.dmp files 4 109 A format for storing memory dumps for analysis, including for creating Indicators of Compromise (IOCs).
.vmdk 4 97 The virtual disk file in VMware indicating stored virtual machine disk data.
.vmss 4 98 The change from the base memory in a virtual machine environment capturing user actions and processes.
.vmss and .vmem combination 4 98 Required to fully recover all relevant actions, processes, and activity related to adversaries in a virtual environment.
/GoTo* 4 83 Changes view to a specified destination within PDF.
/JavaScript 4 83 Specifies JavaScript to run in PDFs.
/Launch 4 83 Launches a program or opens a document from PDF.
/Names /AcroForm /Action 4 83 Specify and launch scripts or actions in PDFs.
/ObjStm 4 83 Hides objects inside an Object Stream in PDFs.
/OpenAction and /AA 4 83 Specifies script or action to run automatically in a PDF.
/RichMedia 4 83 Embeds Flash in PDFs.
/SubmitForm and /GoToR 4 83 Can send data to a URL from a PDF.
/URI 4 83 Accesses a resource by its URL from PDF.
$INTERNAL_NET 3 78 A variable used in network monitoring to define known internal networks for alerting on outsider communications.
0-day exploits 1 137 Exploits that are unknown to the public and vendors until they are disclosed, frequently used in targeted attacks.
2nd Stage Delivery 1 83 The process of delivering the crafted attack to the target environment, potentially through various vectors to maintain stealth.
5-Tuple 3 100 A foundational concept for examining network traffic which includes Source/Destination IP, Source/Destination Port, and Protocol.
6+ Months in the Environment 4 13 Extended duration within a network before detection.
Accidental disruption/destruction 1 80 In ICS, there are numerous possibilities for unintentional disruption or destruction, emphasizing the need for robust security measures.
ACE/Reliability Apps 2 59 Applications concerned with the calculation of Area Control Error and system reliability in power grid operations.
ACH (Analysis of Competing Hypotheses) 1 74 A process for evaluating multiple hypotheses to aid in decision-making and problem-solving.
ACH Process 1 70 A structured approach to analyze and compare hypotheses in decision-making.
Acquire forensic evidence 1 26 Collecting forensic quality evidence from systems involved in a cybersecurity incident.
Acquire meaningful forensic data 4 25 Gathering sound forensic data is crucial for later analysis to understand and mitigate threats.
Action 3 80 The operation to perform when a rule condition is met, such as alerting
Actionable Intelligence 1 90 Intelligence that can be used directly to guide decisions or actions.
Actions on Objectives 1 58 Final stage where the attacker achieves their goals within the network.

Active Cyber Defense Cycle 5 6 A methodology emphasizing safe threat manipulation and learning within an ICS environment.
Active Cyber Defense Cycle 1 30 A mental model for finding and responding to cyber threats through five key steps.
Active Cyber Defense Cycle (ACDC) 1 24 A framework for identifying and responding to threats in ICS environments.
Active Defense 2 120 Measures including incident response and manipulation of architecture to counteract attacks like Havex.
Active Defense 3 16, 58 Includes activities like incident response and is essential for a comprehensive security posture.
Active Defense 1 7, 19, 20, 21, 22, 23 A strategy that includes measures to prevent, detect, and respond to threats.
Active defense 1 5, 18 An approach focusing on taking proactive measures in incident response.
Active Defense 4 7, 14 A strategic approach to defending systems by taking proactive measures.
Active Directory / Domain Controller 2 85 A critical infrastructure component that can be a vulnerability point from IT to OT networks.
Active Safety System 2 32 A technology or physical mechanism designed to automatically prevent or mitigate safety hazards.
Active Safety Systems 2 30 Systems that require electronic feedback and may control processes at specific setpoints.
Active Scanning 2 24, 29, 33 A method of asset identification varying in risk and information retrieval capabilities.
Activity Group 1 62 A method of clustering related cybersecurity events or intrusions to improve detection and analysis.
Activity Groups 3 39 Tracked threat groups and their observed TTPs in the context of industrial cyber threats.
Activity Groups 1 60, 61, 64 Clusters of intrusions grouped by threat intelligence to focus on specific characteristics.
Additional security protocols for staff 4 60 Implementing measures like two-factor authentication and secure password policies.
Advanced Adversaries 1 136 Entities with full-time roles focused on exploiting targets for future capabilities without causing physical harm.
Advanced intrusion attempts 2 5 Failures of traditional defenses to detect or prevent complex cyber threats.
AdvantOvation Interface Gateway 2 130 A gateway device for one-way communications between systems.
Adversary ICS Knowledge 3 9 An adversary's possession of knowledge on both IT and ICS environments suggests an elevated threat capability.
Adversary Tactics, Techniques, and Procedures (TTPs) 1 27 Key behaviors and methods used by attackers, useful for threat intelligence.
Adversary Tactics Awareness 5 20 Recognizing that improper malware handling can alert adversaries, prompting them to alter their strategies.
AGC (Automatic Generation Control) 2 52 Level 2 system control for optimizing power plant operation.
AIDE (Advanced Intrusion Detection Environment) 4 42 A tool for checking file and directory integrity, particularly useful in *nix environments.
Page 1
Air-gap jumping malware 1 115 Malware that can bridge isolated (air-gapped) networks, typically via physical means like USBs.
Air-gapped network 1 11 A security measure to physically isolate a network to prevent unauthorized access, bypassed by Stuxnet.
Air-gapped networks 1 85 Highly secure networks isolated from unsecured networks to prevent cyber attacks
Alerts 3 57 Short description of unexpected events indicating potential security issues.
Alternatives 5 49 Enables OR-styled Boolean comparisons within hex patterns.
Altitude Valve 2 32 A valve that controls water flow into a tank based on the water level, closing when a certain height is reached to prevent overfilling.
Analysis of Competing Hypotheses (ACH) 1 65 A structured analytical technique helpful in decision making.
Analytical Breadth 3 41, 42 Coverage of all tactics/techniques used by a threat
Analytical Breadth (A-B) 3 42 Description of covering across various tactics and techniques for threat detection
Analytical Depth 3 40, 41, 42 Expanding detection capabilities to catch a wider array of similar threats.
Analytical Depth (A-D) 3 42 Description of having multiple detections for the same tactic or technique
Analytical Leap 1 53 Going beyond evidence to discern unknowns in intelligence analysis.
Analytical Problem 1 62 Defining the specific cybersecurity issue or requirement that needs to be addressed.
AnalyzePDF 4 85 A Python script that enhances PDF analysis by utilizing YARA rules for detecting malicious content.
Antivirus Farm 5 25 A collection of virtual machines each running different antivirus software to analyze suspect files in ICS environments.
APDU (Application Protocol Data Unit) 2 92 Divided into APCI and ASDU for information control in IEC-104.
APT Campaign 4 81 Advanced persistent threat campaigns often use sophisticated techniques like phishing to breach networks.
APT campaign 4 87 An advanced persistent threat targeting members of a specific community.
Architecture 1 17, 19, 88 Designing and maintaining a secure network infrastructure, including supply chain security.
Area of Responsibility (AOR) 2 20 A defined area within an ICS environment where one has responsibility for network security
ARP 2 63, 68 A protocol used for mapping an IP address to a physical machine address
ARP Spoofing 3 63 A technique where an attacker sends fake ARP messages over a network to associate their MAC address with the IP address of another host.
ARP Tables 2 26, 27 Reveal MAC and IP pairings, identifying registered and rogue devices on the network.
Asset communication identification 2 132 Importance of recognizing how assets communicate within ICS for efficient assessments.
Asset Discovery 4 41 Identifying and documenting hardware and software assets in a network.
Asset ID 3 27 The process of identifying devices within an ICS network.
Asset Identification 2 18 A practice to understand and catalog assets within ICS environments for enhanced security and visibility.
Asset Identification 3 65 Identifying and mapping control system assets and network architecture for monitoring
Asset Inventory 2 17, 22, 33 The comprehensive list or database of assets (hardware, software, firmware) within an organization's ICS environment.
Asset Inventory 3 70 A comprehensive list of an organization’s IT assets within the network for monitoring and managing purposes.
Attack Surface 2 17 The aggregate of all possible points where an unauthorized user can try to enter or extract data.
Attack trends 1 116 Observations in cybersecurity threats that help in understanding the threat landscape.
Attack Vector 2 117 Using interfaces to pivot between ICS and enterprise networks.
Attack vectors 1 139 Concise paths or methods an attacker might use to breach a system.
Automated Collection 3 25 Automatically gathering data from various sources for analysis or action
Automated Malware 5 21 Malware that operates on automation or preplanned commands, which can be manipulated by altering its environment.
Automated Malware Analysis 5 34 A method to quickly assess malware by running it in a virtual environment and recording various activities.
Automated malware analysis 4 86 An efficient method for analyzing potential malicious activities within files.
Automated Malware Analysis Sites 5 35 Websites that allow submission of files for malware analysis.
Automatic Anomaly Detection 3 33 Machine learning techniques to identify deviations
Automatic Generation Control 2 51 Controls to balance power supply and demand, preventing overloads.
Automation Footprint 3 16 The extent to which automation is utilized in security operations and threat detection.
AVR (Automatic Voltage Regulator) 1 36 A device that regulates voltage to ensure stable electrical power generation.
BACnet 2 97 A protocol primarily used in building automation and data center systems.
Balancing Mode 1 36 A state aiming to match electricity generation with load demand to ensure system stability.
Ballast Control System 2 138 A system critical for maintaining the stability and buoyancy of offshore oil rigs.
Bandwidth Spikes 3 88 A sudden increase in network data transfer rates that may indicate unusual activity.
Banners 2 76 Contain device-specific information like make, model, and firmware.
Baseline Information 4 42 A crucial starting point for incident response, involving asset and software inventories and network flow data.
Baselines 3 86 Established measurements of normal operations in an ICS environment to aid in identifying anomalies.
Behavioral analysis 5 41 Analysis based on the behavior of malware to supplement when automated analysis fails.
BlackEnergy 5 17 Malware used to infiltrate ICS networks and gather intelligence
BlackEnergy 3 48 A piece of malware used by cybercrime groups and for DDoS attacks.
BlackEnergy YARA Rule 5 54 A specific YARA rule used by ICS-CERT to identify malware related to BlackEnergy.
BlackEnergy YARA rules 4 14 Previous rules designed to detect specific threats within an ICS environment

BlackEnergy2 5 52 Malware targeting ICS, discovered in 2014 with data destruction capabilities.
BlackEnergy2 and 3 3 52 Espionage toolkit incorrectly associated with Ukraine power outage, highlighted for ICS environment access without destructive capabilities.
BlackEnergy3 4 11 A specific malware used in the cyber attack against Ukrainian power facilities.
BTC Pipeline 1 109 A cyber-attack example involving exploitation of internet-connected surveillance equipment, leading to an over-pressured explosion.
Building Your Lab 4 54 The process of creating a controlled environment for testing tools and training incident response personnel.
C2 (Command and Control) 3 103 The means by which adversaries control compromised systems within a target network
C2 Ports 5 57 Command and control server ports used by malware.
C2 Server 2 114 A server controlled by attackers used to receive stolen data or send instructions to compromised systems.
C2 server 4 88 Communication with a command and control server indicated by network traffic analysis.
C2 servers 2 113 Command and control servers used by malware for communication and control.
Capability, Intent, and Opportunity 1 50 A formula for evaluating threats in cybersecurity.
Capture Memory 4 39 Collecting volatile data from system memory for forensic purposes.
CART methodology 1 93 A simple methodology for measuring threat intelligence: Complete, Accurate, Relevant, and Timely.
Causal Analysis 1 67 A method of identifying the cause and effect relationship between different elements in cybersecurity incidents.
Causal Relationship 1 66 A conclusion that assumes a cause-and-effect link between two events mistakenly.
Centrifuge Drive System 1 25 Control system for centrifuges, potential target in cyber-attacks on industrial environments
Chain of Command 4 51, 52 A structured hierarchy defining roles in incident response.
Chain of Custody 4 29 Documentation noting evidence details, handling, and possession history.
Change Management 3 110 Procedures for implementing and managing changes securely
Characterizing the threat 4 28 A process to understand and manage the nature of a cybersecurity threat.
Checklists 4 54 Used to ensure all necessary steps are followed during an incident response, enhancing effectiveness and coordination.
Chokepoints 3 64, 65, 66 Strategic points used to monitor and control network traffic for security purposes.
CIA Triad 1 112 The foundational model of Information Security emphasizing Confidentiality, Integrity, and Availability.
CIMPLICITY SCADA 3 49 A SCADA system by GE targeted by specific malware variants
CIP 2 98 Protocol used within EtherNet/IP for data transfer and device communication
Cloud connectivity 2 136 The ability of devices and systems to connect and interact with cloud computing services.
Cloud Resources 4 97 Involving vendors in checking for compromises and acquiring digital evidence.
cmdline 4 110 Prints what was accessed via the command line

CMF 2 39 A framework used for organizing and understanding data sources in cybersecurity operations
CMF (Cybersecurity Maturity Model Certification) 3 23 Framework aiding in understanding and organizing security efforts.

CMF Adaptability 2 43 Configuration Management Frameworks (CMFs) enable customizable security configurations.

CMF Development Process 2 37 A structured approach to creating and maintaining a Cybersecurity Maturity Model Framework.
CMFs 2 44 Collection Management Framework: a tool for organizing security controls and collection requirements.
Collect and Document 2 20 Gathering and recording detailed information on ICS assets and network connections
Collection 1 44 The step in the Intelligence Life Cycle focused on gathering data.
Collection agent 3 69 A tool deployed on hosts to collect and forward logs for monitoring
Collection Gaps 3 16 Identifying the deficiencies in data collection which could prevent the detection of threats.
Collection Gaps 2 42 Identifying deficiencies in data collection to enhance detection capabilities.
Collection Management Framework 2 33, 34, 35 A strategy for gathering, storing, and using data efficiently in ICS environments.
Collection Management Framework 3 42 A system or process for managing data collection efforts to improve detection and response capabilities.
Collection Plan 2 39 A strategy for gathering data needed for security analysis in an ICS environment
Combined Arms 1 23 Integrating various defense systems and sensors to maximize strengths and minimize weaknesses in network security.
Combined Cycle Generation 1 35, 36 A power plant system where two types of turbines, gas and steam, are used to increase efficiency.
Command and Control 3 25 A technique used by malware to maintain communication with an attacker's server
Command and Control (C2) 4 11 The method by which attackers maintain communication with compromised systems within a target network.
Command and Control (C2) 1 58, 82 Establishing a channel to remotely manage compromised systems.
Command and Control (C2) server 4 87 A server used by adversaries to maintain communication with compromised systems.
Command and Control (C2) servers 2 107 Servers used by Havex for remote access, control, and data exfiltration.
Command and Control (C2) Servers 1 12 External servers used by Stuxnet during its initial stage to collect data about Industrial Control Systems.
Command and Control (C2) Servers 3 49 Servers used by attackers to maintain communication with compromised systems
Command and Control (C2) Servers 4 80 Servers that manage compromised systems part of a botnet.
Commenting in YARA rules 5 56 Facilitates understanding and operational use of the rule by analysts.
Common Industrial Protocol (CIP) 2 87 Protocol carried via EtherNet/IP containing header and payload frames for communication.
Community support 1 138 Importance of cautious sharing in ICS forums.

Compensating Controls 2 15 Security measures that are put in place to mitigate risks when primary controls are not feasible
Conficker 5 14 Malware that halted a steel facility network in Brazil when accidentally brought in via USB.
Conficker Worm 3 62 An untargeted malware that can cause significant disruption in Industrial Control Systems.
Configuration Analysis 2 26 Configurations indicate how systems or networks are intended to function.
Configuration Analysis 3 30, 32, 35 An environmental approach to detect changes in system/network configurations.
Configuration data 3 37 Best source of alerts for performing forensics
Configuration File Analysis 2 23 Validates connected assets through analysis of configuration and engineering documents.
Configuration issue 3 97 Issues that can be quickly remediated without an Incident Response process.
conn.log 3 93 Logs connections between two network assets, revealing communication patterns.

Consequence Analysis 2 15 Evaluating potential impacts of compromises to understand and prioritize security responses
Contain and eradicate threats 4 25 Prioritizing the containment and eradication of threats, especially with the aid of engineers and system architects in an ICS environment.
Containment 4 22, 27 Contain the intrusion and malware
Continuous Monitoring 3 27 Ongoing surveillance of network activity to detect and respond to threats.
Control Center 2 58 A central location for monitoring and controlling the electric system.
Controller Logs 4 117 Logs that can indicate errors and issues on controllers.
Corporate Negligence 2 14 Failure of an organization to meet the standard of care that a reasonable entity would observe in a specific situation.
Corporate negligence 2 8 The failure of a company to follow safety protocols, resulting in disaster.
Corporate web server IP addresses 1 129 These can often be targeted for attacks as they might be connected to ICS networks.
Correlation 3 57 Process of linking related alerts across the network to provide context and enhance understanding of security incidents.
COTP 2 94 An ISO-based protocol designed to work within TCP for packet-based data transmission.
Covellite 1 63 A sophisticated implant targeting North American electric grid operators.
CRASHOVERRIDE 1 106 Fourth-ever tailored malware for Industrial Control Systems providing key takeaways and tradecraft focus.
CRASHOVERRIDE 5 17 Malware with knowledge of operations to disconnect transmission substations
CRASHOVERRIDE 4 75, 76 The first malware designed to disrupt electric grids.
CRASHOVERRIDE Framework 4 74 A specific malware framework designed to target electric grids.
CRASHOVERRIDE malware 4 73 Malware used by ELECTRUM in the 2016 Ukraine power grid attack.
Create Disk Image 4 39 Creating an exact copy of a system's hard drive for analysis.
Credential Harvesting 4 12 A method for attackers to gather legitimate user credentials to access systems.
Critical Thinking 1 65 Critical thinking is essential for effective analysis in cyber intelligence.
Cross-border Legal Considerations 4 32 Laws affecting evidence collection across different jurisdictions.
CrowdResponse 5 51 A tool that leverages YARA rules for quick data analysis
Crown Jewels 2 15 Components critical to the operation of an environment, the focus of protection efforts
Crown Jewels Analysis 2 38 A method to identify the most important assets that need protection.
Cryptocurrency 2 81 Facilitated anonymous payments and increased the scale of ransom demands

Cryptographic Routines 5 28 Essential for understanding obfuscation practices in malware through manual code reversing.
Cuckoo Sandbox 5 38, 39, 40 An open-source sandbox solution for malware analysis
Custom Sandboxes 5 34 Customized virtual environments for detailed malware analysis tailored to specific ICS architectures and settings.
CVE-2010-0188 4 89 Vulnerability in Adobe Reader exploited by malicious PDF files.
Cyber Kill Chain 1 58 A structured analytical technique to analyze intrusions across seven stages.
Cyber Threat Intelligence 1 52 Analyzed information related to adversaries with intent and capability to harm.
Cyber Threat Intelligence (CTI) 1 30 Information about cyber threats and actors that helps inform defense strategies in ICS.
Cyber-Attack on Infrastructure 4 9 An unauthorized digital attack aimed at causing disruption to physical systems and infrastructure.
Cyber-attack on power grid 4 72 Describes a significant cybersecurity incident affecting the energy sector.
CyberLens 2 141 Educational tool used for asset identification in SANS classes
Cybersecurity concerns 3 112 The concerns associated with vendor and OEM connections into operational technology networks.
Data Coverage 2 43 Indicates the extent and granularity of data analysis.
Data Flow Maps 2 137 Document the type and volume of normal data flow beyond mere connections.
Data Gaps 2 41 Identifying and addressing missing data that could hinder detection and response efforts.
Data Historian 4 119 Historical and statistical data used for anomaly detection in ICS environments
Data Historian 2 35 Systems used to collect, store, and retrieve production and process data over time for analysis and reporting in industrial environments.
Data Historian 3 60, 61 Collects and logs all process data in an industrial environment.
Data servers 2 134 Centralized repositories for storing and managing data.
DC Tie Lines 2 46 Used for limited energy flow between different power interconnections, converting AC to DC and back to AC.
DCE/RPC 2 93 Identifying this can help identify OPC communications in an ICS environment.
DCOM/RPC Vulnerabilities 2 115 Highlights security risks associated with using DCOM/RPC in OPC communication
DCS (Distributed Control System) 2 124, 126, 129 A control architecture used in complex automation environments.
dd 4 37 A command-line utility for data duplication and transformation in Linux.

DD and Netcat 4 33 Lightweight tools for digital image collection over networks.
Debugger 5 29 Steps through assembly code to reveal function calls and variables.

Dedicated ICS Intelligence 1 92 Intelligence services or reports specifically focused on the security of Industrial Control Systems.
Deep Packet Inspection 2 142, 148 A method to analyze network traffic in detail, identifying IT and ICS protocols.
Deep Packet Inspection 3 83 Analysis technique for detailed network packet inspection

Deep Packet Inspection (DPI) 3 62 Analyzing the data part of a packet as it passes an inspection point to identify malicious traffic.
Default IP addresses 1 128 The use of factory-set IP addresses which may not be changed, posing a security risk.
Delivery 1 58 The transmission of the weaponized bundle to the victim.
Denial of Service 4 12 Attack designed to overload services, preventing legitimate access or functionality.
Descriptive Analysis 1 66 Describing observed information without interpreting it.
Design to Commissioning Life Cycle 3 59 A process ensuring process and equipment-specific information supports risk analysis and security schemes in ICS.
Detect intrusion attempts 3 55 Identifying unauthorized access or exploration attempts in ICS/SCADA systems.
Detection across Kill Chain 3 43 Ensuring detection capabilities are deployed across all stages of the ICS Cyber Kill Chain to identify adversarial actions.
Detection Across Kill Chain 3 43 The importance of having detection capabilities at every stage of the ICS Cyber Kill Chain
Detection Strategy 3 17 Development and implementation of methods to detect security threats.
Detection TTPs 2 85 Identifying threat tactics, techniques, and procedures through network analysis.
Determining Requirements 4 47 Identifying what is necessary to protect and respond effectively in an ICS environment.
Deterministic stable environments 3 109 A description emphasizing the importance of maintaining operational consistency in ICS environments.
Develop a Collection Plan 2 37 Building the CMF based on existing knowledge and documentation.
Develop New Requirements 2 37 Identifying the purpose, risks, and problems for creating a CMF.
Develop phase 3 52 Initial stage in an ICS cyber attack, emphasizing access without direct harm.
DHCP 2 73 Protocol for automatic IP allocation in networks including ICS environments
Diamond Model 1 60, 90 A framework for analyzing cyber intrusions and understanding the relationships between adversary, capability, infrastructure, and victims.
Digital Evidence Acquisition 4 34 Ensure tools tested, coordinate with staff, use proper media for collection
Digital Forensics 4 7, 16, 18, 19, 20 The meticulous process of collecting and analyzing digital evidence following an incident.
Digital Hash 5 31 A unique identifier of a file's content.
Digital Hash Comparison 1 115 A method for ensuring the integrity of software or firmware by comparing expected and actual cryptographic hashes.
Digital Image 4 29 A digital copy of system resources including hard drive, memory, and network connections.
Digital Imaging/Acquisition Tools 4 54 Critical for creating forensic copies of digital evidence during an incident response.
Digital Input / Relay Output module 4 67 A component that bridges physical switches and software control systems in an ICS environment.
Digital transformation 2 136 Initiatives to incorporate digital technology into all areas of a business, leading to fundamental changes in operations.
Direct interaction 5 13 Access and manipulate control systems directly after initial access, without using malware.
Direct interaction threats 5 18 Threats without malware aiming to manipulate processes and cause physical harm.
Disable unused features 4 60 Deactivating unnecessary services to minimize potential entry points for attackers.
Disassembler 5 29 Translates binary files into human readable assembly code.
Disconnect Internet access 4 60 Eliminating external access points to reduce attack vectors.
Discovery and Configuration Protocol (DCP) 2 96 A protocol used by PROFINET for device naming and configuration.
Dissemination and Integration 1 45 The process of distributing intelligence and incorporating it into defensive operations
Distributed Control System 2 51 A system for managing complex, distributed processes and automation.
Distribution Automation 2 57 Technologies used in the field to automatically respond to changing system conditions.
Distribution Management System (DMS) 2 133 A system used to improve downtime, efficiency, and supervisory control over electricity distribution.
Distribution Security 4 10 Importance of securing the distribution aspect of power grids, often considered the vulnerable point.
Distribution Substations 2 56 Substations that step down the voltage for various customer needs.
Distribution System 2 48 Delivers electricity to consumers

Distribution Systems 2 56 Systems that receive electricity from transmission systems and distribute it to end customers.
Diverse Team Composition 4 53 The importance of having a team with varied backgrounds to prevent group-think and enhance perspective in incident response.
DLL Injection 1 14 A method used by malware to insert malicious code into running processes.
DMZ (Demilitarized Zone) 3 68 A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network.
DNP3 3 76 A protocol identified in detecting unauthorized write requests to PLCs in industrial control systems.
DNP3 2 91, 100 A commonly used protocol in electric and water utilities for configuring devices and data exchange.
DNP3 and Modbus TCP preprocessors 3 78 Preprocessors used by Snort to analyze SCADA network traffic for anomalies.
DNP3 Preprocessor 3 74 A Snort preprocessor designed for dissecting and generating signatures for DNP3 traffic.

DNP3 Protocol 1 103 A set of communication protocols used between components in process automation systems.
DNP3 Unauthorized Write Request 3 77 A Snort rule to detect unauthorized write requests to PLCs in SCADA systems.
DNP3.0 2 55 Distributed Network Protocol, a communication protocol used in SCADA systems.
DNS 2 71 Resolves hostnames to IP addresses
DNS Exfiltration 3 31 Stealing data by disguising it as DNS traffic to bypass security measures.
dns.log 3 93 Focuses on DNS communications between assets, aiding in network traffic analysis.
Documentation of Assets 2 21 Maintaining records of assets and network connections, including historical data for future reference.
Domain Expertise 3 21 Your understanding of the problem based on experience.
Dragonfly 2 106, 118 Threat group focusing on espionage, particularly in the industrial sector post-2013.
DRAGONFLY 3 19, 20, 24 A threat actor targeting electric, mining, and petrochemical companies within ICS networks
Dragonfly 2.0 2 122 Re-emergence of hacking group targeting US electric companies in 2017.
DRAGONFLY TTPs 3 23 Tactics, techniques, and procedures of the cyber threat group DRAGONFLY.
Dragos Navigator 3 39 A public/free tool for aligning threat group activities with mitigation and detection efforts in ICS environments.
Dual Feed 2 57 A system design with two circuits from different substations providing power, with one circuit as backup.
Dual Homed Systems 2 25 Systems with multiple network interfaces or connections, important in asset identification.
DumpIt 4 36 A command line tool developed by MoonSols for memory acquisition on Windows systems.
Dwell time 1 80 The duration attackers remain undetected within an ICS environment can significantly impact the success of high confidence attacks.
Dwell Time 1 94 Reducing the time adversaries spend undetected in the network.
Dynamic Load Management 2 58 Adjusts power demand in response to supply conditions.
East-West Traffic Analysis 4 79 Monitoring internal network traffic to identify anomalies or threats that bypass perimeter defenses.
East/West Traffic 3 67 Analysis focusing on internal network communications, particularly important in ICS environments.
Edge Devices 2 85 Key network devices like Firewalls and Remote Access Points crucial for ICS security.
eFiveVPN 2 112 Provides connectivity to diverse industrial devices across networks
EKANS 2 83 A ransomware family specifically tailored to target Industrial Control Systems.
ELECTRUM 4 76 The activity group responsible for the deployment of CRASHOVERRIDE.
ELECTRUM (Activity Group) 4 73 The Activity Group involved in the 2016 Ukraine CRASHOVERRIDE malware attack.

ELK 3 85 A combination of Elasticsearch, Logstash, and Kibana used for log management and analysis.
Email Spoofing 4 81 The creation of email messages with a forged sender address, often used in phishing scams to trick recipients.
Embedded in Installers 2 109 Malware delivery method via compromised vendor websites targeting ICS environments
Emerson Ovation 2 131 An architecture for managing and controlling Concentrated Solar Power plants.
Emerson Ovation Control Systems 2 130 A specific control system used in industrial environments.
Encrypted C2 Detection 3 92 Identifying potentially malicious encrypted command and control traffic
Endpoint port and services hardening 3 111 Securing network endpoints by managing ports and services.
Endpoints 2 66 Specific network points viewed in Wireshark to understand traffic sources and destinations.
Energetic Bear 2 118 Campaign attributed to the Russian Federation.
Energy Management System (EMS) 2 133 Focuses on increasing efficiency and maintaining balance in electricity generation and transmission.
Enforce change control 3 55 Ensuring policy compliance via visibility and monitoring.
Engineering documents theft 3 22 The act of stealing sensitive documents that detail the design and function of ICS systems.
Engineering Workstation Compromise 3 40 A focus point for creating specific detections in an ICS environment.
Engineering Workstations 4 116 Engineering workstations, especially with mobile capabilities, play a crucial role in ICS environments for process and system management.
ENISA's Guide for CERTs in ICS 4 21 Good practice guide for incident response in Industrial Control Systems.
Enterprise Networks 1 114 Evaluate vulnerabilities and interconnections to secure ICS networks.
Enterprise SIEM 3 91 Centralized management of security alerts and logs for both IT and ICS environments.
Entropy check 5 33 A method to determine the randomness of code to identify if it is obfuscated or packed.
Environment Considerations 5 22 Changes in the ICS environment should be carefully planned and coordinated to avoid impacting operations.
Environment Manipulation 5 21 Delay attackers and buy defenders some time by introducing changes to the operational environment.
Equip Phase 3 23 Determining people, process, and technology aspects for a security hunt.
Eradication 4 22 Eliminate the malware
Eradication and Recovery 4 27 Neutralizing the threat and restoring systems to normal operation
ERP system 2 135 Manages business processes like order fulfillment and shipping.
EtherNet/IP 1 134 An industrial network protocol used for real-time data collection and control.
EtherNet/IP 2 98, 139 Application layer protocol common in manufacturing networks

Ethernet/IP CIP Queries 2 99 Use of protocol queries to yield asset information in Industrial Control Systems environments.
Ethernet/IP Profiling 3 27 Technique used to identify control devices on a network.
Evaluation and Feedback 1 45 A continuous part of the Intelligence Life Cycle where the usefulness and fulfillment of intelligence are assessed.
Evidence Acquisition 4 26 Focus on maintaining operations while gathering sufficient evidence for later forensic analysis.
Evidence assessment 1 73 The process of comparing evidence against hypotheses to identify support or contradictions.
Evidence Collection 1 72 Collecting all available evidence before analysis to avoid confirmation bias.
Evidence/Incident Handlers 4 51 Execute response plan and acquire digital evidence.
eWON Devices 2 112 Direct access to L2 and below devices in ICS networks
Executable File Validation 5 58 A process to check whether a file is an executable and meets specific conditions such as a size limit.
Execute ICS Attack phase 1 86 The phase where malware actively manipulates industrial processes to cause physical damage.
Execution Chain 4 105 Understanding how processes should logically spawn reveals anomalies.
Exfiltration 1 82 The process of adversaries extracting data from a target network.
Exfiltration Detection 3 92 Identifying data exfiltration attempts through various methods such as DNS queries, HTTP POSTs, and FTP PUT commands.
ExifTool 5 32 Extracts file metadata like creation path, time, and zone
Expanding Threat Landscape 1 64 Mentioned as an aspect defenders must understand in ICS security.
Experion system 1 133 A specific control system mentioned in the context of a vulnerability notice
Exploit Databases 1 120 Publicly accessible databases where vulnerabilities and exploits are documented.
Exploit Kits 1 136 Ready-made tools for purchase used to carry out cyber attacks.
Exploitation 1 58 Taking advantage of vulnerabilities to execute code on the victim’s system.
Exploratory Analysis 1 66 Identifying relationships and connections between data points.
Factory Acceptance Test (FAT) 3 59 A verification process for security features in ICS prior to deployment
False Positive 3 34 The incorrect identification of benign activity as malicious

False Positives 5 50 Incorrectly identifying benign activity as malicious, impacting the efficacy of security measures.
False-positives 3 97 False positives consume most of the time in NSM due to improperly tuned sensors.
Feature Selection 1 62 The process of determining and weighing the importance of various event features in cybersecurity analysis.
Ferrett 2 141 A Rockwell-specific tool for identifying Rockwell devices
Field of View Bias 1 48 A concept denoting the limited perspective an organization has on cyber threats based on its specific operational environment and intelligence collection capacities.
Field Point Verification 3 117 Checking the physical or operational points in a facility to troubleshoot issues.
Field-of-view bias 1 101 An oversight in data analysis, potentially skewing results toward specific sectors.
File Analysis 3 99 Inspecting files to detect malicious content or behavior.
files.log 3 93 Records all files transferred through network traffic, essential for monitoring file movements.
Firewall 3 68 A network security device that monitors and filters incoming and outgoing network traffic based on an organization's previously established security policies.
Firewall Configurations 2 27 Details how firewalls manage traffic and secure network borders
Firewall Log Analysis 3 26 Review firewall logs to detect abnormal activities or potential security breaches.
Firewall Unfriendly Protocol 2 115 Describes OPC's challenges with firewall segmentation and security
Firmware manipulation 1 116 A security threat where firmware updates are altered to compromise devices.
Firmware Modification 3 90 A change to device software that can enable unauthorized access or control.
FIRSTs Incident Handling Teams Guide 4 21 Recommendations for creating and managing security incident handling teams.
Five Tuple 2 140 A group of five specific components (source IP, destination IP, source port, destination port, protocol) crucial for network communication analysis.
Flare Stack 2 9 A safety and economic device for burning off undesirable or over-pressurized gas.
Flare Tower 2 11 A safety device to burn off flammable gas released by pressure relief valves during overpressure situations.
Flat Network 3 63 A network architecture with little or no segmentation, making it vulnerable to lateral movement.
Flexible AC Transmission (FACTS) 2 53 Devices that enhance the controllability and increase the power transfer capability of the transmission network, utilized in substations for power stability.
Flow Data 3 86, 87 A source of network traffic data that can indicate communication patterns within an ICS environment.
FlowBAT 3 87 A graphical interface tool for analyzing network flow data
FMEA 5 9 A systematic method for evaluating processes to identify where and how they might fail
Forensic Analysis 4 57 Should be performed away from the War Room to avoid distractions and maintain focus.
Forensic Quality Evidence 4 7 High-integrity data collected for in-depth analysis during incident response.
Forensic Science 4 16 The broader field encompassing various methods of gathering and analyzing evidence.
FTK Imager 4 38 A software tool for data imaging and preservation in forensic investigations.
FTK Imager Lite 4 37 A digital acquisition software used for collecting evidence off a machine.
FTK Imager Metadata 4 40 A tool used to acquire and analyze digital evidence, stating the importance of metadata for verifying contextual information.
FTP 2 76 A network protocol for transferring files between systems.
Fuel Valve Control 3 113 Adjusting the control of fuel valves to optimize energy production.
Full Content Data 3 56 Complete packet capture of network data.
Fully automated analysis 5 42 Utilizing software tools to automatically analyze properties and actions of malware.
Fully-automated analysis 5 27 A method focusing on using automated tools for malware analysis.
Function Code 2 89 Part of Modbus TCP, indicates the type of action to be performed.
Function Code 90 in ModbusTCP 1 95 An example showing how an attacker might use existing functionality to compromise a system, negating the need to exploit certain vulnerabilities.
Function codes 2 91 Identifies actions within the DNP3 protocol such as reading, writing, or starting applications.
Gas Scrubber 2 9 An industrial process device for cleaning waste gas.
Generation, Transmission, and Distribution 4 10 Three main components of power grids, highlighting the focus areas in power system security.
Generation Step Up Transformer 2 48 Increases voltage for transmission efficiency

German Steel Works ICS Cyber Kill Chain 3 13 A specific example of a cyber attack on an Industrial Control System environment.
glassRAT 5 57 A Remote Access Trojan example.
Global rule 5 48 A rule condition in YARA that applies globally to tailor sets of matching rules.
Global supply chain 2 60 A network essential for providing materials and operational components to power utilities.
Google Dorking 1 122 Searching for PR documents using specific Google search strings can reveal sensitive information.
GRASSMARLIN 2 141 Open source tool developed by NSA for ICS network mapping
Group access changes 3 111 Modifications to the access rights or permissions of a user group.

Hacking Back 1 20 Not considered an appropriate or effective component of active defense within ICS networks
Hard-coded Backdoor 1 50 A covert pathway into a system that bypasses normal authentication mechanisms.
Hardcoded C2 Servers 3 25 Specific servers predefined within malware for command and control communications
Hardcoded passwords 1 128 A common security weakness where default or hardcoded credentials in devices can be exploited by adversaries.
Hash 4 29 A cryptographic function acting as a digital fingerprint.
HAVEX 2 106 Second discovered malware specifically tailored for Industrial Control Systems.
Havex 2 107, 109, 110, 118, 120 A Remote Access Trojan specifically targeting Industrial Control Systems.
Havex 1 116, 137 A specific malware targeting Industrial Control Systems.
Havex 5 17 Malware used for scanning OPC environments for intelligence-gathering in ICS
HAVEX 3 24, 27 Malware that targets industrial control systems.
HAVEX Communications 2 113 HAVEX malware targets ICS environments through compromised software installers.
Havex malware 1 101 A malware targeting energy and ICS environments.
Havex malware 2 111, 121 A malware campaign specifically targeting Industrial Control System environments.
HAVEX malware 3 20 A type of malware specified in threat hunting within ICS environments.
Heat Rate 3 113 The amount of fuel required to generate a unit of energy, aimed at improving efficiency.
Heuristics vs Signatures 5 25 Differentiating between heuristic-based and signature-based detections is crucial in analyzing antivirus scan outputs.
Hex Wild Cards 5 49 A method to return any value in a specified spot within a hex string.
High confidence attacks 1 80 High confidence attacks in ICS require deep knowledge of the system to cause physical damage or manipulation.
High confidence process attacks 1 111 Attacks that require deep understanding of ICS to cause physical damage or disruption.
High Voltage Transformer 2 53 A key device within substations used to change voltage levels according to the needs of the power system.
High-value IT 1 113 Describes critical IT infrastructure that shares security and operational priorities with ICS.
Highly Coordinated 4 13 A type of cyber operation involving synchronized and simultaneous actions
Historian Replication 2 52 Critical for capturing and storing historical industrial process data for analysis.
Historian Server 2 58 Archives data from SCADA systems for analysis and reporting.
Historians 2 134 Databases specifically designed for time-series data from industrial processes.
Historical Forensics Example: The Cuckoo's Egg 4 18 An early exploration into digital forensics documenting a real hacking incident.
Historical/Statistical Data 3 86 Recorded data over time that can be analyzed to detect deviations from normal operations.
HMI 4 114 Human-Machine Interface focuses on the interaction point between the user and the broader control system.
HMI 2 134 Human Machine Interfaces allow operators to interact with their systems.
HMI (Human Machine Interface) 3 10 A user interface in industrial control systems allowing interaction with machinery.
HMI (Human-Machine Interface) 2 58 Allows human operators to interact with control systems.
HMI Data Accuracy 3 115 Ensure Human-Machine Interface displays receive and show correct data.
HMI Manipulation 3 12 The act of tampering with Human Machine Interfaces that control industrial processes.
HMI Over Pressurization 4 115 A specific incident where an HMI was malfunctioning due to physical pressure, leading to unintended commands.
HMI problem 4 70 A Human-Machine Interface issue that was not resolved by traditional troubleshooting methods.
HMI Screenshots 2 122 Information targeted by Dragonfly 2.0 indicating espionage and preparatory activities for potential sabotage.
HMI w/ Piping View 2 127 A Human-Machine Interface displaying a process piping and instrumentation diagram for operational insight.
Host logging 2 44 Logging activities on devices like HMIs, EWS, and Historians for security event collection
Host observables 1 15 Critical indicators on individual machines for identifying threats
Host Registry key modifications 1 25 Tracking changes to registry keys as indicators of compromise or malicious activity
Host-Based IOCs 1 28 Specific to an endpoint, important for incident response and threat detection on individual devices.
Host-based Log Analysis 3 26 Examine logs on individual hosts for unauthorized applications or processes.
http_files.log 3 93 Specifically targets HTTP file transfers, providing focused network traffic analysis.
HTTP/HTTPS 2 75 A protocol used for accessing web pages, revealing product information in Industrial Control Systems.
Human Intelligence (HUMINT) 1 43 Gathering intelligence through human interaction and observation.
Human Operated Ransomware 2 81, 82 More targeted and sophisticated, involving direct breaches and demanding larger ransoms
Human-led, hypothesis-driven process 3 18 A description of how effective threat hunting is conducted with a strong emphasis on human direction and testable hypotheses.
Hypotheses 1 71 A method of developing initial theories to explain a cybersecurity incident within ICS environments.
Hypothesis creation 3 20 A testable proposition guiding the scope of a security hunt in ICS.
I/O Point Mapping 3 115 Review how input/output points are mapped to final control elements.
ICCP 2 55 Inter-Control Center Communications Protocol data links to Control Centers.
ICCP Protocol 4 115 Investigated for issues in communications but found to be functioning normally in this incident context.
ICCP Servers 2 59 Server systems that allow for inter-control center communication protocol operations.
ICMP 2 63, 68 A protocol used for operational information about the state of the network
ICMP type 8 3 81 Specific Internet Control Message Protocol type indicating an Echo request.
ICS Activity Group TTPs 1 97 Leveraging adversary TTPs for creating resilient threat detections beyond IOCs.
ICS Asset Identification 2 17 A process to systematically identify and catalog assets in Industrial Control Systems environments.
ICS assets 1 139 Industrial Control System components directly exposed to the internet.
ICS Attack Paths 1 115 Various routes through which Industrial Control Systems can be compromised, emphasizing the importance of reducing these paths.
ICS Capable Threat Actor Pool 1 112 A group capable of conducting ICS-specific attacks.
ICS Cyber Kill Chain 5 10 A model describing stages of cyber attack on Industrial Control Systems.
ICS Cyber Kill Chain 4 12, 76 A structured framework describing phases of a cyber attack on Industrial Control Systems.
ICS Cyber Kill Chain 3 43, 103 A structured model outlining the stages of a cyber attack targeting ICS environments.
ICS Cyber Kill Chain 1 81, 85, 87, 88, 106 A framework describing stages of cyber attacks on Industrial Control Systems.
ICS Environment 3 58 Highlighting the unique challenges and dependencies in industrial networks.
ICS escalation factors 3 104 Factors used to assess and prioritize responses to incidents in ICS environments.
ICS Experience 4 53 Experience in Industrial Control Systems essential for understanding system nuances and response strategies.
ICS Expertise 1 103 The specialized knowledge required to understand and secure Industrial Control Systems environments.
ICS Exploits 3 50 Techniques used to compromise Industrial Control Systems directly.
ICS Incident Response 4 23 Tailoring the incident response process to address unique ICS requirements and limitations.

ICS Incident Response Team 4 47 A team dedicated to responding to security incidents in Industrial Control Systems environments.
ICS Information Attack Surface 1 119 The range of information about an ICS that can be targeted or used by adversaries.
ICS Network Layers 2 69 The mention of interactions at the L2 and L3 layer highlights the importance of network topology in ICS environments.
ICS Networks 2 108 Networks specifically designed to support industrial control systems and their unique requirements.
ICS observables 1 15 Specific indicators within Industrial Control System components for threat detection
ICS Port Scan 3 25 Scanning for open ports specific to Industrial Control Systems to identify potential targets
ICS Port Scanning 3 24 Technique used to identify vulnerabilities in industrial control systems.
ICS Production Processes 3 11 Detailed knowledge of industrial control systems and manufacturing processes essential for targeted attacks.
ICS Protocol Analysis 3 92 Analyzing Industrial Control System protocols to identify unauthorized changes or activities
ICS protocols 2 100 Protocols used within Industrial Control Systems for communication and data exchange
ICS Protocols 2 90 Standards and conventions for communication within Industrial Control Systems, crucial for ensuring interoperability and security.
ICS Specific Detection 3 91 A process tailored for Industrial Control Systems to identify and respond to potential threats.
ICS tailored ransomware 2 83 Ransomware designed specifically to disrupt Industrial Control Systems environments.
ICS threat intelligence providers 1 92 Information on specialized entities offering intelligence tailored to Industrial Control Systems security needs.
ICS Topology 2 130 Understanding of the structure and layout of Industrial Control Systems networks.
ICS Victim Sharing 2 111 Highlighting the importance of sharing threat data within the ICS community.
ICS Visibility Solution 2 101 A solution deployed to analyze ICS protocols and improve incident response.
ICS vulnerabilities 2 5 Shortcomings in current ICS defenses against targeted cyber-attacks.
ICS vulnerabilities 3 5 Existing vulnerabilities in Industrial Control Systems that attackers exploit.
ICS Vulnerability Prioritization 1 95 Highlighting the misallocation of resources in prioritizing and patching vulnerabilities that pose minimal risk to ICS environments.
ICS-CERT 4 45 Organization involved in incident response and guidance
ICS-CERT 5 52 Responded to BlackEnergy2 infection with unconventional incident response measures.
ICS-CERT Advisory 1 133 A notification of vulnerabilities in Industrial Control Systems by the US government
ICS-CERT BlackEnergy YARA Rule 5 53 Guidance for detecting BlackEnergy malware in ICS environments.
ICS-specific Incident Escalation Factors 3 104 Criteria specific to ICS environments for determining the severity and priority of an incident response.
ICS-themed Malware 5 15 Discussing the prevalence of malware that, while not tailored specifically for ICS, impacts these environments significantly.
ICS/OT Networks 2 122 Increasingly sophisticated targeting of Industrial Control Systems/Operational Technology networks by threat groups.
ICS Cyber Kill Chain 1 84 A comprehensive phase-by-phase approach on how threats progress through a network targeting ICS environments.
Identification/Detection 4 22 Detect and analyze the cause of the incident
Identify changes 3 55 Monitoring for deviations from normal operations in ICS environments.
Identifying ICS Hotspots 3 66 Identification of critical points for security within Industrial Control Systems.
IDS signatures 5 37 Patterns or rules that allow intrusion detection systems to identify malicious activity.

IEC 60870-5-104 (IEC-104) 2 92 Protocol part of IEC 60870 protocols, used in electric power SCADA for monitoring and control.
IEC-104 2 100 A standard for telecontrol in electrical engineering and power system automation
IEC104 4 75 A protocol module within CRASHOVERRIDE used in the attack.
IEDs 2 54 Intelligent Electronic Devices that provide advanced monitoring and control of the system.
IEEE EtherType 0x8892 2 96 Unique identifier allowing PROFINET to skip the TCP/IP stack for faster data handling.
Impending Threat 1 50 A threat actor with both hostile intent and capability seeking an opportunity.
Implement 2 37 Establishing processes and procedures to utilize the CMF effectively.
Import modules 5 55 Enables importing of additional context like PE information or digital hashes into YARA rules for enhanced detection capability.
In-House Incident Response 4 49 Advantages include consistent access to trusted personnel and tailored plans specific to ICS requirements.
In-House Versus Outsourced 4 47 Decision-making regarding whether to develop incident response capabilities internally or hire external services.
Incident Preparation 3 16 Using threat hunting to better prepare for potential security incidents.

Incident Response 4 18, 21, 91, 118 The process of responding to and managing a cyber security incident.
Incident Response 2 5, 22 The organized approach to addressing and managing the aftermath of a security breach or attack.
Incident Response 3 5, 90 The process of managing and responding to cybersecurity incidents to minimize impact and recover from them.
Incident Response 1 83, 98 The process of responding to identified security incidents.
Incident Response (IR) 3 14, 99 Essential for managing and mitigating cyber incidents to prevent physical destruction.
Incident Response Activation 3 117 Initiating procedures to address suspicious or malicious events affecting system security.
Incident Response Coordination 5 22 In incident response, coordination with response personnel is crucial to not negatively impact operations.
Incident Response Director 4 51 Interfaces with management and prepares pre-incident strategies.
Incident Response Lab 4 55 A controlled environment for testing ICS incident response tools and techniques.
Incident Response Plan 5 11 A plan for identifying, responding to, and recovering from cybersecurity incidents.
Incident Response Planning 3 102 Planning is the key element to effective incident response in ICS environments.
Incident Response Planning 4 48 Planning for incident response based on requirements and dependencies.
Incident Response Team Composition 4 50 A few well-trained responders can effectively manage ICS incidents.
Incident Response Trained Personnel 4 53 Individuals with response expertise important for managing security incidents within ICS environments.
Incidental Malware 5 15, 16 A study showing the range of unique infections in ICS environments globally.
Incidental malware 4 28 Malware that is present but not actively affecting system operations.
Incidental malware 3 97 Malware that can be quickly remediated without initiating an Incident Response process.
Indicator feed 1 97 Use of IOCs by detection tools for identifying compromise requiring further investigation.
Indicator of Compromise (IOC) 1 45 A sign of a possible breach or intrusion into a system

Indicator Sweeps 2 40 Consuming Indicators of Compromise (IOCs) to detect threats compromising safety systems.
Indicators 3 30, 34 Specific elements identifying adversary activity, often with high contextual relevance but prone to rapid change.
Indicators of Compromise (IOCs) 4 103 Used to detect malware presence and behavior, highlighted by the Stuxnet case study.
Indicators of Compromise (IOCs) 2 120 Information used to detect and respond to cybersecurity threats.
Indicators of Compromise (IOCs) 5 23, 26, 31 Key indicators that can signal an ongoing attack or compromise within the system.
Indicators of Compromise (IoCs) 1 24 Artifacts or patterns that indicate malicious activity.
Indicators of Compromise (IOCs) 1 27, 28, 54 A method to identify and scope infections within a network.
Indicators of Compromise (IOCs) 3 37 Used for scoping an incident or seeing reach of capability
Industrial Control System Protocols 3 83 Mention of Zeek's ability to decode ICS protocols

Industrial network switches vulnerabilities 3 89 Research into vulnerabilities in industrial switches highlighting security flaws.
Industrial Plant Behavior 1 36 Describes how industrial facilities consume power, emphasizing the dynamics of load management.
Industroyer 4 74 Malware assessed by ESET to be capable of targeting various industries.
Infected Project File 3 106 A malicious file used to manipulate or disrupt the logic of a safety PLC.
Inferential Analysis 1 66 Extrapolating from a small sample to make broader predictions or conclusions.

Information attack space 1 117 The conceptual area where an organization is vulnerable to information gathering by adversaries.
Information Attack Surface 1 121 A visualization of the variety of information sources that can be exploited by an adversary or protected by a defender.
Information Sharing 4 27 Information that must be shared out during incident response for compliance, safety, or actionable info.
Information Sharing Analysis Centers (ISACs) 1 92 Organizations that facilitate the sharing of security information within specific sectors.
Initial attack vectors 4 78 Brief description of how adversaries begin their attack on ICS environments.
Insider threat 1 85 A security risk that originates from within the targeted organization
Installation 1 58 Establishing presence on a victim’s system to maintain control.
Integrated Attack 4 13 Highly coordinated and sophisticated use of multiple tools to target systems
Integrated Detection and Identification 4 26 Cooperation between NSM team and incident response to identify all impacts of a threat.
Intel Lifecycle 1 90 A process for creating and managing intelligence.
Intelligence 1 18, 49 Gathering information from infected systems for threat intelligence is legal and encouraged.

Intelligence as a Product and Process 1 43 An in-depth look at intelligence as both the outcome and the methodology in security operations.
Intelligence Driven 3 21 Using friendly or threat intelligence to guide threat detection efforts.
Intelligence Gathering 2 117 Targeting interfaces like OPC for collecting network data.
Intelligence Life Cycle 1 44, 47, 104 A formal and tested process to plan and create finished intelligence products.
Intelligence Reports 1 107 Tailored investigations or analyses designed to meet specific intelligence requirements.
Intelligence Reports for Situational Awareness 1 97 Understanding external threats to prioritize internal security measures.
Intelligence Requirements 1 53 A need for information to fill a knowledge gap or address a pain point.
Intelligence Tradecraft 1 30 The practice of collecting, analyzing, and applying information relevant to threat intelligence.
Intelligence-gathering efforts 1 128 Activities conducted by adversaries to collect information on infrastructure vulnerabilities.
Interactive behavior analysis 5 27, 42 Observing malware's actions in a controlled environment.
Interactive Behavior Analysis 5 30 The process of executing malicious files to observe their system interactions.
Internal threat intelligence 1 88 Knowledge gained from past threats and attacks to improve security measures.
International Atomic Energy Agency (IAEA) 1 9 An organization promoting peaceful use of nuclear energy and preventing nuclear proliferation.
Internet-Connected Devices 1 120 Devices connected to the internet can provide information about ICS environments.
Internet-connected PLCs 4 78 Mentioned as commonly vulnerable devices in ICS environments.
Internet-facing touch points 1 113 Points of network exposure to the Internet, which increase risk in ICS environments.
Intertie 1 36 A connection that allows for the transfer of power between systems or regions.
Interviewing operators 4 68 A method for gaining context and understanding of apparent issues in ICS environments.
Intrusion Analysis 1 52 Foundation of Cyber Threat Intelligence, focused on analyzing adversary intrusions.
Intrusion Observable Steps 3 103 Key observable steps during an intrusion, useful in identifying and responding to threats
Inventory Creation 2 29 Active scanning helps create an inventory of devices
Investigation and Blocking 3 29 Different roles security plays in IT vs. ICS environments
IOC (Indicator of Compromise) 4 44 A sign that a network or system may have been breached
IOC (Indicators of Compromise) 4 109 Artifacts observed on a network or in an operating system that with high confidence indicate a computer intrusion.
IOC (Indicators of Compromise) 5 19 Artifacts observed on a network or in an operating system that with high confidence indicate a computer intrusion.
IOC checks 3 82 A method to identify potential security threats based on observables in network traffic.
IOC usage during incident response 3 84 Indicator of Compromise (IOC) is used in incident response scenarios for quick rule creation in Snort.
IOCs 5 37 Indicators of Compromise are artifacts observed on a network or in operating systems that with high confidence indicate a security breach.
IOCs (Indicators of Compromise) 5 50 A key concept in identifying cybersecurity threats by analyzing compromised system indicators.
IP Address Attribution 1 103 The practice of identifying attackers based on their IP addresses, which can be misleading.
iptables -L 2 27 Command to view Linux firewall configurations.
IRT (Isochronous Real Time) 2 96 Protocol level for applications requiring cycle times of less than 1ms.
ISO-TSAP 2 94, 95 Carrier protocol used in ICS environments, often for Siemens S7 or ICCP protocols, runs on TCP port 102.
IT Attacks 1 112 Incidents that can impact ICS through interconnected IT systems.
IT Discovery Protocols 2 63 Protocols containing information for identifying network assets and information about them
Job Descriptions and Skills 1 131 Describes specific ICS network requirements and potential vulnerabilities exposed through job postings.
Jump 5 49 Allows a range to be declared within hex sequences for matching rules.
Jump Kit 4 54 A collection of essential tools and equipment for incident response in an industrial control systems environment.
Just in Time Generation 2 46 A strategy to balance the supply and demand of electricity in real-time.
Kill Chain 1 57, 59, 90 A deterministic seven-step process adversaries execute to successfully accomplish their mission in network intrusions.
Kill Chain Model 4 43 A framework that outlines the phases of a cyber attack from reconnaissance to objectives achievement.
KillDisk 4 14 Malware that can disable or destroy systems, often used in cyber attacks against ICS environments.
Known Good Logic 3 116 Downloading previous working system logic to restore normal operations.
Known Good Logic File 3 117 A file restored to a trusted state that may not reflect current system operations or data.
KnowYourself 2 18 A concept emphasizing the importance of comprehensive knowledge of one's ICS for effective defense.
Lack of evidence 1 74 A lack of evidence does not necessarily indicate that there is no threat present.
Lateral Movement 1 12 The process of moving from one compromised host or network to another within a victim's environment.
Lateral Movement 4 14 The technique attackers use to move through a network in search of key assets or data
Lateral Movement 3 67 Adversary techniques for moving through a network, crucial for detecting unauthorized access and manipulation of control systems.
Layer 8 issue 1 115 Describes human error as an unofficial layer in the OSI model, contributing to network security vulnerabilities.
Lead Responder 4 49, 51 Essential for maintaining knowledge and guiding outsourced teams or in-house response efforts.
Page 11
Legacy Components 3 12 Components in an industrial environment that may be outdated but are essential for operations.

Legacy Systems 4 23 Challenges posed by outdated systems in ICS including lack of logging and compatibility issues.
Lessons Learned 4 27 Documenting findings and best practices for internal use and to prevent reinfection
Lessons Learned Post-Incident Activity 4 22 Write up and analyze lessons learned, watch for reinfections
LiME 4 36, 37 Linux-based tool for memory acquisition supporting local or remote collection.
Limit remote connections 4 60 Restricting remote access to essential personnel and services only.
LLDP 2 74, 139 Layer 2 protocol that advertises device information
LLMNR 2 72 A protocol for resolving the name of a host within the same local network.
Load 2 48 Consumption of electrical power by end-users

Local acquisition 4 31 Faster and often easier method of obtaining system information on-site using preapproved tools.
Locard's Exchange Principle 4 20, 35 No interaction is without a trace, crucial in incident response.
Log file review 3 118 Critical for identifying potential security incidents through alerts and system events.
Log Storage Policy 2 36 Defines minimum durations for storing various types of security logs at different classified sites to aid in threat detection and response.
Logging 4 58 Recording system and network activities essential for incident analysis.

Logging Configuration 2 41 Ensuring logging is appropriately enabled on critical systems to capture relevant security events.
Logic Changes 3 113 Modifications in the system's logic to enhance operation or efficiency.
Logical elements 4 68 Key components in the analysis of ICS systems for identifying potential security issues.
Logistic Sophistication 4 13 Advanced planning and execution capabilities in cyber operations
Loop Feed 2 57 A design with two lines from the same substation providing redundant paths to customers.
LSASS (Local Security Authority Subsystem Service) 4 106 A process responsible for enforcing security policy on Microsoft systems.
Maintain safe and reliable operations 4 25 This includes ensuring operations continue safely and reliably in the face of incidents.
Maintenance and Vendor Links 4 79 Permanent or time bound VPNs and connections facilitate OEMs and Integrators' access for maintenance, potentially compromising security.
malfind 4 107, 108 The malfind command in Volatility helps identify injected DLLs and hidden malicious code
Malicious PDF objects 4 82 The technique of embedding JavaScript or other commands within PDFs to execute malicious code.
Malicious updates and patches 3 22 Refers to unauthorized or malicious software updates and patches that could compromise the network.
Malware Analysis 5 20, 26 A process analyzing malware in secure environments to understand threats without compromising network integrity.
Malware Artifacts 5 46 A list of malicious software characteristics used to create indicators of compromise.
Malware campaigns 4 88 Coordinated attempts to infect systems with malicious software.

Malware Internet checks 3 22 A methodology used by malware to confirm internet access, often by contacting known websites.
Malware Sample 2 5 61 An example of malware used by the Sofacy Group in cyber attacks.
Malware-enabled attacks 5 18 Targeted or accidental infections that degrade services or halt systems.
Malware-enabled espionage 5 18 Use of traditional IT malware for intellectual property theft or process data.
Managed Switch 4 55 Enables analysis of normal network traffic in an ICS environment.
Management's Role in Incident Response 3 102 Management decides on engaging in Incident Response based on operational needs and analysis.
Manual code reversing 5 27, 29, 42 The process of analyzing malware by manually examining and reversing its code.
Manual Code Reversing 5 28 Manual examination of code to decode, deconstruct, and analyze malware functions and capabilities.
Manual mode 4 72 Utility transferred operations to manual mode to restore power after a cyber-attack.
Manual Operation 4 9 Switching from automated to manual control of systems often as a contingency measure following a cyber-incident.
Manual Thresholding 3 33 Criteria set by users to flag anomalies after a certain count
Manufacturing Sector Attacks 2 82 Highlighting manufacturing as a major target for ransomware attacks in ICS environments.
Map for Business Processes 3 66 Approach for finding ICS security hotspots through the examination of business operations.
Map for Technology 3 66 Methodology for locating ICS security hotspots based on technological infrastructure.
Mariposa Botnet 4 45 An example of IT malware impacting an ICS environment
mDNS 2 71 Utilizes network broadcasting to resolve hostnames without a central server
Mean Time to Recovery (MTTR) 1 94 Reducing time to restore operations post-incident.
Mechanistic 1 67 Discussion on the specific relationships among elements in an incident, especially in relation to malicious domain connections.
Memory Acquisition 4 36 Memory acquisition is crucial for capturing digital evidence from system memory with minimal loss.
Memory Analysis 4 100 A method to retrieve and analyze volatile data from RAM revealing insights into recent system activities and potential malware.
Memory analysis 5 39 The process of studying the volatile data in a system's memory dump to identify malicious activity.
Memory Consumption 4 35 LiveCDs consume significant system memory, potentially impacting the analysis of valuable forensic evidence.
Memory Forensics 4 101, 102, 103 A process to analyze the memory of a computer after an incident to uncover evidence.
Memory-Only Malware 4 101 Malware that resides only in memory, making it volatile and difficult to detect traditionally.
MES 2 135 Tracks and documents the process from raw materials to finished goods.
Metadata 3 56 Data about data including timestamps and OS type.
Page 12
Metadata in YARA rules 5 56 Provides crucial information for analysts, such as MD5 hashes of malware.
Metasploit CIP Module Detection 3 34 A specific example of an indicator within a cybersecurity context
mGuard Firewall 2 138 A type of ICS firewall designed for deep packet inspection on ICS protocols with support for port mirroring.
mGuard firewall 2 75 A common industrial firewall used in manufacturing environments, notably in Europe.
MIB 2 74 Database for managing networked entities
MIMICS 5 16 A research project measuring ICS malware infections utilizing public data sources like VirusTotal.com.
Mirrored Port 3 61, 68 A network feature allowing traffic to be copied to another port for monitoring.
MITRE ATT&CK 1 55 A framework focused on identifying common Tactics and Techniques of adversaries.
MITRE ATT&CK for ICS 3 39 A framework outlining tactics, techniques, and procedures (TTPs) used by threat actors targeting industrial control systems.
MITRE ICS ATT&CK 3 38 A framework specifically for ICS tactics and techniques.
Modbus 1 35, 45 Communication protocol used for transmitting information over serial lines between electronic devices.
Modbus RTU 3 71 A serial communication protocol used for connecting industrial electronic devices.
Modbus TCP 2 27, 89, 139 A protocol often open on devices in an ICS environment, associated with port 502
Modbus TCP 1 49 A protocol used for communications over TCP/IP networks in ICS.
Modbus TCP Preprocessor 3 74 A Snort preprocessor that allows accurate analysis and signature generation for Modbus TCP traffic.

Modbus TCP unauthorized write 3 84 An example of a specific cyber threat that Snort can detect through byte-matching signatures.
ModbusTCP 2 100 A protocol for industrial applications, including control and automation systems
Modeling 3 30, 33, 37 Uses models, often mathematical or machine learning, to profile and identify anomalies.
Modeling Alerts 3 35 Alerts generated from modeling potential threat scenarios or behaviors in the environment.
Motivation and Compensation 4 58 Strategies to maintain high morale and properly reward incident response team members.
MS17-010 Shellcode Heap 3 36 Detection for exploitation attempt of the MS17-010 vulnerability in Microsoft Windows SMB service.
Multi-Factor Authentication 2 44 An enhanced security measure requiring two or more proofs of identity for access
Native Tools Integration 4 56 Demonstrates leveraging existing system tools for efficient scripting and automation in diverse Windows environments.

NBNS 2 70 Part of NetBIOS protocol aiding in address resolutions for Windows-based ICS environments.
Near miss event 4 70 A potentially significant issue that was narrowly avoided or went undetected.
NERC CIPv5 4 48 Mandatory incident reporting requirements for the Energy sector.
NetBIOS 2 69, 139 NetBIOS provides name resolution and session services for networked devices.
NetDecoder 3 71 A diagnostic and analysis tool for industrial networks that supports multiple ICS protocols.
Netflow Data 2 142 Provides detailed information about network traffic flow for analysis and incident response.
netscan 4 110 Finds local/remote IPs and the process that spawned the connection
netsh advfirewall firewall 2 27 Command to view Windows firewall configurations

Network access points 1 129 Identifying how corporate networks connect to ICS environments is crucial for securing them.
Network and Asset Map 2 137 The most critical map identifying network connections and asset locations.
Network Capture Points 4 58 Locations within the network where traffic is monitored and collected.
Network Changes 5 22 Modifying the network layout can affect system support and warranties

Network customization 2 132 Highlights the variance in networks, customization, and specifics in Industrial Control Systems.
Network diagrams 1 139 Visual representations of physical and logical connections within a network.
Network Flow 2 148 The path that network traffic takes through a network.
Network Forensics 4 16 Analysis of network activity and logs to identify unauthorized intrusions or activities.
Network Information 4 96 Reveals connections and interactions, important for detecting lateral movements.
Network infrastructure changes 3 111 Alterations to the networking components, layout, or protocols.
Network Interaction Artifacts 5 46 Indicators from malware's communication over the network.

Network Knowledge 2 18 Essential for defenders to detect anomalies and counteract adversaries effectively.
Network monitoring 5 13 Essential for identifying and responding to nonmalware threats against ICS environments.
Network observables 1 15 Key indicators in network traffic for threat detection
Network Security Monitoring (NSM) 2 120 Technique to identify unusual traffic patterns or command and control servers.
Network Security Monitoring (NSM) 4 41, 45 Continuous monitoring of a network for security threats and anomalies.
Network Security Monitoring (NSM) 3 5, 14, 54, 57, 65, 83 The collection, analysis, and escalation of indications and warnings to detect and respond to intrusions.
Network Segmentation 5 11 Dividing a network into multiple segments or subnets, each acting as a small network to enhance security and performance.

Network Segmentation 2 5 Dividing a network into smaller, manageable segments to improve security and performance.
Network Segmentation 3 5, 62, 63, 64 Dividing network into smaller parts to limit access and improve security.
Network structure 1 126 The design and organization of a network in an industrial setting.
Network Switch Connection 2 64 Best practice for capturing a comprehensive set of network traffic with Wireshark
Network Tap 1 49 A device that allows monitoring of network traffic.
Network Tap 4 54 A device that allows monitoring of network traffic integral to incident response activities.
Network Tap 3 60, 61 A hardware device that duplicates and captures network traffic.
Page 13
Network traffic analysis 1 13 The examination of network communication to identify suspicious activities or anomalies.
Network Traffic Analysis 3 92 Identification and analysis of network traffic to detect anomalies and malicious activities
Network Visibility 4 115 A crucial aspect in identifying and troubleshooting abnormal activities in an ICS environment.
Network-Based IOCs 1 29 Nonintrusive analysis of network traffic that identifies potential threats without impacting system performance.
NetworkMiner 3 101 Quickly parse packet captures to detect OS types, session data, export files, and determine hostnames.
Never vulnerabilities 1 96 Vulnerabilities that are not a concern for operations and engineering staff in reducing risk.
Next vulnerabilities 1 96 Concerns for the next maintenance cycle, not immediate threats.
NIST SP 800-61rev2 4 21 Guide for computer security incident handling.
Non-networked Equipment 2 25 Devices not connected to the network but crucial for understanding the overall cyber risk.
Non-Proliferation of Nuclear Weapons (NPT) 1 9 A treaty aimed at preventing the spread of nuclear weapons and technology.
North/South Traffic 3 67 Analysis of data crossing boundaries such as in and out of the L3 Firewall

Now vulnerabilities 1 96 Vulnerabilities that pose real risk and are likely to be exploited in ICS environments.
NSM 4 91 Network Security Monitoring, a crucial approach for visibility in an ICS environment.
NSM (Network Security Monitoring) 5 19 A practice aimed at monitoring and analyzing network traffic for security threats.
NSM (Network Security Monitoring) 4 43, 44 A method to detect malicious activity through network analysis.
NSM (Network Security Monitoring) 3 58, 89 A strategy for increasing visibility and response to threats in ICS environments.
NSM personnel 4 89 Network Security Monitoring personnel responsible for maintaining the security of computer networks.
NSM Process 3 55 Active defense through network security monitoring.
NSM Role in Incident Declaration 3 102 NSM personnel play a crucial role in informing management about incidents but do not declare them.
Number of Connections 3 88 The total count of individual network connections made over a period.
Obtain Protected Files 4 39 Accessing encrypted or otherwise secured files during an investigation.
OEM architectures 2 132 Describes how original equipment manufacturer architectures often stay similar across different product lines.
OEM connections 3 112 Connections from Original Equipment Manufacturers into ICS networks for monitoring and optimization.
Offense 1 18 Actions such as hack-backs are generally discouraged and can be illegal, except for state-sanctioned operations.
OIDs 2 74 Used for asset identification in SNMP queries
OLE Zero-Day Exploit 3 49 An exploit leveraging Object Linking and Embedding to target Windows systems
On Guerrilla Warfare 1 21 Mao Zedong's book discussing the concept of active defense in the context of guerrilla warfare, translated into cybersecurity practices.
OPC 2 107, 115, 117 A protocol leveraged by Havex to identify ICS environments.
OPC Classic 2 93 A universal translator for data exchange between systems from different vendors in ICS environments.
OPC Communications 3 24 Description of leveraging OPC for mapping infrastructure in ICS environments.
OPC Data Capture 3 72 A method to intercept and examine OPC communications for integrity checks.
OPC Enumeration 3 25 Enumerating OPC (OLE for Process Control) tags, important in ICS environments for control and monitoring.
OPC Protocol 2 114 An industrial automation industry standard allowing interoperability between different devices and systems.
OPC protocol 2 116 Acts as a translation layer in heterogeneous ICS environments.
OPC Scans 2 120 Havex's unusual method of scanning, signifying suspicious activity.
OPC server 4 73 Utilized by adversaries to enumerate the environment for targeting information.
Open Source Intelligence (OSINT) 1 120 Gathering data from publicly available sources to gather information about ICS environments.
Operational Technology (OT) 3 104 Technologies that monitor and control industrial equipment, processes, and events.
Operational Threat Intelligence 1 56, 60 Used by those in operational roles for developing security strategies and relationships
Order of Volatility 4 30, 34 A guideline for collection of digital evidence prioritizing data types by their tendency to change or disappear.
OSINT 1 136 Open Source Intelligence, key for both novice and funded adversaries in gathering information for attacks.
OSIsoft Pi Historian 2 136 An ICS data management system that helps in troubleshooting, optimizing production, and billing processes.
OT specific visibility, detection, and response 4 70 Essential approaches for identifying and addressing attacks in Operational Technology environments.
OT systems 2 135 Critical operational technology systems that impact manufacturing processes.
Outage Management 2 58, 59 Processes for restoring service after power system outages.
Outsourced Incident Response 4 49 Benefits include access to experienced personnel and fresh perspectives on investigations.
Overflow Tank 2 11 Used to safely store surplus chemicals which exceed the capacity of primary containers.
Packet Analysis 3 99 Examining network packets for detection and troubleshooting.
Packet Capture Analysis 3 101 The methodology involving the analysis of captured network data to identify suspicious activities and potential threats.

Partnership Announcements 1 125 Exposing trust partners that can be exploited to pivot into networks, emails, supply chain, etc.
Passive Defense 2 120 Strategies including whitelists and traffic regulation to block known attack vectors.
Passive Defense 1 17, 19 Automated security measures such as firewalls, intrusion prevention systems (IPS), and antivirus software.

Page 14
Passive Network Scanning 2 148 A technique that monitors and analyzes network traffic without injecting any new traffic.
Passive Safety System 2 32 A safety mechanism designed to operate without any human or electronic intervention, often through mechanical failure at a set point.
Passive Safety Systems 2 30 Designed to operate without electronic feedback, often ensuring a fail-safe response.
Passive Scanning 2 21, 142 A less-intrusive method of collecting network data, preferable over active scanning.
Password Reuse Management 1 132 Strategies to prevent the use of identical passwords across multiple accounts and services.
Patches 3 111 Applying updates to software or firmware to improve security or functionality.
Patching 3 62 The process of updating software to address security vulnerabilities.
Payload Security’s Hybrid-Analysis 5 38 A paid service providing sandbox analysis for malware
PCAP Analysis 3 26 Analyze packet captures to identify abnormal protocol usage or cyber threats.
PDF file structure 4 82 A description of the components that make up a PDF document including header, objects, cross-reference table, and trailer.
PDFiD 4 84 A tool for scanning PDFs for potentially malicious content created by Didier Stevens.
PEBKAC (Problem Exists Between Keyboard And Chair) 1 115 A humorous term signaling that a problem is user-related, not technical.
Peer-to-Peer Updates 1 12 A method used by Stuxnet for spreading by manipulating flow data between Programmable Logic Controllers.
PEiD 5 32, 33 Identifies compilers and packers used on a file
Perform timely analysis 4 25 Incident response personnel must identify the threat scope and type swiftly to manage the situation effectively.
PEstudio 5 32 Identifies file functionality and potential malice via PE analysis
Phasor Data Concentrators 2 59 A device or system that collects and stores synchrophasor data from multiple sources.

Phishing 1 122 Contact information from PR documents can be used to create customized phishing campaigns.
Phishing 3 50 A technique used for acquiring sensitive information via deceptive communications.
Phishing 4 81, 86 A method of tricking individuals into revealing sensitive information or installing malware via deceptive emails.
Phishing email 4 90 A fraudulent email designed to deceive recipients into revealing sensitive information.
Phishing Emails 2 109 Emails with malicious files targeting systems to deliver malware.
Phishing emails 1 63, 129 Used by Covellite for initial intrusion focusing on engineering personnel.
Phishing emails 4 78 A common method attackers use to gain initial access to systems.
Phishing Emails 4 80 A method of delivering malicious payloads or droppers via email.
Physical and Logical Separation 3 64 Strategies used to isolate network resources physically and logically to enhance security.
Physical and network prints 3 118 Important for understanding the physical and network layout of ICS facilities.
Physical Breach Documentation 4 34 Take photos of system, its setup, and visible screen contents
Physical Damage 3 11 The ultimate impact of cyber attacks on industrial systems leading to material destruction
Physical Destruction 3 9 Indicates the ultimate impact of certain cyber attacks on physical systems within an ICS environment.
Physical destruction of control systems 3 8 A significant impact of cyber attacks on industrial environments resulting in tangible, physical damage.
Physical Element Troubleshooting 3 115 Start troubleshooting by examining the physical device or component that is malfunctioning.
Physical elements 4 68 A starting point for examining system health and anomalies in ICS environments.
Physical Error Elimination 3 116 Identifying and ruling out physical errors or faulty connections.
Physical Inspection 2 23, 25 Time-consuming asset identification method, difficult in large environments.
Physical Memory (RAM) 4 100 Memory that is volatile and holds data like encryption keys and malware temporarily during operations.
Physical or Logical Changes 5 21 Adjustments to the network or physical setups to mislead or neutralize threats, including honeypots or password changes.
Physical vs Virtual Memory 4 100 Differentiation between the actual RAM (Physical) and the portion of disk space used as RAM (Virtual).
Physics View 2 126 Understanding the physical processes within an industrial system.
PID and PPID 4 105, 106 Key identifiers for process analysis to track execution paths.
Piping and Instrumentation Diagram (P&ID) 2 12 A diagram illustrating the interconnection of process equipment and instrumentation used to control the process.
Pivoting 3 11, 106 The technique of using one compromised network segment to attack another segment
Planning and Direction 1 44 The phase of intelligence where requirements are defined and a plan is aligned with them.
Playbooks 2 40 Creating step-by-step guides for quick investigation in response to detections.
PLC 2 134 Programmable Logic Controllers are a type of industrial digital computer.

PLC 1 35 Programmable Logic Controller: A digital computer used for automation of industrial processes.
PLC 3 76 Programmable Logic Controller, critical in industrial control systems and subject to security monitoring through IDS rules.
PLC Configuration Change 3 32 Modifications to a programmable logic controller's operational mode or logic.

PLC Data and Memory Types 4 69 Concise overview of the different types of data and memory in Programmable Logic Controllers
PLCs 4 62 Programmable Logic Controllers that automate specific processes, machines, or production lines.
Plugins 4 102 Extensions that enhance the functionality of the Volatility Framework for diverse memory analysis tasks.
PoCs (Points of Contact) 4 48 Establishing contacts for incident response coordination.
Policy violations 3 97 Violations that can be resolved without IR, often mistaken for serious threats.
Port Numbers 2 90 Utilized in identifying ICS protocols and establishing baselines for normal usage.

Page 15
Portable Executable (PE) File Format 5 31 Provides information on data, compilation time, and functions related/imported to the system.
Post-Investigation Action 3 29 Actions taken after investigating the threat to mitigate risks in ICS environments
Potential ICS network layouts 1 125 Information on layouts can help adversaries understand the structure of industrial control systems.
Power Generation 2 48 Creation of electrical energy for distribution

Power restoration 4 72 The process of restoring electrical power after an outage, particularly following a cyber incident.

PowerShell Empire 3 34 A tool not native to Windows systems used for malicious purposes, an indicator of compromise
PR Documents 1 122 PR documents can contain sensitive information useful for attackers, such as new projects and contact info.
Practical Model for Threat Hunting 3 18 A model recommended for structuring threat hunting, emphasizing a repeatable approach.
Pre-position software 4 33 Software/application positioning in advance for operational readiness and security in ICS environments.
Predictive 1 67 An approach to forecasting future cybersecurity threats with caution against basing metrics on such predictions.
Preparation 4 22, 26 Prepare the environment, team, tools, and the purpose
Preparation Ahead of Time 4 23 The importance of proactive measures and preparation in ICS incident response.
Preparation Phase 4 58 The initial stage of incident response focusing on readiness and planning.
Pressure and Temperature Monitoring 2 13 The failure to properly monitor pressure and temperature leading to an inability to foresee the disaster.
Prevention Atrophy 2 84 A lack of maintenance or uneven application of preventive controls leading to security vulnerabilities.
Prevention Bias 1 48 The inclination within cybersecurity, particularly in ICS environments, to focus more on preventing intrusions rather than detecting and responding to them.
Primary Control Center (PCC) and Backup Control Center (BCC) 2 133 Description of key infrastructure components in an electric grid control center.
Print Spooler Exploit 1 12 A specific vulnerability utilized by Stuxnet to spread through network share movements.
Printer share scanning and spreading 1 25 Technique used by malware to spread across networked printers
Private rules 5 48 In YARA, rules that do not trigger alerts but can be used as conditions for other rules.
Privileged Users 1 114 Monitor and understand the landscape of network administrators to detect malicious actors.
Proactive Defense 3 54 NSM allows for the identification and mitigation of threats before attackers accomplish their goals.
Process Hazard Analysis 5 9 A thorough review to identify potential risks in an industrial process
Process performance optimization changes 3 111 Adjustments made to improve the efficiency or effectiveness of operational processes.
Process Safety Management 2 8 A system to prevent the release of hazardous chemicals.
Process software 1 126 The software utilized for controlling processes in an industrial environment.
Procurement Language 3 59 Critical for managing risk through specifications in equipment procurement processes
Production Network Safety 5 20 Ensure all malware neutralization attempts are verified and authorized before implementation in live environments.
Profibus 2 128 A standard for fieldbus communication in automation technology.
Profinet 2 71, 128 Example of a protocol that can store asset information utilizing DNS
PROFINET 2 96 Utilizes Ethernet technology for communication in industrial settings, not dependent on TCP/IP for data transmission.
Profinet-RTM 2 67 An example of a specific protocol used in ICS environment communication
Profinet-RTM device 2 65 Identifying communications between network devices for operational visibility
Project Files Security 4 116 Identifying and securing project files and engineering documents is essential to protect against intellectual property theft and cyber attacks in ICS settings.
Project/Logic Files 4 118 Project files less likely to contain malware but prone to manipulative alterations.
Proprietary Protocols 4 117 Protocols specific to vendor equipment making forensic analysis challenging.
Protective Relays 2 54 Devices that respond to system conditions to protect electrical equipment.

Protocol abnormalities 3 100 Identifying non-standard behaviors or manipulations in ICS protocols to detect potential threats.
Protocol Analysis 2 101 Mechanism used to determine issues in ICS by analyzing communication protocols.
Protocol Dissection 2 43 Analyzing network protocol interactions to identify security issues.
Protocol Hierarchy 2 88 A feature in Wireshark to identify and apply filters to ICS protocols.
Protocol Identification 2 90 The process of determining the protocol by industry, system type, and port numbers to understand what is "normal" for that ICS.
Protocol Payloads 2 87 Identify payloads within protocols like DNP3 and Modbus TCP to map ICS communications.
Protocol Usage 3 88 Identifying which communication protocols are used and how frequently.
pslist 4 105 Identifies running processes in memory for analysis.
pstree 4 110 Helps detect hidden processes by comparing processes observed in different locations
Psychology of Intelligence Analysis 1 65 A recommended book for developing intelligence analysis skills.
Public Reports 1 107 A general overview or threat collection for a varied audience, often less focused.
Publicly available exploits 1 139 Known vulnerabilities that have publicly accessible information or tools for exploitation.
Purdue Model 2 110, 131 A structured framework for organizing network layers in ICS environments
Purdue Model 1 84 An architectural framework for industrial control systems emphasizing the separation of IT and OT networks.
qemu-img 4 99 A tool to convert VMDK files to raw disk images for analysis.
Quick analysis to scope incident 1 26 Rapid assessment to understand the extent of a cybersecurity incident and plan response.

Page 16
QuickDraw Rules 3 77 A project for creating Snort signatures targeting ICS vulnerabilities.
Radio frequency manipulation 5 13 A method to impact control systems without malware by altering radio frequencies.
Ransom 4 62 A demand for payment in exchange for releasing control of a system or data.
Ransomware 4 90 Malware that encrypts files or systems demanding a ransom for decryption.

Ransomware Worms 2 82 Malicious software that can spread across networks autonomously, impacting ICS significantly.
rdp.log 3 93 Tracks Remote Desktop Protocol communications, important for auditing remote access.
Reconnaissance 4 11 The initial stage in identifying and analyzing potential targets in a cyber attack.
Reconnaissance 1 132 The process of collecting information about an opponent or target.
Reconnaissance 3 50 The act of gathering preliminary data or intelligence on targets.
Reconnaissance and Precursors 1 58 Initial stage involving gathering information before an attack.
Recovery 4 22 Restore backups, fresh install on systems
Red Teaming 1 98 Using offensive security tools to test systems against specific industry threats.
Redline 4 36 A Mandiant tool for collecting strings/data from memory, but not full disk images.

Reference Architecture 2 124 A standardized architecture serving as a blueprint for multiple implementations in an industry.

Reference other rules 5 55 Allows for tailored YARA rule creation based on rule families for precise malware identification.
Refining segregation 3 55 Enhancing network security by defining clear zones and enforcing policies.
Refrigeration System Failure 2 13 The failure of the refrigeration system contributing to the inability to control the reaction.
Refrigeration Units 2 9 Critical for maintaining safe temperatures in chemical processes.
Regedit 4 95 A native Windows command to open and view the Registry
Registry Hives 4 95 Groups of Registry keys and subkeys commonly used for system information and settings
Registry Key Modification 1 14 Changes made to the Windows Registry, often by malware, to alter system behavior.
Regripper 4 95 A tool capable of extracting and parsing information from the registry, recommended for use in ICS environments to avoid downloading tools to the target system.
Regulation and Compliance 4 23 Legal and regulatory factors influencing incident response in the ICS environment.

Regulatory Requirements 4 10 Mention of the lack of regulations or requirements for securing distribution sites in power grids.
REMnux 5 30 A Linux toolkit for reverse-engineering and analyzing malicious software.
Remote acquisition 4 31 Slower method requiring certain considerations, performed across LAN or WAN.
Remote Administration Tools 4 12 Software used for controlling systems remotely, leveraged by adversaries in attacks.
Remote Connections 1 114 Secure authentication and use of DMZs for remote ICS network access.
Remote Evidence Acquisition 4 32 Considerations before performing remote acquisition of evidence in ICS environments.
Remote Maintenance Support 2 52 Allows for off-site troubleshooting and support, potentially introducing security risks.
Remote system tools 4 33 Tools for remote system acquisition and analysis in low bandwidth or constrained ICS environments.

Removable media logs 1 25 Logs of removable media usage which can help identify malicious activities or policy violations
Requirements and Dependencies 4 48 Identifying operational requirements and dependencies is critical in ICS environments.
Research 1 81 The initial stage of gathering data about targets through open sources and testing.
Restoration Actions 3 116 Verify that changes leading to system impact are understood for analysis and restoration.

Reverse Engineering Malware (REM) 5 26 A core component of malware analysis focusing on understanding and manipulating malware.
Review process 3 109 Highlighting the necessity to thoroughly assess changes due to potential risks to industrial processes.
RFC 5424 3 73 Protocol standard defining Syslog.
Risk Assessment 4 32 Evaluating risks involved in remote evidence acquisition against the value of the evidence.
Risk assessment process 3 104 A foundational step in identifying and evaluating risks associated with ICS components and operations.
Risk management 3 112 Managing and controlling OEM connections rather than removing them to balance between cybersecurity and operational benefits.
Risk Management 2 38 The practice of identifying and mitigating risks.
Risk to Operations 2 29 Even purpose-built ICS tools for active scanning can cause outages or failures
Root Cause Analysis 2 14 A methodical approach for identifying the underlying causes of failures or incidents.
RT (Real Time) 2 96 PROFINET IO application protocol level with up to 1ms cycle times.
RTU Commands 2 101 Commands sent from the SCADA system to the RTUs without operator interaction.
RTUs 2 54, 55 Remote Terminal Units collect data and control remote equipment.
Rule Options/Content 3 80 Specifies what to look for in matched network traffic with Suricata rules
Rule Writing 3 79 Essential for creating detection patterns in Suricata to identify threats in network traffic.
Ryuk Ransomware 1 59 A specific family of malware known for rapid execution of attacks.
S7 over ISO-TSAP 2 139 A protocol used for communication between Siemens PLCs and HMIs.
S7COMM 2 95 Siemens proprietary protocol that leverages ISO-TSAP for communication with PLCs.
Safety briefing 3 118 A crucial step in preparing incident response teams for ICS environments.
Safety Engineering 3 10 A discipline focused on designing systems to remain safe under operation.
Safety engineering 2 8 The discipline of engineering focused on designing systems to be safe.
Safety Instrumented System (SIS) 2 30 Governed by ISA 84.01/IEC 61511 and functions as per IEC 61508 for reliable safety measures in control environments.
Safety instrumented systems 1 111 Systems designed to prevent hazardous conditions by taking corrective actions.

Safety Instrumented Systems 5 9 A system designed to protect human life in industrial environments
Safety Procedures 2 13 Description of lacking or inadequate safety measures that lead to disaster.
Sandbox errors 5 41 Errors or false positives in a sandbox environment affecting malware analysis.
Sandboxes 5 38 A specific type of virtualization for running and analyzing untrusted code safely
Sandboxing 5 35 A security mechanism for separating running programs to reduce system failures or software vulnerabilities.
SANDWORM 3 48, 50 A zero-day exploit associated with the BlackEnergy malware.
Sandworm Campaign 3 51 A coordinated campaign targeting critical infrastructure and military targets, mainly in Eastern Europe.
Satellite Jamming 1 109 A risky method that involves blocking satellite signals, violating international treaties.
SCADA 2 55 Supervisory Control and Data Acquisition systems manage large-scale processes.
SCADA (Supervisory Control and Data Acquisition) 2 52, 124 Critical for monitoring and controlling industrial processes.
SCADA control center 1 71, 73 A centralized system that monitors and controls industrial processes remotely
SCADA network 4 62 A network system used for controlling industrial processes remotely.
SCADA server 1 126 A server type used in managing Industrial Control Systems.
SCADA Server 2 58 Manages control commands and data collection for industrial processes.
SCADA Systems 2 57 A common system used in control and dispatch centers for monitoring and controlling distribution systems.
SCADA Systems 4 9 Short for Supervisory Control and Data Acquisition, a key component in controlling industrial environments and critical infrastructure.
SCADA/EMS 2 59 A high-level network term for critical utility management systems including state estimation, contingency analysis, and system simulation.
SCALANCE X 2 128 Industrial switches designed for network communication in industrial environments.
Scheduled downtime 4 28 Planned time period when a system is taken offline for maintenance or updates.
Scheduled maintenance outage 3 109 Time allocated for implementing changes without disrupting industrial operations.
Schematic View 2 126 A graphical representation of an industrial process layout.
Scripting and Automation 4 56 Automation increases efficiency and reduces human error in incident response within ICS environments.
Secure storage of files 2 26 Important for protecting sensitive configuration files and network information.
Security Onion 3 69 A monitoring tool for security operations that aggregates logs and network flow data

Security Operations Center (SOC) Model 4 50 Consider integrating into a SOC model for improved incident management.
Security Patching 3 110 Applying critical updates to protect against vulnerabilities
Sensitivity 1 76 A measure of how critical certain data is to the validity of a hypothesis in analysis.
Sensor Security 3 10 Importance of securing sensors feeding into safety systems to prevent manipulation.
Serial Protocols 3 71 A set of rules governing the exchange of data over serial lines in ICS environments.
Session Duration 3 88 The length of time a network session remains active.
Session/Flow Data 3 56 Represents how network traffic moves between devices.
Shamoon 5 17 A destructive malware targeted at Saudi Aramco, rendering 30k+ computers unusable
Shellcode 4 80 Code executed to gain control over a system via a command shell.

Shifts for Incident Response 4 50 Advised that 2 shifts are used to cover the required 12-20 hours a day for incident response.
Shodan 1 134 A search engine that allows users to find specific types of internet-connected devices.
SIEM 4 119 A tool for syncing process data for operations overview and incident response
SIEM 2 42, 44 Centralizing logs and alerts for improved incident response.
Siemens SIMATIC ET 200 2 128 Modular I/O system for multiple control applications.
Siemens SIMATIC PCS7 2 127 A Distributed Control System used for monitoring and controlling industrial processes.
Signal or Communications Path 3 115 Inspect the path along which commands and data are transmitted.
Signals Intelligence (SIGINT) 1 43 Intelligence gathering by interception of signals, whether communications between people or from electronic signals not directly used in communication.
Signature Detection 5 60 Identifying malware based on specific patterns or strings within its code
SiLK 3 87 A tool for network flow analysis
SIMATIC and Siemens WinCC 3 49 SCADA systems targeted by malware for espionage purposes

SIMATIC Server Polling and S7 Protocol 1 25 Communication patterns between servers and controllers, often in Industrial Control Systems
SIMATIC/CIMPLICITY/Advantech 3 48 Targeted ICS environments by versions of BlackEnergy2.
Single Radial Feed 2 57 A distribution system design where a substation feeds a customer directly.
Sinkholing 5 23 Redirecting malicious traffic to a controlled location for analysis and neutralization.
SIPROTECT vulnerability 4 75 A non-critical vulnerability that could impact digital relay functionality.
SIS (Safety Instrumented System) 5 11 A system designed to monitor and control industrial processes for safety.

Site Acceptance Test (SAT) 3 59 Validates installation and integrated functions at the site post-FAT and just before commissioning
Site Classification 2 36 Describes a system to prioritize industrial sites (A, B, C class) based on criticality for security logging and incident response.
Situational Awareness 3 21 Awareness of the environment and organization to generate security hypotheses.
Slammer worm 5 14 Malware that impacted the Davis-Besse Nuclear Power Station HMI and SCADA network.
Sliding Scale of Cyber Security 1 17, 19 A framework categorizing Cyber Security measures into offense, intelligence, active defense, passive defense, and architecture.
Sliding Scale of Cyber Security 3 70 A framework illustrating the progression from basic cyber hygiene to advanced defensive tactics in cybersecurity.
Smart Meters 2 56 Meters that provide real-time electricity usage data to both utilities and consumers.
Smart Wireless Gateways 2 131 Devices that connect wireless sensors and controllers to the network.
SMB 2 69 A protocol for network file sharing that enables users to access files, printers, and other shared resources.
smb_files.log 3 93 Monitors files transferred via SMB protocol, crucial for spotting potentially malicious activity.
SNMP 2 63, 74 A protocol used for managing and monitoring network devices
Snort 3 74, 84 Open-source, free, and widely understood Network Intrusion Detection System (NIDS) that is easily customizable.
Snort Rule 3 76 An example of a specific rule used to detect unauthorized write requests using DNP3 protocol in an IDS.
Snort Rule Format 3 74, 75 Describes the structure of Snort rules, allowing for the creation and customization of detection patterns based on network traffic characteristics.
Snort Rule Options 3 75 Details the specifics of what to look for in packets and the actions to take upon detection.

Snort Signatures 3 77 Custom signatures for detecting specific network traffic patterns indicative of security events.
Sock puppets 1 138 Fake accounts used to ask sensitive questions in forums.
Sofacy 5 58 A cyber espionage group known for targeting various organizations globally.
Sofacy Group 5 61 A group associated with cyber espionage and APT attacks.
Sofacy Malware 5 60 Mention of malware targeting the German Government in a campaign
SolarWinds Incident 4 79 An example of how maintenance links can be compromised, leading to unauthorized access without asset owners' knowledge.
SolarWinds Status Query 3 81 Content match string used in Suricata rule to detect specific network traffic.
SPAN/Mirror Port 3 60 Enables passive network data capture from a network switch.
Spear-phishing 3 8 A cyber attack technique used to gain unauthorized access by targeting specific individuals or organizations.
Spear-Phishing Email 3 11 A targeted email attack aiming to gain unauthorized access to sensitive information
Spearphishing 2 121 A technique involving sending malicious emails to target specific individuals or organizations.
Spearphishing 1 132 A targeted email attack strategy to gather information or access.
SQL Queries 4 119 Method to retrieve process data from databases for analysis
Static analysis 4 109 The process of analyzing malware without executing it, often used with .dmp files for identifying malware characteristics.
Static file analysis 3 118 Essential for analyzing firewall rules, network configurations, and communication protocols.
Static properties analysis 5 27, 42 Examination of malware without executing the code.
Static Properties Analysis 5 31 Examination of malware attributes without executing the malware.
Step Down Transformer 2 48 Reduces voltage for local distribution
Strategic Threat Intelligence 1 56 Description for executives and decision makers for high-level organizational decisions
String Grouping in YARA rules 5 56 Enhances rule flexibility and precision by categorizing related strings.
Strings 5 32 Extracts ASCII and HEX strings from files
Structured Analytical Techniques 1 53 Methods such as the kill chain or diamond model used to structure analysis.
Stuxnet 5 17, 28 Tailored malware causing physical damage to specific ICS networks
Stuxnet 1 7, 9, 10, 11, 13, 15, 85, 86 A detailed case study on a sophisticated cyber attack targeting Industrial Control Systems.
Stuxnet 4 94, 118 Example of malware that exploited VPNs for spreading across ICS environments
Stuxnet Memory Analysis 4 103 An advanced piece of malware that is a key study in memory forensics within ICS security.
Substation Facility 2 53 A critical component of the power system where voltage levels are adjusted and electrical pathways converge, containing various essential equipment.
Substation gateway device 2 100 A device for collecting various types of data in a substation environment
Supply Chain Backdoors 1 82 A method by which adversaries compromise a component in the supply chain to gain access to the target system.
Supply Chain Challenges in Patch Notification 1 95 Addressing the difficulty in tracking and notifying of vulnerabilities due to shared software components among ICS vendors.
Supply Chain Compromise 2 108 A method by which adversaries target less-secure elements in the supply network to breach target systems or networks.
Supply Chain Compromise 1 115 An attack that targets an organization by infiltrating its supply chain.

Supply chain cyber security requirements 2 60 Specific actions countries adopt to secure the supply chain of high consequence facilities.
Supply Chain Standards 3 110 Requirements for vendor interactions and patch validation
Suricata 3 79 An open-source network traffic threat detection engine supporting IDS/IPS/NSM and pcap processing.
Suricata detection 3 32 A rule-based network threat detection engine.
Suricata Rule Structure 3 81 A guideline on how to structure Suricata IDS rules for packet analysis.

Suricata Rules 3 80 A structured format for creating detection rules in Suricata including action and protocol details
Suricata Simple IOC Check 3 82 Suricata rules enable the detection of Indicators of Compromise (IOC) in network traffic.
Synchronous Interconnections 2 46 A description of the major interconnected power system layouts in North America.
Syslog 4 114 A standard for message logging, should be enabled and collected alongside Windows Events for comprehensive oversight.
Syslog 2 39 A standard for message logging, often used for system management and security auditing
Syslog 3 73 Logging protocol that gathers events and alerts from systems for analysis.
Syslog Integration 3 75 The process of converting Snort alerts to be compatible with centralized syslog servers for analysis.
Syslog Message Format 3 73 Structure for syslog messages including severity, timestamp, and event details.

System Errors 2 14 Mistakes or faults in the design, operation, or management of technical systems.
System Frequency 2 47 The importance of maintaining specific frequency (50Hz or 60Hz) in the electric system to avoid catastrophic outcomes.
System Interaction Artifacts 5 46 Observables generated by malware interacting with the host system.
System Memory 4 96 High value and volatile, stores malware, executables, cryptography keys.
System overview 3 118 Essential for understanding normal operations and identifying anomalies.
System Processes 4 96 Shows active processes and their resources, crucial for identifying malicious activity.
Table-Top Exercise 3 17 A discussion-based session where team members meet to discuss their roles during a potential incident and identify gaps in the response plan.
Tactical Threat Intelligence 1 56 Aimed at day-to-day security personnel identifying adversaries' TTPs and IOCs
Tactics, Techniques, and Procedures (TTPs) 1 28, 54, 55 The behavior of attackers, crucial for understanding and defending against attacks.
Tactics, Techniques, and Procedures (TTPs) 2 40 Developing advanced network and SIEM detections for continuous monitoring.
Tag to Point List Translation 3 115 Check the conversion processes between tag lists and point lists for accuracy.
Tailored Capability 1 83 A specialized attack designed to have a specific impact on targeted ICS environments, making it harder to detect and respond to.
Targeted Malware 5 17 A software specifically designed to attack Industrial Control Systems (ICS)
TCP Port 135 2 93 Sometimes configured for OPC communications but not always indicative of OPC usage.
TCP port 20000 2 91 Often associated with the DNP3 protocol.
TCP port 2404 2 92 Default TCP port for IEC 60870-5-104 communication.
TCP port 44818 2 98 For EtherNet/IP explicit messaging and configuration changes
TCPdump 4 37 A powerful command-line packet analyzer for network monitoring and data acquisition.
TCPdump 3 60 A command-line tool for capturing and analyzing network traffic.
Team Structures and Positions 1 131 Identifies key personnel and access levels within ICS environments.
Technical Exploit 1 109 Utilization of vulnerabilities in the software of camera systems to gain unauthorized access.
Telnet 2 76 A network protocol used for accessing remote devices.
Temporal Nature of Indicators 1 106 Importance of timing information in cyber indicators for enhanced situational awareness.
Test 2 37 Verifying the accuracy of the collection and functionality of processes/procedures.
Testing Scripts 4 56 Highlighting the importance of validating scripts in a controlled environment to ensure reliability and avoid impacts on ICS operations.
Threat and Environment Manipulation 5 23 Preparing for both physical and logical environment changes to improve security posture.
Threat Behavior Analytic 3 31 A method focusing on patterns of malicious activity rather than specific indicators.
Threat behavior analytics 3 37 Best way to achieve scalable detection of threats with the context

Threat Behaviors 3 30, 35, 38 Analysis focusing on adversary TTPs, offering context and insight into the nature of the threat.
Threat Coverage 3 43 Understanding your ability to detect adversary actions in an ICS environment
Threat Detection 2 22 The practice of monitoring and analyzing the security of an environment to identify any potential threats.
Threat Detection 3 29 The process of identifying suspicious activities within an ICS environment

Threat Hunt 3 26 Perform systematic searches to detect threats within an Industrial Control System environment.
Threat Hunt 2 41 A proactive search through networks to detect and isolate advanced threats that evade existing security solutions.
Threat Hunting 3 16, 17, 19 A human-driven process of proactively searching for threats in an organization.
Threat Identification 2 119 Importance of identifying malware campaigns and understanding attacker motives without focusing on specific attribution.
Threat Intelligence 5 19, 78 Information that is collected, processed, and analyzed to understand a threat actor's motives, targets, and attack behaviors.
Threat Intelligence 1 51, 94, 103 A method to prioritize security issues by assessing known threats and their capabilities.
Threat intelligence 1 93 Information collected, processed, and analyzed to understand a threat actor's motives, targets, and attack behaviors.
Threat Intelligence Consumption 4 14 The process of analyzing and using threat data to enhance security posture

Threat Intelligence Reports 1 54 Compiled information that is analyzed and refined to provide context on potential cyber threats.
Threat Manipulation 5 6 Altering threat behavior or environment to neutralize or analyze threats without direct confrontation.
Threat Mitigation Recommendations 1 24 Suggestions for improving defenses against identified threats.

Threat Modeling 2 38 The process of evaluating what adversaries are doing that is relevant and could pose a threat.
Threat Proliferation 1 64 The growing realization of ICS threats expanding to other industries.
Threat Sharing 3 14 Sharing information about threats enhances overall defense against cyber attacks.
Threat Triage 3 101 Process for analyzing suspicious files to determine if they pose a threat.
Threat-centric Approach 3 54 Focuses on detecting and responding to threats rather than just patching vulnerabilities.
Three guiding principles of active defense 1 22 Outlines the foundational rules for active defense according to Mao: no provocation, no foreign bases, no land seizure.

Tier 2 ICS specific function 3 91 A dedicated team with ICS expertise responsible for advanced threat analysis and escalation.
Time Critical Analysis 4 26 Quick methods to assess the overall impact and determine the nature of the threat for immediate action.
Time-Critical Analysis 4 41 A process aimed at quick understanding of an incident's scope and gathering forensic data.

Timeline analysis 4 90 A method of investigating security incidents by organizing and examining activity chronologically.

Timeline Analysis 3 99 Reconstructing events to understand the sequence and timing of actions within a cyber incident.
Timeline of Activities 4 43 Developing a chronological sequence of actions to trace the origin and impact of a security incident.
TLP Amber 1 91 Information that should be shared on a need-to-know basis within specific teams or organizations.
TLP Green 1 91 Information that can be shared within the community but not publicly online.
TLP Red 1 91 Information that should be shared with specific personnel only.
TLP White 1 91 Information that can be freely shared with no restrictions.
TLS encryption 2 75 Encryption that secures HTTPS sessions, can reveal metadata through headers and key associations.
Topology 2 129 The arrangement of a network, including devices and connections, crucial for understanding and validating network activity against operational expectations.
Topology Maps 2 137 Create network drawings to visualize and understand network architecture and data flows.
Total Generation Load 1 36 A measurement of the energy output required to support industrial and residential demands.
TPKT 2 94 A protocol that encapsulates COTP to enable it over TCP networks.
Tradecraft in cyber attacks 1 101 The techniques and practices used by attackers, focusing beyond just technical indicators.

Traditional Ransomware 2 81 A nuisance for decades involving phishing emails leading to encrypted files and small ransoms
Traffic Analysis 2 23, 64 Safest and least time-consuming method for asset identification in ICS environments.
Traffic analysis 2 28 Passive analysis of network traffic for inventory, topology, and threat detection.
Traffic Analysis 3 99 Monitoring network traffic to identify suspicious activities or anomalies.
Traffic Light Protocol 1 91 A standard for categorizing sensitive information based on its level of sensitivity and distribution restrictions.
Training Over Tools 4 54 Emphasizes the importance of skilled analysts over merely having the right tools in incident response.

Transmission Relay 1 36 A protective device that acts to control or alert to irregularities in power transmission systems.
Transmission System 2 48 Long distance electrical energy transport
Triconex logic changes 3 36 An alert for changes in Triconex safety system logic without updating the version, potentially indicating malicious activity.
TRISIS 5 10, 17, 78 A malware targeting Safety Instrumented Systems (SIS) in the petrochemical industry.
TRISIS/TRITON 5 8 The fifth family of ICS-tailored malware, targeting a safety instrumented system (SIS) for human harm.
Trojanized Applications 3 24, 25 Malicious applications installed to gain unauthorized access to systems.
Trojanized ICS software 2 121 Providing modified ICS software installers that contain malware.
True Attribution 2 119 Understanding threat actors' TTPs, motives, and targets improves security practices
Trusted communication flows 3 118 Identifying established system-to-system communication is key for securing ICS.
Trusted Zones 3 12 Network segments considered secure within an organization's network architecture.
Tshark 2 140 Command line version of Wireshark used for capturing and analyzing network packets.
TTPs (Tactics, Techniques, and Procedures) 2 119 Identifying and understanding adversaries' TTPs is crucial for effective defense.
TTPs (Tactics, Techniques, and Procedures) 4 44 Describes how adversaries conduct their operations.
Two-form authentication 4 14 A security measure requiring two different forms of identification to access systems
UDP port 2222 2 98 For EtherNet/IP implicit messaging, commonly transferring I/O data
UDP port 47808 2 97 The default network port for BACnet communications.
Unauthenticated connections 1 111 Network connections that do not require authentication, posing a security risk.
Undocumented Backdoors 3 90 Hidden access methods within software that bypass normal authentication.
Unit Identifier 2 89 Identifies whether serial devices are connected to an IP-connected device in Modbus TCP.
Unpatched version 1 133 Refers to software that hasn't received necessary updates to mitigate known vulnerabilities
Untrained IT Security Teams 5 15 Highlighting the risks associated with improper handling of sensitive ICS files by IT staff.
Update Collection Plan 2 37, 42 Adjusting the CMF based on test outcomes or new requirements.
USB as infection vector 4 45 Initial infection route for malware into an ICS environment
USB Jumping 1 14 Technique used by malware like Stuxnet for spreading through USB devices.
USB method 1 86 A common delivery mechanism for malware in ICS environments.
USB Security 4 116 Monitoring USB usage is vital to prevent unauthorized data transfer and potential infections in ICS environments.
USBs and LiveCDs 4 35 Clean, approved, and tested USBs or LiveCDs are advisable for running digital imaging software without installing it on the victim machine.
User access changes 3 111 Changes to user account access rights or permissions.
Validate Known Information 2 20 Always verify the accuracy and existence of assets listed in documentation or maps
Validation 5 50 The process of ensuring that IOCs are accurately identifying real threats, reducing false positives.
Validation of Information 2 21 A critical process of assessing the detail, update frequency, and credibility of data received.
Vault Known Good 4 117 Store project files and logic information securely off-network for comparison against potential alterations.
Vendor Choices and Interdependencies 1 131 Highlights reliance on specific vendors/products and its impact on system security.
Vendor Connections 1 114 Secure and validate vendor remote connections through DMZs or chokepoints.
Vent Gas Scrubber 2 11 A safety device used to remove or neutralize hazardous compounds from waste gases.

Verify digital hashes 1 26 Ensuring the integrity of software and files by comparing to known good hashes.
Vibration Monitoring 2 51 Technique to detect equipment anomalies through vibration analysis.
Virtual Machines 4 55, 97 Cost-effective method to replicate expensive or difficult-to-implement ICS systems in a lab setting.
Virtual Memory 4 100 Space on physical storage acting as extra RAM that is managed by the operating system to expand available memory resources.
VirusTotal 5 40 Online service to analyze suspicious files and URLs.
VirusTotal Intelligence 5 51 A service for advanced searches and creating YARA signatures against malware samples
Visibility Asset Inventory and Topologies 2 85 A method to ensure accurate architecture and connections within an ICS environment.
VLANs 3 70 A method for dividing a network into smaller, logical segments for better management and security.
VM defeating malware 5 41 Malware that detects it's running in a VM to avoid analysis.
vmss2core 4 99 A utility in VMware for creating a single memory dump file from .vmem and .vmss files for analysis.
Volatility 4 99 A memory forensic tool used to analyze memory dumps.
Volatility Framework 4 101, 102 A comprehensive tool that assists in the analysis of volatile memory data.
VPN Access 3 25 Utilizing a Virtual Private Network to gain access or move laterally within a target network
VPN logs 2 113 Logs of VPN sessions that can reveal malicious communications.
VPN logs 4 94 Indicators for monitoring unauthorized access or malware transfers
VPN Pivoting 4 12 Technique used to tunnel through a network to gain deeper access.
VPNs 4 94 Virtual private networks critical for secure ICS remote access

VSAT 2 138 Satellite communication system used for remote access to the offshore oil rig's control systems.
VSAT frequency bands 1 125 Specific frequencies used for very-small-aperture terminal connections can indicate communication methods for remote facilities.
Vulnerability Management 2 22 The process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems.

War Dialing 1 50 The process of calling numbers in a target area to find modems connected to computer systems.
War Room 4 57 A central operations center for coordinating incident response activities.

Waterhole Attack 2 109 Attack involving compromised websites to redirect victims and infect machines with malware.
Watering hole technique 2 121 Infecting websites frequented by the target audience to distribute malware.
Weaponization 1 58 Preparation of a deliverable payload that exploits a vulnerability.
Weaponization and/or Targeting 4 11 The process of creating and directing cyber weapons or malware towards specific targets.

Whitelists 4 42 Lists of approved processes, files, and applications, essential for security in ICS environments.
WinCC SCADA system 1 25 Supervisory Control And Data Acquisition system used for controlling industrial processes.
Windows Event Logs 3 62 Logs generated by Windows systems detailing various system events including security incidents.
Windows Events 4 114 Critical for collecting system and application logs for monitoring and forensics in Windows-based HMI systems.
Windows HMI 2 35 A human-machine interface running on Windows, used in control centers to manage industrial processes.
Windows Logs 3 69 System logs generated by the Windows operating system that track events.
Windows Sysinternals 5 30 A suite of tools for system analysis during interactive behavior analysis.
windows.info command 4 104 A command in Volatility for retrieving system information from a memory dump.
Winexe 5 61 A command-line utility used for executing commands on remote Windows systems.
Wireshark 1 13 A tool used for network protocol analysis.
Wireshark 5 30, 79 A tool to monitor network communication during malware analysis.
Wireshark 4 37, 88 A network protocol analyzer for capturing and interpreting network traffic.
Wireshark 3 71 A network protocol analyzer that can capture and display the data traveling back and forth on a network.
Wireshark 2 88, 140 A tool for network protocol analysis, identifying and filtering specific ICS protocols.
Wireshark Conversations 2 65, 67 Quickly view connections taking place on the network (OSI 2-7).
Wireshark Dissector for BACnet 2 97 A tool for analyzing BACnet traffic and extracting detailed information.
Wireshark Dissectors 2 87 Tools within Wireshark that break down network protocols for analysis.
Wireshark Endpoints 2 64 Quickly view network endpoints including Ethernet, IP, and port numbers.
Wireshark Follow Stream 3 100 A Wireshark feature that helps analysts trace and inspect individual communication streams, facilitating detailed analysis.
Wireshark Protocol Hierarchy 2 67 Quickly identify dissected protocols through Wireshark's functionality.
Wireshark Statistics 2 66 A tool used in Wireshark for analyzing network traffic by inspecting endpoints, conversations, and protocol hierarchy.
WNet Functions 2 114 Windows Network (WNet) API used for enumerating and mapping network resources.
XENOTIME 5 10 The activity group behind the TRISIS malware.
XOR key 5 57 A method used in malware for obfuscation.
YARA 1 29 A tool for identifying and classifying malware based on pattern matching.
YARA 5 47, 48, 51, 53, 79 A tool for identifying and classifying malware samples.
YARA executable 5 52 Used by ICS asset owners to detect BlackEnergy2 infection.
YARA Rule 5 56, 58, 60 A mechanism for identifying and categorizing malware samples effectively.
YARA rule 4 89 A rule-based approach for creating descriptions of malware families based on textual or binary patterns.
YARA Rules 5 46 A tool used for malware identification and classification based on textual or binary patterns.

YARA rules 4 85 A pattern-matching technique used for malware detection and analysis.
YARA signatures 5 39 Used for identifying and classifying malware based on textual or binary patterns.
Zeek 3 83, 84, 93 Open-source Unix-based network monitoring framework with IDS and scripting capabilities.
Zero-access botnet 5 14 A specific malware example as first-stage access to networks.
Zero-day vulnerability 1 11 A software vulnerability unknown to those interested in mitigating the vulnerability, notably used by Stuxnet.
