NIST CSF: RS.CO-3 Subcategory
From NIST's Cyber Security Framework (version 1):
Information is shared consistent with response plans
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Reporting information security events (16.1.2)
ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Communicate the incident response plan (4.3.4.5.2)
ISA/IEC 62443-2-1:2009
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1213 | Data from Information Repositories | Collection |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
| T1546.002 | Screensaver | Persistence, Privilege Escalation |
| T1137.001 | Office Template Macros | Persistence |
| T1505.003 | Web Shell | Persistence |
| T1525 | Implant Internal Image | Persistence |
| T1218.009 | Regsvcs/Regasm | Defense Evasion |
| T1505 | Server Software Component | Persistence |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1059.001 | PowerShell | Execution |
| T1552.006 | Group Policy Preferences | Credential Access |
| T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
| T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
| T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
| T1127.001 | MSBuild | Defense Evasion |
| T1552.004 | Private Keys | Credential Access |
| T1505.004 | IIS Components | Persistence |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
| T1552.001 | Credentials In Files | Credential Access |
| T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1213.002 | Sharepoint | Collection |
| T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1218.014 | MMC | Defense Evasion |
| T1211 | Exploitation for Defense Evasion | Defense Evasion |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1530 | Data from Cloud Storage | Collection |
| T1562 | Impair Defenses | Defense Evasion |
| T1505.001 | SQL Stored Procedures | Persistence |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1578.003 | Delete Cloud Instance | Defense Evasion |
| T1218.012 | Verclsid | Defense Evasion |
| T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1505.005 | Terminal Services DLL | Persistence |
| T1213.001 | Confluence | Collection |
| T1505.002 | Transport Agent | Persistence |
| T1176 | Browser Extensions | Persistence |
| T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
| T1547.008 | LSASS Driver | Persistence, Privilege Escalation |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
| T1218.003 | CMSTP | Defense Evasion |
| T1059 | Command and Scripting Interpreter | Execution |
| T1562.010 | Downgrade Attack | Defense Evasion |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
| Control ID | Name | Description |
|---|---|---|
| C1.e | Monitoring Tools and Skills | Monitoring staff skills, tools and roles, including any that are out sourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect. |
| A4.a | Supply Chain | The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used. |
| B6.a | Cyber Security Culture | You develop and pursue a positive cyber security culture. |
| D1.a | Response Plan | You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function and covers a range of incident scenarios. |
| D2.a | Incident Root Cause Analysis | When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken. |
| D1.b | Response and Recovery Capability | You have the capability to enact your incident response plan, including effective limitation of impact on the operation of your essential function. During an incident, you have access to timely information on which to base your response decisions. |