Glossary of Terms
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
An alert is a notification of an event to raise awareness of a potential security incident. Security products will create alerts for the Blue Team to acknowledge and respond to. In this image a Blue Team dragon is ringing the bell to alert the castle residents about a perceived threat.
A Blue Team represents the defensive team who actively works to detect, prevent, and resolve Cybersecurity incidents. This image shows a soccer goalkeeper who is protecting a goal by blocking shots, much in the same way a Blue Team protects an organization's assets.
Containment is a term used to describe the act of preventing the spread of a threat in an environment. In this illustration the Blue Team dragon is containing the Red Team robot so it is confined within a ring of fire, preventing them from going any further.
Detection in Cybersecurity refers to the initial discovery of an event. This may be the result of monitoring by a security solution or by threat hunting. This is demonstrated in the illustration showing a patrolling dragon identifying a threat below.
Endpoint Protection is a solution used to protect a device or host and the term is typically used to describe Antivirus products that protect operating systems. This illustration shows this by using an armored vehicle that transports digital devices, such as laptops, tablets, and computers. There is also a guard who protects the truck.
A firewall can be a physical device or logical software that limits network traffic both in and out of a computer network. Firewalls are used to limit the surface area of an environment to attackers, among many other things. A "fire wall" is depicted on this page by a dragon igniting tar that is being poured down a castle's walls to fortify defenses against adversaries.
A critical early phase during Incident Response or forensics engagements is Evidence Gathering, in which a Blue Team responder will collect and document relevant information for an incident. This dragon is putting robot gears, cogs, and Indicators of Compromise from malware into a "Chain of Custody" evidence bag. The name tag specifies the dragon is an Incident Handler who is sort of like a detective in a crime scene.
A honeypot is an alluring trap for an attacker that the Blue Team sets in order to provide advanced warning and time to react. Alerts can be set up for access to these non-legitimate resources so that if they are accessed it may indicate an active attack or unauthorized access to an internal resource. In this image the Blue Team dragon is setting a trap by placing a honeypot named, "Passwords" on top of a trap door with a cage underneath.
The process of responding to a Cybersecurity incident by a Blue Team is known as Incident Response. Just as there are first responders in the event of a fire or a medical emergency, there are first responders in Cybersecurity. Fire fighters are shown here responding to an incident with a trebuchet.
A jump bag is a physical bag with forensics equipment in it and jump kits may be digital tools that are at-the-ready for first responders. Both of these are necessary to rapidly respond to a Cybersecurity incident. This is depicted in the book by a paramedic/EMT responding to an emergency carrying a jump bag full of USB cables, write blockers, and hard drive connectors.
Key Management is the process of storing and retrieving sensitive secrets such as credentials and tokens in a way that is secure. Password managers and key vaults are good solutions for keeping these secrets unique and safe from interception. This illustration shows the Blue Team's castle with a visitor checking in with the clerk who manages the keys to the various protected resources in the hotel.
Parsing logs is a common activity performed by security analysts during incident response investigations. It involves taking data output from various network, application, and host logs and normalizing it into a format that can be organized by filtering or sorting it. This dragon is using a "stream" of "logs" and is sorting them into various piles which represent these different types of logs. The logs are named based on their Windows Event IDs or application names.
Monitoring is the act of watching data in order to spot anomalous or malicious traffic that could indicate an incident. This can be done by SOC analysts or a passive device which then generates alerts. This Blue Team dragon is acting as a security guard who is monitoring security cameras on the castle, watching the Red Team's attempts to break in.
Newly Observed Domains (NODs) are domains that have recently been registered. Spam, web filters, and network monitoring products look at how old a domain is to help make a determination about the legitimacy of sites that may be used for phishing, hosting malware or Command and Control servers. This Blue Team dragon is documenting a new Red Team "domain" that's being built with a camera in a hot air balloon above the city.
OWASP stands for the Open Web Application Security Project. It is an online resource for teaching secure coding best practices in order to help developers create safer and more secure web applications. It's also a great resource for teaching the general public about the dangers of common security vulnerabilities and is the home of the OWASP Top 10 resource, among others. This Blue Team dragon is using OWASP best practices to build secure architecture from the ground up, as they construct their castle.
Packet Capturing is leveraged during Network Security Monitoring and involves TCP/IP packets stored from data in transit. This can help with real-time monitoring as well as reactive incident response where the stream needs to be reconstructed for analysis. This dragon is following a postal worker and collecting "packets" of mail as they fall out. The truck says "IP" to stand for the TCP/IP stack and the packets have "UDP" and "TCP" written on them to represent the popular protocols in the protocol suite.
Quarantine, similar to Containment, is the process or location for placing malware in a state that cannot be executed or run. This is typically performed by Antivirus whenever malware is detected if it isn't set to simply remove it by default. Quarantine is a temporary location that can allow the end user to restore legitimate files that have ended up there accidentally or by malware analysts who want to study the malicious file. This image brings back the familiar Malware Monster from the original book and it's in a plastic quarantine "jail" to prevent it from getting out, monitored by a Blue Team dragon.
Reverse Engineering is the process of working backwards with an end product, like malware, to learn from or reconstruct it. This can allow researchers to develop kill switches or find weaknesses in malware, as well as find Indicators of Compromise, among other things. This illustration shows an artistic dragon who captured a Red Team robot and is repurposing the robot to work for the Blue Team as a robot-dragon.
Often people are the weakest link when it comes to Cybersecurity. Security Awareness Training helps to educate the end users about threats and teaches them about common practices attackers use that they should look out for. October is the annual "Cybersecurity Awareness Month" and is often used for employee-wide training or phishing demonstrations. This dragon is teaching the crowd what to look for when receiving mail, such as the sender's authenticity or message integrity issues with the seal being broken.
Threat Intelligence is knowledge about an adversary's Tactics, Techniques, and Procedures (TTPs) and often includes Indicators of Compromise (IOCs) which are similar to signatures that can be used by the Blue Team to detect malicious content. This intelligence can come from a variety of sources and can be gathered by malware analysis or knowledge gathered during Incident Response and forensics activities. Threat Intelligence is commonly shared within the Cybersecurity community to help keep others safe. The dragon on the park bench is spying on the Red Team as they discuss a Domain Generating Algorithm (DGA) for malware beaconing, which can be used by the Blue Team to help with detection and prevention.
Unencrypted Communications simply refers to the lack of encryption used when sending or receiving data in transit over the network. Without strong encryption, an adversary could eavesdrop in a Man-in-the-Middle scenario and intercept sensitive information or modify the integrity of the data as it travels across "the wire". In this illustration, the Red Team is not encrypting their communication in the Blue Team's environment and the Blue Team is about to catch the Red Team since they can overhear the plan.
Volatility, as it relates to Cybersecurity, is a popular and very useful tool in the community which allows host memory to be parsed and analyzed. This can help with malware analysis and incident response activities to locate malware and Indicators of Compromise that live in volatile memory. Information about running processes, registry settings, and network activities are just a few examples of what can be accessed during memory analysis. This illustration shows a Blue Team mad-scientist interrogating a Red Team suspect about his "communications" and is scanning the robot's memory with the "netscan" command. The hope is to determine the Command and Control server in order to block the communication elsewhere in the environment and to share the Indicator of Compromise as Threat Intel to determine other potentially infected hosts.
Digital Forensics professionals use a device (or software) known as Write Blockers to protect the integrity of physical media evidence when acquiring or analyzing them. For example, a USB write blocker may be used before powering on a hard drive to prevent the operating system analyzing the contents from writing any data that may change the original drive's contents. The data is essentially protected by intentional or accidental changes and is in a read-only state. This concept is demonstrated by showing a librarian who only allows reading in her library and does not allow changing the contents of the material. The library specifically bans pencils and other writing utensils to help enforce this rule.
XOR stands for "Exclusive or" and is a simple binary operation used in mathematics. Malware authors often use XOR to obfuscate (encode or encrypt) content to slow down analysis efforts by the Blue Team. In this case, XOR is being used to encrypt contents of a message meant for the Red Team that has been intercepted by the Blue Team. An encryption key is needed to decrypt the contents to plaintext, which is "CASTLE". Can you solve the message?
YARA is a helpful tool that allows Blue Teams to statically analyze content for strings or binary patterns. These matches can then help classify malware as certain variants that belong to specific malware families. YARA groups are made up of security researchers who contribute Indicators of Compromise (IOCs) to the community and can be used as Threat Intelligence in numerous Cybersecurity products and services. In this illustration, an unknown Trojan Horse is being scanned by Blue Team security for indicators. Although trying to hide, red team robot and malware monster feet are detected that belong to a known "group" and are determined to be malicious by the scanner app.
Zero Trust is a model, similar to the Principle of Least Privilege, in that it restricts access and permissions to everyone, even authorized users, by default. However, Zero Trust is further restrictive in that it assumes no trust (even on an internal network) until the requested resource or action is verified. This is demonstrated in the illustration by showing even pilots who are boarding a plane have to go through security screening processes like the passengers do, to ensure everything is safe.