Application Programming Interface
2. Behavior-based correlation
If a device is infected with any kind of malware, its behavior in the network changes. For example, new connections are established to servers it has never talked to before, and the malware tries to spread within the network and to discover further systems and vulnerabilities. To distinguish this behavior from the normal actions of a device and to detect threats hidden in legitimate traffic, the behavior of the device has to be deduced from the entire network traffic of this device. By correlating the different flows of a device over time, its behavior can be determined. Deviations from the known legitimate behavior can then be detected to indicate infections or malicious actors.
Basic Input/Output System; firmware used to initialize hardware during the booting process and to provide runtime services for operating systems and programs.
Malicious software that neutralizes or circumvents local endpoint security solutions, connects to a C&C infrastructure for instructions from cyber criminals, and carries them out. In effect, the local device is under the control of the attackers.
Bring Your Own Device (also called device management); the practice of allowing network users to access the (usually wireless) network of an organization with their own computers, smartphones, tablets and other devices. BYOD has a major impact on networks with large and diverse user bases, such as educational institutions or large and small business networks.
Command and Control; a C&C server infrastructure usually controls a number of bots. Network traffic to known command and control servers is a certain sign of an infection.
Classless Inter-Domain Routing; a method for allocating IP addresses and IP routing. An address range is written as a prefix address followed by the number of leading 1 bits in the netmask, e.g. 192.0.2.0/24 for IPv4 or 2001:db8::/32 for IPv6.
Data Leakage Protection; compares the traffic payload to defined patterns of filenames and data to detect and prevent the unauthorized transmission of confidential information to unauthorized parties.
Demilitarized Zone; a special network segment between two other larger segments to provide secure services and special filtering to network traffic. Network access is allowed from each side to the application proxies and services within the DMZ but not from one side directly to the other. Only the services within the DMZ can initiate (controlled) network access to both sides.
Dynamic Network Object; dynamic lists of addresses (MAC, IPv4 or IPv6) used in source/destination conditions of policies and rules. Device addresses are added by rule actions, for example when a specific behavior is detected for a device. The set of policies in effect for a certain device can change dynamically depending on whether the device is listed in a DNO or not. DNOs are one of the cornerstones of self-modifying policies and enable threat isolation and prevention.
Domain Name System; a system that is used to translate structured, human-readable names like "www.cognitix.de" into machine readable data, such as IPv4 addresses, IPv6 addresses, responsible mail server, etc.
Event Tracking Table; policy-specific tables that track and correlate pairs of enriched flow attributes over time. Rules can then check for the presence of certain attributes or count their number to influence how future flows are handled based on the attributes seen in earlier flows of communication. This is the cornerstone of behavior-based correlation to determine the behavior of users and devices and to monitor malicious behavior.
A logical connection of packets belonging to the same communication. For example, the request and response of an HTTP connection are one flow; an ICMP echo request and its corresponding echo reply can also be seen as one flow.
The gateway in a layer 3 network segment is the device where traffic is sent if the destination is not within the same network segment. The gateway is the default router to connect a specific network segment with the rest of the networks.
Hypertext Transfer Protocol; used for unencrypted communication over computer networks, including the Internet, to transfer text and similar documents from a server to the client. Most commonly used by web browsers but also by applications and malicious software.
Encrypted version of HTTP; Transport Layer Security (TLS, formerly known as SSL) is used to encrypt the connection and to encapsulate the plain HTTP traffic. Authenticity of the server and optionally of the client is ensured using certificates and certificate authorities.
Intel's proprietary simultaneous multithreading (SMT) implementation. For each physical processor core, the operating system addresses two virtual cores and shares the workload between them when possible. One physical core therefore appears as two processors to the operating system, allowing concurrent scheduling of two processes per core.
Intrusion Detection System
Intrusion Detection System/Intrusion Prevention System; a software or appliance that inspects and analyzes packets and data for numerous patterns of malicious behavior and different types of risks. When deployed as a detection system, it raises an alarm. When deployed as a prevention system, immediate action is taken to block the malicious traffic and alert the network administrators.
Internet Engineering Task Force; an open standards organization that develops and promotes voluntary Internet standards.
Indicator of Attack; a marker to indicate an imminent or running attack. For example, IoA lists contain IP addresses of known botnets. Network traffic from these addresses can usually be blocked right away to prevent attacks and infections.
Indicator of Compromise; a marker to indicate that the device might be infected with malware. IoC lists contain URLs, domains and IP addresses only seen in traffic between the malware and its C&C servers or when exfiltrating data. When devices access domains used for distributing malware, this may also be a sign of an imminent infection.
24. IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. Human readable names are translated into IP addresses via DNS. There are IPv4 and IPv6 addresses.
Internet Protocol Flow Information Export; provides a common, universal standard of export for Internet Protocol flow information from routers, probes and other devices. It defines how IP flow information is to be formatted and transferred from an exporter to a collector.
Internet Protocol version 4. IPv4 addresses are 32-bit addresses and are represented by 4 octets of decimal digits separated by a period, for example
Internet Protocol version 6 was created in response to the depletion of available IPv4 addresses. IPv6 addresses are 128-bit addresses and are represented by eight groups of four hexadecimal digits, separated by colons, for example 2001:db8:0000:0000:0000:0000:0000:0000. IPv6 addresses can be abbreviated by dropping leading zeros within a group and by replacing one run of consecutive all-zero groups with a double colon; for example, the previous address can also be written as 2001:db8::.
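The CIDR and IPv6 entries above state the notation rules in words. The following added example (not part of the original glossary and not Threat Defender code; the function names are my own) implements both: a CIDR membership check that masks the leading prefix bits, and an IPv6 abbreviation routine that follows the zero-group compression rule, with a cross-check against Python's standard `ipaddress` module. It also handles the tie-break that the glossary does not mention: when two zero runs are equally long, the leftmost one is compressed, and a single zero group is never compressed.

```python
from __future__ import annotations
import ipaddress
from typing import List


def expand_ipv6(addr: str) -> List[int]:
    """Return the eight 16-bit groups of an IPv6 address, accepting a '::' abbreviation."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = [int(g, 16) for g in head.split(":")] if head else []
        tail_groups = [int(g, 16) for g in tail.split(":")] if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + [0] * missing + tail_groups
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"not a valid IPv6 address: {addr!r}")
    return groups


def compress_ipv6(addr: str) -> str:
    """Canonical abbreviation: lowercase hex without leading zeros; the longest run
    of two or more all-zero groups becomes '::' (leftmost run wins a tie)."""
    groups = expand_ipv6(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:          # strictly longer, so the leftmost run wins ties
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(g, "x") for g in groups]
    if best_len >= 2:                     # a single zero group is written out as '0'
        left = ":".join(hexs[:best_start])
        right = ":".join(hexs[best_start + best_len:])
        return f"{left}::{right}"
    return ":".join(hexs)


def _to_int(addr: str) -> tuple[int, int]:
    """Return (integer value, address width in bits) for an IPv4 or IPv6 address."""
    if ":" in addr:
        value = 0
        for g in expand_ipv6(addr):
            value = (value << 16) | g
        return value, 128
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr!r}")
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value, 32


def cidr_contains(cidr: str, addr: str) -> bool:
    """True if addr lies inside the CIDR block, i.e. both agree on the leading prefix bits."""
    prefix, length_str = cidr.split("/")
    length = int(length_str)
    prefix_val, bits = _to_int(prefix)
    addr_val, addr_bits = _to_int(addr)
    if bits != addr_bits:                 # an IPv4 address is never inside an IPv6 block
        return False
    if not 0 <= length <= bits:
        raise ValueError(f"prefix length {length} out of range for {bits}-bit address")
    mask = ((1 << bits) - 1) ^ ((1 << (bits - length)) - 1)   # 'length' leading 1 bits
    return (prefix_val & mask) == (addr_val & mask)


def matches_stdlib(addr: str) -> bool:
    """Cross-check the hand-written abbreviation against ipaddress.IPv6Address."""
    return compress_ipv6(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    print(compress_ipv6("2001:db8:0000:0000:0000:0000:0000:0000"))
    print(cidr_contains("192.0.2.0/24", "192.0.2.77"), cidr_contains("2001:db8::/32", "2001:db9::1"))
```

Run it directly to see the glossary's own example address abbreviated; the `matches_stdlib` helper is there so that you can feed it arbitrary addresses and confirm the hand-written rule agrees with the library.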
28. Layer 2
The data link layer in the OSI networking model. This layer provides the functional and procedural means required to transfer data between network entities.
29. Layer 3
30. Layer 4
The transport layer in the OSI networking model. This layer provides the protocols for host-to-host communication services for applications.
31. Layer 7
The application layer in the OSI networking model. This layer is closest to the end user. This layer interacts with software applications that contain a communication component.
32. Link-local address
A link-local address is a network address that is valid only for communications within the network segment or the broadcast domain that the host is connected to.
33. MAC address
Media Access Control address; a unique identifier assigned to a network interface used for network communication. A MAC address is assigned to a device by the manufacturer and so this address, unlike an IP address, does not normally change. MAC addresses are written as six groups of two hexadecimal digits, separated by hyphens or colons, for example,
Malicious software that infects the system and performs unwanted and possibly harmful actions. Subtypes are Trojans, worms, ransomware, bots and others.
Connecting a host or a computer network to more than one network to increase reliability and/or performance.
37. Network segmentation
A network can be divided into smaller segments for various reasons. Mostly it is used to protect the individual segments from each other. Each segment has its own layer 3 address range and routers are deployed to forward network traffic from one segment to another. If these routers are combined with a firewall, access from one segment to another can be controlled with firewall rules allowing or denying traffic.
38. Network switch
A hardware device that connects network devices on layer 2 (the Ethernet layer). Devices are identified by their MAC address and the switch forwards traffic as needed to a specific target device or broadcasts it to all devices.
Network Interface Controller; hardware component that connects a computer to a computer network.
Non-Uniform Memory Access; a computer memory design used in multiprocessing, where the memory access time depends on the memory location relative to the processor. Under NUMA, a processor can access its own local memory faster than non-local memory.
Open Systems Interconnection model; a conceptual model that characterizes the communication functions of a communication system irrespective of its underlying internal structure and technology. It divides the system into abstraction layers.
A packet is a unit of data that is transmitted between communicating devices. A packet contains both the message being sent and control information, such as the source and destination address, source and destination port, transport protocol and sequence number.
Private enterprise number
A set of rules, event tracking tables and dynamic network objects to describe legitimate and/or malicious behavior and to act on this behavior. While a single rule can only act on a specific flow, a policy acts on the behavior of a device and can affect the whole network traffic of a device for example by completely isolating an infected device.
Port numbers are communication endpoints used to allow network communication. Different ports are used for different application-specific or process-specific purposes. For example, the HTTP protocol uses port 80.
47. Proxy server
A proxy server acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server and requests some service (e.g. a connection, web page, etc.) available from a different server. The proxy server then evaluates the request.
A set of conditions of traffic parameters that trigger specified actions. When used in combination with cognitix event tracking tables (ETT) and dynamic network objects (DNO), more complex policies to describe the behavior of devices can be created.
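The behavior-based correlation, ETT, DNO, policy and rule entries describe one mechanism from different angles: a rule tracks attribute pairs of a device's flows in an event tracking table, a rule action adds the device to a dynamic network object once a threshold is crossed, and the policy in effect for that device then changes for all of its traffic. The following added example (not Threat Defender's code; `EventTrackingTable`, `DynamicNetworkObject`, `correlate` and the sample flows are constructed stand-ins) shows that loop end to end for one detection: a device that contacts many distinct hosts on the same port within a short window, the spreading behavior named in the behavior-based correlation entry.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One classified flow (constructed; not a real export format)."""
    ts: float      # seconds since some epoch
    src: str       # device address
    dst: str       # destination address
    dport: int     # destination port
    proto: str     # "tcp" or "udp"


class EventTrackingTable:
    """Per-key table of (timestamp, attribute) events over a sliding window;
    a hypothetical stand-in for a policy's ETT."""

    def __init__(self, window_s: float) -> None:
        self.window_s = window_s
        self._events: Dict[str, List[Tuple[float, str]]] = defaultdict(list)

    def track(self, key: str, attr: str, ts: float) -> int:
        """Record attr for key, expire events older than the window, and return
        the number of distinct attributes still inside the window."""
        cutoff = ts - self.window_s
        live = [(t, a) for t, a in self._events[key] if t >= cutoff]
        live.append((ts, attr))
        self._events[key] = live
        return len({a for _, a in live})


class DynamicNetworkObject:
    """Dynamic address list; membership changes which policy applies to a device."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.members: Set[str] = set()

    def __contains__(self, addr: str) -> bool:
        return addr in self.members


def correlate(flows: List[Flow], window_s: float = 60.0, threshold: int = 4):
    """Apply one policy to a flow list in timestamp order.
    Returns (decisions, isolated devices); decisions are (ts, src, dst, action)."""
    ett = EventTrackingTable(window_s)
    isolated = DynamicNetworkObject("isolated")
    decisions: List[Tuple[float, str, str, str]] = []
    for f in sorted(flows, key=lambda x: x.ts):
        # Policy selection: a device listed in the DNO loses all network access,
        # whatever the individual flow looks like.
        if f.src in isolated:
            decisions.append((f.ts, f.src, f.dst, "drop"))
            continue
        # Rule: count distinct destinations per (source, protocol, port) in the window.
        distinct = ett.track(f"{f.src}/{f.proto}/{f.dport}", f.dst, f.ts)
        if distinct >= threshold:
            isolated.members.add(f.src)          # rule action: add device to the DNO
            decisions.append((f.ts, f.src, f.dst, "allow+isolate"))
        else:
            decisions.append((f.ts, f.src, f.dst, "allow"))
    return decisions, sorted(isolated.members)


def actions_for(decisions, src: str) -> List[str]:
    """Actions taken for one device, in timestamp order."""
    return [action for _, s, _, action in decisions if s == src]


# Constructed sample traffic: 192.0.2.11 behaves normally, 192.0.2.10 starts
# probing its neighbours on port 445 after an ordinary DNS lookup.
SAMPLE_FLOWS = [
    Flow(0, "192.0.2.11", "192.0.2.1", 53, "udp"),
    Flow(1, "192.0.2.10", "192.0.2.1", 53, "udp"),
    Flow(5, "192.0.2.11", "198.51.100.7", 443, "tcp"),
    Flow(10, "192.0.2.10", "192.0.2.20", 445, "tcp"),
    Flow(11, "192.0.2.10", "192.0.2.21", 445, "tcp"),
    Flow(12, "192.0.2.10", "192.0.2.22", 445, "tcp"),
    Flow(13, "192.0.2.10", "192.0.2.23", 445, "tcp"),   # fourth distinct target: threshold reached
    Flow(14, "192.0.2.10", "192.0.2.24", 445, "tcp"),   # dropped: device is now isolated
    Flow(20, "192.0.2.10", "198.51.100.9", 443, "tcp"), # dropped too: isolation covers all traffic
    Flow(40, "192.0.2.11", "198.51.100.8", 443, "tcp"),
]

if __name__ == "__main__":
    decisions, members = correlate(SAMPLE_FLOWS)
    for d in decisions:
        print(d)
    print("isolated:", members)
```

Note the order inside the loop: DNO membership is checked before the rule runs, so the flow that crosses the threshold is still passed while every later flow of that device, on any port, is dropped. The window matters as much as the threshold: the same four destinations contacted minutes apart never accumulate in the table and never trigger the action.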
The correlation and policy engine of Threat Defender classifies traffic and applies policies to it during a single pass through Threat Defender, minimizing delays and use of resources.
An open source software for intrusion detection.
By masquerading as something else, attackers try to get access to elevated permissions or simply to hide when entering and attacking networks. A local attacker might spoof their MAC address to disguise their machine as a network printer and evade detection. An attacker might spoof the IP address of another user to pretend to be that user and get past IP-based firewall rules to access more sensitive areas of the network.
A subnet is a segment of the network that is separated physically by routing network devices and/or logically by the different addressing of the nodes. Dividing the network into subnets increases performance by isolating traffic from network segments where it does not need to go, and it increases security by isolating access. The addressing scope of a subnet is defined by its IP address and subnet mask. Its connection to other networks is achieved using gateways and routers.
A standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.
Transmission Control Protocol; a protocol that defines how communication is established and maintained via an IP network. It provides host-to-host connectivity at the transport layer of the OSI model.
56. TCP reset
All packets of a TCP connection contain a TCP header with a bit known as the "reset" (RST) flag. If this bit is set to 1, it indicates that the receiving computer should immediately stop using this TCP connection and discard any further packets it receives with headers indicating they belong to that connection. A TCP reset instantly terminates a TCP connection.
57. Threat intelligence
Information about threats, attackers, malware, resources, attack vectors, countermeasures and prevention tactics to gain knowledge about the threats impacting the network. If threat intelligence is combined with real-time correlation of the network traffic and security events, the situational awareness needed to assess and act on current threats is created.
58. TLS / SSL
Transport Layer Security, formerly named Secure Sockets Layer (SSL), is a protocol for encrypting information that is transmitted over a network, including the Internet. TLS can be used for secure communications to a webserver (HTTPS) and for allowing remote users to access a network via a virtual private network.
User Datagram Protocol; allows applications to send messages to other hosts in an IP network.
Unified Extensible Firmware Interface; defines a software interface between an operating system and platform firmware.
Uniform Resource Locator; a human-readable text string that refers to a network resource. A URL usually consists of a fully qualified domain name and a path on the server. For example, www.cognitix.de/products/ denotes the domain name www.cognitix.de and the path /products/. URLs are most commonly used on the Internet, where they are also known as web addresses. URLs can also be used in web filtering to block access to specific websites.
Universally Unique Identifier
Virtual Local Area Network; used to logically divide a single local area network (LAN) into different parts that function independently. By adding the VLAN tag to the layer 2 encapsulation of network traffic, several layer 3 networks can share one physical connection without interfering with each other.
Virtual Private Network; extends a private network across a public network. Applications running across a VPN benefit from the functionality, security and management of the private network. A VPN is created by establishing a virtual point-to-point connection using dedicated connections, virtual tunneling protocols and/or traffic encryption.
A weakness of a system or software that can be exploited. Vulnerabilities are usually caused by bugs in the implementation but some are also caused by problems in the design of a protocol or process. Known vulnerabilities are categorized by severity depending on the ramifications when exploited. Some vulnerabilities cause the target service to crash while others can be used to access data that is otherwise inaccessible. Other vulnerabilities can be exploited to execute arbitrary code and get elevated permissions for further exploits.
A TCP-based transaction-oriented query/response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block or an autonomous system, but is also used for a wider range of other information.
67. Zero day
A vulnerability that is not widely known and for which no prevention or fix is available. Exploits for zero days are sold for higher prices as they promise certain access to the targeted system.
68. Zero Trust
As networks grow more complex, applications become more distributed and interactions with foreign systems become more frequent. The classical notion of the trusted local network versus the untrusted outside world no longer holds. Instead, even the local networks cannot be trusted.