NIST CSF: DE.DP-5 Subcategory
From NIST's Cyber Security Framework (version 1):
Detection processes are continuously improved
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Learning from information security incidents (16.1.6)
ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Identify and implement corrective and preventive actions (4.4.3.4)
ISA/IEC 62443-2-1:2009
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1552.001 | Credentials In Files | Credential Access |
| T1090.001 | Internal Proxy | Command and Control |
| T1036.003 | Rename System Utilities | Defense Evasion |
| T1552 | Unsecured Credentials | Credential Access |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1528 | Steal Application Access Token | Credential Access |
| T1218.011 | Rundll32 | Defense Evasion |
| T1059.007 | JavaScript | Execution |
| T1071.004 | DNS | Command and Control |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1564.004 | NTFS File Attributes | Defense Evasion |
| T1218 | System Binary Proxy Execution | Defense Evasion |
| T1499.001 | OS Exhaustion Flood | Impact |
| T1569 | System Services | Execution |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1037.005 | Startup Items | Persistence, Privilege Escalation |
| T1189 | Drive-by Compromise | Initial Access |
| T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
| T1008 | Fallback Channels | Command and Control |
| T1557.003 | DHCP Spoofing | Collection, Credential Access |
| T1571 | Non-Standard Port | Command and Control |
| T1001.001 | Junk Data | Command and Control |
| T1003.006 | DCSync | Credential Access |
| T1218.012 | Verclsid | Defense Evasion |
| T1201 | Password Policy Discovery | Discovery |
| T1003.002 | Security Account Manager | Credential Access |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1110.003 | Password Spraying | Credential Access |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1555 | Credentials from Password Stores | Credential Access |
| T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
| T1499 | Endpoint Denial of Service | Impact |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
| T1132.002 | Non-Standard Encoding | Command and Control |
| T1562.002 | Disable Windows Event Logging | Defense Evasion |
| T1552.002 | Credentials in Registry | Credential Access |
| T1566.002 | Spearphishing Link | Initial Access |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1602 | Data from Configuration Repository | Collection |
| T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1563.001 | SSH Hijacking | Lateral Movement |
| T1566.003 | Spearphishing via Service | Initial Access |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1080 | Taint Shared Content | Lateral Movement |
| T1110 | Brute Force | Credential Access |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
| Control ID | Name | Description |
|---|---|---|
| D2.b | Using Incidents to Drive Improvements | Your organisation uses lessons learned from incidents to improve your security measures. |
| D2.a | Incident Root Cause Analysis | When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken. |
| C1.e | Monitoring Tools and Skills | Monitoring staff skills, tools and roles, including any that are out sourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect. |
| C1.d | Identifying Security Incidents | You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response. |