CAF Outcome B5.b: Design for Resilience
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You design the network and information systems supporting your essential function to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.
NCSC CAF Mapped to NIST CSF
Mappings from B5.b: Design for Resilience to NIST CSF subcategories, generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations |
PR.DS-4 | Adequate capacity to ensure availability is maintained |
PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met |
PR.DS-5 | Protections against data leaks are implemented |
PR.DS-7 | The development and testing environment(s) are separate from the production environment |
PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation) |
ID.BE-4 | Dependencies and critical functions for delivery of critical services are established |
PR.DS-2 | Data-in-transit is protected |
RS.MI-1 | Incidents are contained |
PR.AC-2 | Physical access to assets is managed and protected |
RS.MI-2 | Incidents are mitigated |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...
Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Specify recovery objectives (4.3.2.5.1), ISA/IEC 62443-2-1:2009
- Protect connections (4.3.3.3.6), ISA/IEC 62443-2-1:2009
- Develop the network segmentation architecture (4.3.3.4.1), ISA/IEC 62443-2-1:2009
- Block non-essential communications with barrier devices (4.3.3.4.3), ISA/IEC 62443-2-1:2009
- Employ isolation or segmentation on high-risk IACS (4.3.3.4.2), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Segregation in networks (13.1.3), ISO 27001:2013
- Availability of information processing facilities (17.2.1), ISO 27001:2013
- Capacity management (12.1.3), ISO 27001:2013
- Supporting utilities (11.2.2), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1133 | External Remote Services | Initial Access, Persistence |
T1563.002 | RDP Hijacking | Lateral Movement |
T1190 | Exploit Public-Facing Application | Initial Access |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1565 | Data Manipulation | Impact |
T1552.007 | Container API | Credential Access |
T1613 | Container and Resource Discovery | Discovery |
T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
T1040 | Network Sniffing | Credential Access, Discovery |
T1571 | Non-Standard Port | Command and Control |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1199 | Trusted Relationship | Initial Access |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1136.003 | Cloud Account | Persistence |
T1602 | Data from Configuration Repository | Collection |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1021.003 | Distributed Component Object Model | Lateral Movement |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1136 | Create Account | Persistence |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
T1602.001 | SNMP (MIB Dump) | Collection |
T1482 | Domain Trust Discovery | Discovery |
T1565.003 | Runtime Data Manipulation | Impact |
T1612 | Build Image on Host | Defense Evasion |
T1046 | Network Service Discovery | Discovery |
T1021.006 | Windows Remote Management | Lateral Movement |
T1095 | Non-Application Layer Protocol | Command and Control |
T1489 | Service Stop | Impact |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1610 | Deploy Container | Defense Evasion, Execution |
T1602.002 | Network Device Configuration Dump | Collection |
T1136.002 | Domain Account | Persistence |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
T1499.003 | Application Exhaustion Flood | Impact |
T1090.003 | Multi-hop Proxy | Command and Control |
T1599.001 | Network Address Translation Traversal | Defense Evasion |
T1219 | Remote Access Software | Command and Control |
T1205.002 | Socket Filters | Command and Control, Defense Evasion, Persistence |
T1021.005 | VNC | Lateral Movement |
T1498.001 | Direct Network Flood | Impact |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1498 | Network Denial of Service | Impact |
T1499.002 | Service Exhaustion Flood | Impact |
T1599 | Network Boundary Bridging | Defense Evasion |
T1071.004 | DNS | Command and Control |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1498.002 | Reflection Amplification | Impact |
T1552 | Unsecured Credentials | Credential Access |
T1218.012 | Verclsid | Defense Evasion |
T1187 | Forced Authentication | Credential Access |
T1499.004 | Application or System Exploitation | Impact |
T1499 | Endpoint Denial of Service | Impact |
T1499.001 | OS Exhaustion Flood | Impact |
T1557.003 | DHCP Spoofing | Collection, Credential Access |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1572 | Protocol Tunneling | Command and Control |
T1552.005 | Cloud Instance Metadata API | Credential Access |
T1090 | Proxy | Command and Control |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
T1530 | Data from Cloud Storage | Collection |