CAF Outcome B2.c: Privileged User Management
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You closely manage privileged user access to networks and information systems supporting the essential function.
NCSC CAF Mapped to NIST CSF
Mappings from B2.c: Privileged User Management to NIST CSF subcategories, generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events |
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access |
PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation) |
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
RS.AN-1 | Notifications from detection systems are investigated |
PR.AC-3 | Remote access is managed |
PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities |
PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions |
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy |
PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
PR.DS-5 | Protections against data leaks are implemented |
PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
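The monitoring rows above (DE.CM-3, PR.PT-1, PR.AC-4) require that privileged activity is logged and reviewed against an approved model of who may hold and grant privilege. The following Python is an added example, not taken from the NCSC, Cabinet Office or Ofgem material, of such a review run over constructed Windows Security log records. The event IDs 4672 (special privileges assigned to new logon), 4720 (user account created) and 4728/4732/4756 (member added to a global/local/universal security group) are the real Windows Security log IDs; the privileged-account inventory, the approved provisioning identity, the simplified key="value" record format and the log lines themselves are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Windows Security log event IDs (real IDs; everything else in this block is constructed).
GROUP_ADD_EVENTS = {"4728", "4732", "4756"}  # member added to global / local / universal security group
ACCOUNT_CREATED = "4720"                      # user account created
SPECIAL_PRIVILEGES = "4672"                   # special privileges assigned to new logon

# Groups whose membership is treated as privileged.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Hypothetical privileged-account inventory and approved provisioning identities.
PRIVILEGED_INVENTORY = {r"CORP\ops-admin", r"CORP\jsmith-adm"}
APPROVED_CHANGERS = {r"CORP\iam-provisioner"}
# Built-in principals that legitimately trigger 4672 on every logon; excluded so the
# review is not drowned in noise.
IGNORED_SUBJECTS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE",
                    r"NT AUTHORITY\NETWORK SERVICE"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def parse_line(line: str):
    """Parse one simplified 'ts EventID=n key="value" ...' record; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    rec["ts"], rec["eid"] = m.group("ts"), m.group("eid")
    return rec


def review(lines, inventory=PRIVILEGED_INVENTORY, approved=APPROVED_CHANGERS):
    """Return findings for privileged activity that falls outside the approved model."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        eid, subject = rec["eid"], rec.get("Subject", "")
        if subject in IGNORED_SUBJECTS:
            continue
        if eid in GROUP_ADD_EVENTS and rec.get("Group") in PRIVILEGED_GROUPS:
            target = rec.get("Target", "")
            if subject not in approved:
                # Privileged group changed by something other than the provisioning identity.
                findings.append(Finding(rec["ts"], "unapproved-privileged-group-change",
                                        f"{subject} added {target} to {rec['Group']}"))
            elif target not in inventory:
                # Approved changer, but the new member is not a known privileged account.
                findings.append(Finding(rec["ts"], "privileged-member-not-in-inventory",
                                        f"{target} added to {rec['Group']} but not in inventory"))
        elif eid == SPECIAL_PRIVILEGES and subject not in inventory:
            # Someone logged on holding admin-equivalent privileges who is not inventoried.
            findings.append(Finding(rec["ts"], "privileged-logon-outside-inventory",
                                    f"{subject} logged on with special privileges"))
        elif eid == ACCOUNT_CREATED and subject not in approved:
            findings.append(Finding(rec["ts"], "account-created-by-unapproved-subject",
                                    f"{subject} created {rec.get('Target', '')}"))
    return findings


# Constructed sample records in the simplified form parse_line expects.
SAMPLE_LOG = r"""
2024-03-04T01:58:11Z EventID=4672 Subject="CORP\ops-admin"
2024-03-04T02:13:07Z EventID=4732 Subject="CORP\iam-provisioner" Target="CORP\jsmith-adm" Group="Administrators"
2024-03-04T02:40:52Z EventID=4728 Subject="CORP\jsmith" Target="CORP\svc-backup" Group="Domain Admins"
2024-03-04T03:02:19Z EventID=4672 Subject="CORP\svc-backup"
2024-03-04T03:05:44Z EventID=4720 Subject="CORP\jsmith" Target="CORP\helpdesk2"
2024-03-04T03:10:00Z EventID=4672 Subject="NT AUTHORITY\SYSTEM"
2024-03-04T03:12:30Z EventID=4732 Subject="CORP\iam-provisioner" Target="CORP\contractor9" Group="Administrators"
"""

if __name__ == "__main__":
    for f in review(SAMPLE_LOG.splitlines()):
        print(f.ts, f.rule, f.detail)
```

On the sample above the review yields four findings: the Domain Admins change made by a non-provisioning account, the privileged logon by the account that change introduced, the account creation by the same non-provisioning account, and an Administrators addition that was made through the approved identity but for a member missing from the inventory. Against real logs the record fields would come from the event XML (SubjectUserName, SubjectDomainName, MemberName, TargetUserName) rather than this key="value" form, and 4672 fires on every privileged logon, so the ignore list and inventory have to be kept accurate for the rule to stay useful.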
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Multi-factor Authentication
Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
User Account Management
Manage the creation, modification, use, and permissions associated to user accounts.
Restrict File and Directory Permissions
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Privileged Account Management
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
User Account Control
Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.
Restrict Registry Permissions
Restrict the ability to modify certain hives or keys in the Windows Registry.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Remote session termination (SR 2.6), ISA/IEC 62443-3-3:2013
- Authenticator management (SR 1.5), ISA/IEC 62443-3-3:2013
- General purpose person-to-person communication restrictions (SR 5.3), ISA/IEC 62443-3-3:2013
- Human user identification and authentication (SR 1.1), ISA/IEC 62443-3-3:2013
- Software process and device identification and authentication (SR 1.2), ISA/IEC 62443-3-3:2013
- Identifier management (SR 1.4), ISA/IEC 62443-3-3:2013
- Audit account administration (4.3.3.5.8), ISA/IEC 62443-2-1:2009
- Record access accounts (4.3.3.5.4), ISA/IEC 62443-2-1:2009
- Suspend or remove unneeded accounts (4.3.3.5.5), ISA/IEC 62443-2-1:2009
- Employ multiple authorization methods for critical IACS (4.3.3.7.4), ISA/IEC 62443-2-1:2009
- Identify individuals (4.3.3.5.2), ISA/IEC 62443-2-1:2009
- Provide entry controls (4.3.3.3.3), ISA/IEC 62443-2-1:2009
- Review account permissions (4.3.3.5.6), ISA/IEC 62443-2-1:2009
- Establish appropriate logical and physical permission methods to access IACS devices (4.3.3.7.2), ISA/IEC 62443-2-1:2009
- Establish physical security perimeters (4.3.3.3.2), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Physical security perimeter (11.1.1), ISO 27001:2013
- Management of privileged access rights (9.2.3), ISO 27001:2013
- Physical entry controls (11.1.2), ISO 27001:2013
- Secure log-on procedures (9.4.2), ISO 27001:2013
- Access to networks and network services (9.1.2), ISO 27001:2013
- Administrator and operator logs (12.4.3), ISO 27001:2013
- Review of user access rights (9.2.5), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
T1110.002 | Password Cracking | Credential Access |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
T1110 | Brute Force | Credential Access |
T1539 | Steal Web Session Cookie | Credential Access |
T1601.002 | Downgrade System Image | Defense Evasion |
T1133 | External Remote Services | Initial Access, Persistence |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
T1530 | Data from Cloud Storage | Collection |
T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
T1601 | Modify System Image | Defense Evasion |
T1021.004 | SSH | Lateral Movement |
T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1599.001 | Network Address Translation Traversal | Defense Evasion |
T1021 | Remote Services | Lateral Movement |
T1114 | Email Collection | Collection |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1110.001 | Password Guessing | Credential Access |
T1098.006 | Additional Container Cluster Roles | Persistence, Privilege Escalation |
T1599 | Network Boundary Bridging | Defense Evasion |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1136.001 | Local Account | Persistence |
T1136.003 | Cloud Account | Persistence |
T1098.005 | Device Registration | Persistence, Privilege Escalation |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1040 | Network Sniffing | Credential Access, Discovery |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1136 | Create Account | Persistence |
T1136.002 | Domain Account | Persistence |
T1110.003 | Password Spraying | Credential Access |
T1556.003 | Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
T1199 | Trusted Relationship | Initial Access |
T1021.007 | Cloud Services | Lateral Movement |
T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
T1556.007 | Hybrid Identity | Credential Access, Defense Evasion, Persistence |
T1601.001 | Patch System Image | Defense Evasion |
T1110.004 | Credential Stuffing | Credential Access |
T1213.003 | Code Repositories | Collection |
T1114.002 | Remote Email Collection | Collection |
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
T1525 | Implant Internal Image | Persistence |
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |