CAF Outcome C1.d: Identifying Security Incidents
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.
NCSC CAF Mapped to NIST CSF
Mappings from C1.d: Identifying Security Incidents to the NIST Cybersecurity Framework (CSF), generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
PR.IP-8 | Effectiveness of protection technologies is shared |
RS.MI-1 | Incidents are contained |
RS.AN-5 | Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) |
DE.DP-5 | Detection processes are continuously improved |
ID.RA-2 | Cyber threat intelligence is received from information sharing forums and sources |
DE.DP-4 | Event detection information is communicated |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
- Antivirus/Antimalware: Use signatures or heuristics to detect malicious software.
- Threat Intelligence Program: A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.
- Network Intrusion Prevention: Use intrusion detection signatures to block traffic at network boundaries.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Establish and document antivirus/malware management procedure (4.3.4.3.8), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Contact with special interest groups (6.1.4), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1059.006 | Python | Execution |
T1221 | Template Injection | Defense Evasion |
T1059.005 | Visual Basic | Execution |
T1027.010 | Command Obfuscation | Defense Evasion |
T1027.009 | Embedded Payloads | Defense Evasion |
T1059 | Command and Scripting Interpreter | Execution |
T1566 | Phishing | Initial Access |
T1027.002 | Software Packing | Defense Evasion |
T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
T1566.003 | Spearphishing via Service | Initial Access |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1036.008 | Masquerade File Type | Defense Evasion |
T1059.001 | PowerShell | Execution |
T1566.001 | Spearphishing Attachment | Initial Access |
T1036 | Masquerading | Defense Evasion |
T1027.012 | LNK Icon Smuggling | Defense Evasion |
T1080 | Taint Shared Content | Lateral Movement |
T1656 | Impersonation | Defense Evasion |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1212 | Exploitation for Credential Access | Credential Access |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1095 | Non-Application Layer Protocol | Command and Control |
T1572 | Protocol Tunneling | Command and Control |
T1001.001 | Junk Data | Command and Control |
T1602 | Data from Configuration Repository | Collection |
T1008 | Fallback Channels | Command and Control |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1105 | Ingress Tool Transfer | Command and Control |
T1046 | Network Service Discovery | Discovery |
T1602.001 | SNMP (MIB Dump) | Collection |
T1001 | Data Obfuscation | Command and Control |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1102 | Web Service | Command and Control |
T1071.001 | Web Protocols | Command and Control |
T1102.001 | Dead Drop Resolver | Command and Control |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1104 | Multi-Stage Channels | Command and Control |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1029 | Scheduled Transfer | Exfiltration |
T1132 | Data Encoding | Command and Control |
T1602.002 | Network Device Configuration Dump | Collection |
T1071.002 | File Transfer Protocols | Command and Control |
T1204.003 | Malicious Image | Execution |
T1132.002 | Non-Standard Encoding | Command and Control |
T1030 | Data Transfer Size Limits | Exfiltration |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
T1204.001 | Malicious Link | Execution |
T1102.003 | One-Way Communication | Command and Control |
T1090.001 | Internal Proxy | Command and Control |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1573.001 | Symmetric Cryptography | Command and Control |
T1090.002 | External Proxy | Command and Control |
T1571 | Non-Standard Port | Command and Control |
T1568.002 | Domain Generation Algorithms | Command and Control |
T1573 | Encrypted Channel | Command and Control |
T1001.003 | Protocol Impersonation | Command and Control |
T1071.003 | Mail Protocols | Command and Control |
T1568 | Dynamic Resolution | Command and Control |
T1001.002 | Steganography | Command and Control |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1090 | Proxy | Command and Control |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
T1071.004 | DNS | Command and Control |
T1204 | User Execution | Execution |
T1219 | Remote Access Software | Command and Control |
T1132.001 | Standard Encoding | Command and Control |
T1071 | Application Layer Protocol | Command and Control |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
T1102.002 | Bidirectional Communication | Command and Control |
T1557.003 | DHCP Spoofing | Collection, Credential Access |