CAF Outcome C1.a: Monitoring Coverage
From the UK NCSC's Cyber Assessment Framework (version 3.1):
The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function.
NCSC CAF Mapped to NIST CSF
Mappings from C1.a: Monitoring Coverage to NIST CSF subcategories, generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
DE.CM-4 | Malicious code is detected |
DE.CM-1 | The network is monitored to detect potential cybersecurity events |
DE.CM-5 | Unauthorized mobile code is detected |
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy |
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors |
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events |
RS.MI-1 | Incidents are contained |
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity |
DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Exploit Protection
Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
SSL/TLS Inspection
Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.
Network Intrusion Prevention
Use intrusion detection signatures to block traffic at network boundaries.
Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Continuous monitoring (SR 6.2), ISA/IEC 62443-3-3:2013
- Auditable events (SR 2.8), ISA/IEC 62443-3-3:2013
- Establish procedures for monitoring and alarming (4.3.3.3.8), ISA/IEC 62443-2-1:2009
- Log and review all access attempts to critical systems (4.3.3.6.4), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Controls against malware (12.2.1), ISO 27001:2013
- Network controls (13.1.1), ISO 27001:2013
- Administrator and operator logs (12.4.3), ISO 27001:2013
- Event logging (12.4.1), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1212 | Exploitation for Credential Access | Credential Access |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1203 | Exploitation for Client Execution | Execution |
T1080 | Taint Shared Content | Lateral Movement |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1218.011 | Rundll32 | Defense Evasion |
T1189 | Drive-by Compromise | Initial Access |
T1190 | Exploit Public-Facing Application | Initial Access |
T1218.010 | Regsvr32 | Defense Evasion |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1573 | Encrypted Channel | Command and Control |
T1090.004 | Domain Fronting | Command and Control |
T1090 | Proxy | Command and Control |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1095 | Non-Application Layer Protocol | Command and Control |
T1572 | Protocol Tunneling | Command and Control |
T1001.001 | Junk Data | Command and Control |
T1602 | Data from Configuration Repository | Collection |
T1008 | Fallback Channels | Command and Control |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1105 | Ingress Tool Transfer | Command and Control |
T1046 | Network Service Discovery | Discovery |
T1602.001 | SNMP (MIB Dump) | Collection |
T1001 | Data Obfuscation | Command and Control |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1102 | Web Service | Command and Control |
T1071.001 | Web Protocols | Command and Control |
T1102.001 | Dead Drop Resolver | Command and Control |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1104 | Multi-Stage Channels | Command and Control |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1029 | Scheduled Transfer | Exfiltration |
T1132 | Data Encoding | Command and Control |
T1602.002 | Network Device Configuration Dump | Collection |
T1071.002 | File Transfer Protocols | Command and Control |
T1204.003 | Malicious Image | Execution |
T1132.002 | Non-Standard Encoding | Command and Control |
T1030 | Data Transfer Size Limits | Exfiltration |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
T1204.001 | Malicious Link | Execution |
T1102.003 | One-Way Communication | Command and Control |
T1090.001 | Internal Proxy | Command and Control |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1573.001 | Symmetric Cryptography | Command and Control |
T1090.002 | External Proxy | Command and Control |
T1571 | Non-Standard Port | Command and Control |
T1568.002 | Domain Generation Algorithms | Command and Control |