Welcome to the CTI Lexicon, your guide to some of the jargon and acronyms liberally used in CTI. You will sometimes find these peppered in reports with no explanation offered, or in the Tweets of professionals from Infosec Twitter™.
ACRONYM | DESCRIPTION |
---|---|
CTI | Cyber Threat Intelligence |
TIP | Threat Intelligence Portal |
IOCs | Indicators of Compromise |
IOAs | Indicators of Attack |
HBI | Host-based Indicator |
NBI | Network-based Indicator |
TLP | Traffic Light Protocol |
TTP | Tactics, Techniques, and Procedures |
TA | Threat Actor |
APT | Advanced Persistent Threat |
CNOs | Computer Network Operations |
CNAs | Computer Network Attacks |
CNE | Computer Network Exploitation |
BGH | Big Game Hunting |
HOR | Human-Operated Ransomware |
HOK | Hands-on-Keyboard |
DEATH | Detection Engineering And Threat Hunting |
STIX | Structured Threat Information Expression |
TAXII | Trusted Automated Exchange of Indicator Information |
MAR | Malware Analysis Report |
ACRONYM | DESCRIPTION |
---|---|
CARVER | Criticality, Accessibility, Recuperability, Vulnerability, Effect and Recognizability |
BLUF | Bottom Line Up Front |
FINTEL | Finished Intelligence |
ACH (1) | Analysis of Competing Hypotheses |
I/Os | Influence Operations |
PSYOPS | Psychological Operations |
ISR | Intelligence, Surveillance, and Reconnaissance |
AKA | Also Known As |
RFI | Request For Information/Intelligence |
SOP | Standard Operating Procedure |
ICP | Intelligence Collection Plan |
PIR | Priority Intelligence Requirements |
GIR | General Intelligence Requirements |
KIQ | Key Intelligence Questions |
OSINT | Open Source Intelligence |
HUMINT | Human Intelligence |
SIGINT | Signals Intelligence |
SOCMINT | Social Media Intelligence |
GEOINT | Geospatial Intelligence |
MASINT | Measurement and Signature Intelligence |
FININT | Financial Intelligence |
CRIMINT | Criminal Intelligence |
OPSEC | Operational Security |
SATs | Structured Analytic Techniques |
AOO | Action on Objectives |
COA | Courses of Action |
FOUO | For Official Use Only |
ORCON | Originator Control |
NOFORN | No Foreign Nationals |
SC/eSC | Security Check / Enhanced Security Check |
DV/eDV | Developed Vetting / Enhanced Developed Vetting |
SCIF | Sensitive Compartmented Information Facility |
CHSI | Confidential Human Source Information |
OPE | Operational Preparation of the Environment |
CONOPS | Concept of Operations |
ACRONYM | DESCRIPTION |
---|---|
MENA | Middle East and Northern Africa |
EMEA | Europe, Middle East, and Africa |
APAC | Asia-Pacific |
ASEAN | Association of Southeast Asian Nations |
LATAM | Latin America |
BRICS | Brazil, Russia, India, China and South Africa |
CIS | Commonwealth of Independent States |
NATO | North Atlantic Treaty Organisation |
FVEY | Five Eyes Intelligence Alliance - US, UK, Australia, Canada, New Zealand |
GRU | Main Intelligence Directorate of the Russian Federation |
SVR | Foreign Intelligence Service of the Russian Federation |
FSB | Russian Federal Security Service |
MSS | Chinese Ministry of State Security |
PLA | Chinese People's Liberation Army |
IRGC | Islamic Revolutionary Guard Corps of Iran |
RGB | North Korean Reconnaissance General Bureau |
NSA TAO | National Security Agency Tailored Access Operations |
NSA SID | National Security Agency Signals Intelligence Directorate |
NSC | National Security Council |
DNI | Director of National Intelligence |
CIA | Central Intelligence Agency |
CYBERCOM | United States Cyber Command |
DOJ | US Department of Justice |
DHS | US Department of Homeland Security |
CISA | Cybersecurity and Infrastructure Security Agency |
ENISA | European Union Agency for Cybersecurity |
NCSC | UK National Cyber Security Centre |
GCHQ | UK Government Communications Headquarters |
JFCyG | Joint Forces Cyber Group |
NCF | National Cyber Force |
CCCS | Canadian Centre for Cyber Security |
CSIS | Canadian Security Intelligence Service |
ACSC | Australian Cyber Security Centre |
ASD | Australian Signals Directorate |
BND | Federal Intelligence Service of Germany |
AIVD | General Intelligence and Security Service of the Netherlands |
ISI | Inter-Services Intelligence of Pakistan |
IB | Intelligence Bureau of India |
R&AW | Research and Analysis Wing, India's foreign intelligence agency |
GIP | General Intelligence Presidency of Saudi Arabia |
SIA | Signals Intelligence Agency of UAE |
DGSE | Directorate-General for External Security of France |
ANSSI | French National Cybersecurity Agency |
NIS | National Intelligence Service of South Korea |
IDF | Israel Defense Forces |
INCD | Israeli National Cyber Directorate |
JSDF | Japan Self-Defense Forces |
OIC | Organisation of Islamic Cooperation |
BRI | The Chinese Belt and Road Initiative |
GCC | Gulf Cooperation Council |
QRF | Quick Reaction Force |
CBRN | Chemical, Biological, Radiological, Nuclear |
DSTL | UK Defence Science and Technology Laboratory |
CNI | Critical National Infrastructure |
CIKR | Critical Infrastructure and Key Resources |
ACRONYM | DESCRIPTION |
---|---|
CTSFO | Counter Terrorist Specialist Firearms Officer |
LEA | Law Enforcement Agency |
FBI | US Federal Bureau of Investigation |
NCA | UK National Crime Agency |
MLAT | Mutual Legal Assistance Treaty |
CLOUDA | Clarifying Lawful Overseas Use of Data Act |
FTO | Foreign Terrorist Organisation |
HVE | Home-grown Violent Extremist |
DVE | Domestic Violent Extremist |
ULO | Unaffiliated Violent Extremist |
ERWT | Extremist Right Wing Terrorist |
LASIT | Left-Wing, Anarchist and Single-Issue Terrorism |
MCI | Mass Casualty Incident |
UAS | Unmanned Aircraft System |
UAV | Unmanned Aerial Vehicle |
ACRONYM | DESCRIPTION |
---|---|
BEC | Business Email Compromise |
CVE | Common Vulnerabilities and Exposures |
CWE | Common Weakness Enumeration |
IoT | Internet of Things |
TOR | The Onion Router |
RAT | Remote Access Trojan |
C&C | Command and Control Server (aka C2 or CnC) |
RaaS | Ransomware as a Service |
MaaS | Malware as a Service |
DaaS | Downloader as a Service |
AaaS | Access as a Service |
IaC | Infrastructure as Code |
SaaS | Software as a Service |
PaaS | Platform as a Service |
DDoS | Distributed Denial of Service |
RCE | Remote Code Execution |
PoC | Proof of Concept |
LOLBin | Living off the Land Binary |
LOLBAS | Living off the Land Binary and Scripts |
VM | Virtual Machine |
VDI | Virtual Desktop Infrastructure |
ESXi | enterprise hypervisor developed by VMware |
VPN | Virtual Private Network |
VPS | Virtual Private Server |
RDP | Remote Desktop Protocol (Port 3389) |
SMB | Server Message Block (Port 139 or 445) |
XSS | Cross-site Scripting |
CSRF | Cross-site Request Forgery |
SSRF | Server-side Request Forgery |
XXE | XML External Entity |
SQLi | SQL Injection |
FUD (1) | Fear, Uncertainty, Doubt |
FUD (2) | Fully Undetected |
TCP/IP | Transmission Control Protocol / Internet Protocol |
TLS | Transport Layer Security |
SSL | Secure Sockets Layer |
SSH | Secure Shell Protocol |
2FA | Two-factor authentication |
MFA | Multi-factor authentication |
OTP | One-Time Passcode |
API | Application Programming Interface |
CDN | Content Delivery Network |
EDN | Email Distribution Network |
MitM | Man in the Middle |
MitB | Man in the Browser |
MBR | Master Boot Record |
MFT | Master File Table |
AD | Active Directory |
AAD | Azure Active Directory |
DC | Domain Controller |
NTFS | New Technology File System |
NRD | Newly Registered Domain |
JS | JavaScript |
VBS | Visual Basic Script |
VBA | Visual Basic for Applications |
GPO | Group Policy Object |
OS | Operating System |
SSD | Solid State Drive |
HDD | Hard Disk Drive |
FQDN | Fully Qualified Domain Name |
CIDR | Classless Inter-Domain Routing |
BGP | Border Gateway Protocol |
CMDB | Configuration Management Database |
MX | Mail Exchange |
IX | Internet Exchange |
FP | False Positive |
TP | True Positive |
FN | False Negative |
TN | True Negative |
RCA | Root Cause Analysis |
OCR | Optical Character Recognition |
DPI | Deep Packet Inspection |
DNS | Domain Name System |
DoH | DNS over HTTPS |
ACRONYM | DESCRIPTION |
---|---|
MSM | Mainstream Media |
SOC | Security Operations Centre |
CERT | Computer Emergency Response Team |
TVM | Threat and Vulnerability Management |
ISAC | Information Sharing and Analysis Center |
ISAO | Information Sharing and Analysis Organization |
PSIRT | Product Security Incident Response Team |
CSIRT | Computer Security Incident Response Team |
PII | Personally Identifiable Information |
ISP | Internet Service Provider |
MSP | Managed Service Provider |
MSSP | Managed Security Service Provider |
VDP | Vulnerability Disclosure Program |
IR | Incident Response |
DFIR | Digital Forensics and Incident Response |
EDR | Endpoint Detection and Response |
AV | Antivirus |
FW | Firewall |
DRP | Disaster Recovery Plan |
BCP | Business Continuity Plan |
ICS | Industrial Control System |
SCADA | Supervisory Control and Data Acquisition |
OT | Operational Technology |
PLC | Programmable Logic Controller |
HMI | Human Machine Interface |
DCS | Distributed Control System |
SIS | Safety Instrumented System |
BMS | Building Management System |
DCIM | Data Center Infrastructure Management |
SIEM | Security Information and Event Management |
SOAR | Security Orchestration, Automation, and Response |
XDR | Extended Detection and Response |
UEBA | User and Entity Behaviour Analytics |
ML | Machine Learning |
AI | Artificial Intelligence |
ROI | Return on Investment |
FMCG | Fast Moving Consumer Goods |
NPP | Nuclear Power Plant |
O&G | Oil and Gas (also ONG) |
UTM | Unified Threat Management |
GDPR | General Data Protection Regulation |
CCPA | California Consumer Privacy Act |
CMA | Computer Misuse Act |
CFAA | Computer Fraud and Abuse Act |
MLAT | Mutual Legal Assistance Treaty |
CLOUDA | Clarifying Lawful Overseas Use of Data Act |
IP | Intellectual Property |
FOIA | Freedom of Information Act |
TTX | Table Top Exercise |
HIBP | Have I Been Pwned |
WP | WordPress |
AWS | Amazon Web Services |
GCP | Google Cloud Platform |
OCI | Oracle Cloud Infrastructure |
MDE | Microsoft Defender for Endpoint |
SME (1) | Small Medium Enterprise |
SME (2) | Subject Matter Expert |
PSOA | Private Sector Offensive Actor |
FIDO | Fast IDentity Online |
PKI | Public Key Infrastructure |
OKR | Objectives and Key Results |
SMART | Specific, Measurable, Assignable, Realistic and Time-related |
SLA | Service-level Agreement |
IRP | Incident Response Plan |
GRC | Governance Risk and Compliance |
IAM | Identity and Access Management |
MDR | Managed Detection and Response |
ATO | Account Takeover |
HSM | Hardware Security Module |
MNO | Mobile Network Operator |
UAT | User Acceptance Testing |
MUA | Mail User Agent |
MTA | Message Transfer Agent |
MDA | Message Delivery Agent |
VX | Virus Exchange |
TERM | DESCRIPTION |
---|---|
BTC | Bitcoin |
ETH | Ethereum |
XMR | Monero |
DeFi | Decentralised Finance |
DEX | Decentralized Exchange |
CEX | Centralized Exchange |
P2PE | Peer-to-peer Exchange |
VAs | Virtual Assets |
VASPs | Virtual Asset Service Providers |
KYC | Know Your Customer |
CDD | Customer Due Diligence |
PoS | Point of Sale |
OFAC | Office of Foreign Assets Control (US) |
FINCEN | Financial Crimes Enforcement Network (US) |
FCA | Financial Conduct Authority (UK) |
SAR | Suspicious Activity Report |
STR | Suspicious Transaction Report |
ML | Money Laundering |
TF | Terrorist Financing |
AML | Anti-Money Laundering |
CFT | Combating the Financing of Terrorism |
FATF | Financial Action Task Force |
SWIFT | Society for Worldwide Interbank Financial Telecommunication |
ACH (2) | Automated Clearing House |
FIU | Financial Intelligence Unit |
PRF | Payment Redirection Fraud |
PCI DSS | Payment Card Industry Data Security Standard |
SVC | Stored Value Card |
TERM | DESCRIPTION |
---|---|
Counter Intelligence | Learning what the opposition knows |
State-sponsored | Supported financially or authorised by a sovereign state |
NatSec | National Security |
Malware | Malicious Software |
Ransomware | Malware that encrypts files and demands a ransom for the decryption key |
Wiper | Malware that destroys data |
Worm | Self-spreading malware |
Spyware | Malicious Software for surveillance |
Trojan | Malware in disguise |
Infostealer | Credential harvesting malware |
Web Shell | Command and script interpreter deployed on a compromised website |
Skimmer | Malicious script that exfiltrates form data from a website |
Cryptomining/Cryptojacking | Malicious cryptocurrency mining program that consumes system resources |
Packer | Malware obfuscation tool |
Payload | Component intended for delivery |
Backdoor | Remote access via an infected system |
Botnet | Network of infected devices |
Loader | Malware delivery system |
Phishing | Malicious email used to push malware or harvest credentials |
Phishing Kit | Collection of assets used to launch a phishing campaign |
SMiShing | SMS-based phishing |
SIM Swapping | When a mobile carrier is tricked into transferring a victim's phone number to an attacker |
Spear-phishing | Highly targeted phishing |
Vishing | Voice-based phishing |
Vulnerability | An error found within a system |
Exploit | Leveraging a vulnerability to gain an advantage |
Exploit Kit | Toolkit that exploits multiple vulnerabilities to push malware |
0day | Unpatched vulnerability |
PrivEsc | Privilege Escalation |
PreAuth | Pre-authentication (reachable without authenticating) |
Patch Gap | Time between the release of a software patch and its application by the affected organisation |
Shell | Command and script interpreter deployed on a compromised system |
Enumeration | The process of listing all the attributes of a system |
Cybercrime | Computer aided crime (aka eCrime) |
Clearweb | Websites without a barrier to entry |
Darknet | .onion sites invisible to the clearweb |
Deepweb | Closed parts of the clear web (e.g. group chats, private servers, underground forums) |
Doxxed | When an individual's private information is made public |
Honeypot | A system that mimics a device to attract attackers |
Honeytrap | A threat actor (attractive in appearance) deployed to target personnel |
Social Engineering | Exploiting the human factor in a secure system |
Initial Access Broker | A hacker who sells their initial foothold in a network |
Data Broker | A hacker who sells databases and information |
Proxy | A separate internet connection between the destination and the source (aka VPN, VPS) |
Cyber-espionage | Computer-enabled state intelligence campaigns |
Drive-by Compromise | Unintentional download of malicious code |
Sock Puppet | Fictitious online identity |
Carding/Carders | Fraud using stolen credit cards |
Magecart | Cybercriminals who target online shopping cart systems built with Magento |
Golden Image/VM | Template OS image with preconfigured settings and applications that can be redeployed quickly |
Zero Trust | A security model based on the idea that devices should not be trusted by default |
Tiger Team | A team of specialists assembled to work on a specific goal or to solve a particular problem |
Mixer | A non-custodial service for laundering cryptocurrency by obfuscating transactions |
CoinJoin | A method to obfuscate transactions by obfuscating wallet addresses |
Chain Hopping | A method to obfuscate cryptocurrency transactions by changing blockchains/cryptocurrencies |