NIST CSF: ID.AM-3 Subcategory
From NIST's Cyber Security Framework (version 1):
Organizational communication and data flows are mapped
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Information transfer policies and procedures (13.2.1)
ISO 27001:2013 -
Agreements on information transfer (13.2.2)
ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Identify the industrial automation and control systems (4.2.3.4)
ISA/IEC 62443-2-1:2009
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1090 | Proxy | Command and Control |
| T1132 | Data Encoding | Command and Control |
| T1029 | Scheduled Transfer | Exfiltration |
| T1573 | Encrypted Channel | Command and Control |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1567.002 | Exfiltration to Cloud Storage | Exfiltration |
| T1563.002 | RDP Hijacking | Lateral Movement |
| T1136.002 | Domain Account | Persistence |
| T1567.001 | Exfiltration to Code Repository | Exfiltration |
| T1071.004 | DNS | Command and Control |
| T1204.003 | Malicious Image | Execution |
| T1095 | Non-Application Layer Protocol | Command and Control |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1211 | Exploitation for Defense Evasion | Defense Evasion |
| T1102.002 | Bidirectional Communication | Command and Control |
| T1602.002 | Network Device Configuration Dump | Collection |
| T1566 | Phishing | Initial Access |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1499.004 | Application or System Exploitation | Impact |
| T1547.003 | Time Providers | Persistence, Privilege Escalation |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1205.002 | Socket Filters | Command and Control, Defense Evasion, Persistence |
| T1136.003 | Cloud Account | Persistence |
| T1001.003 | Protocol Impersonation | Command and Control |
| T1071.003 | Mail Protocols | Command and Control |
| T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
| T1609 | Container Administration Command | Execution |
| T1204.001 | Malicious Link | Execution |
| T1030 | Data Transfer Size Limits | Exfiltration |
| T1559.001 | Component Object Model | Execution |
| T1559.002 | Dynamic Data Exchange | Execution |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1573.002 | Asymmetric Cryptography | Command and Control |
| T1104 | Multi-Stage Channels | Command and Control |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1499 | Endpoint Denial of Service | Impact |
| T1114.003 | Email Forwarding Rule | Collection |
| T1090.002 | External Proxy | Command and Control |
| T1498 | Network Denial of Service | Impact |
| T1003 | OS Credential Dumping | Credential Access |
| T1071.002 | File Transfer Protocols | Command and Control |
| T1552.005 | Cloud Instance Metadata API | Credential Access |
| T1132.002 | Non-Standard Encoding | Command and Control |
| T1189 | Drive-by Compromise | Initial Access |
| T1132.001 | Standard Encoding | Command and Control |
| T1114 | Email Collection | Collection |
| T1213.002 | Sharepoint | Collection |
| T1565.003 | Runtime Data Manipulation | Impact |
| T1573.001 | Symmetric Cryptography | Command and Control |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1001 | Data Obfuscation | Command and Control |
| T1565 | Data Manipulation | Impact |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1098 | Account Manipulation | Persistence, Privilege Escalation |
| T1136 | Create Account | Persistence |
| T1187 | Forced Authentication | Credential Access |
| T1213 | Data from Information Repositories | Collection |
| T1499.001 | OS Exhaustion Flood | Impact |
| T1114.001 | Local Email Collection | Collection |
| T1572 | Protocol Tunneling | Command and Control |
| T1505.004 | IIS Components | Persistence |
| T1071.001 | Web Protocols | Command and Control |
| T1566.003 | Spearphishing via Service | Initial Access |
| T1008 | Fallback Channels | Command and Control |
| T1499.002 | Service Exhaustion Flood | Impact |
| T1568 | Dynamic Resolution | Command and Control |
| T1021.005 | VNC | Lateral Movement |
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1001.002 | Steganography | Command and Control |
| T1114.002 | Remote Email Collection | Collection |
| T1020.001 | Traffic Duplication | Exfiltration |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1622 | Debugger Evasion | Defense Evasion, Discovery |
| T1102 | Web Service | Command and Control |
| T1102.001 | Dead Drop Resolver | Command and Control |
| T1090.001 | Internal Proxy | Command and Control |
| T1219 | Remote Access Software | Command and Control |
| T1571 | Non-Standard Port | Command and Control |
| T1552 | Unsecured Credentials | Credential Access |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1218.012 | Verclsid | Defense Evasion |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1499.003 | Application Exhaustion Flood | Impact |
| T1489 | Service Stop | Impact |
| T1213.001 | Confluence | Collection |
| T1559 | Inter-Process Communication | Execution |
| T1203 | Exploitation for Client Execution | Execution |
| T1102.003 | One-Way Communication | Command and Control |
| T1001.001 | Junk Data | Command and Control |
| T1090.003 | Multi-hop Proxy | Command and Control |
| T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1568.002 | Domain Generation Algorithms | Command and Control |
| T1071 | Application Layer Protocol | Command and Control |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
| T1564.008 | Email Hiding Rules | Defense Evasion |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1498.001 | Direct Network Flood | Impact |
| T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
| T1552.001 | Credentials In Files | Credential Access |
| T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
| T1003.006 | DCSync | Credential Access |
| T1537 | Transfer Data to Cloud Account | Exfiltration |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1498.002 | Reflection Amplification | Impact |
| T1557.003 | DHCP Spoofing | Collection, Credential Access |
| T1204.002 | Malicious File | Execution |
| T1204 | User Execution | Execution |
| T1611 | Escape to Host | Privilege Escalation |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1598.003 | Spearphishing Link | Reconnaissance |
| T1566.002 | Spearphishing Link | Initial Access |
| T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1552.007 | Container API | Credential Access |
| T1530 | Data from Cloud Storage | Collection |
| T1528 | Steal Application Access Token | Credential Access |
| T1482 | Domain Trust Discovery | Discovery |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1199 | Trusted Relationship | Initial Access |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1046 | Network Service Discovery | Discovery |
| T1003.001 | LSASS Memory | Credential Access |
| T1602.001 | SNMP (MIB Dump) | Collection |
| T1602 | Data from Configuration Repository | Collection |
| T1601.002 | Downgrade System Image | Defense Evasion |
| T1601.001 | Patch System Image | Defense Evasion |
| T1601 | Modify System Image | Defense Evasion |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1598.002 | Spearphishing Attachment | Reconnaissance |
| T1598.001 | Spearphishing Service | Reconnaissance |
| T1598 | Phishing for Information | Reconnaissance |
| T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
| T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
| Control ID | Name | Description |
|---|---|---|
| B3.a | Understanding Data | You have a good understanding of data important to the operation of the essential function, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This also applies to third parties storing or accessing data important to the operation of essential functions. |
| B3.b | Data in Transit | You have protected the transit of data important to the operation of the essential function. This includes the transfer of data to third parties. |
| A4.a | Supply Chain | The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used. |