Glossary of Terms
Adware is a type of malware that is known for displaying advertisements on an infected device. Sometimes these are in the form of pop-ups or browser redirects and can be overwhelming to deal with. On the page there's a monster, inspired by a famous coyote, who appears anxious in a sea of billboard advertisements.
A botnet is a large group of infected devices that can all be made to perform an action by whoever controls them. Botnets are often used to carry out a Distributed Denial of Service (DDoS) attack. In this case, we have a dragon monster who loves flight and is controlling a swarm of bots to represent this concept.
Cryptojacking malware hides on infected devices, or in the browser via client-side code, and attempts to use a victim's processing power to mine cryptocurrency for financial gain. One physical sign you may be infected could be a sluggish PC or an internal fan working hard to cool the overworked CPU. This page exaggerates the concept by showing a hot laptop with smoke coming out of the sides with videogame-style coins being sent into the cloud.
Denial of Service
Mentioned in the Botnet description, a Denial of Service at its simplest is an attack that prevents the targeted host or service from working properly. It affects the availability of the service and stops or slows legitimate traffic from operating as expected. This illustration demonstrates the idea with an Alice in Wonderland inspired monster who is stuck in the only entrance to a building, effectively blocking access to or from the opening.
An exploit is the act of taking advantage of, or leveraging, a vulnerability to perform an unintended action, such as gaining remote access or executing code. This is demonstrated with a real-world example: a monster cat burglar picking a vulnerable lock in order to gain unauthorized access to a room. Red team assessments often also include physical components, such as lock picking.
Digital Forensics is the process of investigating digital evidence to either discover traces of a cybercrime or investigate and better understand malware. It is often used in conjunction with Incident Response to aid with malware analysis and reverse engineering. This is represented in the illustration by showing a detective monster who is following digital footprints (zeros and ones).
A grey hat is the name for a hacker whose ethics and practices are borderline legal. While a white hat hacker is considered a "good" security researcher and a black hat is a cyber criminal, a grey hat is somewhere in the middle. The monster in this image represents two personalities, with a nod to Dr. Jekyll and Mr. Hyde, and is good in the foreground and bad in the shadow.
A hacker can be defined at its simplest as a person who bypasses security measures and gains unauthorized access through unconventional means. A hacker is typically someone who breaks things, for good or for bad. The hacker monster on this page takes on the stereotype that all hackers work in dark hoodies with stickers covering their laptop.
Input sanitization is the act of filtering and escaping characters from user input that may otherwise be processed incorrectly by the code which handles that input. What is demonstrated in this conversation between the two monsters is really output encoding (URL encoding), which is the reverse process: displaying the input back again safely. We can assume the input is also filtered. You can see the raw input on the left, with special characters, and the encoded output in the response on the right.
A deserialization vulnerability is one in which serialized data from a file, stream, or network socket is converted back into an object in an unsafe way, which could result in arbitrary code execution or a denial of service (letter "D"). Java Deserialization is when this happens within a Java application, specifically. This concept is difficult to demonstrate with a real-world representation, so I took the liberty to have fun with it instead. The monster is drinking coffee (java) and is spilling his cereal (De-serial-ization).
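The defensive pattern behind this entry is to never let serialized input pick which classes get instantiated. The Python example below is added here and is not from the book; it applies the same idea the entry describes for Java to Python's `pickle` format, using a loader that resolves only allowlisted classes. The allowlist, the sample objects and the `try_load` helper are constructed for this example.

```python
import io
import pickle
import datetime
from collections import OrderedDict

# Allowlist of (module, name) pairs that the loader may resolve.
# Constructed for this example; a real application lists exactly the
# types its own data format needs and nothing else.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class outside SAFE_GLOBALS.

    pickle calls find_class() whenever the stream references a class or
    function by name; a plain Unpickler would import anything it is told to.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load {module}.{name}: not on the allowlist")


def restricted_loads(data: bytes):
    """Deserialize with the restricted loader (replacement for pickle.loads)."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes):
    """Return ("ok", obj) when loading succeeds, else ("rejected", reason)."""
    try:
        return ("ok", restricted_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample payloads standing in for data read from a socket or file.
def sample_plain_dict() -> bytes:
    # Built-in containers need no class lookup, so they always load.
    return pickle.dumps({"user": "alice", "roles": ["reader"]})


def sample_allowlisted_class() -> bytes:
    # OrderedDict is referenced by name in the stream and is on the allowlist.
    return pickle.dumps(OrderedDict(a=1, b=2))


def sample_unlisted_class() -> bytes:
    # datetime.date is harmless, but it is not on the allowlist, so the
    # loader must refuse it; an attacker-chosen class would be refused the same way.
    return pickle.dumps(datetime.date(2020, 1, 1))


if __name__ == "__main__":
    for label, data in [("dict", sample_plain_dict()),
                        ("OrderedDict", sample_allowlisted_class()),
                        ("date", sample_unlisted_class())]:
        print(label, try_load(data))
```

The important design choice is that the decision is an allowlist keyed on the exact module and class name, not a denylist of "dangerous" classes; a denylist is what most deserialization bypasses route around.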
A keylogger is malware which captures keystrokes, or input, from a victim and leaks it back to an adversary, character for character. This is represented in the book as one monster copying another monster's homework in a classroom, similar to how a keylogger would capture credentials and other sensitive information.
Lateral movement is the process of moving horizontally from one compromised host to another in a networked environment. Typically, once a hacker gains a foothold in a network they will attempt to move to other systems, gathering credentials and other sensitive information as they go. The ultimate goal is then to escalate privileges and move vertically. The act of moving from one electronic device to another is demonstrated by this monster playing dominoes with mobile phones, transferring energy from one to another.
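From the defender's side, the tell for this entry is one account authenticating to many different hosts in a short window. The detection below is added here as an illustration and is not from the book; the log line format, the sample events, the ten-minute window and the threshold of three hosts are all constructed for the example and would be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logon events: timestamp, account,
# source host and destination host. "svc-backup" fans out from one
# workstation to four servers within a few minutes; "bob" reaches two
# hosts but five hours apart.
SAMPLE_LOGS = [
    "2024-03-01T09:00:05 user=alice src=wks-12 dst=wks-12 result=success",
    "2024-03-01T09:01:10 user=bob src=wks-07 dst=file-01 result=success",
    "2024-03-01T09:02:00 user=svc-backup src=wks-12 dst=file-01 result=success",
    "2024-03-01T09:02:30 user=svc-backup src=wks-12 dst=file-02 result=success",
    "2024-03-01T09:03:15 user=svc-backup src=wks-12 dst=app-03 result=success",
    "2024-03-01T09:03:40 user=svc-backup src=wks-12 dst=dc-01 result=success",
    "2024-03-01T14:00:00 user=bob src=wks-07 dst=app-03 result=success",
]


def parse_event(line: str) -> dict:
    """Parse one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts_text)
    return event


def find_fan_out(lines, window=timedelta(minutes=10), threshold=3):
    """Return {user: sorted destination hosts} for every account that logged on
    to at least `threshold` distinct remote hosts within any `window`."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for ev in events:
        # Only successful logons to a host other than the one the user is on.
        if ev["result"] == "success" and ev["dst"] != ev["src"]:
            by_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            dsts = {e["dst"] for e in evs[start:end + 1]}
            # Keep the largest offending set seen for this user.
            if len(dsts) >= threshold and len(dsts) > len(alerts.get(user, ())):
                alerts[user] = sorted(dsts)
    return alerts


if __name__ == "__main__":
    for user, hosts in find_fan_out(SAMPLE_LOGS).items():
        print(f"possible lateral movement: {user} -> {', '.join(hosts)}")
```

Excluding same-host logons and sliding the window per account keeps the rule cheap enough to run over a day of authentication logs; service accounts that legitimately touch many hosts would be handled with a per-account baseline rather than by raising the global threshold.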
Malware is short for malicious software and is the general term for all code which is designed with the intention to do harm once executed. Malware is represented on many of the pages in this book, even the cover! The monster is inspired by Star Trek's tribble creatures and is shown doing harm to a desktop computer by destructively eating the insides, much like how malware can degrade the performance of a workstation or modify its files. However, most malware wants to be secretive and will run silently in the background to go unnoticed.
NOP stands for no-operation and is an instruction that tells the CPU to do nothing and continue on to the next instruction. A series of these acts as a sled for the CPU's execution flow. One example of this being used is by hackers who exploit buffer overflows when the location being jumped to is not easy to predict, in order to get arbitrary code to execute. Landing anywhere in these NOP instructions will cause the CPU to slide until it reaches the desired instruction. This Frankenstein's monster-inspired character is sliding down a snowy hill on its "NOP sled".
Malicious code is often masked, or obfuscated, in order to make it more difficult for people or defensive technologies to detect and analyze it. This makes it challenging for researchers who try to understand the malware and to create indicators that identify it. The Dracula inspired monster is disguising themselves as a sheep in order to fit in, similar to the famous "wolf in sheep's clothing" adage.
Phishing is a tactic used by hackers as a form of social engineering in which an email is sent to a target with the intent of tricking the recipient into some action. Typically a hyperlink is used with a fake landing page designed to look identical to a legitimate site, with the intent of capturing credentials or installing malware. Malware or malicious documents (maldocs) can also be attached directly to the email. The half-shark, half-swamp monster hybrid here is fishing with email bait for unsuspecting victims.
Query injection is a type of vulnerability which results from a lack of input sanitization (letter "I"). The most famous example of this is SQL Injection (SQLi), in which user input is treated as part of the query syntax and executed by the database back end. This can allow an attacker to execute arbitrary queries in order to access sensitive data, as in big data breaches, or even potentially execute operating system commands on the underlying system. The monster here, who is attempting to access a restricted area, is asked for a special password. The monster does not know the password but instead replies with a famous SQLi payload, which bypasses authentication and allows them access into the room.
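The bypass this entry describes works only when the application pastes the input into the query text. The example below is added here and is not from the book; it builds a throwaway SQLite database with a constructed `users` table and puts the string-concatenation version of a login check next to the parameterized one, which is the fix: with placeholders the driver sends the values separately from the SQL, so a quote character in the input can never change the query's structure.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('guard', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # BAD: user input is spliced into the query text, so quote characters
    # in the input are parsed as part of the SQL syntax.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username: str, password: str) -> bool:
    # GOOD: '?' placeholders; the values are bound by the driver and are
    # only ever compared as data, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both login checks against the same inputs and return the outcomes."""
    conn = make_db()
    tautology = "' OR '1'='1"   # the classic always-true input the entry alludes to
    return {
        "correct_creds_safe": login_safe(conn, "guard", "correct horse battery staple"),
        "wrong_creds_safe": login_safe(conn, "guard", "wrong"),
        "tautology_vulnerable": login_vulnerable(conn, "guard", tautology),
        "tautology_safe": login_safe(conn, "guard", tautology),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'access granted' if granted else 'denied'}")
```

Storing passwords in clear text, as the constructed table does, is itself a defect; it is kept here only so the two query styles can be compared on one line each. A real system stores a salted password hash and compares it in application code after fetching the row by username.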
Ransomware is a type of malware which encrypts files and prevents access to that data without a decryption key, which is unknown to the victim. Just like with any real-world ransom, a financial demand is made in order to "release" the files, typically in cryptocurrency that's not easily traceable. This concept is demonstrated with a traditional-looking ransom note made of monster letters with a Bitcoin demand to return the files.
Social Engineering is a technique used by adversaries in order to trick victims into performing some kind of action. For example, this can be a physical penetration test where a person or team breaks into a facility by pretending to be an employee or tailgating into a secured entrance. It can also be phishing, smishing (SMS phishing), or vishing (voice phishing). The illustration on this page shows a hacker monster pretending to be a help desk representative who is asking for credentials and credit card information.
Tunneling is a practice used by hackers in order to bypass firewall restrictions or to proxy traffic through a different route. The example here portrays a monster tunneling out of a restricted environment by going under a firewall, effectively bypassing the segmentation barrier.
Unauthorized access is the act of gaining access to a system or environment that is otherwise restricted to specific personnel. Bypassing authentication by exploiting a vulnerability or by cracking credentials are the most common examples of this. This Mission Impossible inspired octopus bandit is breaking into a locked vault by lowering themselves from the ceiling.
A vulnerability is a weakness in software that exposes it to an attack. It can then be exploited (letter "E") by an adversary in order to gain unauthorized access (letter "U"), execute arbitrary code, or install malware (letter "M"). Vulnerability assessments and penetration tests can help identify these issues before a malicious actor does, preventing a breach. The illustration on this page shows a goat monster scaling a cliff with a rope which is vulnerable to breaking because it is frayed.
War driving is the act of driving around to identify wireless vulnerabilities or to connect remotely to targets without physically being inside the facility. Wireless attacks can be launched from a parking lot or a curbside in order to get access to a network by proximity. This bug monster's Mini Cooper is fully decked out with a directional parabolic antenna and an omnidirectional Wi-Fi antenna to pick up signals from far away.
XSS (Cross Site Scripting)
Cross Site Scripting is a form of code injection vulnerability in which user input is displayed to a user in an unsafe way. It is caused by a lack of input sanitization (letter "I") and can lead to hijacked sessions, formjacking, content spoofing, and a number of other issues. Reflected, Persistent (or Stored), and DOM-based are the three types of XSS. The retro-styled monster on this page is spraying a famous XSS payload as graffiti and defacing a wall, similar to what you can do with XSS by injecting your own content onto a vulnerable page.
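The Input sanitization entry (letter "I") describes output encoding, and this entry describes what happens when it is missing, so one example serves both. The code below is added here and is not from the book; it shows a greeting rendered with and without HTML escaping, and a URL built with percent-encoding, which is the separate encoding the "I" page illustrates. The page template, the `example.com` URL and the sample inputs are constructed for the example. The general point the two entries share is that the encoding must match the context the data is written into: HTML body, attribute, URL query string and path segment each have their own rules.

```python
import html
from urllib.parse import quote, urlencode


def render_greeting_vulnerable(name: str) -> str:
    # BAD: untrusted input is concatenated straight into markup, so any
    # tags it contains become part of the page.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name: str) -> str:
    # GOOD: escape for the HTML context before inserting; '<', '>', '&'
    # and quotes are turned into entities and display as literal text.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def build_search_url(term: str) -> str:
    # Query-string context: percent-encoding via urlencode (spaces become '+').
    return "https://example.com/search?" + urlencode({"q": term})


def build_profile_url(username: str) -> str:
    # Path-segment context: quote with safe="" so '/' is encoded too and the
    # input cannot escape into a different path.
    return "https://example.com/users/" + quote(username, safe="")


def contains_live_script(markup: str) -> bool:
    """True when a real <script ...> tag (not an escaped one) is present."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    graffiti = "<script>alert('hi')</script>"   # constructed sample of tag-bearing input
    print(render_greeting_vulnerable(graffiti))
    print(render_greeting_safe(graffiti))
    print(build_search_url("cats & dogs"))
    print(build_profile_url("a/b c"))
```

Escaping on output is what makes the page safe; filtering on input, which the "I" page also assumes, is a useful second layer but cannot know which context the data will eventually be rendered in.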
A YubiKey is a physical device, known as a hardware security token, used as a preferred method of authenticating with Two-Factor Authentication (2FA). A physical device such as this is difficult for a remote attacker to spoof, since it is something you have with you. A YubiKey or similar device can be kept on a keychain and used after typing in credentials, significantly helping to prevent an attacker who has your credentials from logging in on your behalf. This monster is using their USB YubiKey to log into a popular search engine provider's site with 2FA.
A zero day is a type of vulnerability (letter "V") that is known but does not yet have a patch available to prevent it from being exploited (letter "E"). Vulnerabilities that are publicly disclosed, have proofs of concept or exploits available, and were not responsibly disclosed are likely to remain zero days until the vendor of the vulnerable software has a chance to create a patch. This page demonstrates the concept with a vulnerability in the form of a hole in a raft, which is causing it to take on water and sink. The monster is searching for a patch, but there are none available.