CAF Outcome B6.b: Cyber Security Training

From the UK NCSC's Cyber Assessment Framework (version 3.1):

The people who support the operation of your essential function are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed.

NCSC CAF Mapped to NIST CSF

Mappings from B6.b: Cyber Security Training to NIST CSF, generated from the UK Cabinet Office table.

| Control ID | Description |
|---|---|
| DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability |
| PR.AT-2 | Privileged users understand their roles and responsibilities |
| PR.AT-4 | Senior executives understand their roles and responsibilities |
| PR.AT-5 | Physical and cybersecurity personnel understand their roles and responsibilities |
| PR.AT-1 | All users are informed and trained |
| PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) |

ATT&CK Mitigations

MITRE ATT&CK mitigations which map to this CAF outcome, based on mappings by Ofgem.

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Develop a training program (4.3.2.4.1)
    ISA/IEC 62443-2-1:2009
  • Provide procedure and facility training (4.3.2.4.2)
    ISA/IEC 62443-2-1:2009
  • Maintain employee training record (4.3.2.4.6)
    ISA/IEC 62443-2-1:2009
  • Provide risk assessment background information (4.2.3.2)
    ISA/IEC 62443-2-1:2009
  • Revise the training program over time (4.3.2.4.5)
    ISA/IEC 62443-2-1:2009
  • Validate the training program (4.3.2.4.4)
    ISA/IEC 62443-2-1:2009
  • Provide training for support personnel (4.3.2.4.3)
    ISA/IEC 62443-2-1:2009

Related ISO 27001 Controls

Clauses and controls from ISO 27001 (2013) which are related to this CAF outcome, taken from mappings by Ofgem.

  • Controls against malware (12.2.1)
    ISO 27001:2013
  • Termination or change of employment responsibilities (7.3.1)
    ISO 27001:2013
  • Information security, awareness, education, and training (7.2.2)
    ISO 27001:2013
  • Clear desk and clear screen policy (11.2.9)
    ISO 27001:2013

Related SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on the above mappings to ATT&CK mitigations by Ofgem.

| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1559.003 | XPC Services | Execution |
| T1593 | Search Open Websites/Domains | Reconnaissance |
| T1647 | Plist File Modification | Defense Evasion |
| T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1559 | Inter-Process Communication | Execution |
| T1593.003 | Code Repositories | Reconnaissance |
| T1564.009 | Resource Forking | Defense Evasion |
| T1621 | Multi-Factor Authentication Request Generation | Credential Access |
| T1204.003 | Malicious Image | Execution |
| T1213.003 | Code Repositories | Collection |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1036.007 | Double File Extension | Defense Evasion |
| T1552.008 | Chat Messages | Credential Access |
| T1003.001 | LSASS Memory | Credential Access |
| T1003.003 | NTDS | Credential Access |
| T1598.004 | Spearphishing Voice | Reconnaissance |
| T1566.002 | Spearphishing Link | Initial Access |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1185 | Browser Session Hijacking | Collection |
| T1204.002 | Malicious File | Execution |
| T1111 | Multi-Factor Authentication Interception | Credential Access |
| T1213 | Data from Information Repositories | Collection |
| T1598.001 | Spearphishing Service | Reconnaissance |
| T1552 | Unsecured Credentials | Credential Access |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1598 | Phishing for Information | Reconnaissance |
| T1566 | Phishing | Initial Access |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1221 | Template Injection | Defense Evasion |
| T1003.004 | LSA Secrets | Credential Access |
| T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
| T1528 | Steal Application Access Token | Credential Access |
| T1656 | Impersonation | Defense Evasion |
| T1204 | User Execution | Execution |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1213.002 | Sharepoint | Collection |
| T1204.001 | Malicious Link | Execution |
| T1657 | Financial Theft | Impact |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1213.001 | Confluence | Collection |
| T1003 | OS Credential Dumping | Credential Access |
| T1566.003 | Spearphishing via Service | Initial Access |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1056.002 | GUI Input Capture | Collection, Credential Access |
| T1566.004 | Spearphishing Voice | Initial Access |
| T1036 | Masquerading | Defense Evasion |
| T1003.002 | Security Account Manager | Credential Access |
| T1598.002 | Spearphishing Attachment | Reconnaissance |
| T1598.003 | Spearphishing Link | Reconnaissance |
| T1176 | Browser Extensions | Persistence |
| T1552.001 | Credentials In Files | Credential Access |