CAF Outcome B4.c: Secure Management
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security.
NCSC CAF Mapped to NIST CSF
Mappings from B4.c: Secure Management to the NIST CSF, generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
PR.DS-5 | Protections against data leaks are implemented |
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
PR.MA-1 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools |
DE.CM-4 | Malicious code is detected |
PR.PT-4 | Communications and control networks are protected |
RS.MI-1 | Incidents are contained |
DE.CM-5 | Unauthorized mobile code is detected |
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
RS.MI-2 | Incidents are mitigated |
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Exploit Protection
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
Limit Software Installation
Block users or groups from installing unapproved software.
Behavior Prevention on Endpoint
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
Remote Data Storage
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Restrict Web-Based Content
Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.
Execution Prevention
Block execution of code on a system through application control, and/or script blocking.
Restrict Library Loading
Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.
Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Malicious code protection (SR 3.2), ISA/IEC 62443-3-3:2013
- Mobile code (SR 2.4), ISA/IEC 62443-3-3:2013
- Authenticator management (SR 1.5), ISA/IEC 62443-3-3:2013
- Establish and document antivirus/malware management procedure (4.3.4.3.8), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Network controls (13.1.1), ISO 27001:2013
- Controls against malware (12.2.1), ISO 27001:2013
- Separation of development, testing, and operational environments (12.1.4), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1212 | Exploitation for Credential Access | Credential Access |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1203 | Exploitation for Client Execution | Execution |
T1080 | Taint Shared Content | Lateral Movement |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1218.011 | Rundll32 | Defense Evasion |
T1189 | Drive-by Compromise | Initial Access |
T1190 | Exploit Public-Facing Application | Initial Access |
T1218.010 | Regsvr32 | Defense Evasion |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1059.006 | Python | Execution |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1021.005 | VNC | Lateral Movement |
T1543.002 | Systemd Service | Persistence, Privilege Escalation |
T1176 | Browser Extensions | Persistence |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1137.005 | Outlook Rules | Persistence |
T1216.001 | PubPrn | Defense Evasion |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1204.002 | Malicious File | Execution |
T1027.009 | Embedded Payloads | Defense Evasion |
T1055.015 | ListPlanting | Defense Evasion, Privilege Escalation |
T1055.005 | Thread Local Storage | Defense Evasion, Privilege Escalation |
T1059 | Command and Scripting Interpreter | Execution |
T1055.002 | Portable Executable Injection | Defense Evasion, Privilege Escalation |
T1137 | Office Application Startup | Persistence |
T1003.001 | LSASS Memory | Credential Access |
T1569.002 | Service Execution | Execution |
T1559.002 | Dynamic Data Exchange | Execution |
T1137.004 | Outlook Home Page | Persistence |
T1137.003 | Outlook Forms | Persistence |
T1055.004 | Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
T1486 | Data Encrypted for Impact | Impact |
T1204 | User Execution | Execution |
T1559 | Inter-Process Communication | Execution |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1003 | OS Credential Dumping | Credential Access |
T1137.001 | Office Template Macros | Persistence |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1036 | Masquerading | Defense Evasion |
T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
T1574.013 | KernelCallbackTable | Defense Evasion, Persistence, Privilege Escalation |
T1137.002 | Office Test | Persistence |
T1027.012 | LNK Icon Smuggling | Defense Evasion |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1055.003 | Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |