NIST CSF: DE.CM-3 Subcategory
From NIST's Cyber Security Framework (version 1):
Personnel activity is monitored to detect potential cybersecurity events
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Event Logging (12.4.1)
ISO 27001:2013 -
Administrator and operator logs (12.4.3)
ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Continuous monitoring (SR 6.2)
ISA/IEC 62443-3-3:2013
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1559.002 | Dynamic Data Exchange | Execution |
| T1562.009 | Safe Mode Boot | Defense Evasion |
| T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
| T1553 | Subvert Trust Controls | Defense Evasion |
| T1546.008 | Accessibility Features | Persistence, Privilege Escalation |
| T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
| T1559 | Inter-Process Communication | Execution |
| T1562.006 | Indicator Blocking | Defense Evasion |
| T1553.004 | Install Root Certificate | Defense Evasion |
| T1552.001 | Credentials In Files | Credential Access |
| T1090.001 | Internal Proxy | Command and Control |
| T1036.003 | Rename System Utilities | Defense Evasion |
| T1552 | Unsecured Credentials | Credential Access |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1528 | Steal Application Access Token | Credential Access |
| T1218.011 | Rundll32 | Defense Evasion |
| T1059.007 | JavaScript | Execution |
| T1071.004 | DNS | Command and Control |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1564.004 | NTFS File Attributes | Defense Evasion |
| T1218 | System Binary Proxy Execution | Defense Evasion |
| T1499.001 | OS Exhaustion Flood | Impact |
| T1569 | System Services | Execution |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1037.005 | Startup Items | Persistence, Privilege Escalation |
| T1189 | Drive-by Compromise | Initial Access |
| T1008 | Fallback Channels | Command and Control |
| T1557.003 | DHCP Spoofing | Collection, Credential Access |
| T1571 | Non-Standard Port | Command and Control |
| T1001.001 | Junk Data | Command and Control |
| T1003.006 | DCSync | Credential Access |
| T1218.012 | Verclsid | Defense Evasion |
| T1201 | Password Policy Discovery | Discovery |
| T1003.002 | Security Account Manager | Credential Access |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1110.003 | Password Spraying | Credential Access |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1555 | Credentials from Password Stores | Credential Access |
| T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
| T1499 | Endpoint Denial of Service | Impact |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
| T1132.002 | Non-Standard Encoding | Command and Control |
| T1562.002 | Disable Windows Event Logging | Defense Evasion |
| T1552.002 | Credentials in Registry | Credential Access |
| T1566.002 | Spearphishing Link | Initial Access |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
| Control ID | Name | Description |
|---|---|---|
| B2.c | Privileged User Management | You closely manage privileged user access to networks and information systems supporting the essential function. |
| B2.d | Identity and Access Management (IdAM) | You closely manage and maintain identity and access control for users, devices and systems accessing the networks and information systems supporting the essential function. |
| C1.c | Generating Alerts | Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts. |
| C1.a | Monitoring Coverage | The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function. |
| C1.b | Securing Logs | You hold logging da ta securely and grant read access only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted. |