CAF Outcome B2.a: Identity Verification, Authentication and Authorisation
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function.
NCSC CAF Mapped to NIST CSF
Mappings from B2.a: Identity Verification, Authentication and Authorisation to NIST CSF (version 1.1 identifiers), generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
PR.DS-5 | Protections against data leaks are implemented |
PR.AC-1 | Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes |
PR.AC-7 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) |
PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
PR.AC-6 | Identities are proofed and bound to credentials and asserted in interactions |
PR.AC-3 | Remote access is managed |
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities |
PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access |
DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
User Account Management (M1018)
Manage the creation, modification, use, and permissions associated with user accounts.
Restrict File and Directory Permissions (M1022)
Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.
Multi-factor Authentication (M1032)
Use two or more pieces of evidence to authenticate to a system, such as a username and password in addition to a token from a physical smart card or token generator.
Environment Variable Permissions (M1039)
Prevent modification of environment variables by unauthorized users and groups.
Audit (M1047)
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Operating System Configuration (M1028)
Make configuration changes related to the operating system, or a common feature of the operating system, that harden the system against these techniques.
Restrict Registry Permissions (M1024)
Restrict the ability to modify certain hives or keys in the Windows Registry.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- ISA/IEC 62443-3-3:2013 SR 1.1: Human user identification and authentication
- ISA/IEC 62443-3-3:2013 SR 1.2: Software process and device identification and authentication
- ISA/IEC 62443-3-3:2013 SR 1.4: Identifier management
- ISA/IEC 62443-3-3:2013 SR 1.5: Authenticator management
- ISA/IEC 62443-3-3:2013 SR 1.6: Wireless access management
- ISA/IEC 62443-3-3:2013 SR 1.13: Access via untrusted networks
- ISA/IEC 62443-3-3:2013 SR 2.1: Authorization enforcement
- ISA/IEC 62443-3-3:2013 SR 2.2: Wireless use control
- ISA/IEC 62443-3-3:2013 SR 2.3: Use control for portable and mobile devices
- ISA/IEC 62443-3-3:2013 SR 2.5: Session lock
- ISA/IEC 62443-3-3:2013 SR 3.8: Session integrity
- ISA/IEC 62443-2-1:2009 4.3.3.5.2: Identify individuals
- ISA/IEC 62443-2-1:2009 4.3.3.5.5: Suspend or remove unneeded accounts
- ISA/IEC 62443-2-1:2009 4.3.3.5.6: Review account permissions
- ISA/IEC 62443-2-1:2009 4.3.3.5.8: Audit account administration
- ISA/IEC 62443-2-1:2009 4.3.3.6.2: Authenticate all users before system use
- ISA/IEC 62443-2-1:2009 4.3.3.6.3: Require strong authentication methods for system administration and application configuration
- ISA/IEC 62443-2-1:2009 4.3.3.6.5: Authenticate all remote users at the appropriate level
- ISA/IEC 62443-2-1:2009 4.3.3.6.9: Employ authentication for task-to-task communication
- ISA/IEC 62443-2-1:2009 4.3.3.7.2: Establish appropriate logical and physical permission methods to access IACS devices
- ISA/IEC 62443-2-1:2009 4.3.3.7.4: Employ multiple authorization methods for critical IACS
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- ISO/IEC 27001:2013 A.9.1.2: Access to networks and network services
- ISO/IEC 27001:2013 A.9.2.5: Review of user access rights
- ISO/IEC 27001:2013 A.9.4.1: Information access restriction
- ISO/IEC 27001:2013 A.9.4.2: Secure log-on procedures
- ISO/IEC 27001:2013 A.11.1.2: Physical entry controls
- ISO/IEC 27001:2013 A.11.1.3: Securing offices, rooms, and facilities
- ISO/IEC 27001:2013 A.13.1.1: Network controls
Related SP800-53 Controls
Generated from NIST's SP 800-53/CSF crosswalk mappings.
MITRE ATT&CK Techniques
The MITRE ATT&CK techniques this outcome helps to protect against, derived from the Ofgem mappings to ATT&CK mitigations listed above.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1213.003 | Code Repositories | Collection |
T1552.007 | Container API | Credential Access |
T1543.002 | Systemd Service | Persistence, Privilege Escalation |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1654 | Log Enumeration | Discovery |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1489 | Service Stop | Impact |
T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
T1578.002 | Create Cloud Instance | Defense Evasion |
T1609 | Container Administration Command | Execution |
T1566.002 | Spearphishing Link | Initial Access |
T1490 | Inhibit System Recovery | Impact |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1021.008 | Direct Cloud VM Connections | Lateral Movement |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1199 | Trusted Relationship | Initial Access |
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1087.004 | Cloud Account | Discovery |
T1053.007 | Container Orchestration Job | Execution, Persistence, Privilege Escalation |
T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement |
T1040 | Network Sniffing | Credential Access, Discovery |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1021 | Remote Services | Lateral Movement |
T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
T1213.001 | Confluence | Collection |
T1548.005 | Temporary Elevated Cloud Access | Defense Evasion, Privilege Escalation |
T1110.004 | Credential Stuffing | Credential Access |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1053.002 | At | Execution, Persistence, Privilege Escalation |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1047 | Windows Management Instrumentation | Execution |
T1578.003 | Delete Cloud Instance | Defense Evasion |
T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
T1569.001 | Launchctl | Execution |
T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
T1574.012 | COR_PROFILER | Defense Evasion, Persistence, Privilege Escalation |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1098.006 | Additional Container Cluster Roles | Persistence, Privilege Escalation |
T1505.003 | Web Shell | Persistence |
T1020.001 | Traffic Duplication | Exfiltration |
T1648 | Serverless Execution | Execution |
T1134.001 | Token Impersonation/Theft | Defense Evasion, Privilege Escalation |
T1134.003 | Make and Impersonate Token | Defense Evasion, Privilege Escalation |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1505 | Server Software Component | Persistence |
T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
T1578.001 | Create Snapshot | Defense Evasion |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1580 | Cloud Infrastructure Discovery | Discovery |
T1110 | Brute Force | Credential Access |
T1562.008 | Disable or Modify Cloud Logs | Defense Evasion |
T1538 | Cloud Service Dashboard | Discovery |
T1059.008 | Network Device CLI | Execution |
T1528 | Steal Application Access Token | Credential Access |
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
T1569 | System Services | Execution |
T1562.006 | Indicator Blocking | Defense Evasion |
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
T1562 | Impair Defenses | Defense Evasion |
T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
T1185 | Browser Session Hijacking | Collection |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1619 | Cloud Storage Object Discovery | Discovery |
T1610 | Deploy Container | Defense Evasion, Execution |
T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
T1563.002 | RDP Hijacking | Lateral Movement |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1543.001 | Launch Agent | Persistence, Privilege Escalation |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
T1547.012 | Print Processors | Persistence, Privilege Escalation |
T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
T1606 | Forge Web Credentials | Credential Access |
T1657 | Financial Theft | Impact |
T1562.012 | Disable or Modify Linux Audit System | Defense Evasion |
T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1530 | Data from Cloud Storage | Collection |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1021.004 | SSH | Lateral Movement |
T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
T1213 | Data from Information Repositories | Collection |
T1562.002 | Disable Windows Event Logging | Defense Evasion |
T1213.002 | Sharepoint | Collection |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1613 | Container and Resource Discovery | Discovery |
T1578.005 | Modify Cloud Compute Configurations | Defense Evasion |
T1606.002 | SAML Tokens | Credential Access |
T1006 | Direct Volume Access | Defense Evasion |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1037.005 | Startup Items | Persistence, Privilege Escalation |
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
T1563.001 | SSH Hijacking | Lateral Movement |
T1552.001 | Credentials In Files | Credential Access |
T1036 | Masquerading | Defense Evasion |
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1037.004 | RC Scripts | Persistence, Privilege Escalation |
T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation |
T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
T1569.002 | Service Execution | Execution |
T1037.003 | Network Logon Script | Persistence, Privilege Escalation |
T1070.003 | Clear Command History | Defense Evasion |
T1565 | Data Manipulation | Impact |
T1218.002 | Control Panel | Defense Evasion |
T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
T1565.003 | Runtime Data Manipulation | Impact |
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
T1037.002 | Login Hook | Persistence, Privilege Escalation |
T1070.009 | Clear Persistence | Defense Evasion |
T1565.001 | Stored Data Manipulation | Impact |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1547.003 | Time Providers | Persistence, Privilege Escalation |
T1564.004 | NTFS File Attributes | Defense Evasion |
T1222 | File and Directory Permissions Modification | Defense Evasion |
T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
T1070 | Indicator Removal | Defense Evasion |
T1036.003 | Rename System Utilities | Defense Evasion |
T1552.004 | Private Keys | Credential Access |
T1552 | Unsecured Credentials | Credential Access |
T1070.008 | Clear Mailbox Data | Defense Evasion |
T1080 | Taint Shared Content | Lateral Movement |
T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
T1110.002 | Password Cracking | Credential Access |
T1539 | Steal Web Session Cookie | Credential Access |
T1601.002 | Downgrade System Image | Defense Evasion |
T1133 | External Remote Services | Initial Access, Persistence |
T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
T1601 | Modify System Image | Defense Evasion |
T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1599.001 | Network Address Translation Traversal | Defense Evasion |
T1114 | Email Collection | Collection |
T1110.001 | Password Guessing | Credential Access |
T1599 | Network Boundary Bridging | Defense Evasion |
T1136.001 | Local Account | Persistence |
T1136.003 | Cloud Account | Persistence |
T1098.005 | Device Registration | Persistence, Privilege Escalation |
T1621 | Multi-Factor Authentication Request Generation | Credential Access |
T1136 | Create Account | Persistence |
T1136.002 | Domain Account | Persistence |
T1110.003 | Password Spraying | Credential Access |
T1556.003 | Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
T1021.007 | Cloud Services | Lateral Movement |
T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
T1556.007 | Hybrid Identity | Credential Access, Defense Evasion, Persistence |
T1601.001 | Patch System Image | Defense Evasion |
T1114.002 | Remote Email Collection | Collection |
T1562.003 | Impair Command History Logging | Defense Evasion |
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
T1525 | Implant Internal Image | Persistence |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1204.003 | Malicious Image | Execution |
T1505.004 | IIS Components | Persistence |
T1560 | Archive Collected Data | Collection |
T1593.003 | Code Repositories | Reconnaissance |
T1606.001 | Web Cookies | Credential Access |
T1564.008 | Email Hiding Rules | Defense Evasion |
T1176 | Browser Extensions | Persistence |
T1505.005 | Terminal Services DLL | Persistence |
T1059.006 | Python | Execution |
T1653 | Power Settings | Persistence |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1114.003 | Email Forwarding Rule | Collection |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1612 | Build Image on Host | Defense Evasion |
T1027.011 | Fileless Storage | Defense Evasion |
T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
T1593 | Search Open Websites/Domains | Reconnaissance |
T1560.001 | Archive via Utility | Collection |
T1505.002 | Transport Agent | Persistence |
T1552.008 | Chat Messages | Credential Access |
T1505.001 | SQL Stored Procedures | Persistence |
T1552.006 | Group Policy Preferences | Credential Access |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1482 | Domain Trust Discovery | Discovery |
T1649 | Steal or Forge Authentication Certificates | Credential Access |
T1558.004 | AS-REP Roasting | Credential Access |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1552.002 | Credentials in Registry | Credential Access |
T1021.005 | VNC | Lateral Movement |
T1556.008 | Network Provider DLL | Credential Access, Defense Evasion, Persistence |
T1553.004 | Install Root Certificate | Defense Evasion |
T1546.008 | Accessibility Features | Persistence, Privilege Escalation |
T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
T1087.001 | Local Account | Discovery |
T1092 | Communication Through Removable Media | Command and Control |
T1003.002 | Security Account Manager | Credential Access |
T1003.005 | Cached Domain Credentials | Credential Access |
T1087 | Account Discovery | Discovery |
T1135 | Network Share Discovery | Discovery |
T1003 | OS Credential Dumping | Credential Access |
T1011 | Exfiltration Over Other Network Medium | Exfiltration |
T1556.002 | Password Filter DLL | Credential Access, Defense Evasion, Persistence |
T1574.006 | Dynamic Linker Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1548.001 | Setuid and Setgid | Defense Evasion, Privilege Escalation |
T1087.002 | Domain Account | Discovery |
T1553 | Subvert Trust Controls | Defense Evasion |
T1552.003 | Bash History | Credential Access |
T1003.001 | LSASS Memory | Credential Access |
T1564.002 | Hidden Users | Defense Evasion |
T1036.007 | Double File Extension | Defense Evasion |
T1037.001 | Logon Script (Windows) | Persistence, Privilege Escalation |
T1553.006 | Code Signing Policy Modification | Defense Evasion |
T1574.011 | Services Registry Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1112 | Modify Registry | Defense Evasion |
T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
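Many of the techniques in this table (for example T1574.007 Path Interception by PATH Environment Variable, T1574.010 Services File Permissions Weakness, T1053 Scheduled Task/Job and T1222 File and Directory Permissions Modification) only work when an unprivileged user can write to a file or directory that a privileged process later trusts. The Restrict File and Directory Permissions (M1022) and Audit (M1047) mitigations above are about closing and finding exactly that. The following is an added example written for this page, not code from NCSC, Ofgem or MITRE: a small POSIX permission audit that walks a directory tree and reports world-writable, group-writable and untrusted-owner entries, run here against a constructed temporary fixture rather than a real host. The fixture layout, the issue labels and the `trusted_uids` parameter are this example's own choices.

```python
"""Audit a directory tree for permission weaknesses that enable file- and
directory-based hijacking (ATT&CK M1022 / M1047 style check).

Added example; assumes a POSIX host (os.getuid, sticky bit, chmod semantics).
"""
import os
import shutil
import stat
import tempfile


def find_weak_permissions(root, trusted_uids=frozenset({0})):
    """Walk `root` and report entries a non-privileged user could tamper with.

    Returns a sorted list of (relative_path, issue) tuples. Per entry it checks:
      * world-writable files, and world-writable directories without the sticky
        bit (a sticky world-writable dir such as /tmp is labelled separately,
        since the sticky bit stops users unlinking each other's files);
      * group-writable entries (weaker finding: exposure depends on membership);
      * ownership by a uid outside `trusted_uids`, because an owner can chmod.
    Symlinks are skipped (their own mode bits are meaningless on Linux) and
    os.walk does not follow them, so a link cannot pull in a foreign tree.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            is_dir = stat.S_ISDIR(st.st_mode)
            if mode & stat.S_IWOTH:
                if is_dir and mode & stat.S_ISVTX:
                    findings.append((rel, "world-writable-sticky-dir"))
                else:
                    findings.append((rel, "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((rel, "group-writable"))
            if st.st_uid not in trusted_uids:
                findings.append((rel, "untrusted-owner"))
    return sorted(findings)


# Constructed fixture (assumption, not a real host): a fake filesystem with
# correctly locked-down entries alongside the kinds of weakness the listed
# techniques abuse. Modes are applied explicitly so the umask cannot alter them.
DEMO_DIRS = {
    "usr": 0o755,
    "usr/local": 0o755,
    "usr/local/bin": 0o755,
    "etc": 0o755,
    "etc/systemd/system": 0o777,   # anyone can drop or replace a unit file
    "etc/sudoers.d": 0o750,
    "var": 0o755,
    "var/tmp": 0o1777,             # sticky bit: the expected shape for scratch dirs
}
DEMO_FILES = {
    "usr/local/bin/backup.sh": 0o777,         # world-writable script on PATH
    "etc/systemd/system/app.service": 0o664,  # group-writable unit file
    "etc/sudoers.d/ops": 0o440,               # correctly restricted
}


def build_demo_tree():
    """Create the fixture under a fresh temporary directory and return its root."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    for rel in DEMO_DIRS:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in DEMO_FILES:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("# placeholder content\n")
    for rel, mode in {**DEMO_DIRS, **DEMO_FILES}.items():
        os.chmod(os.path.join(root, rel), mode)
    return root


def audit_demo():
    """Build the fixture, audit it, remove it, and return the findings.

    The current uid is trusted because the fixture is owned by whoever runs
    this; on a real host the set would normally be {0} plus service accounts.
    """
    root = build_demo_tree()
    try:
        return find_weak_permissions(root, trusted_uids={os.getuid()})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, issue in audit_demo():
        print(f"{issue:28s} {rel}")
```

On a real system the same function can be pointed at `/usr/local/bin`, `/etc/systemd/system`, `/etc/cron.d` or a service's install directory; a finding of `world-writable` on anything executed by root or by a scheduled job is the precondition for the T1574.* and T1053.* entries above, and `untrusted-owner` is the quieter variant where the file is not writable today but its owner can make it so.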