CAF Outcome B4.d: Vulnerability Management
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essential function.
NCSC CAF Mapped to NIST CSF
Mappings from B4.d: Vulnerability Management to NIST CSF, generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity |
DE.CM-4 | Malicious code is detected |
DE.CM-8 | Vulnerability scans are performed |
ID.RA-1 | Asset vulnerabilities are identified and documented |
RS.MI-2 | Incidents are mitigated |
RS.MI-1 | Incidents are contained |
ID.RA-3 | Threats, both internal and external, are identified and documented |
PR.IP-12 | A vulnerability management plan is developed and implemented |
PR.PT-4 | Communications and control networks are protected |
PR.IP-3 | Configuration change control processes are in place |
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks |
PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity |
ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk |
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
RS.AN-5 | Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) |
DE.DP-3 | Detection processes are tested |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
- Operating System Configuration: Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.
- Active Directory Configuration: Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.
- Disable or Remove Feature or Program: Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
- Vulnerability Scanning: Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.
- Application Isolation and Sandboxing: Restrict execution of code to a virtual environment on or in transit to an endpoint system.
- Antivirus/Antimalware: Use signatures or heuristics to detect malicious software.
- Audit: Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
- Boot Integrity: Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.
- Update Software: Perform regular software updates to mitigate exploitation risk.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Security functionality verification (SR 3.3), ISA/IEC 62443-3-3:2013
- Denial of service protection (SR 7.1), ISA/IEC 62443-3-3:2013
- Perform a detailed vulnerability assessment (4.2.3.7), ISA/IEC 62443-2-1:2009
- Identify a detailed risk assessment methodology (4.2.3.8), ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Installation of software on operational systems (12.5.1), ISO 27001:2013
- Controls against malware (12.2.1), ISO 27001:2013
- Technical compliance review (18.2.3), ISO 27001:2013
- Management of technical vulnerabilities (12.6.1), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1553.004 | Install Root Certificate | Defense Evasion |
T1546.008 | Accessibility Features | Persistence, Privilege Escalation |
T1563.002 | RDP Hijacking | Lateral Movement |
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
T1556.008 | Network Provider DLL | Credential Access, Defense Evasion, Persistence |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
T1087.001 | Local Account | Discovery |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1092 | Communication Through Removable Media | Command and Control |
T1136 | Create Account | Persistence |
T1003.002 | Security Account Manager | Credential Access |
T1053.002 | At | Execution, Persistence, Privilege Escalation |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1003.005 | Cached Domain Credentials | Credential Access |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1087 | Account Discovery | Discovery |
T1135 | Network Share Discovery | Discovery |
T1003 | OS Credential Dumping | Credential Access |
T1490 | Inhibit System Recovery | Impact |
T1011 | Exfiltration Over Other Network Medium | Exfiltration |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1556.002 | Password Filter DLL | Credential Access, Defense Evasion, Persistence |
T1574.006 | Dynamic Linker Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1552 | Unsecured Credentials | Credential Access |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1548.001 | Setuid and Setgid | Defense Evasion, Privilege Escalation |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1562.003 | Impair Command History Logging | Defense Evasion |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1136.002 | Domain Account | Persistence |
T1087.002 | Domain Account | Discovery |
T1553 | Subvert Trust Controls | Defense Evasion |
T1552.003 | Bash History | Credential Access |
T1003.001 | LSASS Memory | Credential Access |
T1564.002 | Hidden Users | Defense Evasion |
T1036.007 | Double File Extension | Defense Evasion |
T1003.006 | DCSync | Credential Access |
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1558.001 | Golden Ticket | Credential Access |
T1606.002 | SAML Tokens | Credential Access |
T1552.006 | Group Policy Preferences | Credential Access |
T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
T1558 | Steal or Forge Kerberos Tickets | Credential Access |
T1649 | Steal or Forge Authentication Certificates | Credential Access |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1072 | Software Deployment Tools | Execution, Lateral Movement |