CDA Cybersecurity Glossary: Frameworks and Concepts (Batch 3)
Cybersecurity is built on a dense vocabulary of frameworks, standards, attack techniques, and disciplines. This glossary cuts through the jargon and explains ten foundational concepts in plain language, grounding each one in the Cyber Defense Army's Planetary Defense Model (PDM). Whether you are building your first security program or trying to explain these ideas to a non-technical executive, start here.
---
What Is SOC 2?
PDM Domain: Risk Governance and Assurance (RGA)
SOC 2, which stands for System and Organization Controls 2, is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It evaluates whether a service organization has adequate controls in place to protect customer data across five categories: security, availability, processing integrity, confidentiality, and privacy. These categories are called the Trust Service Criteria (TSC).
There are two types of SOC 2 reports, and understanding the difference matters. A Type I report is a point-in-time assessment. An auditor reviews the design of your controls as of a specific date and offers an opinion on whether those controls are suitably designed to meet the criteria. A Type II report is far more rigorous. The auditor monitors your controls over a period of at least six months (often twelve) and evaluates whether those controls actually operated effectively throughout that period. Enterprise customers almost universally require Type II, not Type I.
The Security Trust Service Criterion, also called the Common Criteria, is mandatory for every SOC 2 engagement. The remaining four criteria (availability, processing integrity, confidentiality, and privacy) are optional and selected based on what the organization offers. A cloud infrastructure provider might include availability. A company that processes financial transactions might include processing integrity.
The SOC 2 report itself is not a public certification like ISO 27001. It is a detailed report shared under NDA with customers and prospects who request it. The report includes the auditor's opinion, a description of the service organization's system, and a listing of the controls tested along with any exceptions found. A "clean" report with no exceptions is strong evidence of a mature security program.
Every SaaS company that sells to enterprise customers will eventually face the SOC 2 question in a procurement questionnaire. Getting ahead of it means the difference between winning and losing a deal.
For a complete technical deep-dive, see "SOC 2 Type II Compliance."
---
What Is HIPAA?
PDM Domain: Risk Governance and Assurance (RGA)
HIPAA, the Health Insurance Portability and Accountability Act, is a U.S. federal law enacted in 1996 that establishes privacy and security standards for Protected Health Information (PHI). PHI is any information that can be used to identify an individual and relates to their health condition, healthcare services received, or payment for those services. This includes names, birth dates, addresses, Social Security numbers, medical record numbers, and more.
HIPAA applies to two categories of entities. Covered entities include healthcare providers (hospitals, clinics, physicians), health plans (insurance companies, HMOs), and healthcare clearinghouses (organizations that process health data into standardized formats). Business associates are any third parties that create, receive, maintain, or transmit PHI on behalf of a covered entity. If you build software that processes patient data for a hospital, you are a business associate and HIPAA applies to you.
The HIPAA Security Rule is the technical portion most relevant to cybersecurity professionals. It requires covered entities and business associates to implement three categories of safeguards. Administrative safeguards include risk assessments, workforce training, and incident response procedures. Physical safeguards govern workstation security, device controls, and facility access. Technical safeguards address access controls, audit controls, data integrity, and transmission security.
The Breach Notification Rule requires covered entities to notify affected individuals and the Department of Health and Human Services (HHS) within 60 days of discovering a breach of unsecured PHI. Breaches affecting 500 or more individuals in a state must also be reported to prominent media outlets in that state.
Penalties are structured in four tiers based on culpability, ranging from $100 per violation for violations where the entity was unaware, up to $50,000 per violation for willful neglect left uncorrected. Annual penalties per violation category are capped at $1.9 million. Criminal penalties for wrongful disclosure can reach $250,000 and ten years in prison.
For a complete technical deep-dive, see "HIPAA Security Rule Deep-Dive."
---
What Is the MITRE ATT&CK Framework?
PDM Domain: Threat Intelligence and Defense (TID)
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a publicly available knowledge base of adversary behaviors derived from real-world cyberattack observations. It was created by MITRE Corporation and is maintained as a living document, updated continuously as new attack behaviors are documented. The framework is free to use and has become the most widely adopted reference for understanding how attackers actually operate.
The framework is organized as a matrix. The columns represent tactics, which are the adversary's high-level goals during an attack. The Enterprise ATT&CK matrix has 14 tactics, including Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact. Each tactic contains techniques, which are the specific methods an adversary uses to achieve that goal. There are over 200 techniques in the Enterprise matrix, many of which have sub-techniques providing even more granular descriptions. The entire framework currently documents over 400 techniques and sub-techniques.
Defenders use ATT&CK in several ways. Detection engineers map their SIEM rules and EDR detections to ATT&CK techniques to identify coverage gaps. Threat hunters use it to develop hypotheses about what attacker behaviors might exist in an environment that haven't yet been detected. Red teams use it to scope engagements and ensure they are simulating realistic adversary behavior rather than synthetic test cases.
ATT&CK is often compared to the Cyber Kill Chain, but the two are complementary rather than competing. The Kill Chain is high-level and linear, describing seven broad stages from reconnaissance to actions on objectives. ATT&CK is post-intrusion focused and non-linear, describing hundreds of granular behaviors that do not follow a fixed sequence. A mature threat intelligence program uses both.
Beyond the Enterprise matrix (which covers Windows, macOS, Linux, and cloud environments), MITRE also maintains the Mobile ATT&CK matrix for iOS and Android, and the ICS ATT&CK matrix for industrial control systems.
For a complete technical deep-dive, see "MITRE ATT&CK Framework."
---
What Is MFA Fatigue?
PDM Domain: Identity Access and Trust (IAT)
MFA fatigue, also called MFA bombing or push notification spam, is a social engineering attack that exploits the convenience design of push-based multi-factor authentication (MFA). The attacker already has the target's username and password, typically obtained through phishing or credential theft. The only remaining barrier is the MFA approval. To defeat it, the attacker sends dozens or even hundreds of push notification approval requests in rapid succession, hoping the target approves one out of frustration, confusion, or a mistaken belief that it is a technical glitch.
The attack is deceptively simple. Many MFA applications present the user with an "Approve" or "Deny" button and little else. There is no contextual information about where the request originated, what device sent it, or what action it is approving. A target who receives 30 push notifications late at night may simply tap "Approve" to make them stop, never realizing they just handed an attacker access to their account.
Two high-profile incidents illustrated just how effective this attack is. In the Uber breach of 2022, an attacker obtained an Uber contractor's credentials, bombarded them with MFA push requests, and then sent a WhatsApp message claiming to be Uber IT support, advising them to accept the prompt. The contractor complied. In the Cisco breach of 2022, a similar push-bombing campaign succeeded after persistent social engineering. Neither attack required any exploitation of technical vulnerabilities. Both were pure human manipulation.
The fix is architectural. Push-based MFA that only asks for approval is inherently vulnerable because it provides no binding between the authentication request and a specific user action. FIDO2 and WebAuthn are immune to MFA fatigue by design. FIDO2 credentials are cryptographically bound to the specific origin (the domain of the legitimate site), which means a FIDO2 credential generated for a real website cannot be used on a phishing site, and the authentication ceremony cannot be triggered remotely by an attacker.
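The burst-then-approve pattern described in this entry is visible in authentication logs. The following detection sketch is an added example, not part of the original glossary; the log line format, the event names, and the window and threshold values are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, in chronological order. The line format and the
# event names (push_sent / push_denied / push_approved) are assumptions.
SAMPLE_LOG = """\
2024-05-01T01:00:00Z user=carol event=push_sent src_ip=198.51.100.20
2024-05-01T01:00:09Z user=carol event=push_approved src_ip=198.51.100.20
2024-05-01T02:10:00Z user=alice event=push_sent src_ip=203.0.113.7
2024-05-01T02:10:20Z user=alice event=push_denied src_ip=203.0.113.7
2024-05-01T02:10:40Z user=alice event=push_sent src_ip=203.0.113.7
2024-05-01T02:11:00Z user=bob event=push_sent src_ip=192.0.2.44
2024-05-01T02:11:05Z user=bob event=push_approved src_ip=192.0.2.44
2024-05-01T02:11:10Z user=alice event=push_sent src_ip=203.0.113.7
2024-05-01T02:11:40Z user=alice event=push_sent src_ip=203.0.113.7
2024-05-01T02:12:10Z user=alice event=push_sent src_ip=203.0.113.7
2024-05-01T02:12:40Z user=alice event=push_sent src_ip=203.0.113.7
2024-05-01T02:13:10Z user=alice event=push_approved src_ip=203.0.113.7
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 5                    # assumed number of prompts that counts as a burst


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_push_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (user, alert, timestamp) tuples for push bursts and for any
    approval that arrives while a burst is in progress."""
    recent = defaultdict(deque)   # user -> timestamps of prompts inside the window
    bursting = set()              # users already alerted for the current burst
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_line(line)
        user, ts, prompts = ev["user"], ev["ts"], recent[ev["user"]]
        while prompts and ts - prompts[0] > window:   # drop prompts that aged out
            prompts.popleft()
        if len(prompts) < threshold:
            bursting.discard(user)
        if ev["event"] == "push_sent":
            prompts.append(ts)
            if len(prompts) >= threshold and user not in bursting:
                bursting.add(user)
                alerts.append((user, "push_burst", ts))
        elif ev["event"] == "push_approved":
            if len(prompts) >= threshold:
                # An approval in the middle of a burst: treat as likely compromise.
                alerts.append((user, "approved_after_burst", ts))
            prompts.clear()
            bursting.discard(user)
    return alerts


if __name__ == "__main__":
    for user, alert, ts in detect_push_fatigue(SAMPLE_LOG):
        print(ts.isoformat(), user, alert)
```

An "approved_after_burst" alert is the case that warrants immediate session revocation and a credential reset, since the password is already known to whoever sent the prompts.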
For a complete technical deep-dive, see "MFA Fatigue Attacks," "FIDO2 and WebAuthn: Passwordless Authentication," and "Uber Breach 2022."
---
What Is a Kill Chain?
PDM Domain: Threat Intelligence and Defense (TID)
The Cyber Kill Chain is a model developed by Lockheed Martin in 2011 to describe the sequential stages of a targeted cyberattack. The model was adapted from military targeting concepts and applies the same logic to cyber intrusions: an attacker must complete a series of steps to achieve their objective, and disrupting any step breaks the chain and defeats the attack.
The seven stages are: Reconnaissance (the attacker gathers information about the target), Weaponization (the attacker pairs an exploit with a delivery mechanism, such as embedding malware in a document), Delivery (the weapon is transmitted to the target, typically via email, web, or removable media), Exploitation (the exploit triggers on the target's system), Installation (the attacker establishes a persistent foothold), Command and Control (the attacker establishes a channel to remotely operate the implant), and Actions on Objectives (the attacker achieves their goal: data exfiltration, ransomware deployment, sabotage).
The most important implication of the Kill Chain model for defenders is this: you do not need to stop every stage to win. You need to stop the attacker at any one stage. This is why layered defenses exist. Email security stops delivery. Endpoint detection stops exploitation and installation. Network monitoring stops command and control. Data loss prevention stops exfiltration. No single control is sufficient, but each layer increases the probability of stopping the attack.
Defenders also use the Kill Chain to reason about "left of boom" versus "right of boom" detection. "Left of boom" means detecting the attack before the detonation point (exploitation). This is preferable because the attacker has not yet caused harm, and eviction is cleaner. "Right of boom" means detecting the attack after exploitation, during installation, command and control, or exfiltration. Detection is still valuable at these stages, but the cost of response increases significantly.
The Kill Chain's main limitation is that it was designed for targeted intrusion campaigns and is less useful for insider threats, web application attacks, or non-linear attack paths. This is where the MITRE ATT&CK framework complements it: ATT&CK provides granular, non-linear technique coverage for post-exploitation behaviors that the Kill Chain abstracts away.
For a complete technical deep-dive, see "MITRE ATT&CK Framework" and "Initial Access Techniques."
---
What Is Social Engineering?
PDM Domain: Threat Intelligence and Defense (TID)
Social engineering is the manipulation of people into performing actions or disclosing information that they otherwise would not. Unlike technical attacks that exploit software vulnerabilities, social engineering exploits human psychology. It is consistently the most reliable initial access vector in sophisticated attacks because human judgment is harder to patch than software.
The major social engineering techniques include several well-documented methods. Phishing uses fraudulent emails, messages, or websites to trick targets into revealing credentials or executing malware. Pretexting involves constructing a fabricated scenario to gain trust before making a request, such as impersonating an IT support technician. Baiting leaves physical or digital lures (malicious USB drives, pirated software downloads) that targets pick up and use. Quid pro quo offers something of value, such as free IT help, in exchange for credentials or access. Tailgating (also called piggybacking) involves physically following an authorized person through a secured door.
Attackers exploit well-documented psychological principles. Authority causes people to comply with requests from figures perceived as legitimate (IT security, the CEO, law enforcement). Urgency forces hasty decisions by creating time pressure ("Your account will be locked in 10 minutes"). Fear bypasses rational thinking ("Your computer is infected and we need your credentials to fix it"). Reciprocity exploits the social obligation to return favors. Social proof leverages the tendency to follow what others appear to be doing.
Social engineering is effective because technology improvements do not change human psychology. An organization can have state-of-the-art email filtering and still be compromised because an attacker called the help desk and convinced an analyst to reset a password. This is why security awareness training is necessary but not sufficient. Training reduces susceptibility at the margins. Process controls such as callback verification procedures, out-of-band authentication requirements, and strict privilege management reduce the damage any successful social engineering attempt can cause, regardless of how convincing the attacker is.
For a complete technical deep-dive, see "Social Engineering and Phishing" and "Business Email Compromise (BEC) Deep-Dive."
---
What Is Patch Management?
PDM Domain: Vulnerability and Surface Defense (VSD)
Patch management is the process of identifying, acquiring, testing, and deploying software updates, called patches, to fix known security vulnerabilities in operating systems, applications, and firmware. It is one of the most operationally demanding and critically important functions in cybersecurity, and it is one of the most commonly neglected.
The patch management lifecycle follows a repeatable sequence. First, the organization inventories what software and systems it runs. Without an accurate inventory, you cannot know what needs patching. Second, the organization monitors vulnerability feeds (the National Vulnerability Database, vendor advisories, and threat intelligence sources) to learn about newly disclosed vulnerabilities affecting its software. Third, each vulnerability is assessed for risk: How severe is it? Is there a known exploit in the wild? Is the vulnerable system exposed to the internet or isolated? Fourth, patches are tested in a staging environment to verify they do not break production systems before deployment. Fifth, patches are deployed to production on a schedule that reflects the assessed risk.
The scale of the problem is significant. The NVD disclosed more than 29,000 new CVEs (Common Vulnerabilities and Exposures) in 2023 alone. No organization can patch everything immediately, which is why prioritization frameworks such as CVSS scores and the CISA Known Exploited Vulnerabilities (KEV) catalog exist.
For critical vulnerabilities being actively exploited in the wild, the standard testing cycle is abbreviated. Emergency deployment procedures allow patches to be applied within 24 to 72 hours rather than the standard 30-day window. The calculus is simple: the risk of a known exploit is higher than the risk of an untested patch causing an outage.
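The lifecycle and the two deployment windows described above can be expressed as a small triage routine. This is an added example, not part of the original glossary: it joins an inventory to advisories, then assigns each affected asset a deadline. The product names, CVE placeholders, scores, and the exact rule (CVSS 9.0 or higher plus known exploitation means 24 hours if internet-exposed, 72 hours otherwise, else 30 days) are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    internet_exposed: bool


@dataclass(frozen=True)
class Advisory:
    cve: str                # placeholder identifiers, not real CVEs
    product: str
    fixed_in: str           # first version that contains the fix
    cvss: float
    known_exploited: bool   # e.g. the CVE is listed in the CISA KEV catalog
    published: datetime


# Constructed sample data.
INVENTORY = [
    Asset("web-01", "examplewebfw", "2.3.5", internet_exposed=True),
    Asset("app-02", "examplewebfw", "2.3.5", internet_exposed=False),
    Asset("app-03", "examplewebfw", "2.3.32", internet_exposed=True),  # already patched
    Asset("db-01", "exampledb", "11.2", internet_exposed=False),
]
ADVISORIES = [
    Advisory("CVE-PLACEHOLDER-0001", "examplewebfw", "2.3.32", 9.8, True,
             datetime(2024, 3, 1)),
    Advisory("CVE-PLACEHOLDER-0002", "exampledb", "11.4", 7.5, False,
             datetime(2024, 3, 1)),
    Advisory("CVE-PLACEHOLDER-0003", "examplewebfw", "2.3.10", 5.3, False,
             datetime(2024, 2, 20)),
]


def version_key(version):
    """'2.3.32' -> (2, 3, 32) so that versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def deadline(advisory, asset):
    """Emergency window for critical, actively exploited flaws; 30 days otherwise."""
    if advisory.known_exploited and advisory.cvss >= 9.0:
        hours = 24 if asset.internet_exposed else 72
        return advisory.published + timedelta(hours=hours)
    return advisory.published + timedelta(days=30)


def build_patch_queue(inventory, advisories):
    """Return (asset, cve, due) tuples, earliest deadline first, then highest CVSS."""
    queue = []
    for adv in advisories:
        for asset in inventory:
            affected = (asset.product == adv.product
                        and version_key(asset.version) < version_key(adv.fixed_in))
            if affected:
                queue.append((deadline(adv, asset), -adv.cvss, asset.name, adv.cve))
    queue.sort()
    return [(name, cve, due) for due, _, name, cve in queue]


if __name__ == "__main__":
    for name, cve, due in build_patch_queue(INVENTORY, ADVISORIES):
        print(due.isoformat(), name, cve)
```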
The canonical example of unpatched vulnerability exploitation is the 2017 Equifax breach. Attackers exploited CVE-2017-5638, a critical vulnerability in Apache Struts, to exfiltrate the personal data of 147 million Americans. A patch for that vulnerability had been available for two months before the breach. Equifax simply had not applied it.
For a complete technical deep-dive, see "Patch Management Program."
---
What Is Incident Response?
PDM Domain: Threat Intelligence and Defense (TID)
Incident response (IR) is the structured process organizations use to detect, contain, eradicate, recover from, and learn from security incidents. The goal is to minimize damage, reduce recovery time and costs, and prevent recurrence. Without a defined incident response process, organizations improvise during their worst moments, which reliably produces worse outcomes.
The NIST incident response lifecycle defines six phases. Preparation is the work done before an incident occurs: building an IR plan, assembling an IR team, deploying detection tools, and establishing communication protocols. This is the most important phase because decisions made in preparation determine the speed and quality of everything that follows. Identification is the process of determining whether an event is actually a security incident, and if so, what is affected and how severe it is. Containment limits the spread of the incident by isolating affected systems, changing credentials, or blocking network segments. Short-term containment stops the bleeding; long-term containment provides a stable environment for investigation. Eradication removes the threat from the environment: deleting malware, closing exploited vulnerabilities, and removing unauthorized access. Recovery restores systems to normal operations, validates that the threat is gone, and monitors for recurrence. Lessons Learned is a structured post-incident review that documents what happened, what worked, what failed, and what changes need to be made.
Two metrics define the cost of poor incident response. The mean time to detect (MTTD) measures how long an attacker dwells in your environment before you notice them. According to IBM's annual Cost of a Data Breach report, the average dwell time before detection is 194 days. Every additional day of attacker access increases the scope of data accessed, the number of systems compromised, and the eventual cost of the incident. The mean time to respond (MTTR) measures how long it takes to contain and eradicate the threat after detection.
Organizations that want to close the gap between preparation and performance use tabletop exercises (structured discussion-based simulations of incident scenarios) and IR retainers (contracts with external IR firms that guarantee response capacity when an incident occurs).
For a complete technical deep-dive, see "Incident Response Lifecycle."
---
What Is Cloud Security?
PDM Domain: All six PDM domains (DPS, VSD, SPH, IAT, TID, RGA)
Cloud security is the set of policies, technologies, controls, and practices that protect cloud-based systems, data, and infrastructure. As organizations have migrated workloads from on-premises data centers to cloud environments, their attack surface has changed fundamentally. Cloud security is not a single discipline but a cross-cutting concern that spans every domain of the Planetary Defense Model.
The most important concept in cloud security is the shared responsibility model. Cloud providers (AWS, Azure, Google Cloud) are responsible for the security of the cloud: the physical infrastructure, the hypervisor, the networking, and the managed services they offer. Customers are responsible for security in the cloud: the data they store, the access controls they configure, the applications they build, and the operating systems they run. The boundary shifts depending on the service model. In Infrastructure as a Service (IaaS), where customers provision virtual machines, customers own more responsibility. In Platform as a Service (PaaS), where customers deploy applications on managed platforms, providers handle more of the stack. In Software as a Service (SaaS), where customers consume a finished application, the provider owns nearly everything except data governance and user access.
The top cloud security risks are consistent across all major cloud environments. Misconfiguration is the leading cause of cloud breaches. An S3 bucket left publicly accessible, a storage account with no encryption, a firewall rule that allows unrestricted inbound access to port 22: these misconfigurations are trivial to exploit and common in practice. Insecure APIs expose cloud management surfaces to attackers who obtain API keys or exploit poorly designed authentication. Account compromise through phishing or credential theft gives attackers the keys to an entire cloud environment. Insider threats are amplified in cloud environments because authorized users can exfiltrate massive datasets with a single API call.
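The three misconfigurations named above can be checked mechanically against a configuration export. The following is an added example, not part of the original glossary; the resource schema is hypothetical and the inventory is constructed. The firewall check also catches port ranges that include 22, "all protocols" rules, and the IPv6 any-address.

```python
import ipaddress

# Constructed inventory. The schema is hypothetical and does not mirror any
# cloud provider's API; a real export would have to be mapped onto it.
RESOURCES = [
    {"id": "logs-archive", "type": "bucket", "public": True, "encrypted": True},
    {"id": "backups", "type": "bucket", "public": False, "encrypted": False},
    {"id": "assets-private", "type": "bucket", "public": False, "encrypted": True},
    {"id": "fw-bastion", "type": "firewall", "rules": [
        {"direction": "inbound", "action": "allow", "protocol": "tcp",
         "ports": (22, 22), "sources": ["10.0.0.0/8"]}]},
    {"id": "fw-dev", "type": "firewall", "rules": [
        {"direction": "inbound", "action": "allow", "protocol": "tcp",
         "ports": (0, 1024), "sources": ["0.0.0.0/0"]}]},
    {"id": "fw-web", "type": "firewall", "rules": [
        {"direction": "inbound", "action": "allow", "protocol": "tcp",
         "ports": (443, 443), "sources": ["0.0.0.0/0", "::/0"]}]},
    {"id": "fw-legacy", "type": "firewall", "rules": [
        {"direction": "inbound", "action": "allow", "protocol": "all",
         "sources": ["::/0"]}]},
]


def rule_opens_port_to_world(rule, port=22):
    """True if an inbound allow rule lets any address reach the given TCP port."""
    if rule["direction"] != "inbound" or rule["action"] != "allow":
        return False
    if rule["protocol"] not in ("tcp", "all"):
        return False
    low, high = rule.get("ports", (0, 65535))   # no port list means every port
    if not low <= port <= high:
        return False
    # A /0 prefix (0.0.0.0/0 or ::/0) matches every source address.
    return any(ipaddress.ip_network(cidr).prefixlen == 0 for cidr in rule["sources"])


def audit(resources):
    """Return (resource id, finding) pairs for the misconfigurations checked."""
    findings = []
    for res in resources:
        if res["type"] == "bucket":
            if res["public"]:
                findings.append((res["id"], "publicly accessible storage"))
            if not res["encrypted"]:
                findings.append((res["id"], "storage not encrypted at rest"))
        elif res["type"] == "firewall":
            if any(rule_opens_port_to_world(rule) for rule in res["rules"]):
                findings.append((res["id"], "port 22 open to any address"))
    return findings


if __name__ == "__main__":
    for resource_id, finding in audit(RESOURCES):
        print(f"{resource_id}: {finding}")
```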
All six PDM domains apply directly in cloud environments. DPS governs where data is stored and whether it is encrypted at rest and in transit. VSD governs vulnerability management of cloud workloads and reduction of exposed attack surfaces. SPH governs cloud security posture management (CSPM) tools that continuously monitor configuration drift. IAT governs identity and access management for cloud services, including least privilege and just-in-time access. TID governs cloud-native threat detection and log analysis. RGA governs compliance with cloud-specific frameworks such as the CSA Cloud Controls Matrix and FedRAMP.
For a complete technical deep-dive, see "Cloud Security Fundamentals," "AWS Security Fundamentals," "Azure Security Fundamentals," and "Google Cloud Security Fundamentals."
---
What Is the Dark Web?
PDM Domain: Threat Intelligence and Defense (TID)
The dark web is a portion of the internet that is accessible only through specialized software, primarily the Tor (The Onion Router) network, which provides anonymity for both users and site operators by routing traffic through multiple encrypted relays before reaching its destination. Understanding what the dark web is and what it is not is important for practitioners, because both popular culture and media coverage tend to either sensationalize it or conflate it with concepts it does not represent.
The first distinction to make is between the deep web and the dark web. The deep web refers to any internet content that is not indexed by standard search engines. This includes your email inbox, your online banking portal, private social media content, and any page behind a login. The deep web is vast and almost entirely benign. The dark web is a small subset of the deep web that requires Tor or similar anonymizing software to access. The two terms are not interchangeable.
What actually exists on the dark web is more varied than its reputation suggests. Legitimate uses include privacy-focused communications tools for journalists and activists in authoritarian environments, the official Facebook onion address for users in countries where Facebook is censored, and SecureDrop installations maintained by major news outlets for whistleblowers. Criminal uses are real and well-documented: markets for stolen credentials, full identity packages (called "fullz"), credit card data, malware-as-a-service offerings, ransomware affiliate programs, and access brokers selling initial access to already-compromised corporate networks. The latter category is directly relevant to enterprise threat intelligence.
For organizations, the dark web is a threat intelligence source rather than a destination. Credential data from breaches appears on dark web markets and paste sites, often before the breached organization is even aware of the incident. Threat actor forums discuss targets, tradecraft, and tooling that defenders can monitor for early warning. Ransomware groups maintain dark web leak sites where they publish stolen data from victims who refuse to pay.
CDA's Predictive Defense Intelligence (PDI) methodology, the operational framework under the TID domain, incorporates dark web monitoring as a primary source for credential exposure detection and threat actor activity tracking. PDI's core principle is "See the threat before it sees you." Monitoring dark web sources for mentions of your organization, your employees' credentials, and your infrastructure is one of the most direct ways to operationalize that principle.
For a complete technical deep-dive, see "Threat Intelligence Operations."
Written by Evan Morgan