CAF Outcome B4.a: Secure by Design
From the UK NCSC's Cyber Assessment Framework (version 3.1):
You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability.
NCSC CAF Mapped to NIST CSF
Mappings from B4.a: Secure by Design to NIST CSF (v1.1) subcategories, generated from the UK Cabinet Office mapping table.
Control ID | Description |
---|---|
PR.PT-4 | Communications and control networks are protected |
PR.PT-5 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations |
DE.CM-4 | Malicious code is detected |
RS.MI-2 | Incidents are mitigated |
PR.DS-5 | Protections against data leaks are implemented |
PR.DS-1 | Data-at-rest is protected |
PR.DS-2 | Data-in-transit is protected |
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
PR.DS-7 | The development and testing environment(s) are separate from the production environment |
DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
RS.MI-1 | Incidents are contained |
PR.IP-2 | A System Development Life Cycle to manage systems is implemented |
PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity |
PR.AC-5 | Network integrity is protected (e.g., network segregation, network segmentation) |
DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Remote Data Storage
Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.
Filter Network Traffic
Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.
Limit Access to Resource Over Network
Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.
Network Segmentation
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services...
Code Signing
Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
- Application partitioning (SR 5.4), ISA/IEC 62443-3-3:2013
- Zone boundary protection (SR 5.2), ISA/IEC 62443-3-3:2013
- Authenticator feedback (SR 1.10), ISA/IEC 62443-3-3:2013
- Malicious code protection (SR 3.2), ISA/IEC 62443-3-3:2013
- Network segmentation (SR 5.1), ISA/IEC 62443-3-3:2013
- Employ isolation or segmentation on high-risk IACS (4.3.3.4.2), ISA/IEC 62443-2-1:2009
- Develop the network segmentation architecture (4.3.3.4.1), ISA/IEC 62443-2-1:2009
- Develop simple network diagrams (4.2.3.5), ISA/IEC 62443-2-1:2009
- Block non-essential communications with barrier devices (4.3.3.4.3), ISA/IEC 62443-2-1:2009
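The Network Segmentation, Filter Network Traffic and Limit Access mitigations above and the IEC 62443 zone controls just listed (SR 5.1, SR 5.2, 4.3.3.4.3) all reduce to one design artefact: a zone model with an explicit, directional allowlist of conduits, against which observed connections can be checked (this is also the baseline of expected data flows that DE.AE-1 asks for). The Go program below is a worked example added for this page; it is not code from NCSC, Ofgem or any product. The zone names, address ranges, conduits and connection records are constructed, and permitting intra-zone traffic by default is an assumption of the model, not a requirement of any of the standards.

```go
package main

import (
	"fmt"
	"net"
)

// Zone is a network segment (an IEC 62443 "zone") identified by an address range.
type Zone struct {
	Name string
	Net  *net.IPNet
}

// Conduit is an explicitly permitted, directional cross-zone flow (an IEC 62443 "conduit").
type Conduit struct {
	From, To, Proto string
	Port            int
}

// Flow is one connection attempt as a boundary firewall or flow record reports it; only the
// initiating direction is evaluated, return traffic being the stateful firewall's job.
type Flow struct {
	Src, Dst, Proto string
	Port            int
}

type Policy struct {
	Zones    []Zone           // list most-specific ranges first if they overlap
	Conduits map[Conduit]bool // cross-zone flows not listed here are denied
}

func zone(name, cidr string) Zone {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err)
	}
	return Zone{name, n}
}

// ZoneOf returns the first zone containing ip, or "" for an address outside every zone.
func (p *Policy) ZoneOf(ip string) string {
	addr := net.ParseIP(ip)
	for _, z := range p.Zones {
		if addr != nil && z.Net.Contains(addr) {
			return z.Name
		}
	}
	return ""
}

// Evaluate returns "allow" or a "deny:<reason>" verdict for one flow.
func (p *Policy) Evaluate(f Flow) string {
	src, dst := p.ZoneOf(f.Src), p.ZoneOf(f.Dst)
	switch {
	case src == "" || dst == "":
		// The internet or an undocumented asset: either one contradicts the zone model.
		return "deny:unknown-zone"
	case src == dst:
		return "allow" // intra-zone traffic is permitted by default here (an assumption)
	case p.Conduits[Conduit{src, dst, f.Proto, f.Port}]:
		return "allow"
	default:
		return "deny:no-conduit"
	}
}

// SamplePolicy is a constructed zone model: an enterprise network, a DMZ that brokers all
// access, and control and safety networks that enterprise hosts must never reach directly.
func SamplePolicy() *Policy {
	return &Policy{
		Zones: []Zone{
			zone("enterprise", "10.0.0.0/16"), zone("dmz", "10.1.0.0/24"),
			zone("control", "192.168.10.0/24"), zone("safety", "192.168.20.0/24"),
		},
		Conduits: map[Conduit]bool{
			{"enterprise", "dmz", "tcp", 443}: true, // users read the historian mirror in the DMZ
			{"dmz", "control", "tcp", 4840}:   true, // the mirror polls OPC UA from the control zone
			{"dmz", "control", "tcp", 3389}:   true, // the DMZ jump host is the only RDP path into control
		},
	}
}

// SampleFlows are constructed connection records, not data from any real network.
func SampleFlows() []Flow {
	return []Flow{
		{"10.0.5.12", "10.1.0.20", "tcp", 443},        // allowed: user -> DMZ historian mirror
		{"10.1.0.20", "192.168.10.7", "tcp", 4840},    // allowed: DMZ -> control over OPC UA
		{"192.168.10.7", "192.168.10.9", "udp", 2222}, // allowed: traffic inside the control zone
		{"10.0.5.12", "192.168.10.7", "tcp", 4840},    // denied: workstation bypassing the DMZ
		{"192.168.10.7", "8.8.8.8", "udp", 53},        // denied: control device reaching the internet
		{"192.168.10.7", "192.168.20.5", "tcp", 502},  // denied: no conduit from control to safety
	}
}

func main() {
	p := SamplePolicy()
	for _, f := range SampleFlows() {
		fmt.Printf("%-14s -> %-14s %s/%-4d %s\n", f.Src, f.Dst, f.Proto, f.Port, p.Evaluate(f))
	}
}
```

Run against the constructed records, three of the six flows are denied, each with its reason. The same evaluation applies to firewall or NetFlow exports from a real boundary: a cross-zone connection with no conduit is either a missing line in the design or a boundary bypass (T1599 in the technique table below), and an address outside every zone means an undocumented asset or internet traffic from a zone that should have none. Conduits are directional, so the reverse of a permitted flow is still denied; return packets are the stateful firewall's concern, not the model's.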
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
- Segregation in networks (13.1.3), ISO 27001:2013
- Information security in project management (6.1.5), ISO 27001:2013
- Separation of development, testing, and operational environments (12.1.4), ISO 27001:2013
Related SP800-53 Controls
Generated from NIST's SP 800-53/CSF crosswalk mappings.
MITRE ATT&CK Techniques
MITRE ATT&CK techniques this outcome helps protect against, derived from the mappings to ATT&CK mitigations by Ofgem listed above.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1119 | Automated Collection | Collection |
T1070.003 | Clear Command History | Defense Evasion |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1565 | Data Manipulation | Impact |
T1565.001 | Stored Data Manipulation | Impact |
T1070 | Indicator Removal | Defense Evasion |
T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
T1070.009 | Clear Persistence | Defense Evasion |
T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1070.008 | Clear Mailbox Data | Defense Evasion |
T1499.003 | Application Exhaustion Flood | Impact |
T1090.003 | Multi-hop Proxy | Command and Control |
T1599.001 | Network Address Translation Traversal | Defense Evasion |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
T1219 | Remote Access Software | Command and Control |
T1205.002 | Socket Filters | Command and Control, Defense Evasion, Persistence |
T1021.005 | VNC | Lateral Movement |
T1498.001 | Direct Network Flood | Impact |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1602.002 | Network Device Configuration Dump | Collection |
T1498 | Network Denial of Service | Impact |
T1499.002 | Service Exhaustion Flood | Impact |
T1599 | Network Boundary Bridging | Defense Evasion |
T1071.004 | DNS | Command and Control |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1498.002 | Reflection Amplification | Impact |
T1095 | Non-Application Layer Protocol | Command and Control |
T1552 | Unsecured Credentials | Credential Access |
T1602 | Data from Configuration Repository | Collection |
T1218.012 | Verclsid | Defense Evasion |
T1187 | Forced Authentication | Credential Access |
T1499.004 | Application or System Exploitation | Impact |
T1499 | Endpoint Denial of Service | Impact |
T1499.001 | OS Exhaustion Flood | Impact |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1557.003 | DHCP Spoofing | Collection, Credential Access |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1572 | Protocol Tunneling | Command and Control |
T1552.005 | Cloud Instance Metadata API | Credential Access |
T1090 | Proxy | Command and Control |
T1602.001 | SNMP (MIB Dump) | Collection |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
T1530 | Data from Cloud Storage | Collection |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1563.002 | RDP Hijacking | Lateral Movement |
T1552.007 | Container API | Credential Access |
T1133 | External Remote Services | Initial Access, Persistence |
T1609 | Container Administration Command | Execution |
T1200 | Hardware Additions | Initial Access |
T1546.008 | Accessibility Features | Persistence, Privilege Escalation |
T1610 | Deploy Container | Defense Evasion, Execution |
T1613 | Container and Resource Discovery | Discovery |
T1612 | Build Image on Host | Defense Evasion |
T1190 | Exploit Public-Facing Application | Initial Access |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
T1040 | Network Sniffing | Credential Access, Discovery |
T1571 | Non-Standard Port | Command and Control |
T1199 | Trusted Relationship | Initial Access |
T1136.003 | Cloud Account | Persistence |
T1021.003 | Distributed Component Object Model | Lateral Movement |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1136 | Create Account | Persistence |
T1482 | Domain Trust Discovery | Discovery |
T1565.003 | Runtime Data Manipulation | Impact |
T1046 | Network Service Discovery | Discovery |
T1021.006 | Windows Remote Management | Lateral Movement |
T1489 | Service Stop | Impact |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1136.002 | Domain Account | Persistence |
T1505 | Server Software Component | Persistence |
T1554 | Compromise Client Software Binary | Persistence |
T1505.001 | SQL Stored Procedures | Persistence |
T1601.002 | Downgrade System Image | Defense Evasion |
T1059 | Command and Scripting Interpreter | Execution |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1059.001 | PowerShell | Execution |
T1525 | Implant Internal Image | Persistence |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
T1036.001 | Invalid Code Signature | Defense Evasion |
T1059.002 | AppleScript | Execution |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1505.002 | Transport Agent | Persistence |
T1601 | Modify System Image | Defense Evasion |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1601.001 | Patch System Image | Defense Evasion |
T1505.004 | IIS Components | Persistence |
T1204.003 | Malicious Image | Execution |
T1036 | Masquerading | Defense Evasion |
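Several techniques in this table, including T1554 Compromise Client Software Binary, T1036.001 Invalid Code Signature, T1204.003 Malicious Image and T1525 Implant Internal Image, are what the Code Signing mitigation above (and PR.DS-6 integrity checking in the CSF mapping) is meant to stop: untrusted code has to fail verification before it is allowed to run. The Go program below is a worked example added for this page, not code from NCSC, Ofgem, MITRE or any vendor. The manifest layout, the artifact names and the stand-in "binary" are constructed assumptions, and Ed25519 stands in for whatever signature scheme a real platform uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest binds an artifact's digest to its identity. Signing the manifest rather than the
// bare digest stops a valid signature being replayed against a different artifact.
// (This layout is an assumption for the example, not any vendor's signing format.)
type Manifest struct {
	Name, Version string
	Digest        [sha256.Size]byte
}

// bytes serialises the manifest with length prefixes so field boundaries cannot be shifted.
func (m Manifest) bytes() []byte {
	var b []byte
	for _, f := range [][]byte{[]byte(m.Name), []byte(m.Version), m.Digest[:]} {
		b = append(b, byte(len(f)>>8), byte(len(f)))
		b = append(b, f...)
	}
	return b
}

var (
	ErrDigestMismatch = errors.New("binary does not match the signed digest")
	ErrUntrusted      = errors.New("signature is not valid under any trusted publisher key")
)

// Sign is the release pipeline's side: hash the binary and sign the manifest describing it.
func Sign(priv ed25519.PrivateKey, name, version string, binary []byte) (Manifest, []byte) {
	m := Manifest{Name: name, Version: version, Digest: sha256.Sum256(binary)}
	return m, ed25519.Sign(priv, m.bytes())
}

// Verify is the host's side: recompute the digest, then require a signature from a key in
// the trust store. A nil return is the only condition under which the binary may execute.
func Verify(trusted []ed25519.PublicKey, m Manifest, sig, binary []byte) error {
	if sha256.Sum256(binary) != m.Digest {
		return ErrDigestMismatch
	}
	for _, pub := range trusted {
		if ed25519.Verify(pub, m.bytes(), sig) {
			return nil
		}
	}
	return ErrUntrusted
}

// Demo generates a publisher key, signs a constructed stand-in binary, and exercises the
// genuine case plus three ways an attacker might try to get untrusted code executed.
func Demo() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // attacker's key, absent from the trust store
	trusted := []ed25519.PublicKey{pub}
	binary := []byte("constructed stand-in for a release binary, not a real executable")

	m, sig := Sign(priv, "pump-controller", "2.4.1", binary)
	results := map[string]error{"genuine": Verify(trusted, m, sig, binary)}

	// 1. Tampered binary shipped with the original manifest and signature.
	tampered := append([]byte(nil), binary...)
	tampered[0] ^= 0xff
	results["tampered binary"] = Verify(trusted, m, sig, tampered)

	// 2. Manifest digest patched to match the tampered binary; the signature no longer
	//    covers these manifest bytes, so the failure moves from the digest to the signature.
	forged := m
	forged.Digest = sha256.Sum256(tampered)
	results["forged manifest"] = Verify(trusted, forged, sig, tampered)

	// 3. Tampered binary re-signed end to end with a key the host does not trust.
	rm, rsig := Sign(rogue, "pump-controller", "2.4.1", tampered)
	results["untrusted signer"] = Verify(trusted, rm, rsig, tampered)
	return results
}

func main() {
	for name, err := range Demo() {
		verdict := "run"
		if err != nil {
			verdict = "refuse: " + err.Error()
		}
		fmt.Printf("%-17s %s\n", name, verdict)
	}
}
```

The genuine build verifies; a tampered binary fails the digest check; patching the manifest digest to match moves the failure to the signature; and re-signing with a key outside the trust store fails too. The gate is only as strong as the trust store and the loader's rule that anything Verify rejects does not run. It also says nothing about whether the signed version is the current one, so rolling back to an older, still validly signed build (T1601.002 Downgrade System Image) needs a separate version or revocation policy on top of signature verification.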