CAF Outcome B4.d: Vulnerability Management
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essential function.
NCSC CAF Mapped to NIST CSF
Mappings from B4.d: Vulnerability Management to the NIST CSF, generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity |
DE.CM-4 | Malicious code is detected |
DE.CM-8 | Vulnerability scans are performed |
ID.RA-1 | Asset vulnerabilities are identified and documented |
RS.MI-2 | Incidents are mitigated |
RS.MI-1 | Incidents are contained |
ID.RA-3 | Threats, both internal and external, are identified and documented |
PR.IP-12 | A vulnerability management plan is developed and implemented |
PR.PT-4 | Communications and control networks are protected |
PR.IP-3 | Configuration change control processes are in place |
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks |
PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity |
ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk |
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
RS.AN-5 | Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) |
DE.DP-3 | Detection processes are tested |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Operating System Configuration
Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
Active Directory Configuration
Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.
Disable or Remove Feature or Program
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Vulnerability Scanning
Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.
Application Isolation and Sandboxing
Restrict execution of code to a virtual environment on or in transit to an endpoint system.
Antivirus/Antimalware
Use signatures or heuristics to detect malicious software.
Audit
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Boot Integrity
Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
Update Software
Perform regular software updates to mitigate exploitation risk.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Security functionality verification (SR 3.3), ISA/IEC 62443-3-3:2013
- Denial of service protection (SR 7.1), ISA/IEC 62443-3-3:2013
- Perform a detailed vulnerability assessment (4.2.3.7), ISA/IEC 62443-2-1:2009
- Identify a detailed risk assessment methodology (4.2.3.8), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Installation of software on operational systems (12.5.1), ISO 27001:2013
- Controls against malware (12.2.1), ISO 27001:2013
- Technical compliance review (18.2.3), ISO 27001:2013
- Management of technical vulnerabilities (12.6.1), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
MITRE ATT&CK techniques that this outcome helps to protect against, derived from the ATT&CK mitigation mappings by Ofgem listed above.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1553.004 | Install Root Certificate | Defense Evasion |
T1546.008 | Accessibility Features | Persistence, Privilege Escalation |
T1563.002 | RDP Hijacking | Lateral Movement |
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
T1556.008 | Network Provider DLL | Credential Access, Defense Evasion, Persistence |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
T1087.001 | Local Account | Discovery |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1092 | Communication Through Removable Media | Command and Control |
T1136 | Create Account | Persistence |
T1003.002 | Security Account Manager | Credential Access |
T1053.002 | At | Execution, Persistence, Privilege Escalation |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1003.005 | Cached Domain Credentials | Credential Access |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1087 | Account Discovery | Discovery |
T1135 | Network Share Discovery | Discovery |
T1003 | OS Credential Dumping | Credential Access |
T1490 | Inhibit System Recovery | Impact |
T1011 | Exfiltration Over Other Network Medium | Exfiltration |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1556.002 | Password Filter DLL | Credential Access, Defense Evasion, Persistence |
T1574.006 | Dynamic Linker Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1552 | Unsecured Credentials | Credential Access |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1548.001 | Setuid and Setgid | Defense Evasion, Privilege Escalation |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1562.003 | Impair Command History Logging | Defense Evasion |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1136.002 | Domain Account | Persistence |
T1087.002 | Domain Account | Discovery |
T1553 | Subvert Trust Controls | Defense Evasion |
T1552.003 | Bash History | Credential Access |
T1003.001 | LSASS Memory | Credential Access |
T1564.002 | Hidden Users | Defense Evasion |
T1036.007 | Double File Extension | Defense Evasion |
T1003.006 | DCSync | Credential Access |
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1558.001 | Golden Ticket | Credential Access |
T1606.002 | SAML Tokens | Credential Access |
T1552.006 | Group Policy Preferences | Credential Access |
T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
T1558 | Steal or Forge Kerberos Tickets | Credential Access |
T1649 | Steal or Forge Authentication Certificates | Credential Access |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1052.001 | Exfiltration over USB | Exfiltration |
T1218.005 | Mshta | Defense Evasion |
T1127.001 | MSBuild | Defense Evasion |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1595.003 | Wordlist Scanning | Reconnaissance |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1218.009 | Regsvcs/Regasm | Defense Evasion |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1218.004 | InstallUtil | Defense Evasion |
T1052 | Exfiltration Over Physical Medium | Exfiltration |
T1563.001 | SSH Hijacking | Lateral Movement |
T1505 | Server Software Component | Persistence |
T1553.005 | Mark-of-the-Web Bypass | Defense Evasion |
T1218.007 | Msiexec | Defense Evasion |
T1564.007 | VBA Stomping | Defense Evasion |
T1059.005 | Visual Basic | Execution |
T1133 | External Remote Services | Initial Access, Persistence |
T1218.013 | Mavinject | Defense Evasion |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
T1546.014 | Emond | Persistence, Privilege Escalation |
T1611 | Escape to Host | Privilege Escalation |
T1221 | Template Injection | Defense Evasion |
T1137 | Office Application Startup | Persistence |
T1021.003 | Distributed Component Object Model | Lateral Movement |
T1059.007 | JavaScript | Execution |
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion |
T1021.004 | SSH | Lateral Movement |
T1021.005 | VNC | Lateral Movement |
T1609 | Container Administration Command | Execution |
T1555.004 | Windows Credential Manager | Credential Access |
T1059 | Command and Scripting Interpreter | Execution |
T1021 | Remote Services | Lateral Movement |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1021.006 | Windows Remote Management | Lateral Movement |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1218.014 | MMC | Defense Evasion |
T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
T1552.005 | Cloud Instance Metadata API | Credential Access |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1559 | Inter-Process Communication | Execution |
T1137.001 | Office Template Macros | Persistence |
T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
T1218.003 | CMSTP | Defense Evasion |
T1021.008 | Direct Cloud VM Connections | Lateral Movement |
T1218.012 | Verclsid | Defense Evasion |
T1546.002 | Screensaver | Persistence, Privilege Escalation |
T1559.002 | Dynamic Data Exchange | Execution |
T1046 | Network Service Discovery | Discovery |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1562.010 | Downgrade Attack | Defense Evasion |
T1505.003 | Web Shell | Persistence |
T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
T1059.001 | PowerShell | Execution |
T1114.003 | Email Forwarding Rule | Collection |
T1218.008 | Odbcconf | Defense Evasion |
T1564.006 | Run Virtual Instance | Defense Evasion |
T1195.001 | Compromise Software Dependencies and Development Tools | Initial Access |
T1190 | Exploit Public-Facing Application | Initial Access |
T1195.002 | Compromise Software Supply Chain | Initial Access |
T1195 | Supply Chain Compromise | Initial Access |
T1203 | Exploitation for Client Execution | Execution |
T1189 | Drive-by Compromise | Initial Access |
T1559.001 | Component Object Model | Execution |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1027.006 | HTML Smuggling | Defense Evasion |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1212 | Exploitation for Credential Access | Credential Access |
T1059.006 | Python | Execution |
T1027.010 | Command Obfuscation | Defense Evasion |
T1027.009 | Embedded Payloads | Defense Evasion |
T1566 | Phishing | Initial Access |
T1027.002 | Software Packing | Defense Evasion |
T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
T1566.003 | Spearphishing via Service | Initial Access |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1036.008 | Masquerade File Type | Defense Evasion |
T1566.001 | Spearphishing Attachment | Initial Access |
T1036 | Masquerading | Defense Evasion |
T1027.012 | LNK Icon Smuggling | Defense Evasion |
T1080 | Taint Shared Content | Lateral Movement |
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
T1525 | Implant Internal Image | Persistence |
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1204.003 | Malicious Image | Execution |
T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion |
T1552.004 | Private Keys | Credential Access |
T1505.004 | IIS Components | Persistence |
T1560 | Archive Collected Data | Collection |
T1593.003 | Code Repositories | Reconnaissance |
T1552.001 | Credentials In Files | Credential Access |
T1606.001 | Web Cookies | Credential Access |
T1564.008 | Email Hiding Rules | Defense Evasion |
T1578.005 | Modify Cloud Compute Configurations | Defense Evasion |
T1087.004 | Cloud Account | Discovery |
T1176 | Browser Extensions | Persistence |
T1562.012 | Disable or Modify Linux Audit System | Defense Evasion |
T1562.002 | Disable Windows Event Logging | Defense Evasion |
T1505.005 | Terminal Services DLL | Persistence |
T1653 | Power Settings | Persistence |
T1610 | Deploy Container | Defense Evasion, Execution |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1612 | Build Image on Host | Defense Evasion |
T1213 | Data from Information Repositories | Collection |
T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
T1114 | Email Collection | Collection |
T1213.002 | Sharepoint | Collection |
T1566.002 | Spearphishing Link | Initial Access |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1528 | Steal Application Access Token | Credential Access |
T1543.004 | Launch Daemon | Persistence, Privilege Escalation |
T1027.011 | Fileless Storage | Defense Evasion |
T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
T1070.008 | Clear Mailbox Data | Defense Evasion |
T1593 | Search Open Websites/Domains | Reconnaissance |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1606 | Forge Web Credentials | Credential Access |
T1560.001 | Archive via Utility | Collection |
T1505.002 | Transport Agent | Persistence |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1530 | Data from Cloud Storage | Collection |
T1552.008 | Chat Messages | Credential Access |
T1562 | Impair Defenses | Defense Evasion |
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1213.003 | Code Repositories | Collection |
T1578.003 | Delete Cloud Instance | Defense Evasion |
T1505.001 | SQL Stored Procedures | Persistence |
T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
T1556.007 | Hybrid Identity | Credential Access, Defense Evasion, Persistence |
T1578.002 | Create Cloud Instance | Defense Evasion |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1482 | Domain Trust Discovery | Discovery |
T1558.004 | AS-REP Roasting | Credential Access |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1213.001 | Confluence | Collection |
T1552.002 | Credentials in Registry | Credential Access |
T1556.006 | Multi-Factor Authentication | Credential Access, Defense Evasion, Persistence |
T1484.001 | Group Policy Modification | Defense Evasion, Privilege Escalation |
T1578.001 | Create Snapshot | Defense Evasion |
T1542.003 | Bootkit | Defense Evasion, Persistence |
T1495 | Firmware Corruption | Impact |
T1542 | Pre-OS Boot | Defense Evasion, Persistence |
T1601 | Modify System Image | Defense Evasion |
T1601.001 | Patch System Image | Defense Evasion |
T1195.003 | Compromise Hardware Supply Chain | Initial Access |
T1542.001 | System Firmware | Defense Evasion, Persistence |
T1601.002 | Downgrade System Image | Defense Evasion |
T1553.006 | Code Signing Policy Modification | Defense Evasion |
T1546.011 | Application Shimming | Persistence, Privilege Escalation |
T1542.002 | Component Firmware | Defense Evasion, Persistence |
T1602 | Data from Configuration Repository | Collection |
T1602.002 | Network Device Configuration Dump | Collection |
T1546.010 | AppInit DLLs | Persistence, Privilege Escalation |
T1602.001 | SNMP (MIB Dump) | Collection |
T1137.003 | Outlook Forms | Persistence |
T1555.005 | Password Managers | Credential Access |
T1137.005 | Outlook Rules | Persistence |
T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement |
T1137.004 | Outlook Home Page | Persistence |
T1110.001 | Password Guessing | Credential Access |