.
- Immutable, tested backups (3-2-1 rule: 3 copies, 2 media, 1 offsite).
- Vulnerability management with risk-based patching prioritisation.
- DNS filtering to block malicious domains.
- Email security (SPF/DKIM/DMARC, anti-phishing, sandboxing).
- Security awareness training and phishing simulations.
- Threat hunting and proactive IOC monitoring.
CyberTree Wiki
A community-driven cybersecurity knowledge base covering techniques, tools, threat actors, and defensive strategies. Opens in your browser — no login required.
🌳 Open CyberTree Wiki ↗