CAF Outcome B2.c: Privileged User Management

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You closely manage privileged user access to networks and information systems supporting the essential function.

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

NCSC CAF Mapped to NIST CSF

B2.c: Privileged User Management to CSF mappings generated from UK Cabinet Office table.

Control ID	Description
DE.CM-3	Personnel activity is monitored to detect potential cybersecurity events
PR.MA-2	Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
PR.AC-5	Network integrity is protected (e.g., network segregation, network segmentation)
DE.CM-6	External service provider activity is monitored to detect potential cybersecurity events
RS.AN-1	Notifications from detection systems are investigated
PR.AC-3	Remote access is managed
PR.PT-3	The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
PR.AC-6	Identities are proofed and bound to credentials and asserted in interactions
PR.PT-1	Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.AC-1	Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-7	Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
PR.DS-5	Protections against data leaks are implemented
PR.AC-4	Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
DE.CM-7	Monitoring for unauthorized personnel, connections, devices, and software is performed

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

Remote session termination (SR 2.6)
ISA/IEC 62443-3-3:2013
Authenticator management (SR 1.5)
ISA/IEC 62443-3-3:2013
General purpose person-to-person communication restrictions (SR 5.3)
ISA/IEC 62443-3-3:2013
Human User Identification and Authentication (SR 1.1)
ISA/IEC 62443-3-3:2013
Software process and device identification and authentication (SR 1.2)
ISA/IEC 62443-3-3:2013
Identifier management (SR 1.4)
ISA/IEC 62443-3-3:2013
Audit account administration (4.3.3.5.8)
ISA/IEC 62443-2-1:2009
Record access accounts (4.3.3.5.4)
ISA/IEC 62443-2-1:2009
Suspend or remove unneeded accounts (4.3.3.5.5)
ISA/IEC 62443-2-1:2009
Employ multiple authorization methods for critical IACS (4.3.3.7.4)
ISA/IEC 62443-2-1:2009
Identify individuals (4.3.3.5.2)
ISA/IEC 62443-2-1:2009
Provide entry controls (4.3.3.3.3)
ISA/IEC 62443-2-1:2009
Review account permissions (4.3.3.5.6)
ISA/IEC 62443-2-1:2009
Establish appropriate logical and physical permission methods to access IACS devices (4.3.3.7.2)
ISA/IEC 62443-2-1:2009
Establish physical security perimeters (4.3.3.3.2)
ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

Physical security perimeter (11.1.1)
ISO 27001:2013
Management of privileged access rights (9.2.3)
ISO 27001:2013
Physical entry controls (11.1.2)
ISO 27001:2013
Secure log-on procedures (9.4.2)
ISO 27001:2013
Access to networks and network services (9.1.2)
ISO 27001:2013
Administrator and operator logs (12.4.3)
ISO 27001:2013
Review of user access rights (9.2.5)
ISO 27001:2013

Related SP800-53 Controls

Generated from NISTs SP800-53/CSF Crosswalk mappings.

Node
AU-12: Audit Record Generation
CM-10: Software Usage Restrictions
CA-7: Continuous Monitoring
AC-2: Account Management
CM-11: User-installed Software
AU-13: Monitoring for Information Disclosure
MA-4: Nonlocal Maintenance
SC-7: Boundary Protection
AC-4: Information Flow Enforcement
AC-10: Concurrent Session Control
SA-9: External System Services
PS-7: External Personnel Security
SA-4: Acquisition Process
SI-4: System Monitoring
IR-5: Incident Monitoring
PE-6: Monitoring Physical Access
IR-4: Incident Handling
AU-6: Audit Record Review, Analysis, and Reporting
SC-15: Collaborative Computing Devices and Applications
AC-1: Policy and Procedures
AC-20: Use of External Systems
AC-17: Remote Access
AC-19: Access Control for Mobile Devices
CM-7: Least Functionality
AC-3: Access Enforcement
IA-5: Authenticator Management
IA-2: Identification and Authentication (organizational Users)
IA-4: Identifier Management
PE-2: Physical Access Authorizations
PS-3: Personnel Screening
AC-24: Access Control Decisions
AC-16: Security and Privacy Attributes
IA-1: Policy and Procedures
IA-8: Identification and Authentication (non-organizational Users)
IA-7: Cryptographic Module Authentication
IA-11: Re-authentication
IA-6: Authentication Feedback
IA-9: Service Identification and Authentication
IA-3: Device Identification and Authentication
IA-10: Adaptive Authentication
AC-14: Permitted Actions Without Identification or Authentication
AC-9: Previous Logon Notification
AC-12: Session Termination
AC-8: System Use Notification
AC-7: Unsuccessful Logon Attempts
AC-11: Device Lock
PE-19: Information Leakage
SC-31: Covert Channel Analysis
AC-5: Separation of Duties
AC-6: Least Privilege
PS-6: Access Agreements
SC-13: Cryptographic Protection
SC-8: Transmission Confidentiality and Integrity
CM-3: Configuration Change Control
PE-3: Physical Access Control
PE-20: Asset Monitoring and Tracking
CM-8: System Component Inventory

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

ATT&CK ID	Title	Associated Tactics
T1098.002	Additional Email Delegate Permissions	Persistence, Privilege Escalation
T1110.002	Password Cracking	Credential Access
T1078	Valid Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1078.004	Cloud Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1098.003	Additional Cloud Roles	Persistence, Privilege Escalation
T1110	Brute Force	Credential Access
T1539	Steal Web Session Cookie	Credential Access
T1601.002	Downgrade System Image	Defense Evasion
T1133	External Remote Services	Initial Access, Persistence
T1021.001	Remote Desktop Protocol	Lateral Movement
T1098.001	Additional Cloud Credentials	Persistence, Privilege Escalation
T1556.006	Multi-Factor Authentication	Credential Access, Defense Evasion, Persistence
T1530	Data from Cloud Storage	Collection
T1556.001	Domain Controller Authentication	Credential Access, Defense Evasion, Persistence
T1601	Modify System Image	Defense Evasion
T1021.004	SSH	Lateral Movement
T1078.002	Domain Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1599.001	Network Address Translation Traversal	Defense Evasion
T1021	Remote Services	Lateral Movement
T1114	Email Collection	Collection
T1556	Modify Authentication Process	Credential Access, Defense Evasion, Persistence
T1110.001	Password Guessing	Credential Access
T1098.006	Additional Container Cluster Roles	Persistence, Privilege Escalation
T1599	Network Boundary Bridging	Defense Evasion
T1072	Software Deployment Tools	Execution, Lateral Movement
T1136.001	Local Account	Persistence
T1136.003	Cloud Account	Persistence
T1098.005	Device Registration	Persistence, Privilege Escalation
T1098	Account Manipulation	Persistence, Privilege Escalation
T1040	Network Sniffing	Credential Access, Discovery
T1621	Multi-Factor Authentication Request Generation	Credential Access
T1136	Create Account	Persistence
T1136.002	Domain Account	Persistence
T1110.003	Password Spraying	Credential Access
T1556.003	Pluggable Authentication Modules	Credential Access, Defense Evasion, Persistence
T1199	Trusted Relationship	Initial Access
T1021.007	Cloud Services	Lateral Movement
T1556.004	Network Device Authentication	Credential Access, Defense Evasion, Persistence
T1556.007	Hybrid Identity	Credential Access, Defense Evasion, Persistence
T1601.001	Patch System Image	Defense Evasion
T1110.004	Credential Stuffing	Credential Access
T1213.003	Code Repositories	Collection
T1114.002	Remote Email Collection	Collection
T1548.002	Bypass User Account Control	Defense Evasion, Privilege Escalation
T1525	Implant Internal Image	Persistence
T1574.009	Path Interception by Unquoted Path	Defense Evasion, Persistence, Privilege Escalation
T1574.010	Services File Permissions Weakness	Defense Evasion, Persistence, Privilege Escalation
T1574.007	Path Interception by PATH Environment Variable	Defense Evasion, Persistence, Privilege Escalation
T1027	Obfuscated Files or Information	Defense Evasion
T1574.008	Path Interception by Search Order Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1574.005	Executable Installer File Permissions Weakness	Defense Evasion, Persistence, Privilege Escalation
T1204.003	Malicious Image	Execution
T1562.007	Disable or Modify Cloud Firewall	Defense Evasion
T1552.004	Private Keys	Credential Access
T1505.004	IIS Components	Persistence
T1560	Archive Collected Data	Collection
T1563.002	RDP Hijacking	Lateral Movement
T1593.003	Code Repositories	Reconnaissance
T1552.001	Credentials In Files	Credential Access
T1606.001	Web Cookies	Credential Access
T1564.008	Email Hiding Rules	Defense Evasion
T1578.005	Modify Cloud Compute Configurations	Defense Evasion
T1552	Unsecured Credentials	Credential Access
T1053.002	At	Execution, Persistence, Privilege Escalation
T1087.004	Cloud Account	Discovery
T1176	Browser Extensions	Persistence
T1053	Scheduled Task/Job	Execution, Persistence, Privilege Escalation
T1562.012	Disable or Modify Linux Audit System	Defense Evasion
T1562.002	Disable Windows Event Logging	Defense Evasion
T1505.005	Terminal Services DLL	Persistence
T1059.006	Python	Execution
T1653	Power Settings	Persistence
T1505	Server Software Component	Persistence
T1610	Deploy Container	Defense Evasion, Execution
T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation
T1542.005	TFTP Boot	Defense Evasion, Persistence
T1114.003	Email Forwarding Rule	Collection
T1546.006	LC_LOAD_DYLIB Addition	Persistence, Privilege Escalation
T1612	Build Image on Host	Defense Evasion
T1213	Data from Information Repositories	Collection
T1053.003	Cron	Execution, Persistence, Privilege Escalation
T1213.002	Sharepoint	Collection
T1566.002	Spearphishing Link	Initial Access
T1578	Modify Cloud Compute Infrastructure	Defense Evasion
T1528	Steal Application Access Token	Credential Access
T1543.004	Launch Daemon	Persistence, Privilege Escalation
T1027.011	Fileless Storage	Defense Evasion
T1543.003	Windows Service	Persistence, Privilege Escalation
T1550.001	Application Access Token	Defense Evasion, Lateral Movement
T1070.008	Clear Mailbox Data	Defense Evasion
T1593	Search Open Websites/Domains	Reconnaissance
T1606.002	SAML Tokens	Credential Access
T1574	Hijack Execution Flow	Defense Evasion, Persistence, Privilege Escalation
T1606	Forge Web Credentials	Credential Access
T1560.001	Archive via Utility	Collection
T1505.002	Transport Agent	Persistence
T1562.004	Disable or Modify System Firewall	Defense Evasion
T1552.008	Chat Messages	Credential Access
T1562	Impair Defenses	Defense Evasion
T1484	Domain Policy Modification	Defense Evasion, Privilege Escalation
T1578.003	Delete Cloud Instance	Defense Evasion
T1505.001	SQL Stored Procedures	Persistence
T1574.002	DLL Side-Loading	Defense Evasion, Persistence, Privilege Escalation
T1552.006	Group Policy Preferences	Credential Access
T1578.002	Create Cloud Instance	Defense Evasion
T1574.001	DLL Search Order Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1482	Domain Trust Discovery	Discovery
T1548	Abuse Elevation Control Mechanism	Defense Evasion, Privilege Escalation
T1649	Steal or Forge Authentication Certificates	Credential Access
T1558.004	AS-REP Roasting	Credential Access
T1542.004	ROMMONkit	Defense Evasion, Persistence
T1213.001	Confluence	Collection
T1552.002	Credentials in Registry	Credential Access
T1484.001	Group Policy Modification	Defense Evasion, Privilege Escalation
T1021.005	VNC	Lateral Movement
T1556.008	Network Provider DLL	Credential Access, Defense Evasion, Persistence
T1578.001	Create Snapshot	Defense Evasion
T1543	Create or Modify System Process	Persistence, Privilege Escalation
T1552.007	Container API	Credential Access
T1543.002	Systemd Service	Persistence, Privilege Escalation
T1654	Log Enumeration	Discovery
T1489	Service Stop	Impact
T1609	Container Administration Command	Execution
T1490	Inhibit System Recovery	Impact
T1021.008	Direct Cloud VM Connections	Lateral Movement
T1053.007	Container Orchestration Job	Execution, Persistence, Privilege Escalation
T1550	Use Alternate Authentication Material	Defense Evasion, Lateral Movement
T1537	Transfer Data to Cloud Account	Exfiltration
T1562.001	Disable or Modify Tools	Defense Evasion
T1548.005	Temporary Elevated Cloud Access	Defense Evasion, Privilege Escalation
T1047	Windows Management Instrumentation	Execution
T1547.004	Winlogon Helper DLL	Persistence, Privilege Escalation
T1569.001	Launchctl	Execution
T1547.013	XDG Autostart Entries	Persistence, Privilege Escalation
T1574.012	COR_PROFILER	Defense Evasion, Persistence, Privilege Escalation
T1048	Exfiltration Over Alternative Protocol	Exfiltration
T1505.003	Web Shell	Persistence
T1020.001	Traffic Duplication	Exfiltration
T1648	Serverless Execution	Execution
T1134.001	Token Impersonation/Theft	Defense Evasion, Privilege Escalation
T1134.003	Make and Impersonate Token	Defense Evasion, Privilege Escalation
T1197	BITS Jobs	Defense Evasion, Persistence
T1053.006	Systemd Timers	Execution, Persistence, Privilege Escalation
T1580	Cloud Infrastructure Discovery	Discovery
T1562.008	Disable or Modify Cloud Logs	Defense Evasion
T1538	Cloud Service Dashboard	Discovery
T1059.008	Network Device CLI	Execution
T1550.003	Pass the Ticket	Defense Evasion, Lateral Movement
T1569	System Services	Execution
T1562.006	Indicator Blocking	Defense Evasion
T1134	Access Token Manipulation	Defense Evasion, Privilege Escalation
T1547.009	Shortcut Modification	Persistence, Privilege Escalation
T1185	Browser Session Hijacking	Collection
T1619	Cloud Storage Object Discovery	Discovery
T1547.006	Kernel Modules and Extensions	Persistence, Privilege Escalation
T1543.001	Launch Agent	Persistence, Privilege Escalation
T1547.012	Print Processors	Persistence, Privilege Escalation
T1657	Financial Theft	Impact
T1134.002	Create Process with Token	Defense Evasion, Privilege Escalation
T1563	Remote Service Session Hijacking	Lateral Movement
T1546.003	Windows Management Instrumentation Event Subscription	Persistence, Privilege Escalation
T1550.002	Pass the Hash	Defense Evasion, Lateral Movement
T1098.004	SSH Authorized Keys	Persistence, Privilege Escalation
T1613	Container and Resource Discovery	Discovery
T1006	Direct Volume Access	Defense Evasion
T1036.005	Match Legitimate Name or Location	Defense Evasion
T1037.005	Startup Items	Persistence, Privilege Escalation
T1546.013	PowerShell Profile	Persistence, Privilege Escalation
T1563.001	SSH Hijacking	Lateral Movement
T1036	Masquerading	Defense Evasion
T1222.001	Windows File and Directory Permissions Modification	Defense Evasion
T1548.003	Sudo and Sudo Caching	Defense Evasion, Privilege Escalation
T1037.004	RC Scripts	Persistence, Privilege Escalation
T1037	Boot or Logon Initialization Scripts	Persistence, Privilege Escalation
T1546.004	Unix Shell Configuration Modification	Persistence, Privilege Escalation
T1055.009	Proc Memory	Defense Evasion, Privilege Escalation
T1569.002	Service Execution	Execution
T1037.003	Network Logon Script	Persistence, Privilege Escalation
T1070.003	Clear Command History	Defense Evasion
T1565	Data Manipulation	Impact
T1218.002	Control Panel	Defense Evasion
T1070.002	Clear Linux or Mac System Logs	Defense Evasion
T1574.004	Dylib Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1565.003	Runtime Data Manipulation	Impact
T1222.002	Linux and Mac File and Directory Permissions Modification	Defense Evasion
T1037.002	Login Hook	Persistence, Privilege Escalation
T1070.009	Clear Persistence	Defense Evasion
T1565.001	Stored Data Manipulation	Impact
T1070.001	Clear Windows Event Logs	Defense Evasion
T1547.003	Time Providers	Persistence, Privilege Escalation
T1564.004	NTFS File Attributes	Defense Evasion
T1222	File and Directory Permissions Modification	Defense Evasion
T1553.003	SIP and Trust Provider Hijacking	Defense Evasion
T1070	Indicator Removal	Defense Evasion
T1036.003	Rename System Utilities	Defense Evasion
T1080	Taint Shared Content	Lateral Movement
T1059.009	Cloud API	Execution
T1059.001	PowerShell	Execution
T1556.005	Reversible Encryption	Credential Access, Defense Evasion, Persistence
T1611	Escape to Host	Privilege Escalation
T1558	Steal or Forge Kerberos Tickets	Credential Access
T1555.006	Cloud Secrets Management Stores	Credential Access
T1056.003	Web Portal Capture	Collection, Credential Access
T1651	Cloud Administration Command	Execution
T1542.001	System Firmware	Defense Evasion, Persistence
T1021.002	SMB/Windows Admin Shares	Lateral Movement
T1558.003	Kerberoasting	Credential Access
T1003.003	NTDS	Credential Access
T1218	System Binary Proxy Execution	Defense Evasion
T1484.002	Domain Trust Modification	Defense Evasion, Privilege Escalation
T1078.003	Local Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1558.002	Silver Ticket	Credential Access
T1555	Credentials from Password Stores	Credential Access
T1558.001	Golden Ticket	Credential Access
T1003.006	DCSync	Credential Access
T1559.001	Component Object Model	Execution
T1542.003	Bootkit	Defense Evasion, Persistence
T1003.001	LSASS Memory	Credential Access
T1542	Pre-OS Boot	Defense Evasion, Persistence
T1559	Inter-Process Communication	Execution
T1190	Exploit Public-Facing Application	Initial Access
T1218.007	Msiexec	Defense Evasion
T1021.006	Windows Remote Management	Lateral Movement
T1562.009	Safe Mode Boot	Defense Evasion
T1210	Exploitation of Remote Services	Lateral Movement
T1003.007	Proc Filesystem	Credential Access
T1003.008	/etc/passwd and /etc/shadow	Credential Access
T1003.005	Cached Domain Credentials	Credential Access
T1495	Firmware Corruption	Impact
T1055	Process Injection	Defense Evasion, Privilege Escalation
T1021.003	Distributed Component Object Model	Lateral Movement
T1553.006	Code Signing Policy Modification	Defense Evasion
T1003.002	Security Account Manager	Credential Access
T1003.004	LSA Secrets	Credential Access
T1003	OS Credential Dumping	Credential Access
T1055.008	Ptrace System Calls	Defense Evasion, Privilege Escalation
T1059	Command and Scripting Interpreter	Execution
T1546.011	Application Shimming	Persistence, Privilege Escalation
T1037.001	Logon Script (Windows)	Persistence, Privilege Escalation
T1574.011	Services Registry Permissions Weakness	Defense Evasion, Persistence, Privilege Escalation
T1553	Subvert Trust Controls	Defense Evasion
T1112	Modify Registry	Defense Evasion
T1070.007	Clear Network Connection History and Configurations	Defense Evasion

CAF Outcome B2.c: Privileged User Management

Cyber Threat Graph Context

NCSC CAF Mapped to NIST CSF

ATT&CK Mitigations

Multi-factor Authentication

Audit

User Account Management

Restrict File and Directory Permissions

Privileged Account Management

User Account Control

Restrict Registry Permissions

Related ISA/IEC 62443 Controls

Remote session termination (SR 2.6)

Authenticator management (SR 1.5)

General purpose person-to-person communication restrictions (SR 5.3)

Human User Identification and Authentication (SR 1.1)

Software process and device identification and authentication (SR 1.2)

Identifier management (SR 1.4)

Audit account administration (4.3.3.5.8)

Record access accounts (4.3.3.5.4)

Suspend or remove unneeded accounts (4.3.3.5.5)

Employ multiple authorization methods for critical IACS (4.3.3.7.4)

Identify individuals (4.3.3.5.2)

Provide entry controls (4.3.3.3.3)

Review account permissions (4.3.3.5.6)

Establish appropriate logical and physical permission methods to access IACS devices (4.3.3.7.2)

Establish physical security perimeters (4.3.3.3.2)

Related ISO 27001 Controls

Physical security perimeter (11.1.1)

Management of privileged access rights (9.2.3)

Physical entry controls (11.1.2)

Secure log-on procedures (9.4.2)

Access to networks and network services (9.1.2)

Administrator and operator logs (12.4.3)

Review of user access rights (9.2.5)

Related SP800-53 Controls

MITRE ATT&CK Techniques