NIST CSF: PR.DS-6 Subcategory
From NIST's Cyber Security Framework (version 1):
Integrity checking mechanisms are used to verify software, firmware, and information integrity
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Protecting application services transactions (14.1.3)
ISO 27001:2013 -
Installation of software on operational systems (12.5.1)
ISO 27001:2013 -
Controls against malware (12.2.1)
ISO 27001:2013 -
Restrictions on changes to software packages (14.2.4)
ISO 27001:2013 -
Securing application services on public networks (14.1.2)
ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Communication integrity (SR 3.1)
ISA/IEC 62443-3-3:2013 -
Software and information integrity (SR 3.4)
ISA/IEC 62443-3-3:2013 -
Session integrity (SR 3.8)
ISA/IEC 62443-3-3:2013 -
Security functionality verification (SR 3.3)
ISA/IEC 62443-3-3:2013
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1573 | Encrypted Channel | Command and Control |
| T1573.002 | Asymmetric Cryptography | Command and Control |
| T1505 | Server Software Component | Persistence |
| T1505.002 | Transport Agent | Persistence |
| T1573.001 | Symmetric Cryptography | Command and Control |
| T1491.001 | Internal Defacement | Impact |
| T1552.004 | Private Keys | Credential Access |
| T1218.001 | Compiled HTML File | Defense Evasion |
| T1553.005 | Mark-of-the-Web Bypass | Defense Evasion |
| T1547.003 | Time Providers | Persistence, Privilege Escalation |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access |
| T1037.004 | RC Scripts | Persistence, Privilege Escalation |
| T1195.003 | Compromise Hardware Supply Chain | Initial Access |
| T1574.013 | KernelCallbackTable | Defense Evasion, Persistence, Privilege Escalation |
| T1553.006 | Code Signing Policy Modification | Defense Evasion |
| T1491 | Defacement | Impact |
| T1542 | Pre-OS Boot | Defense Evasion, Persistence |
| T1059.008 | Network Device CLI | Execution |
| T1218.009 | Regsvcs/Regasm | Defense Evasion |
| T1211 | Exploitation for Defense Evasion | Defense Evasion |
| T1218.014 | MMC | Defense Evasion |
| T1119 | Automated Collection | Collection |
| T1222 | File and Directory Permissions Modification | Defense Evasion |
| T1565.002 | Transmitted Data Manipulation | Impact |
| T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
| T1020.001 | Traffic Duplication | Exfiltration |
| T1114.002 | Remote Email Collection | Collection |
| T1219 | Remote Access Software | Command and Control |
| T1176 | Browser Extensions | Persistence |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1548.004 | Elevated Execution with Prompt | Defense Evasion, Privilege Escalation |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1070.001 | Clear Windows Event Logs | Defense Evasion |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1574.006 | Dynamic Linker Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1542.001 | System Firmware | Defense Evasion, Persistence |
| T1216.001 | PubPrn | Defense Evasion |
| T1070.008 | Clear Mailbox Data | Defense Evasion |
| T1505.001 | SQL Stored Procedures | Persistence |
| T1037.002 | Login Hook | Persistence, Privilege Escalation |
| T1495 | Firmware Corruption | Impact |
| T1547.002 | Authentication Package | Persistence, Privilege Escalation |
| T1569 | System Services | Execution |
| T1486 | Data Encrypted for Impact | Impact |
| T1059.007 | JavaScript | Execution |
| T1037.005 | Startup Items | Persistence, Privilege Escalation |
| T1221 | Template Injection | Defense Evasion |
| T1136.002 | Domain Account | Persistence |
| T1218.004 | InstallUtil | Defense Evasion |
| T1491.002 | External Defacement | Impact |
| T1569.002 | Service Execution | Execution |
| T1059.006 | Python | Execution |
| T1129 | Shared Modules | Execution |
| T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| T1037.003 | Network Logon Script | Persistence, Privilege Escalation |
| T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
| T1602.002 | Network Device Configuration Dump | Collection |
| T1080 | Taint Shared Content | Lateral Movement |
| T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
| T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
| T1218.005 | Mshta | Defense Evasion |
| T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation |
| T1036 | Masquerading | Defense Evasion |
| T1203 | Exploitation for Client Execution | Execution |
| T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
| T1056.002 | GUI Input Capture | Collection, Credential Access |
| T1059.002 | AppleScript | Execution |
| T1552 | Unsecured Credentials | Credential Access |
| T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
| T1562.001 | Disable or Modify Tools | Defense Evasion |
| T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
| T1601.002 | Downgrade System Image | Defense Evasion |
| T1546.002 | Screensaver | Persistence, Privilege Escalation |
| T1070 | Indicator Removal | Defense Evasion |
| T1218 | System Binary Proxy Execution | Defense Evasion |
| T1562.004 | Disable or Modify System Firewall | Defense Evasion |
| T1027.007 | Dynamic API Resolution | Defense Evasion |
| T1547.008 | LSASS Driver | Persistence, Privilege Escalation |
| T1601.001 | Patch System Image | Defense Evasion |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1602.001 | SNMP (MIB Dump) | Collection |
| T1525 | Implant Internal Image | Persistence |
| T1204.003 | Malicious Image | Execution |
| T1505.004 | IIS Components | Persistence |
| T1059.003 | Windows Command Shell | Execution |
| T1114 | Email Collection | Collection |
| T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
| T1565.003 | Runtime Data Manipulation | Impact |
| T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
| T1114.003 | Email Forwarding Rule | Collection |
| T1114.001 | Local Email Collection | Collection |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1558.002 | Silver Ticket | Credential Access |
| T1218.013 | Mavinject | Defense Evasion |
| T1490 | Inhibit System Recovery | Impact |
| T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
| T1609 | Container Administration Command | Execution |
| T1530 | Data from Cloud Storage | Collection |
| T1218.012 | Verclsid | Defense Evasion |
| T1565.001 | Stored Data Manipulation | Impact |
| T1220 | XSL Script Processing | Defense Evasion |
| T1550.004 | Web Session Cookie | Defense Evasion, Lateral Movement |
| T1553 | Subvert Trust Controls | Defense Evasion |
| T1003.003 | NTDS | Credential Access |
| T1070.003 | Clear Command History | Defense Evasion |
| T1027.008 | Stripped Payloads | Defense Evasion |
| T1213 | Data from Information Repositories | Collection |
| T1564.004 | NTFS File Attributes | Defense Evasion |
| T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion |
| T1218.008 | Odbcconf | Defense Evasion |
| T1059.004 | Unix Shell | Execution |
| T1036.001 | Invalid Code Signature | Defense Evasion |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1561 | Disk Wipe | Impact |
| T1059 | Command and Scripting Interpreter | Execution |
| T1562.009 | Safe Mode Boot | Defense Evasion |
| T1562.006 | Indicator Blocking | Defense Evasion |
| T1543.002 | Systemd Service | Persistence, Privilege Escalation |
| T1542.004 | ROMMONkit | Defense Evasion, Persistence |
| T1185 | Browser Session Hijacking | Collection |
| T1040 | Network Sniffing | Credential Access, Discovery |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1218.002 | Control Panel | Defense Evasion |
| T1611 | Escape to Host | Privilege Escalation |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1562 | Impair Defenses | Defense Evasion |
| T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
| T1564.010 | Process Argument Spoofing | Defense Evasion |
| T1213.002 | Sharepoint | Collection |
| T1547.005 | Security Support Provider | Persistence, Privilege Escalation |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1218.010 | Regsvr32 | Defense Evasion |
| T1189 | Drive-by Compromise | Initial Access |
| T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1556.003 | Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
| T1546.008 | Accessibility Features | Persistence, Privilege Escalation |
| T1136 | Create Account | Persistence |
| T1564.009 | Resource Forking | Defense Evasion |
| T1565 | Data Manipulation | Impact |
| T1542.003 | Bootkit | Defense Evasion, Persistence |
| T1218.003 | CMSTP | Defense Evasion |
| T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
| T1561.002 | Disk Structure Wipe | Impact |
| T1485 | Data Destruction | Impact |
| T1647 | Plist File Modification | Defense Evasion |
| T1204 | User Execution | Execution |
| T1204.002 | Malicious File | Execution |
| T1553.001 | Gatekeeper Bypass | Defense Evasion |
| T1574.012 | COR_PROFILER | Defense Evasion, Persistence, Privilege Escalation |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1546.010 | AppInit DLLs | Persistence, Privilege Escalation |
| T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
| T1047 | Windows Management Instrumentation | Execution |
| T1601 | Modify System Image | Defense Evasion |
| T1546.009 | AppCert DLLs | Persistence, Privilege Escalation |
| T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
| T1561.001 | Disk Content Wipe | Impact |
| T1027.002 | Software Packing | Defense Evasion |
| T1059.001 | PowerShell | Execution |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1003 | OS Credential Dumping | Credential Access |
| T1564.003 | Hidden Window | Defense Evasion |
| T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
| T1059.005 | Visual Basic | Execution |
| T1216 | System Script Proxy Execution | Defense Evasion |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1564.006 | Run Virtual Instance | Defense Evasion |
| T1546 | Event Triggered Execution | Persistence, Privilege Escalation |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
| T1562.002 | Disable Windows Event Logging | Defense Evasion |
| T1213.001 | Confluence | Collection |
| T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1070.009 | Clear Persistence | Defense Evasion |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
| T1027.009 | Embedded Payloads | Defense Evasion |
| T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
| T1602 | Data from Configuration Repository | Collection |
| T1218.011 | Rundll32 | Defense Evasion |
| T1554 | Compromise Client Software Binary | Persistence |
| T1558.003 | Kerberoasting | Credential Access |
| T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
| T1564.008 | Email Hiding Rules | Defense Evasion |
| T1136.001 | Local Account | Persistence |
| T1136.003 | Cloud Account | Persistence |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
| Control ID | Name | Description |
|---|---|---|
| B4.d | Vulnerability Management | You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essential function. |
| B3.b | Data in Transit | You have protected the transit of data important to the operation of the essential function. This includes the transfer of data to third parties. |
| B4.b | Secure Configuration | You securely configure the network and information systems that support the operation of essential functions. |
| B4.a | Secure by Design | You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability. |
| C1.a | Monitoring Coverage | The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function. |
| B4.c | Secure Management | You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security. |