NIST CSF: RS.AN-1 Subcategory
From NIST's Cyber Security Framework (version 1):
Notifications from detection systems are investigated
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Event Logging (12.4.1), ISO 27001:2013
- Response to information security incidents (16.1.5), ISO 27001:2013
- Administrator and operator logs (12.4.3), ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Identify failed and successful cyber security breaches (4.3.4.5.7), ISA/IEC 62443-2-1:2009
- Audit log accessibility (SR 6.1), ISA/IEC 62443-3-3:2013
- Document the details of incidents (4.3.4.5.8), ISA/IEC 62443-2-1:2009
- Identify and respond to incidents (4.3.4.5.6), ISA/IEC 62443-2-1:2009
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1564.008 | Email Hiding Rules | Defense Evasion |
T1552.001 | Credentials In Files | Credential Access |
T1090.001 | Internal Proxy | Command and Control |
T1036.003 | Rename System Utilities | Defense Evasion |
T1552 | Unsecured Credentials | Credential Access |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1528 | Steal Application Access Token | Credential Access |
T1218.011 | Rundll32 | Defense Evasion |
T1059.007 | JavaScript | Execution |
T1071.004 | DNS | Command and Control |
T1003.005 | Cached Domain Credentials | Credential Access |
T1564.004 | NTFS File Attributes | Defense Evasion |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1499.001 | OS Exhaustion Flood | Impact |
T1569 | System Services | Execution |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1037.005 | Startup Items | Persistence, Privilege Escalation |
T1189 | Drive-by Compromise | Initial Access |
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
T1008 | Fallback Channels | Command and Control |
T1557.003 | DHCP Spoofing | Collection, Credential Access |
T1571 | Non-Standard Port | Command and Control |
T1001.001 | Junk Data | Command and Control |
T1003.006 | DCSync | Credential Access |
T1218.012 | Verclsid | Defense Evasion |
T1201 | Password Policy Discovery | Discovery |
T1003.002 | Security Account Manager | Credential Access |
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
T1110.003 | Password Spraying | Credential Access |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1555 | Credentials from Password Stores | Credential Access |
T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
T1499 | Endpoint Denial of Service | Impact |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
T1132.002 | Non-Standard Encoding | Command and Control |
T1562.002 | Disable Windows Event Logging | Defense Evasion |
T1552.002 | Credentials in Registry | Credential Access |
T1566.002 | Spearphishing Link | Initial Access |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1602 | Data from Configuration Repository | Collection |
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1563.001 | SSH Hijacking | Lateral Movement |
T1566.003 | Spearphishing via Service | Initial Access |
T1599 | Network Boundary Bridging | Defense Evasion |
T1080 | Taint Shared Content | Lateral Movement |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
Control ID | Name | Description |
---|---|---|
B2.c | Privileged User Management | You closely manage privileged user access to networks and information systems supporting the essential function. |
C1.c | Generating Alerts | Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts. |
B2.d | Identity and Access Management (IdAM) | You closely manage and maintain identity and access control for users, devices and systems accessing the networks and information systems supporting the essential function. |
C1.e | Monitoring Tools and Skills | Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect. |