CAF Outcome C1.c: Generating Alerts
From the UK NCSC's Cyber Assessment Framework (version 3.1):
Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.
NCSC CAF Mapped to NIST CSF
Mappings from C1.c: Generating Alerts to NIST CSF controls, generated from the UK Cabinet Office table.

| Control ID | Description |
|---|---|
| DE.AE-2 | Detected events are analyzed to understand attack targets and methods |
| DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events |
| DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events |
| RS.AN-1 | Notifications from detection systems are investigated |
| DE.AE-5 | Incident alert thresholds are established |
| RS.MI-1 | Incidents are contained |
| DE.AE-3 | Event data are collected and correlated from multiple sources and sensors |
| DE.CM-1 | The network is monitored to detect potential cybersecurity events |
| DE.DP-3 | Detection processes are tested |
| DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
| PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Response to audit processing failures (SR 2.10), ISA/IEC 62443-3-3:2013
- Establish procedures for monitoring and alarming (4.3.3.3.8), ISA/IEC 62443-2-1:2009
- Identify failed and successful cyber security breaches (4.3.4.5.7), ISA/IEC 62443-2-1:2009
- Establish and document antivirus/malware management procedure (4.3.4.3.8), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Event Logging (12.4.1), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1095 | Non-Application Layer Protocol | Command and Control |
| T1572 | Protocol Tunneling | Command and Control |
| T1001.001 | Junk Data | Command and Control |
| T1602 | Data from Configuration Repository | Collection |
| T1008 | Fallback Channels | Command and Control |
| T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1046 | Network Service Discovery | Discovery |
| T1602.001 | SNMP (MIB Dump) | Collection |
| T1001 | Data Obfuscation | Command and Control |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1573.002 | Asymmetric Cryptography | Command and Control |
| T1102 | Web Service | Command and Control |
| T1071.001 | Web Protocols | Command and Control |
| T1102.001 | Dead Drop Resolver | Command and Control |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1104 | Multi-Stage Channels | Command and Control |
| T1542.004 | ROMMONkit | Defense Evasion, Persistence |
| T1029 | Scheduled Transfer | Exfiltration |
| T1132 | Data Encoding | Command and Control |
| T1602.002 | Network Device Configuration Dump | Collection |
| T1071.002 | File Transfer Protocols | Command and Control |
| T1204.003 | Malicious Image | Execution |
| T1132.002 | Non-Standard Encoding | Command and Control |
| T1030 | Data Transfer Size Limits | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1204.001 | Malicious Link | Execution |
| T1102.003 | One-Way Communication | Command and Control |
| T1090.001 | Internal Proxy | Command and Control |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1573.001 | Symmetric Cryptography | Command and Control |
| T1090.002 | External Proxy | Command and Control |
| T1571 | Non-Standard Port | Command and Control |
| T1568.002 | Domain Generation Algorithms | Command and Control |
| T1573 | Encrypted Channel | Command and Control |
| T1221 | Template Injection | Defense Evasion |
| T1566 | Phishing | Initial Access |
| T1001.003 | Protocol Impersonation | Command and Control |
| T1071.003 | Mail Protocols | Command and Control |
| T1568 | Dynamic Resolution | Command and Control |
| T1001.002 | Steganography | Command and Control |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1090 | Proxy | Command and Control |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1071.004 | DNS | Command and Control |
| T1204 | User Execution | Execution |
| T1219 | Remote Access Software | Command and Control |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1132.001 | Standard Encoding | Command and Control |
| T1071 | Application Layer Protocol | Command and Control |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1102.002 | Bidirectional Communication | Command and Control |
| T1557.003 | DHCP Spoofing | Collection, Credential Access |
| T1059.006 | Python | Execution |
| T1059.005 | Visual Basic | Execution |
| T1027.010 | Command Obfuscation | Defense Evasion |
| T1027.009 | Embedded Payloads | Defense Evasion |
| T1059 | Command and Scripting Interpreter | Execution |
| T1027.002 | Software Packing | Defense Evasion |
| T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
| T1566.003 | Spearphishing via Service | Initial Access |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1036.008 | Masquerade File Type | Defense Evasion |
| T1059.001 | PowerShell | Execution |
| T1036 | Masquerading | Defense Evasion |
| T1027.012 | LNK Icon Smuggling | Defense Evasion |
| T1080 | Taint Shared Content | Lateral Movement |
| T1090.004 | Domain Fronting | Command and Control |