CAF Outcome B5.c: Backups
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You hold accessible and secured current backups of data and information needed to recover operation of your essential function.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
NCSC CAF Mapped to NIST CSF
B5.c: Backups to CSF mappings generated from UK Cabinet Office table.
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Remote Data Storage
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.Data Backup
Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.Encrypt Sensitive Information
Protect sensitive information with strong encryption.Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
-
Control system backup (SR 7.3)
ISA/IEC 62443-3-3:2013 -
Create the backup procedures that support business continuity plan (4.3.2.5.6)
ISA/IEC 62443-2-1:2009 -
Establish backup and restoration procedure (4.3.4.3.9)
ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
-
Capacity management (12.1.3)
ISO 27001:2013 -
Information backup (12.3.1)
ISO 27001:2013
Related SP800-53 Controls
Generated from NISTs SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1119 | Automated Collection | Collection |
| T1070.003 | Clear Command History | Defense Evasion |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1565 | Data Manipulation | Impact |
| T1565.001 | Stored Data Manipulation | Impact |
| T1070 | Indicator Removal | Defense Evasion |
| T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
| T1070.009 | Clear Persistence | Defense Evasion |
| T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
| T1070.001 | Clear Windows Event Logs | Defense Evasion |
| T1070.008 | Clear Mailbox Data | Defense Evasion |
| T1490 | Inhibit System Recovery | Impact |
| T1485 | Data Destruction | Impact |
| T1561.002 | Disk Structure Wipe | Impact |
| T1491.002 | External Defacement | Impact |
| T1561.001 | Disk Content Wipe | Impact |
| T1486 | Data Encrypted for Impact | Impact |
| T1491.001 | Internal Defacement | Impact |
| T1561 | Disk Wipe | Impact |
| T1491 | Defacement | Impact |
| T1114.002 | Remote Email Collection | Collection |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1003 | OS Credential Dumping | Credential Access |
| T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
| T1020.001 | Traffic Duplication | Exfiltration |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access |
| T1602.002 | Network Device Configuration Dump | Collection |
| T1565.002 | Transmitted Data Manipulation | Impact |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1659 | Content Injection | Command and Control, Initial Access |
| T1114 | Email Collection | Collection |
| T1602.001 | SNMP (MIB Dump) | Collection |
| T1040 | Network Sniffing | Credential Access, Discovery |
| T1552 | Unsecured Credentials | Credential Access |
| T1602 | Data from Configuration Repository | Collection |
| T1558.002 | Silver Ticket | Credential Access |
| T1114.001 | Local Email Collection | Collection |
| T1114.003 | Email Forwarding Rule | Collection |
| T1003.003 | NTDS | Credential Access |
| T1552.004 | Private Keys | Credential Access |
| T1649 | Steal or Forge Authentication Certificates | Credential Access |
| T1530 | Data from Cloud Storage | Collection |
| T1558.003 | Kerberoasting | Credential Access |