CAF Outcome C1.b: Securing Logs

From the UK NCSC's Cyber Assessment Framework (version 3.1):

You hold logging data securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted.

NCSC CAF Mapped to NIST CSF

Mappings from C1.b: Securing Logs to the NIST CSF, generated from the UK Cabinet Office mapping table.

Control ID | Description
DE.AE-3 | Event data are collected and correlated from multiple sources and sensors
PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Audit log accessibility (SR 6.1)
    ISA/IEC 62443-3-3:2013
  • Security functionality verification (SR 3.3)
    ISA/IEC 62443-3-3:2013
  • Timestamps (SR 2.11)
    ISA/IEC 62443-3-3:2013
  • Protection of audit information (SR 3.9)
    ISA/IEC 62443-3-3:2013

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Protection of log information (12.4.2)
    ISO 27001:2013
  • Administrator and operator logs (12.4.3)
    ISO 27001:2013
  • Clock synchronisation (12.4.4)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

MITRE ATT&CK Techniques

MITRE ATT&CK techniques that this control helps to protect against, derived from the ATT&CK mitigation mappings by Ofgem listed above.

ATT&CK ID | Title | Associated Tactics
T1036.005 | Match Legitimate Name or Location | Defense Evasion
T1530 | Data from Cloud Storage | Collection
T1037.005 | Startup Items | Persistence, Privilege Escalation
T1562.002 | Disable Windows Event Logging | Defense Evasion
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation
T1563.001 | SSH Hijacking | Lateral Movement
T1552.001 | Credentials In Files | Credential Access
T1036 | Masquerading | Defense Evasion
T1569 | System Services | Execution
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation
T1489 | Service Stop | Impact
T1562.004 | Disable or Modify System Firewall | Defense Evasion
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation
T1037.004 | RC Scripts | Persistence, Privilege Escalation
T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation
T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation
T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation
T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation
T1562 | Impair Defenses | Defense Evasion
T1569.002 | Service Execution | Execution
T1037.003 | Network Logon Script | Persistence, Privilege Escalation
T1070.003 | Clear Command History | Defense Evasion
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation
T1565 | Data Manipulation | Impact
T1218.002 | Control Panel | Defense Evasion
T1070.002 | Clear Linux or Mac System Logs | Defense Evasion
T1543 | Create or Modify System Process | Persistence, Privilege Escalation
T1562.006 | Indicator Blocking | Defense Evasion
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation
T1565.003 | Runtime Data Manipulation | Impact
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion
T1037.002 | Login Hook | Persistence, Privilege Escalation
T1070.009 | Clear Persistence | Defense Evasion
T1565.001 | Stored Data Manipulation | Impact
T1070.001 | Clear Windows Event Logs | Defense Evasion
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence
T1547.003 | Time Providers | Persistence, Privilege Escalation
T1564.004 | NTFS File Attributes | Defense Evasion
T1222 | File and Directory Permissions Modification | Defense Evasion
T1543.002 | Systemd Service | Persistence, Privilege Escalation
T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion
T1070 | Indicator Removal | Defense Evasion
T1036.003 | Rename System Utilities | Defense Evasion
T1543.001 | Launch Agent | Persistence, Privilege Escalation
T1562.001 | Disable or Modify Tools | Defense Evasion
T1552.004 | Private Keys | Credential Access
T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation
T1552 | Unsecured Credentials | Credential Access
T1070.008 | Clear Mailbox Data | Defense Evasion
T1080 | Taint Shared Content | Lateral Movement
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1621 | Multi-Factor Authentication Request Generation | Credential Access
T1110.004 | Credential Stuffing | Credential Access
T1110.003 | Password Spraying | Credential Access
T1110.001 | Password Guessing | Credential Access
T1110 | Brute Force | Credential Access
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation