CAF Outcome B4.c: Secure Management

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security.


NCSC CAF Mapped to NIST CSF

Mappings from B4.c: Secure Management to NIST CSF controls, generated from the UK Cabinet Office mapping table.

Control ID: Description
PR.DS-5: Protections against data leaks are implemented
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
DE.CM-4: Malicious code is detected
PR.PT-4: Communications and control networks are protected
RS.MI-1: Incidents are contained
DE.CM-5: Unauthorized mobile code is detected
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
RS.MI-2: Incidents are mitigated
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Malicious code protection (SR 3.2)
    ISA/IEC 62443-3-3:2013
  • Mobile code (SR 2.4)
    ISA/IEC 62443-3-3:2013
  • Authenticator management (SR 1.5)
    ISA/IEC 62443-3-3:2013
  • Establish and document antivirus/malware management procedure (4.3.4.3.8)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Network controls (13.1.1)
    ISO 27001:2013
  • Controls against malware (12.2.1)
    ISO 27001:2013
  • Separation of development, testing, and operational environments (12.1.4)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NIST's SP800-53/CSF crosswalk mappings.

PE-19: Information Leakage
SC-31: Covert Channel Analysis
AC-5: Separation of Duties
AC-6: Least Privilege
AC-4: Information Flow Enforcement
SI-4: System Monitoring
SC-7: Boundary Protection
PS-6: Access Agreements
SC-13: Cryptographic Protection
SC-8: Transmission Confidentiality and Integrity
PS-3: Personnel Screening
CM-3: Configuration Change Control
CA-7: Continuous Monitoring
PE-3: Physical Access Control
PE-20: Asset Monitoring and Tracking
PE-6: Monitoring Physical Access
AU-12: Audit Record Generation
CM-8: System Component Inventory
MA-3: Maintenance Tools
MA-5: Maintenance Personnel
MA-2: Controlled Maintenance
MA-6: Timely Maintenance
SI-8: Spam Protection
SI-3: Malicious Code Protection
SC-37: Out-of-band Channels
SC-36: Distributed Processing and Storage
SC-40: Wireless Link Protection
SC-25: Thin Nodes
SC-32: System Partitioning
SC-20: Secure Name/Address Resolution Service (Authoritative Source)
SC-22: Architecture and Provisioning for Name/Address Resolution Service
AC-18: Wireless Access
SC-19: Voice Over Internet Protocol
SC-23: Session Authenticity
SC-41: Port and I/O Device Access
SC-39: Process Isolation
AC-17: Remote Access
SC-29: Heterogeneity
SC-21: Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-24: Fail in Known State
CP-8: Telecommunications Services
SC-38: Operations Security
SC-43: Usage Restrictions
IR-4: Incident Handling
SC-18: Mobile Code
SC-44: Detonation Chambers
CM-5: Access Restrictions for Change
CM-4: Impact Analyses
CM-9: Configuration Management Plan
CM-7: Least Functionality
CM-2: Baseline Configuration
SA-10: Developer Configuration Management
CM-6: Configuration Settings
IA-4: Identifier Management
IA-1: Policy and Procedures
AC-14: Permitted Actions Without Identification or Authentication
AC-9: Previous Logon Notification
IA-10: Adaptive Authentication
AC-12: Session Termination
IA-3: Device Identification and Authentication
IA-5: Authenticator Management
AC-8: System Use Notification
IA-9: Service Identification and Authentication
IA-11: Re-authentication
AC-7: Unsuccessful Logon Attempts
IA-2: Identification and Authentication (Organizational Users)
AC-11: Device Lock
IA-8: Identification and Authentication (Non-organizational Users)
SC-16: Transmission of Security and Privacy Attributes
SI-7: Software, Firmware, and Information Integrity

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

ATT&CK ID: Title (Associated Tactics)
T1212: Exploitation for Credential Access (Credential Access)
T1211: Exploitation for Defense Evasion (Defense Evasion)
T1203: Exploitation for Client Execution (Execution)
T1080: Taint Shared Content (Lateral Movement)
T1218: System Binary Proxy Execution (Defense Evasion)
T1218.011: Rundll32 (Defense Evasion)
T1189: Drive-by Compromise (Initial Access)
T1190: Exploit Public-Facing Application (Initial Access)
T1218.010: Regsvr32 (Defense Evasion)
T1210: Exploitation of Remote Services (Lateral Movement)
T1068: Exploitation for Privilege Escalation (Privilege Escalation)
T1059.006: Python (Execution)
T1072: Software Deployment Tools (Execution, Lateral Movement)
T1021.005: VNC (Lateral Movement)
T1543.002: Systemd Service (Persistence, Privilege Escalation)
T1176: Browser Extensions (Persistence)
T1543: Create or Modify System Process (Persistence, Privilege Escalation)
T1547.013: XDG Autostart Entries (Persistence, Privilege Escalation)
T1574: Hijack Execution Flow (Defense Evasion, Persistence, Privilege Escalation)
T1137.005: Outlook Rules (Persistence)
T1216.001: PubPrn (Defense Evasion)
T1543.003: Windows Service (Persistence, Privilege Escalation)
T1204.002: Malicious File (Execution)
T1027.009: Embedded Payloads (Defense Evasion)
T1055.015: ListPlanting (Defense Evasion, Privilege Escalation)
T1055.005: Thread Local Storage (Defense Evasion, Privilege Escalation)
T1059: Command and Scripting Interpreter (Execution)
T1055.002: Portable Executable Injection (Defense Evasion, Privilege Escalation)
T1137: Office Application Startup (Persistence)
T1003.001: LSASS Memory (Credential Access)
T1569.002: Service Execution (Execution)
T1559.002: Dynamic Data Exchange (Execution)
T1137.004: Outlook Home Page (Persistence)
T1137.003: Outlook Forms (Persistence)
T1055.004: Asynchronous Procedure Call (Defense Evasion, Privilege Escalation)
T1486: Data Encrypted for Impact (Impact)
T1204: User Execution (Execution)
T1559: Inter-Process Communication (Execution)
T1055: Process Injection (Defense Evasion, Privilege Escalation)
T1003: OS Credential Dumping (Credential Access)
T1137.001: Office Template Macros (Persistence)
T1055.001: Dynamic-link Library Injection (Defense Evasion, Privilege Escalation)
T1036: Masquerading (Defense Evasion)
T1055.012: Process Hollowing (Defense Evasion, Privilege Escalation)
T1574.013: KernelCallbackTable (Defense Evasion, Persistence, Privilege Escalation)
T1137.002: Office Test (Persistence)
T1027.012: LNK Icon Smuggling (Defense Evasion)
T1027: Obfuscated Files or Information (Defense Evasion)
T1055.003: Thread Execution Hijacking (Defense Evasion, Privilege Escalation)
T1546.003: Windows Management Instrumentation Event Subscription (Persistence, Privilege Escalation)
T1047: Windows Management Instrumentation (Execution)
T1055.011: Extra Window Memory Injection (Defense Evasion, Privilege Escalation)
T1091: Replication Through Removable Media (Initial Access, Lateral Movement)
T1055.014: VDSO Hijacking (Defense Evasion, Privilege Escalation)
T1055.009: Proc Memory (Defense Evasion, Privilege Escalation)
T1569: System Services (Execution)
T1027.010: Command Obfuscation (Defense Evasion)
T1055.008: Ptrace System Calls (Defense Evasion, Privilege Escalation)
T1137.006: Add-ins (Persistence)
T1106: Native API (Execution)
T1036.008: Masquerade File Type (Defense Evasion)
T1059.007: JavaScript (Execution)
T1059.005: Visual Basic (Execution)
T1006: Direct Volume Access (Defense Evasion)
T1055.013: Process Doppelgänging (Defense Evasion, Privilege Escalation)
T1119: Automated Collection (Collection)
T1070.003: Clear Command History (Defense Evasion)
T1565: Data Manipulation (Impact)
T1565.001: Stored Data Manipulation (Impact)
T1070: Indicator Removal (Defense Evasion)
T1070.002: Clear Linux or Mac System Logs (Defense Evasion)
T1070.009: Clear Persistence (Defense Evasion)
T1070.007: Clear Network Connection History and Configurations (Defense Evasion)
T1070.001: Clear Windows Event Logs (Defense Evasion)
T1070.008: Clear Mailbox Data (Defense Evasion)
T1036.005: Match Legitimate Name or Location (Defense Evasion)
T1530: Data from Cloud Storage (Collection)
T1037.005: Startup Items (Persistence, Privilege Escalation)
T1562.002: Disable Windows Event Logging (Defense Evasion)
T1546.013: PowerShell Profile (Persistence, Privilege Escalation)
T1563.001: SSH Hijacking (Lateral Movement)
T1552.001: Credentials In Files (Credential Access)
T1222.001: Windows File and Directory Permissions Modification (Defense Evasion)
T1548.003: Sudo and Sudo Caching (Defense Evasion, Privilege Escalation)
T1489: Service Stop (Impact)
T1562.004: Disable or Modify System Firewall (Defense Evasion)
T1574.008: Path Interception by Search Order Hijacking (Defense Evasion, Persistence, Privilege Escalation)
T1098.004: SSH Authorized Keys (Persistence, Privilege Escalation)
T1037.004: RC Scripts (Persistence, Privilege Escalation)
T1037: Boot or Logon Initialization Scripts (Persistence, Privilege Escalation)
T1546.004: Unix Shell Configuration Modification (Persistence, Privilege Escalation)
T1562: Impair Defenses (Defense Evasion)
T1037.003: Network Logon Script (Persistence, Privilege Escalation)
T1548: Abuse Elevation Control Mechanism (Defense Evasion, Privilege Escalation)
T1218.002: Control Panel (Defense Evasion)
T1562.006: Indicator Blocking (Defense Evasion)
T1574.007: Path Interception by PATH Environment Variable (Defense Evasion, Persistence, Privilege Escalation)
T1048: Exfiltration Over Alternative Protocol (Exfiltration)
T1574.004: Dylib Hijacking (Defense Evasion, Persistence, Privilege Escalation)
T1574.002: DLL Side-Loading (Defense Evasion, Persistence, Privilege Escalation)
T1574.009: Path Interception by Unquoted Path (Defense Evasion, Persistence, Privilege Escalation)
T1565.003: Runtime Data Manipulation (Impact)
T1222.002: Linux and Mac File and Directory Permissions Modification (Defense Evasion)
T1037.002: Login Hook (Persistence, Privilege Escalation)
T1556: Modify Authentication Process (Credential Access, Defense Evasion, Persistence)
T1547.003: Time Providers (Persistence, Privilege Escalation)
T1564.004: NTFS File Attributes (Defense Evasion)
T1222: File and Directory Permissions Modification (Defense Evasion)
T1553.003: SIP and Trust Provider Hijacking (Defense Evasion)
T1036.003: Rename System Utilities (Defense Evasion)
T1543.001: Launch Agent (Persistence, Privilege Escalation)
T1562.001: Disable or Modify Tools (Defense Evasion)
T1552.004: Private Keys (Credential Access)
T1053.006: Systemd Timers (Execution, Persistence, Privilege Escalation)
T1552: Unsecured Credentials (Credential Access)
T1566.001: Spearphishing Attachment (Initial Access)
T1102.001: Dead Drop Resolver (Command and Control)
T1566: Phishing (Initial Access)
T1568: Dynamic Resolution (Command and Control)
T1568.002: Domain Generation Algorithms (Command and Control)
T1550.001: Application Access Token (Defense Evasion, Lateral Movement)
T1567.003: Exfiltration to Text Storage Sites (Exfiltration)
T1218.001: Compiled HTML File (Defense Evasion)
T1566.003: Spearphishing via Service (Initial Access)
T1528: Steal Application Access Token (Credential Access)
T1102: Web Service (Command and Control)
T1659: Content Injection (Command and Control, Initial Access)
T1204.001: Malicious Link (Execution)
T1566.002: Spearphishing Link (Initial Access)
T1567.002: Exfiltration to Cloud Storage (Exfiltration)
T1567.001: Exfiltration to Code Repository (Exfiltration)
T1567: Exfiltration Over Web Service (Exfiltration)
T1102.003: One-Way Communication (Command and Control)
T1102.002: Bidirectional Communication (Command and Control)
T1127: Trusted Developer Utilities Proxy Execution (Defense Evasion)
T1218.014: MMC (Defense Evasion)
T1218.012: Verclsid (Defense Evasion)
T1547.004: Winlogon Helper DLL (Persistence, Privilege Escalation)
T1129: Shared Modules (Execution)
T1574.012: COR_PROFILER (Defense Evasion, Persistence, Privilege Escalation)
T1220: XSL Script Processing (Defense Evasion)
T1219: Remote Access Software (Command and Control)
T1127.001: MSBuild (Defense Evasion)
T1562.011: Spoof Security Alerting (Defense Evasion)
T1574.001: DLL Search Order Hijacking (Defense Evasion, Persistence, Privilege Escalation)
T1546.008: Accessibility Features (Persistence, Privilege Escalation)
T1218.013: Mavinject (Defense Evasion)
T1548.004: Elevated Execution with Prompt (Defense Evasion, Privilege Escalation)
T1059.008: Network Device CLI (Execution)
T1059.002: AppleScript (Execution)
T1546.009: AppCert DLLs (Persistence, Privilege Escalation)
T1547.006: Kernel Modules and Extensions (Persistence, Privilege Escalation)
T1059.003: Windows Command Shell (Execution)
T1564.003: Hidden Window (Defense Evasion)
T1609: Container Administration Command (Execution)
T1546.006: LC_LOAD_DYLIB Addition (Persistence, Privilege Escalation)
T1218.005: Mshta (Defense Evasion)
T1574.006: Dynamic Linker Hijacking (Defense Evasion, Persistence, Privilege Escalation)
T1218.004: InstallUtil (Defense Evasion)
T1553: Subvert Trust Controls (Defense Evasion)
T1059.004: Unix Shell (Execution)
T1059.009: Cloud API (Execution)
T1218.008: Odbcconf (Defense Evasion)
T1564.006: Run Virtual Instance (Defense Evasion)
T1505.004: IIS Components (Persistence)
T1553.001: Gatekeeper Bypass (Defense Evasion)
T1216: System Script Proxy Execution (Defense Evasion)
T1553.005: Mark-of-the-Web Bypass (Defense Evasion)
T1218.009: Regsvcs/Regasm (Defense Evasion)
T1611: Escape to Host (Privilege Escalation)
T1546.002: Screensaver (Persistence, Privilege Escalation)
T1546.010: AppInit DLLs (Persistence, Privilege Escalation)
T1059.001: PowerShell (Execution)
T1218.003: CMSTP (Defense Evasion)
T1547.008: LSASS Driver (Persistence, Privilege Escalation)
T1221: Template Injection (Defense Evasion)
T1027.002: Software Packing (Defense Evasion)