CAF Outcome C1.a: Monitoring Coverage
From the UK NCSC's Cyber Assessment Framework (version 3.1):
The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function.
NCSC CAF Mapped to NIST CSF
Mappings from C1.a: Monitoring Coverage to NIST CSF subcategories, generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
DE.CM-4 | Malicious code is detected |
DE.CM-1 | The network is monitored to detect potential cybersecurity events |
DE.CM-5 | Unauthorized mobile code is detected |
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy |
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors |
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events |
RS.MI-1 | Incidents are contained |
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity |
DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
- Exploit Protection: Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
- SSL/TLS Inspection: Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.
- Network Intrusion Prevention: Use intrusion detection signatures to block traffic at network boundaries.
- Antivirus/Antimalware: Use signatures or heuristics to detect malicious software.
- Audit: Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Continuous monitoring (SR 6.2), ISA/IEC 62443-3-3:2013
- Auditable events (SR 2.8), ISA/IEC 62443-3-3:2013
- Establish procedures for monitoring and alarming (4.3.3.3.8), ISA/IEC 62443-2-1:2009
- Log and review all access attempts to critical systems (4.3.3.6.4), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Controls against malware (12.2.1), ISO 27001:2013
- Network controls (13.1.1), ISO 27001:2013
- Administrator and operator logs (12.4.3), ISO 27001:2013
- Event logging (12.4.1), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
The MITRE ATT&CK techniques this control helps protect against, derived from the ATT&CK mitigation mappings by Ofgem listed above.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1212 | Exploitation for Credential Access | Credential Access |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1203 | Exploitation for Client Execution | Execution |
T1080 | Taint Shared Content | Lateral Movement |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1218.011 | Rundll32 | Defense Evasion |
T1189 | Drive-by Compromise | Initial Access |
T1190 | Exploit Public-Facing Application | Initial Access |
T1218.010 | Regsvr32 | Defense Evasion |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1573 | Encrypted Channel | Command and Control |
T1090.004 | Domain Fronting | Command and Control |
T1090 | Proxy | Command and Control |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1095 | Non-Application Layer Protocol | Command and Control |
T1572 | Protocol Tunneling | Command and Control |
T1001.001 | Junk Data | Command and Control |
T1602 | Data from Configuration Repository | Collection |
T1008 | Fallback Channels | Command and Control |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1105 | Ingress Tool Transfer | Command and Control |
T1046 | Network Service Discovery | Discovery |
T1602.001 | SNMP (MIB Dump) | Collection |
T1001 | Data Obfuscation | Command and Control |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1102 | Web Service | Command and Control |
T1071.001 | Web Protocols | Command and Control |
T1102.001 | Dead Drop Resolver | Command and Control |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1104 | Multi-Stage Channels | Command and Control |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1029 | Scheduled Transfer | Exfiltration |
T1132 | Data Encoding | Command and Control |
T1602.002 | Network Device Configuration Dump | Collection |
T1071.002 | File Transfer Protocols | Command and Control |
T1204.003 | Malicious Image | Execution |
T1132.002 | Non-Standard Encoding | Command and Control |
T1030 | Data Transfer Size Limits | Exfiltration |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
T1204.001 | Malicious Link | Execution |
T1102.003 | One-Way Communication | Command and Control |
T1090.001 | Internal Proxy | Command and Control |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1573.001 | Symmetric Cryptography | Command and Control |
T1090.002 | External Proxy | Command and Control |
T1571 | Non-Standard Port | Command and Control |
T1568.002 | Domain Generation Algorithms | Command and Control |
T1221 | Template Injection | Defense Evasion |
T1566 | Phishing | Initial Access |
T1001.003 | Protocol Impersonation | Command and Control |
T1071.003 | Mail Protocols | Command and Control |
T1568 | Dynamic Resolution | Command and Control |
T1001.002 | Steganography | Command and Control |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
T1071.004 | DNS | Command and Control |
T1204 | User Execution | Execution |
T1219 | Remote Access Software | Command and Control |
T1566.001 | Spearphishing Attachment | Initial Access |
T1132.001 | Standard Encoding | Command and Control |
T1071 | Application Layer Protocol | Command and Control |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
T1102.002 | Bidirectional Communication | Command and Control |
T1557.003 | DHCP Spoofing | Collection, Credential Access |
T1059.006 | Python | Execution |
T1059.005 | Visual Basic | Execution |
T1027.010 | Command Obfuscation | Defense Evasion |
T1027.009 | Embedded Payloads | Defense Evasion |
T1059 | Command and Scripting Interpreter | Execution |
T1027.002 | Software Packing | Defense Evasion |
T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
T1566.003 | Spearphishing via Service | Initial Access |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1036.008 | Masquerade File Type | Defense Evasion |
T1059.001 | PowerShell | Execution |
T1036 | Masquerading | Defense Evasion |
T1027.012 | LNK Icon Smuggling | Defense Evasion |
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
T1525 | Implant Internal Image | Persistence |
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
T1552.004 | Private Keys | Credential Access |
T1505.004 | IIS Components | Persistence |
T1560 | Archive Collected Data | Collection |
T1563.002 | RDP Hijacking | Lateral Movement |
T1593.003 | Code Repositories | Reconnaissance |
T1552.001 | Credentials In Files | Credential Access |
T1606.001 | Web Cookies | Credential Access |
T1564.008 | Email Hiding Rules | Defense Evasion |
T1578.005 | Modify Cloud Compute Configurations | Defense Evasion |
T1552 | Unsecured Credentials | Credential Access |
T1053.002 | At | Execution, Persistence, Privilege Escalation |
T1087.004 | Cloud Account | Discovery |
T1176 | Browser Extensions | Persistence |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1562.012 | Disable or Modify Linux Audit System | Defense Evasion |
T1562.002 | Disable Windows Event Logging | Defense Evasion |
T1505.005 | Terminal Services DLL | Persistence |
T1653 | Power Settings | Persistence |
T1505 | Server Software Component | Persistence |
T1610 | Deploy Container | Defense Evasion, Execution |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1114.003 | Email Forwarding Rule | Collection |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1612 | Build Image on Host | Defense Evasion |
T1213 | Data from Information Repositories | Collection |
T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
T1114 | Email Collection | Collection |
T1213.002 | Sharepoint | Collection |
T1566.002 | Spearphishing Link | Initial Access |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1528 | Steal Application Access Token | Credential Access |
T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
T1027.011 | Fileless Storage | Defense Evasion |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
T1070.008 | Clear Mailbox Data | Defense Evasion |
T1593 | Search Open Websites/Domains | Reconnaissance |
T1606.002 | SAML Tokens | Credential Access |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1606 | Forge Web Credentials | Credential Access |
T1560.001 | Archive via Utility | Collection |
T1505.002 | Transport Agent | Persistence |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1530 | Data from Cloud Storage | Collection |
T1552.008 | Chat Messages | Credential Access |
T1562 | Impair Defenses | Defense Evasion |
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1213.003 | Code Repositories | Collection |
T1578.003 | Delete Cloud Instance | Defense Evasion |
T1505.001 | SQL Stored Procedures | Persistence |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1556.007 | Hybrid Identity | Credential Access, Defense Evasion, Persistence |
T1552.006 | Group Policy Preferences | Credential Access |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1578.002 | Create Cloud Instance | Defense Evasion |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1482 | Domain Trust Discovery | Discovery |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1649 | Steal or Forge Authentication Certificates | Credential Access |
T1558.004 | AS-REP Roasting | Credential Access |
T1213.001 | Confluence | Collection |
T1552.002 | Credentials in Registry | Credential Access |
T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1021.005 | VNC | Lateral Movement |
T1556.008 | Network Provider DLL | Credential Access, Defense Evasion, Persistence |
T1578.001 | Create Snapshot | Defense Evasion |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |