Account takeover fraud is when cybercriminals use stolen login credentials to access a user’s bank accounts, credit cards, online shopping accounts and more. Account takeover fraud is a form of identity theft and fraudsters use tools like phishing and malware to take control of accounts and do things like make unauthorised transactions, change account information or steal sensitive data.

An advanced persistent threat (APT) is a sophisticated type of cyber attack where attackers gain access to a system and remain undetected for a prolonged period of time. APTs are often carried out by experienced cybercriminals, using advanced tools and techniques, such as malicious uploads and social engineering attacks. Targets for an apt attack are carefully chosen, and are typically large enterprises or government networks. APT attacks may be driven by financial gain, political or ideological motives or espionage.

The role of AI in threat intelligence is to leverage artificial intelligence, particularly machine learning, to detect and respond to cyber threats more effectively and rapidly than human capabilities allow.

A botnet (short for “robot” and “network”) refers to a network of hacked computer devices controlled by an attacker, or ‘botmaster’. Botnets are usually created by infecting devices with malware, which allows the botmaster to remotely control these devices and carry out DDoS (Distributed Denial of Service) attacks, send spam emails, steal personal information or spread more malware. Botnets allow cybercriminals to carry out large-scale attacks and can even be rented out to other cybercriminals.

Brand abuse is the unauthorised use of a company’s brand or trademark with the intent to mislead its customers. Brand abuse examples include false advertising, counterfeiting, trademark infringement, imitation websites and social media impersonation. A company’s reputation and financial performance can be seriously damaged by brand abuse.

Brand intelligence is knowledge gained from collecting and analysing data about consumers in order to understand their feelings and behaviour towards a brand. Sources of strategic brand intelligence include online mentions in blogs and the news, social media interactions and customer feedback. Brand intelligence is used to change or improve a brand’s image and understand and respond to what consumers want and need.

Brand protection is the process and tools an organisation uses to protect its brand and reputation, such as defending against trademark infringement, counterfeit goods, and unauthorised use of the brand online. Online brand protection includes monitoring social media channels, websites, and other online platforms for negative mentions, fake accounts, and other forms of brand impersonation or infringement, and removing it.

Business email compromise (BEC) is a type of cyber attack where attackers gain access to a business email account, using it to impersonate someone and trick people or other organisations into taking harmful actions. One type of business email compromise attack is CEO fraud, where attackers pose as the CEO or another executive to obtain fraudulent wire transfers, financial information or login credentials.

CEO fraud (or Business Email Compromise) is a scam where cybercriminals send convincing emails posing as company executives to trick an employee – usually in finance or HR – into conducting unauthorised wire transfers or providing confidential information. CEO fraud is also known as whaling CEO fraud, and authentic-looking emails are sent that emphasise urgency and confidentiality to encourage employees to take action without verification. A CEO fraud attack is a highly targeted form of spear-phishing, where attackers send emails that appear to be from a known or trusted sender.

A computer emergency response team (CERT) is a group of cybersecurity experts who prevent, detect and respond to cybersecurity incidents, like data breaches and denial-of-service attacks. Computer emergency response team roles and responsibilities include providing alerts and incident handling guidelines and helping to develop best practices for information security. Many large organisations and government agencies have their own internal CERT teams, such as the US Department of Defense computer emergency response team.

Credential stuffing is when hackers use stolen or leaked usernames and passwords from one online account to try to break into others. Many people reuse usernames and passwords across multiple services, so attackers use automated bots to try to gain access to different accounts with the stolen logins. In a credential stuffing attack, once an account is compromised, attackers can steal sensitive data and carry out other malicious activities.

A Cyber Fusion Centre (CFC) is designed to promote collaboration between teams responsible for IT and cybersecurity functions in order to give organisations a more complete view of their overall security posture. A CFC enables an organisation to be more proactive and effective in tackling threats by bringing together information that highlights vulnerabilities and enhances their understanding of the risks they face.

Cyber threat intelligence is information gathered from a range of sources about current or potential attacks against an organisation.

The dark web is a part of the internet that is not indexed by search engines and requires the use of special software to access. It is often used for illegal activities, such as drug trafficking, arms dealing, and money laundering. The dark web is made up of websites that are hosted on networks that use onion routing, a type of encryption that makes it difficult to trace the source or destination of traffic. This makes it difficult for law enforcement to track down users of the dark web.

A data breach is when confidential data is accessed, disclosed or stolen from a computer system without authorisation. Data breaches can happen as the result of hacking, social engineering attacks, or human error. The data exposed can include personally identifiable information – such as names, addresses, phone numbers and email addresses – or financial and medical records. A data breach can damage the target company’s reputation and result in identity fraud and financial losses

A data broker is a business that specialises in gathering large amounts of information about individuals and organisations, and then processing, cleaning and structuring it for use by companies and organisations. The data is generated from the collection and analysis of information from publicly available online sources, and data broker sites provide it to companies for different purposes, including targeted advertising, fraud prevention and research.

A data leak refers to the disclosure of confidential information due to human error, software vulnerabilities, hacking or malicious insiders. Examples of unintentional data leaks include sensitive information that is accidentally published on a public website or when an employee mistakenly sends an email with sensitive information to the wrong address. Data leaks can also be intentional, such as when hackers publish stolen data on the internet to embarrass the victim of a data breach, or make money from selling the data.

A DDoS attack (distributed denial of service) is a type of cyber attack that disrupts a website or online service and makes it inaccessible for legitimate users. In a distributed denial of service attack, cybercriminals overwhelm the targeted server with such a high volume of traffic that the site slows down considerably or crashes. DDoS attacks are different from denial of service attacks because they originate from multiple compromised computers and online devices. Motives for DDoS attacks include extortion, revenge, political activism or distracting from other more damaging attacks.

The deep web is the part of the internet that is not searchable using search engines like Google and Bing. The deep web is not indexed, and contains content like paywalled websites, private databases and the dark web. The dark web, known for illegal activities, is only a small part of the deep web. The majority of deep web content is noncriminal, such as private email, chat messages and social media messages, and electronic bank and health records.

Intelligence dissemination is an important part of the threat intelligence cycle, the continuous process that organisations go through to collect, analyse and share data in order to identify potential cyber threats.

DNS spoofing is a technique that cybercriminals use to carry out a pharming attack to redirect legitimate web traffic to a fake site for malicious purposes, like stealing sensitive data. Usually, when a user types in a website’s address, their computer sends a request to a DNS (Domain Name System) server to translate it into an IP address that opens the requested website or page. In a DNS spoofing attack, the DNS request is intercepted and a fake IP address is sent back that leads to a fake website.

Email spoofing is the practice of sending email messages from a forged sender’s address. A spoofed email is used by malicious actors to trick recipients into clicking malicious links, opening infected attachments, sharing sensitive data and even wiring money. A phishing email is a type of spoof email, when it uses a forged sender’s address.

Extended detection and response (XDR) is a solution that connects various security data – including an organisation’s endpoints, network analysis and visibility (NAV), email security, identity and access management, cloud security, and more – in order to optimise threat detection, investigation, response, and hunting in real time. XDR security solutions evolved from EDR (endpoint detection and response), which only focuses on endpoint data.

Finished intelligence is the final product of the intelligence cycle, which is the process of collecting, analysing and evaluating information to provide insights that help decision-makers make informed choices. Finished intelligence is typically written in a concise and objective format and tailored to the specific needs of the decision-maker.

‘Five Eyes’ (FVEY) is an intelligence alliance of five English-speaking countries – the United States, the United Kingdom, Canada, Australia and New Zealand. These countries work together on signals intelligence (SIGINT), which includes intercepting, collecting, analysing and sharing electronic communications. Examples include radio signals, phone calls, emails and more. Through trust and cooperation, the alliance counters threats to national security and defence, such as terrorism, cyberattacks and espionage.

Geopolitical intelligence is meaningful information generated from analysing data about political, social, and economic events and trends around the world. This includes data about trade relations, supply chains, sanctions, public health issues, political conflict and cyberattacks. Geopolitical intelligence helps organisations understand and manage political threats that impact the locations where they operate or hold assets.

Geopolitics refers to the geographical, political and economic factors that shape international relations and world events. In the field of geopolitics, analysts study the people, organisations and governments that carry out political, economic and financial activities, and how their actions affect other nations in terms of security, trade and diplomacy. The study of geopolitical events, such as global instability, conflicts, trade disputes or natural disasters, can be used to assess risks and opportunities regarding security, economic stability and investments.

Identity fraud is the use of stolen personal, private or financial information for unlawful gain. Examples of what is considered identity fraud include using a stolen identity to open new credit accounts, withdraw money from bank accounts, or commit crimes. Phishing (fraudulent emails) and malware (malicious softwared) are digital methods that criminals use to steal the sensitive information needed to commit identity fraud. Comparing identity theft vs fraud, identity theft is when criminals steal someone’s personal information, but identify fraud is how they use it for illegal purposes.

An impersonation attack is a type of fraud where an attacker pretends to be a known or trusted person in order to steal sensitive information or trick someone into transferring money. The most common impersonation attack types include phishing, a form of email impersonation attack where attackers pose as banks or legitimate organisations to obtain credit card numbers or login credentials.

An incident response team (IRT) is a group that is responsible for managing a variety of security incidents that can affect an organisation’s IT systems, data and operations. Examples include data breaches and cyber-attacks, as well as natural disasters, human error and harm to physical equipment. The typical Incident response team structure consists of team members with different technical skills and functions – like cybersecurity, legal and corporate communications – to be prepared for a wide range of security incidents and minimise their impact.

Indicators of attack (IOA) are signs of a cyber attack against an organisation’s systems or network. An important difference between an indicator of attack vs indicator of compromise is that an IOA focuses on identifying a cyber attack that is in progress, but an indicator of compromise relates to evidence that systems have already been compromised, such as discovering malware or the unauthorised transfer of data. Examples of IOAs include unusual network traffic and failed login attempts.

Indicators of compromise (IOCs) are pieces of digital evidence, such as data found in system log entries or files, that identify a potential breach of a system or network. By monitoring for indications of compromise, organisations can detect attacks and act faster to prevent breaches from occurring or limit damages sooner. IOCs can be shared within the cybersecurity community to better understand a particular malware’s techniques and behaviours.

An Information Sharing and Analysis Centre (ISAC) is a non-profit organisation that gathers information and analysis on cyber threats, including threats to critical infrastructure. ISACs enable two-way sharing of information between the private and public sectors, helping improve an organisation’s overall security posture by providing timely and relevant information.

An insider threat is the risk of a cybersecurity breach that comes from an organisation’s ‘insiders’ – such as their employees, partners or suppliers. There are different types of insider threat, including intentional insider threats, such as when an employee uses their legitimate access to steal sensitive data or harm the organisation’s systems, or they can be unintentional, such as when an employee accidentally shares sensitive information or unknowingly introduces malware into the system.

The intelligence cycle is a step-by-step process for gathering, analysing and synthesising data to produce and share useful intelligence. The intelligence production cycle is commonly associated with military and law enforcement agencies, but its principles and methodologies are also used in other sectors.  The intelligence cycle consists of several interconnected stages that ensure a structured and organised approach to intelligence operations.

Intelligence requirements (IRs) refer to the information an organisation needs from its threat intelligence team to protect it from cyber threats. Intelligence requirement examples include information about overall cyber risks to an organisation and its industry. IRs are more general and less operationally-focused than Priority Intelligence Requirements, which are more detailed and answer an organisation’s most critical cyber threat questions.

Machine learning (ML) is a type of artificial intelligence (AI) that involves teaching machines to learn from data and improve without being programmed by a human. Machine learning uses large volumes of data and algorithms to identify patterns, develop, adapt and produce insights. In cybersecurity, machine learning is used to spot patterns that help organisations detect future attacks. Other examples of machine learning include financial trading, facial recognition and DNA sequencing.

Malware (short for “malicious software”) is computer software designed to damage, disrupt or gain unauthorised access to a computer system or network. Types of malware include viruses, worms, trojan horses, ransomware and spyware. In a malware attack, cybercriminals use email attachments, malicious websites, social engineering or software vulnerabilities to infect a computer system with malware. Malware can be used to steal sensitive information, take control of a system or deny system access until a ransom is paid (known as ransomware).

A man in the middle attack refers to a cyber attack where a perpetrator intercepts an existing conversation between two parties in order to eavesdrop, impersonate one of the parties or capture data that is being transmitted. Man in the middle attacks can occur through compromised Wi-Fi networks, phishing attacks or malware infections and can lead to data breaches, financial loss and damage to reputation.

The MITRE ATT&CK Framework documents the tactics, techniques and procedures used by threat actors in real-world cyber attacks. ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge, and this knowledge base helps organisations understand the methods used by attackers to understand the threat landscape better and improve their defences against cyber threats. This framework is used by security professionals and organisations worldwide.

OSINT, or open source intelligence, refers to insights gathered from data that is publicly available and accessible by anyone. This generally means information found on the internet, but any public information is considered OSINT, including news, articles, social media posts, and blog posts, as well as data that is collected and openly shared by people or organisations.

Operational intelligence, or operational threat intelligence, is information gained from analysing details of known attacks, providing insight into specific attacks and their nature, intent and timing. Operational intelligence requires a strong technical background and is mostly used by security teams and incident responders. It helps security teams contextualise and prioritise risks and block attacks before they occur.

What is a data collection plan and how does OSINT data collection work? Find out more about data collection in the intelligence cycle with Silobreaker.

Paste sites, also known as pastebins or pasting sites, are websites that give users the ability to create and share plain text documents through public posts called ‘pastes’. Paste sites are largely used for legitimate purposes, such as sharing and reviewing computer code, but it is also used to share leaked or stolen data. Paste sites allow people to share large text files without a user registration, and as a result are popular with hackers.

Penetration testing, or pen testing, is a simulated cyber attack on a system or network used to identify possible vulnerabilities. A typical penetration test uses techniques like social engineering network scanning and application testing to find weaknesses in security controls. Cyber security penetration testing provides organisations with insights they can use to manage vulnerabilities and improve their security.

Personally identifiable information (PII) is any information that can be used to identify a person. Examples of personally identifiable information include an individual’s name, driver’s license number, date of birth, email address, phone number or home address. Cybercriminals use stolen personally identifying information to commit identity fraud for financial gain and other illegal activities. PII is subject to data privacy laws, such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Pharming is a type of online fraud where attackers use of malicious code to redirect victims to fake websites in order to steal their credentials and data. Normally, a user types in a web address and their computer sends a request to a server that sends back the correct web page. In a pharming attack, cybercriminals redirect the web traffic to a fake website that looks almost identical to the real one. DNS spoofing and malware-based pharming are two techniques used to carry out a pharming attack.

Phishing is when cybercriminals send emails designed to trick people into clicking a malicious link or disclosing sensitive information, like passwords or account information. Phishing is an example of social engineering, and is effective because it uses human nature (like trust, fear or curiosity) to trick people. Phishing attacks can result in identity theft and financial loss. Vishing (phishing phone calls) and smishing (phishing SMS messages) are types of phishing attacks.

Physical security intelligence is key information about situations and events that could potentially cause physical harm to an organisation and its people, buildings, or assets. Examples of physical threats include natural disasters and accidental damage, as well as vandalism, protests, theft and terrorism.

Priority Intelligence Requirements (PIRs) refer to the most important information needed to make intelligence-based decisions, achieve key objectives and assess potential risks.

Ransomware is a type of malware (malicious software) that cybercriminals use to block access to data or a computer system until a ransom has been paid. In ransomware attacks, the victim’s data is encrypted so that they can’t access files, databases or applications without the right ‘key’ to decrypt them. It’s nearly impossible to decrypt the files that are being held for ransom without the key. Ransomware is typically spread through phishing (fraudulent emails) or malicious software downloads.

Remote code execution (RCE) is a cyber security vulnerability that allows an attacker to run malicious code or commands on a target system from a remote location, using public or private networks. In a remote code execution attack, an attacker can gain full control over a compromised machine, steal data, deploy ransomware, disrupt service and more.

Reputational damage is the harm done to an organisation’s reputation due to ethical, safety, product-quality or employee issues, as well as data leaks and cyber attacks. Damage to reputation can result in lost revenue, increased costs, decreased shareholder value and loss of trust or confidence from customers, partners and other stakeholders.

SecOps intelligence is key information gained from security research, threat intelligence platforms and open sources about potential cyber threats and vulnerabilities. SecOps intelligence helps secops teams understand risk, including new and emerging threats, threat actors, malware, compromise indicators and vulnerabilities. This information is used to develop strategies to prevent, detect and respond to security incidents.

Security information and event management (SIEM) is a security solution that helps organisations detect, analyse, and respond to security threats. A SIEM solution collects, monitors, stores and analyses security-related data from multiple sources like servers, endpoint devices and applications. The data is then used to identify, investigate and prioritise cyber security attacks and breaches

Security operations (SecOps) is the combination of IT security and IT operations into a team that enables organisations to reduce risk and strengthen cyber security. This collaboration ensures an organisation is incorporating security considerations into IT operations as early as possible, and can meet its cyber security objectives without compromising on IT performance. SecOps often operates from a cyber security operations centre (SOC).

Shadow IT is the use of digital devices, software, applications, and services without the approval of the IT department. Shadow IT problems can occur when employees use unauthorised personal devices or cloud-based applications to do work-related tasks, bypassing official company channels and creating security risks that can result in breaches, compliance violations, and more.

Smishing is a form of phishing (an online scam using fraudulent emails), where SMSs or text messages are used to trick recipients into clicking on malicious links or disclosing sensitive information. Senders of smishing messages pose as legitimate organisations, using urgent language or authentic-looking offers. Smishing is often highly convincing because people are more likely to trust a message that comes from a messaging app on their phone than from a message delivered via email.

SOAR (Security Orchestration, Automation and Response) is a cybersecurity solution that combines different security tools to streamline cybersecurity in three key areas – threat and vulnerability management, incident response and security operations automation. Soar cyber security integrates security, IT operations and threat intelligence tools – even tools from different vendors – for a more coordinated approach that can lead to faster response times, better threat detection and an overall improvement in cybersecurity.

Social engineering is a technique used by cybercriminals that exploits human nature (trust, fear or curiosity) to get sensitive information, access to systems or financial benefit. Phishing, smishing and vishing are types of social engineering, and these fraudulent email, SMS or voice messages are designed to lure users into sharing information or clicking on a malicious link. Social engineering attacks are often effective because the messages appear to come from a legitimate company or person, and seem urgent or beneficial.

Specific Intelligence Requirements (SIRs) are a sub-type of intelligence requirement that provides the more detailed information needed to address specific questions or issues. As compared to Priority Intelligence Requirements (PIRs), which are higher level, SIRs may be set by analysts or others involved in the intelligence collection process to meet the PIRs of senior decision makers. SIRs tend to be more tactical and technical, with a focus on facts, entities or activities.

STIX TAXII (Structured Threat Information eXpression and Trusted Automated eXchange of Indicator Information) are cybersecurity standards developed to improve defence strategies against cyber attacks. Comparing stix vs taxi, stix is the cyber threat information component, while taxii is how that information is relayed, e.g., via services and message exchanges. Stix/taxii are an open-sharing and community-driven effort, and unlike previous methods of collaboration, they are machine-readable and easily automated.

Strategic intelligence provides a long-term view of the risks that could impact an organisation. Strategic cyber intelligence enables organisations to understand the financial and reputational consequences of cyber threats, and covers a wide range of information, including technical, political and social, gathered from multiple sources. Strategic threat intelligence helps organisations make key decisions, allocate resources and strengthen their security.

A supply chain attack, or third-party attack, is when cybercriminals attack a less secure supplier in group of organisations that work together in order to gain access to a larger target’s network. In cybersecurity supply chain attacks, criminals exploit weaknesses in third-party systems and use them to compromise other organisations in the supply chain. This means that even if an organisation has strong cybersecurity measures in place, they can still be vulnerable if a third-party supplier or partner is compromised.

Tactical intelligence is information about the tactics, techniques and procedures (TTPs) of cyber criminals. It helps security teams understand the capabilities and goals of attackers, along with their methods. Tactical intelligence enables organisations to detect and respond to cyberattacks and develop more effective defensive strategies to prevent similar attacks in the future.

Third party risk is the potential for an organisation to suffer a data breach or other cyber attack as a result of third-party vendors, suppliers or partners that have access to their systems or data. Third party risks occur when a third-party doesn’t have the necessary security measures in place to defend against cyber threats, providing an easier way for threat actors to attack even the most sophisticated of security systems.

A threat actor is a person or group that intentionally causes harm in the online world. Cyber threat actors look for weaknesses in computers, networks and systems to carry out attacks on people and or organisations. There are various types of threat actors, with different motivations ranging from data theft and financial gain, to disrupting the operations of an organisation or even a country. Threat actors in cybersecurity use tactics like phishing attacks, ransomware and malware.

A threat hunting team is a group of cyber security professionals who identify security incidents that may go undetected by automated security tools such as malware detectors and firewalls. Instead of waiting for potential threats to surface, a dedicated threat hunting team proactively searches an organisation’s IT environment to detect potential threats and respond to them before they can cause damage or disruption to the organisation.

The threat intelligence lifecycle is a continuous process that organisations go through to identify potential cyber threats. There are six phases of the threat intelligence lifecycle, including planning, data collection, processing, analysis, dissemination and feedback. This security intelligence lifecycle provides organisations with the intelligence they need to proactively manage security risks.

A threat intelligence platform (TIP) is a software tool that helps security teams collect, sort and analyse threat intelligence data to protect their organisation from cyber threats. TIPs usually collect data from a variety of sources, including internal security tools and the internet, and sometimes even the deep and dark web. Threat intelligence solutions provide security teams with a comprehensive view of potential threats to their organisation’s IT infrastructure, and helps them identify and respond more quickly and effectively.

Trademark monitoring involves keeping track of how a specific trademark is being used by third parties. This is done to ensure a trademark owner is aware of any potential misuse or weakening of their brand name, so that legal action can be taken when needed. Misuses can include trademark infringement, false advertising, counterfeiting, imitation websites, phishing emails and social media impersonation. International trademark monitoring tracks the use of a trademark globally, detecting any potential abuse in different regions.

TTP stands for tactics, techniques and procedures, and refers to the typical way various threat actors carry out their cyber attacks. ‘Tactics’ are their general strategies, ‘techniques’ are the tools used, and ‘procedures’ are the steps followed. Using TTPs, cybersecurity teams can better predict and detect attacks, as well as build more effective defences against them.

Unstructured data is information that does not have a pre-defined data model or is not organised in a pre-defined manner. Unstructured data is typically text-heavy, but may contain data such as dates, numbers, and facts as well. This results in irregularities and ambiguities that make it difficult to search, analyse and manage.

Vishing, or voice phishing, refers to criminals leaving voice messages or making phone calls to trick people into giving up sensitive information. In vishing attacks, the caller pretends to be calling from the likes of the government, tax department, police or the target’s bank, and uses threats and forceful language to convince victims to provide sensitive data. Vishing, phishing (fraudulent emails) and smishing (fraudulent text messages) all have the same goal – obtaining information from users that can be used for identity theft, financial gain or account takeover.

Vulnerability analysis is the process of finding and assessing gaps or weaknesses within an organisation’s computer network or system that could be exploited by cyber criminals. Vulnerability analysis typically includes identifying, evaluating and prioritising these vulnerabilities, to determine security risks and to develop strategies to mitigate or eliminate these risks.

Vulnerability intelligence refers to the identification, analysis and prioritisation of computer flaws and vulnerabilities that may pose a cybersecurity risk to organisations. This involves collecting information on known and potential vulnerabilities in various hardware and software systems – including operating systems, applications and network devices – and providing actionable insights to organisations. This information can be used to help organisations protect themselves from attacks by identifying and mitigating vulnerabilities before they can be exploited.

Vulnerability scanning is the process of using software programmes to find and resolve possible security weaknesses in computer systems, networks or applications. Scanning tools usually look for known vulnerabilities, such as outdated software or security flaws. There are many methods for scanning vulnerabilities, including network-based scanning and application-based scanning. This scan is also performed by attackers who try to find points of entry into targeted networks.

A watering hole attack in cybersecurity is an attack that targets a group of users by infecting websites that they commonly visit with malware. Similar to a watering hole where animals come to drink and are targeted by predators, in a watering hole cyber attack, malware is downloaded onto members’ computers when they visit the compromised website, allowing the attacker to access their organisation’s network and carry out malicious activities.

Whaling is a type of phishing attack (an online scam using fraudulent emails) that specifically targets C-suite and high-level executives. Whaling phishing attacks target senior executives with messages designed to trick them into sharing sensitive information or transferring funds. In a whaling attack, the fraudulent emails are more sophisticated than typical phishing emails – often containing personalised information about the targeted organisation or person and written in polished business language.