What are Some Commonly Used Acronyms and Terms for Incident Response and Threat Management?
The following list compiles some of the most important terms and acronyms we use to discuss cybersecurity incident handling and security threat operations.
Core Incident Response & Threat Management
IR (Incident Response): A process to prepare for, detect, analyze, contain, eradicate, and recover from cybersecurity incidents.
IRP (Incident Response Plan): A documented, structured approach for handling a cyber incident; maintaining and testing one is required by many regulators and cyber insurers.
IRT / CSIRT (Incident Response Team / Computer Security Incident Response Team): A group or team that is tasked with responding to and managing cybersecurity incidents.
IRRaaS (Incident Response Readiness as a Service): A managed service that ensures your organization is always ready to respond to an incident.
SIRP (Security Incident Response Platform): Software or platform used to manage, track, and automate incident response work.
SOAR (Security Orchestration, Automation, and Response): Technology for automating manual response tasks and integrating security tools and threat intelligence.
SOC (Security Operations Center): A dedicated team or physical facility for monitoring, detecting, and responding to security events 24/7.
MSSP (Managed Security Service Provider): A third-party service provider for ongoing monitoring, detection, and incident response services.
MDR (Managed Detection and Response): A managed service that combines human expertise and automated tools to detect and respond to active threats.
EDR (Endpoint Detection and Response): Continuous monitoring and response for suspicious activity on endpoints (servers, desktops, laptops).
XDR (Extended Detection and Response): Analyzes and correlates data from various security layers to provide an integrated view of threats.
Threat Intelligence & Attack Simulation
TTPs (Tactics, Techniques, and Procedures): The patterns of how a threat actor operates, from the high-level goal (tactic) through the method used to reach it (technique) to the specific implementation observed in a given campaign (procedure).
IOCs (Indicators of Compromise): Artifacts such as IP addresses, file hashes, or domains that, when observed in an environment, indicate a system has likely been compromised.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge): A globally accessible, publicly maintained knowledge base of adversary tactics and techniques, curated by MITRE from real-world observations and community contributions, and used as a common framework for mapping and describing attacker behavior.
APT (Advanced Persistent Threat): A well-resourced, often state-sponsored threat actor, or the sustained, targeted campaign such an actor conducts, whose purpose is to gain access to a specific organization and maintain it undetected over long periods.
CTI (Cyber Threat Intelligence): Data and information related to potential or current attacks, attackers, and their motives, targets, and methods.
IOC / IOA (Indicator of Compromise / Indicator of Attack): An IOC is an artifact left behind by a compromise (a known-bad hash, IP address, or domain) and so only matches infrastructure or tooling that has already been seen; an IOA is a pattern of behavior that indicates an attack in progress (for example, an Office application spawning PowerShell), which can surface activity even when the specific artifacts involved are new.
RBTA (Risk-Based Threat Assessment): An approach that prioritizes threats and the defenses against them according to real-world likelihood and impact, weighed against the organization's risk tolerance.
HIT Index (HALOCK Industry Threat Index): HALOCK’s threat modeling approach and scoring system used to estimate the likelihood of different types of attacks for a specific industry.
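To make the IOC versus IOA distinction above concrete, the following is an added example (not code from the original page or from HALOCK) that runs a small constructed threat-intel feed and three behavioral rules over constructed endpoint process events. All hosts, users, hashes, IP addresses and domains are constructed for illustration; the rule-to-ATT&CK-technique comments are the author's own mapping.

```python
"""IOC matching versus IOA (behavioural) matching over constructed endpoint telemetry.

Added example, not part of the original glossary. Every indicator, host, user,
hash, address and domain below is constructed for illustration only.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed threat-intel feed of atomic IOCs: artifacts of past compromises.
IOC_FEED = {
    "ip": {"203.0.113.45"},                  # constructed (TEST-NET-3 range)
    "domain": {"update-cdn.example"},         # constructed
    "sha256": {"deadbeef" * 8},               # constructed placeholder hash
}

@dataclass
class Event:
    """One process-start event as an EDR sensor might report it (constructed)."""
    host: str
    user: str
    process: str
    parent: str
    cmdline: str
    sha256: str
    remote_ip: str = ""
    remote_domain: str = ""

def match_iocs(ev: Event) -> list[str]:
    """Return the IOC types from IOC_FEED this event matches.

    IOC matching is exact-artifact lookup: it fires only when the attacker reuses
    a binary, address or domain that is already on a feed."""
    hits = []
    if ev.sha256.lower() in IOC_FEED["sha256"]:
        hits.append("sha256")
    if ev.remote_ip in IOC_FEED["ip"]:
        hits.append("ip")
    if ev.remote_domain.lower() in IOC_FEED["domain"]:
        hits.append("domain")
    return hits

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
DUMP_TOOLS = {"procdump.exe", "procdump64.exe", "rundll32.exe"}
# "-e", "-ec", "-enc" or "-EncodedCommand" followed by a base64 blob of 20+ chars.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")

def match_ioas(ev: Event) -> list[str]:
    """Return behavioural indicators (IOAs) this event exhibits.

    IOAs describe what the attacker is doing rather than which artifact they used,
    so they fire on a never-before-seen payload or command-and-control address."""
    proc, parent, cmd = ev.process.lower(), ev.parent.lower(), ev.cmdline.lower()
    hits = []
    if parent in OFFICE_APPS and proc in SHELLS:
        hits.append("office-spawns-shell")      # author's mapping: ATT&CK T1204 / T1059
    if proc in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(ev.cmdline):
        hits.append("encoded-powershell")        # author's mapping: ATT&CK T1027 / T1059.001
    if proc in DUMP_TOOLS and "lsass" in cmd:
        hits.append("lsass-dump")                # author's mapping: ATT&CK T1003.001
    return hits

def triage(events: list[Event]) -> list[dict]:
    """Run both matchers and keep only events that hit at least one of them."""
    findings = []
    for ev in events:
        iocs, ioas = match_iocs(ev), match_ioas(ev)
        if iocs or ioas:
            findings.append({"host": ev.host, "user": ev.user, "process": ev.process,
                             "iocs": iocs, "ioas": ioas})
    return findings

# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Known-bad binary beaconing to a known-bad address: IOCs fire, no IOA needed.
    Event("ws-01", "jdoe", "svchost_update.exe", "explorer.exe",
          "svchost_update.exe", "deadbeef" * 8, remote_ip="203.0.113.45"),
    # Unknown payload, unknown domain, but classic macro-to-PowerShell behaviour: only IOAs fire.
    Event("ws-02", "asmith", "powershell.exe", "winword.exe",
          "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
          "0123456789abcdef" * 4, remote_domain="files.invalid"),
    # Benign browser launch: nothing fires.
    Event("ws-03", "bwong", "chrome.exe", "explorer.exe",
          "chrome.exe --profile-directory=Default", "fedcba9876543210" * 4),
    # Credential dumping attempt with a legitimate signed tool: behaviour, not artifact, is the signal.
    Event("srv-dc1", "svc_backup", "procdump64.exe", "cmd.exe",
          "procdump64.exe -ma lsass.exe out.dmp", "abcdef0123456789" * 4),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

The first event is caught only because its hash and address were already on a feed; the second and fourth carry no known artifact at all and are caught only by the behavioral rules, which is the practical reason detection programs run both kinds of indicator side by side.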
Incident Handling & Forensics
DFIR (Digital Forensics and Incident Response): The combination of incident response and digital forensics with an emphasis on evidence-based investigation.
SIEM (Security Information and Event Management): Technology that aggregates and correlates logs from across an environment to detect and alert on suspicious activity.
UEBA (User and Entity Behavior Analytics): Technology that builds a baseline of normal user and system behavior and flags deviations from it, used to find insider threats and compromised accounts that valid credentials alone would not reveal.
NDR (Network Detection and Response): Technology for analyzing network traffic to identify malicious activities and lateral movement.
CIRT (Cyber Incident Response Team): A cybersecurity team that is tasked with containing and recovering from cyberattacks (synonymous with CSIRT).
IOC Triad (Indicators, Observation, Correlation): A forensic methodology for validating and correlating evidence and attack patterns.
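The SIEM and UEBA entries above describe two different ways of turning raw logs into alerts: correlating several individually unremarkable events into one finding, and comparing a login against a per-user baseline. The following is an added example (not code from the original page or from any of the products named) that does both over constructed OpenSSH-style authentication log lines. The hostnames, users, addresses and timestamps are constructed; the line format assumes OpenSSH "Accepted password" / "Failed password" messages with an ISO-8601 timestamp prefix in place of the usual syslog date.

```python
"""SIEM-style correlation and a UEBA-style baseline over constructed SSH auth logs.

Added example, not part of the original glossary. Log lines, users and addresses
are constructed; parsing assumes OpenSSH-style messages with an ISO-8601 prefix.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def parse(line: str) -> dict | None:
    """Turn one log line into a dict, or None for lines the rule does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def correlate_bruteforce(lines: list[str], threshold: int = 5,
                         window: timedelta = timedelta(minutes=2)) -> list[dict]:
    """SIEM correlation rule: a source that accumulates `threshold` failures inside
    `window` and then authenticates successfully. No single event here is alarming;
    the relationship between events is the signal."""
    recent: dict[str, deque] = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:        # drop failures older than the window
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:                     # success after a burst of failures
            alerts.append({"rule": "bruteforce-then-success", "src": ev["src"],
                           "user": ev["user"], "failures": len(q), "ts": ev["ts"]})
            q.clear()
    return alerts

def network(ip: str) -> str:
    """Coarse /24 key for an IPv4 address (constructed simplification)."""
    return ip.rsplit(".", 1)[0]

def build_baseline(history: list[str]) -> dict[str, dict]:
    """UEBA baseline: per-user set of source networks and hours seen in past successful
    logins. A real product learns this statistically; set membership shows the idea."""
    base: dict[str, dict] = defaultdict(lambda: {"nets": set(), "hours": set()})
    for ev in filter(None, map(parse, history)):
        if ev["outcome"] == "Accepted":
            base[ev["user"]]["nets"].add(network(ev["src"]))
            base[ev["user"]]["hours"].add(ev["ts"].hour)
    return base

def ueba_anomalies(baseline: dict[str, dict], lines: list[str]) -> list[dict]:
    """Flag successful logins that deviate from the user's baseline."""
    out = []
    for ev in filter(None, map(parse, lines)):
        if ev["outcome"] != "Accepted":
            continue
        prof = baseline.get(ev["user"])
        reasons = []
        if prof is None:
            reasons.append("user-never-seen")
        else:
            if network(ev["src"]) not in prof["nets"]:
                reasons.append("new-source-network")
            if ev["ts"].hour not in prof["hours"]:
                reasons.append("unusual-hour")
        if reasons:
            out.append({"user": ev["user"], "src": ev["src"], "ts": ev["ts"], "reasons": reasons})
    return out

# Constructed historical log used to learn what "normal" looks like.
HISTORY_LOG = [
    "2024-04-29T09:02:11Z bastion sshd[900]: Accepted password for alice from 10.20.30.14 port 51022 ssh2",
    "2024-04-30T10:15:40Z bastion sshd[911]: Accepted password for alice from 10.20.30.15 port 51100 ssh2",
    "2024-05-01T14:47:03Z bastion sshd[930]: Accepted password for alice from 10.20.30.14 port 51233 ssh2",
    "2024-04-30T08:30:19Z bastion sshd[912]: Accepted password for bob from 10.20.31.9 port 49001 ssh2",
    "2024-05-01T09:01:55Z bastion sshd[931]: Accepted password for bob from 10.20.31.9 port 49077 ssh2",
]

# Constructed live log: a burst of failures from an outside address, then a success.
LIVE_LOG = [
    "2024-05-02T02:13:01Z bastion sshd[1201]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "2024-05-02T02:13:05Z bastion sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
    "2024-05-02T02:13:09Z bastion sshd[1201]: Failed password for alice from 198.51.100.7 port 40003 ssh2",
    "2024-05-02T02:13:13Z bastion sshd[1201]: Failed password for alice from 198.51.100.7 port 40004 ssh2",
    "2024-05-02T02:13:17Z bastion sshd[1201]: Failed password for alice from 198.51.100.7 port 40005 ssh2",
    "2024-05-02T02:13:21Z bastion sshd[1201]: Failed password for alice from 198.51.100.7 port 40006 ssh2",
    "2024-05-02T02:14:30Z bastion sshd[1201]: Accepted password for alice from 198.51.100.7 port 40007 ssh2",
    "2024-05-02T09:05:12Z bastion sshd[1250]: Accepted password for bob from 10.20.31.9 port 49120 ssh2",
    "2024-05-02T09:05:13Z bastion sshd[1250]: pam_unix(sshd:session): session opened for user bob",
]

if __name__ == "__main__":
    print(correlate_bruteforce(LIVE_LOG))
    print(ueba_anomalies(build_baseline(HISTORY_LOG), LIVE_LOG))
```

The correlation rule and the baseline check fire on the same login for independent reasons: one because of the failures that preceded it, the other because the source network and hour are both outside what alice has done before. Bob's login at 09:05 from his usual network produces nothing from either, which is the point of baselining: the same "Accepted password" event is benign for one user and an alert for another.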
Business Continuity & Compliance
BCP (Business Continuity Plan): Plans and processes that are in place to ensure critical operations continue during and after an incident.
DRP (Disaster Recovery Plan): Plans and processes that are in place to restore IT, systems and data after a major event or cybersecurity incident.
RTO / RPO (Recovery Time Objective / Recovery Point Objective): The RTO is the maximum acceptable time for restoring a system or service after an incident; the RPO is the maximum acceptable data loss, expressed as the amount of time between the last recoverable copy of the data and the incident (which in practice dictates how often backups or replication must run).
DLP (Data Loss Prevention): Tools and processes for preventing sensitive information from being shared or exposed accidentally or maliciously.
DoCRA (Duty of Care Risk Analysis): An objective framework for defining reasonable security based on compliance, risk, and a company’s business objectives.
ISO 27035 (Incident Management Standard): The international standard that defines best practices for managing information security incidents.
NIST CSF (NIST Cybersecurity Framework): A voluntary framework published by the U.S. National Institute of Standards and Technology and widely used beyond the U.S., organized around the core functions Govern (added in CSF 2.0), Identify, Protect, Detect, Respond, and Recover, that helps organizations structure how they manage cyber risk.
Communication & Legal
PII (Personally Identifiable Information): Data that can be used, on its own or in combination with other data, to directly or indirectly identify a natural person.
PHI (Protected Health Information): Individually identifiable health information, including payment and treatment records, whose handling by covered entities and their business associates is regulated under HIPAA and related privacy laws.
GDPR (General Data Protection Regulation): The EU's data protection regulation, which governs how personal data is collected and processed and requires that most personal data breaches be reported to the supervisory authority within 72 hours of the organization becoming aware of them.
CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act): California privacy laws that give residents rights over their personal data and provide a private right of action for certain data breaches caused by a failure to maintain reasonable security.
SEC (Securities and Exchange Commission): The U.S. securities regulator whose 2023 rules require publicly traded companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material, and to describe their cybersecurity risk management and governance in annual filings.