NIST CSF: PR.DS-5 Subcategory

From NIST's Cyber Security Framework (version 1):

Protections against data leaks are implemented

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

CSF Mapped to SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

Node
PE-19: Information Leakage
SC-31: Covert Channel Analysis
AC-5: Separation of Duties
AC-6: Least Privilege
AC-4: Information Flow Enforcement
SI-4: System Monitoring
SC-7: Boundary Protection
PS-6: Access Agreements
SC-13: Cryptographic Protection
SC-8: Transmission Confidentiality and Integrity
PS-3: Personnel Screening

Related ISO 27001 Controls

Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.

Handling of assets (8.2.3)
ISO 27001:2013
Termination or change of employment responsibilities (7.3.1)
ISO 27001:2013
Network controls (13.1.1)
ISO 27001:2013
Electronic messaging (13.2.3)
ISO 27001:2013
Protecting application services transactions (14.1.3)
ISO 27001:2013
Securing application services on public networks (14.1.2)
ISO 27001:2013
Confidentiality or non-disclosure agreement (13.2.4)
ISO 27001:2013
Policy on the use of cryptographic controls (10.1.1)
ISO 27001:2013
Working in secure areas (11.1.5)
ISO 27001:2013
Management of privileged access rights (9.2.3)
ISO 27001:2013
Protecting against external and environmental threats (11.1.4)
ISO 27001:2013
Information access restriction (9.4.1)
ISO 27001:2013
Access control policy (9.1.1)
ISO 27001:2013
Access to networks and network services (9.1.2)
ISO 27001:2013
Access control to program source code (9.4.5)
ISO 27001:2013
Use of privileged utility programs (9.4.4)
ISO 27001:2013
Segregation of duties (6.1.2)
ISO 27001:2013
Screening (7.1.1)
ISO 27001:2013
Information transfer policies and procedures (13.2.1)
ISO 27001:2013
Terms and conditions of employment (7.1.2)
ISO 27001:2013
Segregation in networks (13.1.3)
ISO 27001:2013
Equipment siting and protection (11.2.1)
ISO 27001:2013
Labelling of information (8.2.2)
ISO 27001:2013

Related ISA/IEC 62443 Controls

Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.

Zone boundary protection (SR 5.2)
ISA/IEC 62443-3-3:2013

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.

ATT&CK ID	Title	Associated Tactics
T1071.001	Web Protocols	Command and Control
T1048.002	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Exfiltration
T1567	Exfiltration Over Web Service	Exfiltration
T1071	Application Layer Protocol	Command and Control
T1041	Exfiltration Over C2 Channel	Exfiltration
T1071.002	File Transfer Protocols	Command and Control
T1048	Exfiltration Over Alternative Protocol	Exfiltration
T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	Exfiltration
T1071.004	DNS	Command and Control
T1071.003	Mail Protocols	Command and Control
T1190	Exploit Public-Facing Application	Initial Access
T1021	Remote Services	Lateral Movement
T1136	Create Account	Persistence
T1110.002	Password Cracking	Credential Access
T1134.003	Make and Impersonate Token	Defense Evasion, Privilege Escalation
T1547.004	Winlogon Helper DLL	Persistence, Privilege Escalation
T1574.009	Path Interception by Unquoted Path	Defense Evasion, Persistence, Privilege Escalation
T1003.007	Proc Filesystem	Credential Access
T1552.007	Container API	Credential Access
T1558.001	Golden Ticket	Credential Access
T1218	System Binary Proxy Execution	Defense Evasion
T1550.003	Pass the Ticket	Defense Evasion, Lateral Movement
T1601.002	Downgrade System Image	Defense Evasion
T1134	Access Token Manipulation	Defense Evasion, Privilege Escalation
T1543.003	Windows Service	Persistence, Privilege Escalation
T1562	Impair Defenses	Defense Evasion
T1559.001	Component Object Model	Execution
T1098.003	Additional Cloud Roles	Persistence, Privilege Escalation
T1136.003	Cloud Account	Persistence
T1505.002	Transport Agent	Persistence
T1059.008	Network Device CLI	Execution
T1136.002	Domain Account	Persistence
T1003.002	Security Account Manager	Credential Access
T1098.004	SSH Authorized Keys	Persistence, Privilege Escalation
T1110.004	Credential Stuffing	Credential Access
T1003.004	LSA Secrets	Credential Access
T1562.002	Disable Windows Event Logging	Defense Evasion
T1134.002	Create Process with Token	Defense Evasion, Privilege Escalation
T1569.001	Launchctl	Execution
T1489	Service Stop	Impact
T1601	Modify System Image	Defense Evasion
T1552	Unsecured Credentials	Credential Access
T1087.004	Cloud Account	Discovery
T1213.002	Sharepoint	Collection
T1053	Scheduled Task/Job	Execution, Persistence, Privilege Escalation
T1003.008	/etc/passwd and /etc/shadow	Credential Access
T1110.003	Password Spraying	Credential Access
T1056.003	Web Portal Capture	Collection, Credential Access
T1003.006	DCSync	Credential Access
T1505	Server Software Component	Persistence
T1055	Process Injection	Defense Evasion, Privilege Escalation
T1547.013	XDG Autostart Entries	Persistence, Privilege Escalation
T1562.007	Disable or Modify Cloud Firewall	Defense Evasion
T1547.006	Kernel Modules and Extensions	Persistence, Privilege Escalation
T1574.008	Path Interception by Search Order Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1098.001	Additional Cloud Credentials	Persistence, Privilege Escalation
T1562.004	Disable or Modify System Firewall	Defense Evasion
T1021.006	Windows Remote Management	Lateral Movement
T1053.003	Cron	Execution, Persistence, Privilege Escalation
T1556.001	Domain Controller Authentication	Credential Access, Defense Evasion, Persistence
T1578.002	Create Cloud Instance	Defense Evasion
T1538	Cloud Service Dashboard	Discovery
T1110	Brute Force	Credential Access
T1210	Exploitation of Remote Services	Lateral Movement
T1222	File and Directory Permissions Modification	Defense Evasion
T1543	Create or Modify System Process	Persistence, Privilege Escalation
T1552.002	Credentials in Registry	Credential Access
T1547.012	Print Processors	Persistence, Privilege Escalation
T1072	Software Deployment Tools	Execution, Lateral Movement
T1563.002	RDP Hijacking	Lateral Movement
T1098	Account Manipulation	Persistence, Privilege Escalation
T1021.002	SMB/Windows Admin Shares	Lateral Movement
T1136.001	Local Account	Persistence
T1021.004	SSH	Lateral Movement
T1562.008	Disable or Modify Cloud Logs	Defense Evasion
T1213.001	Confluence	Collection
T1537	Transfer Data to Cloud Account	Exfiltration
T1601.001	Patch System Image	Defense Evasion
T1003.005	Cached Domain Credentials	Credential Access
T1003.003	NTDS	Credential Access
T1547.009	Shortcut Modification	Persistence, Privilege Escalation
T1548	Abuse Elevation Control Mechanism	Defense Evasion, Privilege Escalation
T1550.002	Pass the Hash	Defense Evasion, Lateral Movement
T1078	Valid Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1563	Remote Service Session Hijacking	Lateral Movement
T1609	Container Administration Command	Execution
T1578.003	Delete Cloud Instance	Defense Evasion
T1185	Browser Session Hijacking	Collection
T1558	Steal or Forge Kerberos Tickets	Credential Access
T1556.005	Reversible Encryption	Credential Access, Defense Evasion, Persistence
T1619	Cloud Storage Object Discovery	Discovery
T1222.002	Linux and Mac File and Directory Permissions Modification	Defense Evasion
T1495	Firmware Corruption	Impact
T1562.006	Indicator Blocking	Defense Evasion
T1021.003	Distributed Component Object Model	Lateral Movement
T1528	Steal Application Access Token	Credential Access
T1070.008	Clear Mailbox Data	Defense Evasion
T1552.001	Credentials In Files	Credential Access
T1070.009	Clear Persistence	Defense Evasion
T1574.005	Executable Installer File Permissions Weakness	Defense Evasion, Persistence, Privilege Escalation
T1574.012	COR_PROFILER	Defense Evasion, Persistence, Privilege Escalation
T1550	Use Alternate Authentication Material	Defense Evasion, Lateral Movement
T1197	BITS Jobs	Defense Evasion, Persistence
T1599.001	Network Address Translation Traversal	Defense Evasion
T1611	Escape to Host	Privilege Escalation
T1558.002	Silver Ticket	Credential Access
T1505.003	Web Shell	Persistence
T1003.001	LSASS Memory	Credential Access
T1070.001	Clear Windows Event Logs	Defense Evasion
T1548.003	Sudo and Sudo Caching	Defense Evasion, Privilege Escalation
T1562.009	Safe Mode Boot	Defense Evasion
T1574.007	Path Interception by PATH Environment Variable	Defense Evasion, Persistence, Privilege Escalation
T1078.001	Default Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1021.001	Remote Desktop Protocol	Lateral Movement
T1525	Implant Internal Image	Persistence
T1559	Inter-Process Communication	Execution
T1556	Modify Authentication Process	Credential Access, Defense Evasion, Persistence
T1569.002	Service Execution	Execution
T1556.004	Network Device Authentication	Credential Access, Defense Evasion, Persistence
T1530	Data from Cloud Storage	Collection
T1599	Network Boundary Bridging	Defense Evasion
T1070	Indicator Removal	Defense Evasion
T1213	Data from Information Repositories	Collection
T1574.004	Dylib Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation
T1070.002	Clear Linux or Mac System Logs	Defense Evasion
T1505.005	Terminal Services DLL	Persistence
T1543.002	Systemd Service	Persistence, Privilege Escalation
T1546.003	Windows Management Instrumentation Event Subscription	Persistence, Privilege Escalation
T1070.003	Clear Command History	Defense Evasion
T1542	Pre-OS Boot	Defense Evasion, Persistence
T1578	Modify Cloud Compute Infrastructure	Defense Evasion
T1078.002	Domain Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1543.001	Launch Agent	Persistence, Privilege Escalation
T1110.001	Password Guessing	Credential Access
T1578.001	Create Snapshot	Defense Evasion
T1558.003	Kerberoasting	Credential Access
T1563.001	SSH Hijacking	Lateral Movement
T1078.003	Local Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1213.003	Code Repositories	Collection
T1569	System Services	Execution
T1003	OS Credential Dumping	Credential Access
T1098.002	Additional Email Delegate Permissions	Persistence, Privilege Escalation
T1053.006	Systemd Timers	Execution, Persistence, Privilege Escalation
T1543.004	Launch Daemon	Persistence, Privilege Escalation
T1047	Windows Management Instrumentation	Execution
T1059	Command and Scripting Interpreter	Execution
T1484	Domain Policy Modification	Defense Evasion, Privilege Escalation
T1098.005	Device Registration	Persistence, Privilege Escalation
T1222.001	Windows File and Directory Permissions Modification	Defense Evasion
T1552.006	Group Policy Preferences	Credential Access
T1053.007	Container Orchestration Job	Execution, Persistence, Privilege Escalation
T1574.010	Services File Permissions Weakness	Defense Evasion, Persistence, Privilege Escalation
T1542.005	TFTP Boot	Defense Evasion, Persistence
T1055.008	Ptrace System Calls	Defense Evasion, Privilege Escalation
T1134.005	SID-History Injection	Defense Evasion, Privilege Escalation
T1218.007	Msiexec	Defense Evasion
T1548.002	Bypass User Account Control	Defense Evasion, Privilege Escalation
T1580	Cloud Infrastructure Discovery	Discovery
T1542.001	System Firmware	Defense Evasion, Persistence
T1574	Hijack Execution Flow	Defense Evasion, Persistence, Privilege Escalation
T1556.003	Pluggable Authentication Modules	Credential Access, Defense Evasion, Persistence
T1562.001	Disable or Modify Tools	Defense Evasion
T1078.004	Cloud Accounts	Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1606	Forge Web Credentials	Credential Access
T1070.007	Clear Network Connection History and Configurations	Defense Evasion
T1059.001	PowerShell	Execution
T1542.003	Bootkit	Defense Evasion, Persistence
T1134.001	Token Impersonation/Theft	Defense Evasion, Privilege Escalation
T1053.002	At	Execution, Persistence, Privilege Escalation
T1485	Data Destruction	Impact
T1036.005	Match Legitimate Name or Location	Defense Evasion
T1546.011	Application Shimming	Persistence, Privilege Escalation
T1137.005	Outlook Rules	Persistence
T1553	Subvert Trust Controls	Defense Evasion
T1491.002	External Defacement	Impact
T1547.003	Time Providers	Persistence, Privilege Escalation
T1491.001	Internal Defacement	Impact
T1211	Exploitation for Defense Evasion	Defense Evasion
T1212	Exploitation for Credential Access	Credential Access
T1112	Modify Registry	Defense Evasion
T1556.006	Multi-Factor Authentication	Credential Access, Defense Evasion, Persistence
T1025	Data from Removable Media	Collection
T1059.006	Python	Execution
T1137.001	Office Template Macros	Persistence
T1133	External Remote Services	Initial Access, Persistence
T1539	Steal Web Session Cookie	Credential Access
T1055.004	Asynchronous Procedure Call	Defense Evasion, Privilege Escalation
T1553.003	SIP and Trust Provider Hijacking	Defense Evasion
T1055.002	Portable Executable Injection	Defense Evasion, Privilege Escalation
T1546.016	Installer Packages	Persistence, Privilege Escalation
T1059.007	JavaScript	Execution
T1055.009	Proc Memory	Defense Evasion, Privilege Escalation
T1546.004	Unix Shell Configuration Modification	Persistence, Privilege Escalation
T1055.005	Thread Local Storage	Defense Evasion, Privilege Escalation
T1068	Exploitation for Privilege Escalation	Privilege Escalation
T1055.014	VDSO Hijacking	Defense Evasion, Privilege Escalation
T1606.002	SAML Tokens	Credential Access
T1199	Trusted Relationship	Initial Access
T1546.013	PowerShell Profile	Persistence, Privilege Escalation
T1055.013	Process Doppelgänging	Defense Evasion, Privilege Escalation
T1137.006	Add-ins	Persistence
T1491	Defacement	Impact
T1137.004	Outlook Home Page	Persistence
T1055.012	Process Hollowing	Defense Evasion, Privilege Escalation
T1059.003	Windows Command Shell	Execution
T1059.002	AppleScript	Execution
T1486	Data Encrypted for Impact	Impact
T1106	Native API	Execution
T1606.001	Web Cookies	Credential Access
T1505.004	IIS Components	Persistence
T1052	Exfiltration Over Physical Medium	Exfiltration
T1021.005	VNC	Lateral Movement
T1036	Masquerading	Defense Evasion
T1059.005	Visual Basic	Execution
T1059.004	Unix Shell	Execution
T1610	Deploy Container	Defense Evasion, Execution
T1556.007	Hybrid Identity	Credential Access, Defense Evasion, Persistence
T1561.001	Disk Content Wipe	Impact
T1559.002	Dynamic Data Exchange	Execution
T1200	Hardware Additions	Initial Access
T1561	Disk Wipe	Impact
T1189	Drive-by Compromise	Initial Access
T1036.003	Rename System Utilities	Defense Evasion
T1553.006	Code Signing Policy Modification	Defense Evasion
T1137.002	Office Test	Persistence
T1005	Data from Local System	Collection
T1052.001	Exfiltration over USB	Exfiltration
T1613	Container and Resource Discovery	Discovery
T1176	Browser Extensions	Persistence
T1203	Exploitation for Client Execution	Execution
T1542.004	ROMMONkit	Defense Evasion, Persistence
T1137	Office Application Startup	Persistence
T1561.002	Disk Structure Wipe	Impact
T1137.003	Outlook Forms	Persistence
T1612	Build Image on Host	Defense Evasion
T1055.003	Thread Execution Hijacking	Defense Evasion, Privilege Escalation
T1574.011	Services Registry Permissions Weakness	Defense Evasion, Persistence, Privilege Escalation
T1648	Serverless Execution	Execution
T1091	Replication Through Removable Media	Initial Access, Lateral Movement
T1055.001	Dynamic-link Library Injection	Defense Evasion, Privilege Escalation
T1055.011	Extra Window Memory Injection	Defense Evasion, Privilege Escalation
T1647	Plist File Modification	Defense Evasion
T1621	Multi-Factor Authentication Request Generation	Credential Access
T1490	Inhibit System Recovery	Impact
T1090	Proxy	Command and Control
T1132	Data Encoding	Command and Control
T1029	Scheduled Transfer	Exfiltration
T1573	Encrypted Channel	Command and Control
T1567.002	Exfiltration to Cloud Storage	Exfiltration
T1567.001	Exfiltration to Code Repository	Exfiltration
T1204.003	Malicious Image	Execution
T1095	Non-Application Layer Protocol	Command and Control
T1566.001	Spearphishing Attachment	Initial Access
T1102.002	Bidirectional Communication	Command and Control
T1602.002	Network Device Configuration Dump	Collection
T1566	Phishing	Initial Access
T1499.004	Application or System Exploitation	Impact
T1205.002	Socket Filters	Command and Control, Defense Evasion, Persistence
T1001.003	Protocol Impersonation	Command and Control
T1204.001	Malicious Link	Execution
T1030	Data Transfer Size Limits	Exfiltration
T1573.002	Asymmetric Cryptography	Command and Control
T1104	Multi-Stage Channels	Command and Control
T1570	Lateral Tool Transfer	Lateral Movement
T1499	Endpoint Denial of Service	Impact
T1114.003	Email Forwarding Rule	Collection
T1090.002	External Proxy	Command and Control
T1498	Network Denial of Service	Impact
T1552.005	Cloud Instance Metadata API	Credential Access
T1132.002	Non-Standard Encoding	Command and Control
T1132.001	Standard Encoding	Command and Control
T1114	Email Collection	Collection
T1565.003	Runtime Data Manipulation	Impact
T1573.001	Symmetric Cryptography	Command and Control
T1001	Data Obfuscation	Command and Control
T1565	Data Manipulation	Impact
T1187	Forced Authentication	Credential Access
T1499.001	OS Exhaustion Flood	Impact
T1114.001	Local Email Collection	Collection
T1572	Protocol Tunneling	Command and Control
T1566.003	Spearphishing via Service	Initial Access
T1008	Fallback Channels	Command and Control
T1499.002	Service Exhaustion Flood	Impact
T1568	Dynamic Resolution	Command and Control
T1001.002	Steganography	Command and Control
T1114.002	Remote Email Collection	Collection
T1020.001	Traffic Duplication	Exfiltration
T1622	Debugger Evasion	Defense Evasion, Discovery
T1102	Web Service	Command and Control
T1102.001	Dead Drop Resolver	Command and Control
T1090.001	Internal Proxy	Command and Control
T1219	Remote Access Software	Command and Control
T1571	Non-Standard Port	Command and Control
T1557.002	ARP Cache Poisoning	Collection, Credential Access
T1048.001	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Exfiltration
T1218.012	Verclsid	Defense Evasion
T1105	Ingress Tool Transfer	Command and Control
T1499.003	Application Exhaustion Flood	Impact
T1102.003	One-Way Communication	Command and Control
T1001.001	Junk Data	Command and Control
T1090.003	Multi-hop Proxy	Command and Control
T1205.001	Port Knocking	Command and Control, Defense Evasion, Persistence
T1568.002	Domain Generation Algorithms	Command and Control
T1564.008	Email Hiding Rules	Defense Evasion
T1498.001	Direct Network Flood	Impact
T1205	Traffic Signaling	Command and Control, Defense Evasion, Persistence
T1498.002	Reflection Amplification	Impact
T1557.003	DHCP Spoofing	Collection, Credential Access
T1204.002	Malicious File	Execution
T1204	User Execution	Execution
T1598.003	Spearphishing Link	Reconnaissance
T1566.002	Spearphishing Link	Initial Access
T1557.001	LLMNR/NBT-NS Poisoning and SMB Relay	Collection, Credential Access
T1557	Adversary-in-the-Middle	Collection, Credential Access
T1482	Domain Trust Discovery	Discovery
T1046	Network Service Discovery	Discovery
T1602.001	SNMP (MIB Dump)	Collection
T1602	Data from Configuration Repository	Collection
T1598.002	Spearphishing Attachment	Reconnaissance
T1598.001	Spearphishing Service	Reconnaissance
T1598	Phishing for Information	Reconnaissance
T1036.001	Invalid Code Signature	Defense Evasion
T1555.005	Password Managers	Credential Access
T1037.005	Startup Items	Persistence, Privilege Escalation
T1218.013	Mavinject	Defense Evasion
T1056.002	GUI Input Capture	Collection, Credential Access
T1218.009	Regsvcs/Regasm	Defense Evasion
T1552.004	Private Keys	Credential Access
T1558.004	AS-REP Roasting	Credential Access
T1135	Network Share Discovery	Discovery
T1564.002	Hidden Users	Defense Evasion
T1555	Credentials from Password Stores	Credential Access
T1564.004	NTFS File Attributes	Defense Evasion
T1040	Network Sniffing	Credential Access, Discovery
T1218.001	Compiled HTML File	Defense Evasion
T1087.002	Domain Account	Discovery
T1218.005	Mshta	Defense Evasion
T1560	Archive Collected Data	Collection
T1553.005	Mark-of-the-Web Bypass	Defense Evasion
T1562.010	Downgrade Attack	Defense Evasion
T1127	Trusted Developer Utilities Proxy Execution	Defense Evasion
T1037.004	RC Scripts	Persistence, Privilege Escalation
T1553.004	Install Root Certificate	Defense Evasion
T1556.002	Password Filter DLL	Credential Access, Defense Evasion, Persistence
T1037.003	Network Logon Script	Persistence, Privilege Escalation
T1027.002	Software Packing	Defense Evasion
T1011	Exfiltration Over Other Network Medium	Exfiltration
T1037.002	Login Hook	Persistence, Privilege Escalation
T1011.001	Exfiltration Over Bluetooth	Exfiltration
T1553.001	Gatekeeper Bypass	Defense Evasion
T1547.007	Re-opened Applications	Persistence, Privilege Escalation
T1574.001	DLL Search Order Hijacking	Defense Evasion, Persistence, Privilege Escalation
T1548.004	Elevated Execution with Prompt	Defense Evasion, Privilege Escalation
T1546.008	Accessibility Features	Persistence, Privilege Escalation
T1036.007	Double File Extension	Defense Evasion
T1221	Template Injection	Defense Evasion
T1552.003	Bash History	Credential Access
T1027.007	Dynamic API Resolution	Defense Evasion
T1220	XSL Script Processing	Defense Evasion
T1218.003	CMSTP	Defense Evasion
T1564.007	VBA Stomping	Defense Evasion
T1555.002	Securityd Memory	Credential Access
T1027	Obfuscated Files or Information	Defense Evasion
T1218.010	Regsvr32	Defense Evasion
T1550.001	Application Access Token	Defense Evasion, Lateral Movement
T1560.001	Archive via Utility	Collection
T1218.008	Odbcconf	Defense Evasion
T1546.006	LC_LOAD_DYLIB Addition	Persistence, Privilege Escalation
T1547.002	Authentication Package	Persistence, Privilege Escalation
T1546.014	Emond	Persistence, Privilege Escalation
T1546.002	Screensaver	Persistence, Privilege Escalation
T1565.002	Transmitted Data Manipulation	Impact
T1127.001	MSBuild	Defense Evasion
T1080	Taint Shared Content	Lateral Movement
T1216	System Script Proxy Execution	Defense Evasion
T1201	Password Policy Discovery	Discovery
T1087.001	Local Account	Discovery
T1555.001	Keychain	Credential Access
T1564.006	Run Virtual Instance	Defense Evasion
T1564.009	Resource Forking	Defense Evasion
T1027.009	Embedded Payloads	Defense Evasion
T1564.010	Process Argument Spoofing	Defense Evasion
T1565.001	Stored Data Manipulation	Impact
T1218.002	Control Panel	Defense Evasion
T1574.013	KernelCallbackTable	Defense Evasion, Persistence, Privilege Escalation
T1216.001	PubPrn	Defense Evasion
T1547.008	LSASS Driver	Persistence, Privilege Escalation
T1562.003	Impair Command History Logging	Defense Evasion
T1547.005	Security Support Provider	Persistence, Privilege Escalation
T1111	Multi-Factor Authentication Interception	Credential Access
T1555.004	Windows Credential Manager	Credential Access
T1559.003	XPC Services	Execution
T1218.004	InstallUtil	Defense Evasion
T1129	Shared Modules	Execution
T1119	Automated Collection	Collection
T1548.001	Setuid and Setgid	Defense Evasion, Privilege Escalation
T1087	Account Discovery	Discovery
T1218.011	Rundll32	Defense Evasion
T1027.008	Stripped Payloads	Defense Evasion
T1037	Boot or Logon Initialization Scripts	Persistence, Privilege Escalation
T1218.014	MMC	Defense Evasion
T1092	Communication Through Removable Media	Command and Control
T1584.007	Serverless	Resource Development
T1583.007	Serverless	Resource Development
T1550.004	Web Session Cookie	Defense Evasion, Lateral Movement
T1090.004	Domain Fronting	Command and Control

CSF Mapped to the NCSC CAF

Cyber Assessment Framework mappings generated from UK Cabinet Office data.

Control ID	Name	Description
B3.b	Data in Transit	You have protected the transit of data important to the operation of the essential function. This includes the transfer of data to third parties.
B2.a	Identity Verification, Authentication and Authorisation	You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function.
B4.c	Secure Management	You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security.
B3.a	Understanding Data	You have a good understanding of data important to the operation of the essential function, where it is stored, where it travels and how unavailability or unauthorised access, modification or deletion would adversely impact the essential function. This also applies to third parties storing or accessing data important to the operation of essential functions.
B4.a	Secure by Design	You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability.
B5.b	Design for Resilience	You design the network and information systems supporting your essential function to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated.
B3.c	Stored Data	You have protected stored data important to the operation of the essential function.
B2.d	Identity and Access Management (IdAM)	You closely manage and maintain identity and access control for users, devices and systems accessing the networks and information systems supporting the essential function.
B4.b	Secure Configuration	You securely configure the network and information systems that support the operation of essential functions.
B2.c	Privileged User Management	You closely manage privileged user access to networks and information systems supporting the essential function.

NIST CSF: PR.DS-5 Subcategory

Cyber Threat Graph Context

CSF Mapped to SP800-53 Controls

Related ISO 27001 Controls

Handling of assets (8.2.3)

Termination or change of employment responsibilities (7.3.1)

Network controls (13.1.1)

Electronic messaging (13.2.3)

Protecting application services transactions (14.1.3)

Securing application services on public networks (14.1.2)

Confidentiality or non-disclosure agreement (13.2.4)

Policy on the use of cryptographic controls (10.1.1)

Working in secure areas (11.1.5)

Management of privileged access rights (9.2.3)

Protecting against external and environmental threats (11.1.4)

Information access restriction (9.4.1)

Access control policy (9.1.1)

Access to networks and network services (9.1.2)

Access control to program source code (9.4.5)

Use of privileged utility programs (9.4.4)

Segregation of duties (6.1.2)

Screening (7.1.1)

Information transfer policies and procedures (13.2.1)

Terms and conditions of employment (7.1.2)

Segregation in networks (13.1.3)

Equipment siting and protection (11.2.1)

Labelling of information (8.2.2)

Related ISA/IEC 62443 Controls

Zone boundary protection (SR 5.2)

MITRE ATT&CK Techniques

CSF Mapped to the NCSC CAF