Attack of the cybersecurity acronyms: OSINT, IOC, TTP, & C2
This is part of an ongoing series covering common cybersecurity TLAs (three-letter acronyms) and terms that can seem incomprehensible. Even seasoned professionals struggle as different industries use the same acronyms to mean completely different things. To help clear up the confusion, we’re providing a list of common acronyms related to cybersecurity and cyber insurance, simple explanations, and key takeaways to help you tackle these risks! Click here to learn about FTF, RDP, MFA, BEC and SPF.
Technology is evolving at an almost daily pace. But with each new capability we gain from technology, attackers are usually just a couple of steps behind with new ways to exploit it. Unfortunately, cyber crime has become a profitable industry with the bad guys (attackers, threat actors, or just criminals) on one side, and good guys (defenders) on the other. Here are some key terms you should know about cyber crime and defense.
Open Source Intelligence (OSINT)
OSINT is the gathering of intelligence (useful, actionable information) from open or publicly available sources. Any time you’ve looked up a business and gotten review details about their services, you’ve been performing OSINT. Based on the reviews you may choose to engage that business or find an alternative.
Security impact: Attackers can utilize OSINT to glean details about a target that may prove useful, like social connections or work history. For example, attackers might scan social media to identify the personal interests of your employees (like cooking), then use that as part of the pretext of an email attack by attaching a “team cookbook” PDF to an email. OSINT can be useful for gathering details about an organization's operations as well, skimming professional resources like LinkedIn or conference presentation materials can provide clues about your technology environment. If your employees routinely present or post resources about optimizing Oracle database functionality, it’s a safe assumption that you might be using Oracle, which is a clue for attackers to use.
How to protect yourself: Defined procedures for professional use of social media can be a good starting point, and occasional OSINT audits to see what information your organization is sharing publicly are also useful. If possible, consider including them in the scope of other activities like penetration testing. Governing personal social media belonging to employees is somewhat trickier, and may be overkill for some organizations. General best practices include reminding everyone to create strong, unique passwords, and be cognizant of what they’re sharing and who can see it.
Learn more:Read about, and check out the US Cybersecurity & Infrastructure Security Agency’s.
Indicator of Compromise (IOC)
IOCs are useful forensic evidence that a system has been compromised, much like a fingerprint at a crime scene indicates that a suspect was there.
What are they: IOCs can be any digital proof that a system has been compromised. Some may be definitive evidence of a particular attack, such as a known malware file being found on a server, while others simply indicate suspicious activity like unusual use of highly privileged accounts or users logging in from unusual locations.
How are they used: Indicators can be legitimate or malicious, and making that determination is part of a forensic investigation. A system administrator logging in at an unusual hour from a different location could be an attacker who’s stolen that admin’s username and is attempting something malicious, or it could be the admin themself logging in while traveling. Complex investigations obviously require human analysis and judgment, but some security tools can also use IOCs for automated analysis, such as scanning a network to identify any servers with a known malware file or configuration. These tools can run continuously to monitor for IOCs, which is a best practice when designing a security program.
How to protect yourself: Security monitoring tools like endpoint detection and response (EDR) and digital forensics processes can utilize IOCs to identify malicious activity. Ensuring you have appropriate tools and monitoring processes in place is a security best practice.
Tactics, Techniques, and Procedures (TTP)
TTPs describe the behavior of someone performing an action, who is often called an actor or threat actor when discussing cybercrime. TTP is a hierarchy describing these actions from least to most specific.
What are they: A tactic is the high-level description of a behavior, a technique is a more detailed description, and a procedure is the lowest-level, most detailed description. This is similar to the documentation hierarchy at many organizations, with policies providing high-level guidance, standards providing more specifics, and procedures or checklists providing the most detailed information about how to apply the guidance in particular situations.
How are they used: An example of an attacker’s TTP might include the use of user credential theft as a tactic to gain access. Techniques to achieve this might include phishing as well as physical theft of the target’s IT resources, while a specific procedure would be the use of OSINT to determine a valuable employee (information from LinkedIn) and a coffee shop frequented by that employee (information from Instagram, Yelp, etc.). This information can easily be used to orchestrate the theft of a laptop.
How to protect yourself: The first and most important step to protection is to understand the risks your organization faces. Your entire security program should be designed to address these risks, as TTPs will vary based on the actors targeting your industry, region, or business. Once you’ve assessed your unique risks, choose appropriate risk mitigation strategies like, security awareness training, and data security practices.
C2 = Command & Control
Cyber criminals need to be able to marshall resources to carry out an attack and borrow an idea from military science known as Command & Control (C2). C2 is a set practice for issuing commands and controlling actions (pretty self-explanatory, really), and in the context of cybercrime, C2 is deployed for gaining control over compromised resources like servers or workstations.
What are they: You’ll most often hear “C2 server”, which is simply a server that is being used by cyber criminals as part of their operations. User workstations or servers that are infected with malware will communicate with the criminals’ C2 server for a variety of purposes.
How are they used: Some malware lies dormant for a while to evade detection then springs to life and communicates with a C2 server. Malware may also gather information about its host and send it to the C2 server, which decides what to do. For example, malware on a server connected to a bank network may be instructed to install ransomware since the bank likely has money to pay the ransom, while the same malware on a random person’s laptop is instructed to install a keylogger to steal usernames and passwords. Malware may even be instructed to search for sensitive information and send it to the C2 server, a process known as data exfiltration.
How to protect yourself: Network security tools often have the ability to detect and block traffic to known C2 servers, so if you have such tools make sure they are properly configured. There are some countries where permissive laws mean cyber criminals can operate with impunity, so restricting your network traffic to these countries may also be an effective means of protecting your data.
Making sense of it all
Security is fast-paced, and the terminology is a challenge. The acronyms and concepts in this guide are far from exhaustive, but explain some of the most common issues we see at Coalition in terms of questions, incidents, and insurance claims. Click here to learn more cybersecurity acronyms like FTF, RDP, MFA, BEC and SPF.
If you’d like to learn more, we encourage you to check out the Coalition Learning Center, where you’ll find explainer articles on common security and insurance topics, as well as links to help you implement many of these recommendations.
For specific questions or additional details, you can always reach us at firstname.lastname@example.org, and we’ll be happy to set up a time to discuss how to improve your security and reduce your cyber risk.