CAF Outcome B6.b: Cyber Security Training
From the UK NCSC's Cyber Assessment Framework (version 3.1):
The people who support the operation of your essential function are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
NCSC CAF Mapped to NIST CSF
B6.b: Cyber Security Training to CSF mappings generated from UK Cabinet Office table.
| Control ID | Description |
|---|---|
| DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability |
| PR.AT-2 | Privileged users understand their roles and responsibilities |
| PR.AT-4 | Senior executives understand their roles and responsibilities |
| PR.AT-5 | Physical and cybersecurity personnel understand their roles and responsibilities |
| PR.AT-1 | All users are informed and trained |
| PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) |
ATT&CK Mitigations
MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.
Application Developer Guidance
This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.User Training
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.
-
Develop a training program (4.3.2.4.1)
ISA/IEC 62443-2-1:2009 -
Provide procedure and facility training (4.3.2.4.2)
ISA/IEC 62443-2-1:2009 -
Maintain employee training record (4.3.2.4.6)
ISA/IEC 62443-2-1:2009 -
Provide risk assessment background information (4.2.3.2)
ISA/IEC 62443-2-1:2009 -
Revise the training program over time (4.3.2.4.5)
ISA/IEC 62443-2-1:2009 -
Validate the training program (4.3.2.4.4)
ISA/IEC 62443-2-1:2009 -
Provide training for support personnel (4.3.2.4.3)
ISA/IEC 62443-2-1:2009
Related ISO 27001 Controls
Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.
-
Controls against malware (12.2.1)
ISO 27001:2013 -
Termination or change of employment responsibilities (7.3.1)
ISO 27001:2013 -
Information security, awareness, education, and training (7.2.2)
ISO 27001:2013 -
Clear desk and clear screen policy (11.2.9)
ISO 27001:2013
Related SP800-53 Controls
Generated from NISTs SP800-53/CSF Crosswalk mappings.
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1559.003 | XPC Services | Execution |
| T1593 | Search Open Websites/Domains | Reconnaissance |
| T1647 | Plist File Modification | Defense Evasion |
| T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1559 | Inter-Process Communication | Execution |
| T1593.003 | Code Repositories | Reconnaissance |
| T1564.009 | Resource Forking | Defense Evasion |
| T1621 | Multi-Factor Authentication Request Generation | Credential Access |
| T1204.003 | Malicious Image | Execution |
| T1213.003 | Code Repositories | Collection |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1036.007 | Double File Extension | Defense Evasion |
| T1552.008 | Chat Messages | Credential Access |
| T1003.001 | LSASS Memory | Credential Access |
| T1003.003 | NTDS | Credential Access |
| T1598.004 | Spearphishing Voice | Reconnaissance |
| T1566.002 | Spearphishing Link | Initial Access |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1185 | Browser Session Hijacking | Collection |
| T1204.002 | Malicious File | Execution |
| T1111 | Multi-Factor Authentication Interception | Credential Access |
| T1213 | Data from Information Repositories | Collection |
| T1598.001 | Spearphishing Service | Reconnaissance |
| T1552 | Unsecured Credentials | Credential Access |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1598 | Phishing for Information | Reconnaissance |
| T1566 | Phishing | Initial Access |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1221 | Template Injection | Defense Evasion |
| T1003.004 | LSA Secrets | Credential Access |
| T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
| T1528 | Steal Application Access Token | Credential Access |
| T1656 | Impersonation | Defense Evasion |
| T1204 | User Execution | Execution |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1213.002 | Sharepoint | Collection |
| T1204.001 | Malicious Link | Execution |
| T1657 | Financial Theft | Impact |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1213.001 | Confluence | Collection |
| T1003 | OS Credential Dumping | Credential Access |
| T1566.003 | Spearphishing via Service | Initial Access |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1056.002 | GUI Input Capture | Collection, Credential Access |
| T1566.004 | Spearphishing Voice | Initial Access |