CAF Outcome B4.a: Secure by Design
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
NCSC CAF Mapped to NIST CSF
B4.a: Secure by Design to CSF mappings generated from UK Cabinet Office table.
| Control ID | Description |
|---|---|
| PR.PT-4 | Communications and control networks are protected |
| PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations |
| DE.CM-4 | Malicious code is detected |
| RS.MI-2 | Incidents are mitigated |
| PR.DS-5 | Protections against data leaks are implemented |
| PR.DS-1 | Data-at-rest is protected |
| PR.DS-2 | Data-in-transit is protected |
| DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
| PR.DS-7 | The development and testing environment(s) are separate from the production environment |
| DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
| RS.MI-1 | Incidents are contained |
| PR.IP-2 | A System Development Life Cycle to manage systems is implemented |
| PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity |
| PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation) |
| DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Remote Data Storage
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.Limit Access to Resource Over Network
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
-
Application partitioning (SR 5.4)
ISA/IEC 62443-3-3:2013 -
Zone boundary protection (SR 5.2)
ISA/IEC 62443-3-3:2013 -
Authenticator feedback (SR 1.10)
ISA/IEC 62443-3-3:2013 -
Malicious code protection (SR 3.2)
ISA/IEC 62443-3-3:2013 -
Network segmentation (SR 5.1)
ISA/IEC 62443-3-3:2013 -
Employ isolation or segmentation on high-risk IACS (4.3.3.4.2)
ISA/IEC 62443-2-1:2009 -
Develop the network segmentation architecture (4.3.3.4.1)
ISA/IEC 62443-2-1:2009 -
Develop Simple Network Diagrams (4.2.3.5)
ISA/IEC 62443-2-1:2009 -
Block non-essential communications with barrier devices (4.3.3.4.3)
ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
-
Segregation in networks (13.1.3)
ISO 27001:2013 -
Information security in project management (6.1.5)
ISO 27001:2013 -
Separation of development, testing, and operational environments (12.1.4)
ISO 27001:2013
Related SP800-53 Controls
Generated from NISTs SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1119 | Automated Collection | Collection |
| T1070.003 | Clear Command History | Defense Evasion |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1565 | Data Manipulation | Impact |
| T1565.001 | Stored Data Manipulation | Impact |
| T1070 | Indicator Removal | Defense Evasion |
| T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
| T1070.009 | Clear Persistence | Defense Evasion |
| T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
| T1070.001 | Clear Windows Event Logs | Defense Evasion |
| T1070.008 | Clear Mailbox Data | Defense Evasion |
| T1499.003 | Application Exhaustion Flood | Impact |
| T1090.003 | Multi-hop Proxy | Command and Control |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1219 | Remote Access Software | Command and Control |
| T1205.002 | Socket Filters | Command and Control, Defense Evasion, Persistence |
| T1021.005 | VNC | Lateral Movement |
| T1498.001 | Direct Network Flood | Impact |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1602.002 | Network Device Configuration Dump | Collection |
| T1498 | Network Denial of Service | Impact |
| T1499.002 | Service Exhaustion Flood | Impact |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1071.004 | DNS | Command and Control |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1498.002 | Reflection Amplification | Impact |
| T1095 | Non-Application Layer Protocol | Command and Control |
| T1552 | Unsecured Credentials | Credential Access |
| T1602 | Data from Configuration Repository | Collection |
| T1218.012 | Verclsid | Defense Evasion |
| T1187 | Forced Authentication | Credential Access |
| T1499.004 | Application or System Exploitation | Impact |
| T1499 | Endpoint Denial of Service | Impact |
| T1499.001 | OS Exhaustion Flood | Impact |
| T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
| T1557.003 | DHCP Spoofing | Collection, Credential Access |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1572 | Protocol Tunneling | Command and Control |
| T1552.005 | Cloud Instance Metadata API | Credential Access |
| T1090 | Proxy | Command and Control |
| T1602.001 | SNMP (MIB Dump) | Collection |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1537 | Transfer Data to Cloud Account | Exfiltration |
| T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |