NIST CSF: DE.DP-5 Subcategory
From NIST's Cybersecurity Framework (version 1):
Detection processes are continuously improved
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Learning from information security incidents (16.1.6), ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Identify and implement corrective and preventive actions (4.4.3.4), ISA/IEC 62443-2-1:2009
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1552.001 | Credentials In Files | Credential Access |
T1090.001 | Internal Proxy | Command and Control |
T1036.003 | Rename System Utilities | Defense Evasion |
T1552 | Unsecured Credentials | Credential Access |
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1528 | Steal Application Access Token | Credential Access |
T1218.011 | Rundll32 | Defense Evasion |
T1059.007 | JavaScript | Execution |
T1071.004 | DNS | Command and Control |
T1003.005 | Cached Domain Credentials | Credential Access |
T1564.004 | NTFS File Attributes | Defense Evasion |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1499.001 | OS Exhaustion Flood | Impact |
T1569 | System Services | Execution |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1037.005 | Startup Items | Persistence, Privilege Escalation |
T1189 | Drive-by Compromise | Initial Access |
T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
T1008 | Fallback Channels | Command and Control |
T1557.003 | DHCP Spoofing | Collection, Credential Access |
T1571 | Non-Standard Port | Command and Control |
T1001.001 | Junk Data | Command and Control |
T1003.006 | DCSync | Credential Access |
T1218.012 | Verclsid | Defense Evasion |
T1201 | Password Policy Discovery | Discovery |
T1003.002 | Security Account Manager | Credential Access |
T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
T1110.003 | Password Spraying | Credential Access |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1570 | Lateral Tool Transfer | Lateral Movement |
T1555 | Credentials from Password Stores | Credential Access |
T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
T1499 | Endpoint Denial of Service | Impact |
T1197 | BITS Jobs | Defense Evasion, Persistence |
T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
T1132.002 | Non-Standard Encoding | Command and Control |
T1562.002 | Disable Windows Event Logging | Defense Evasion |
T1552.002 | Credentials in Registry | Credential Access |
T1566.002 | Spearphishing Link | Initial Access |
T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
T1602 | Data from Configuration Repository | Collection |
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
T1072 | Software Deployment Tools | Execution, Lateral Movement |
T1563.001 | SSH Hijacking | Lateral Movement |
T1566.003 | Spearphishing via Service | Initial Access |
T1599 | Network Boundary Bridging | Defense Evasion |
T1080 | Taint Shared Content | Lateral Movement |
T1110 | Brute Force | Credential Access |
T1568 | Dynamic Resolution | Command and Control |
T1558.002 | Silver Ticket | Credential Access |
T1046 | Network Service Discovery | Discovery |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1558.003 | Kerberoasting | Credential Access |
T1036 | Masquerading | Defense Evasion |
T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
T1036.007 | Double File Extension | Defense Evasion |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
T1003.004 | LSA Secrets | Credential Access |
T1001.003 | Protocol Impersonation | Command and Control |
T1498 | Network Denial of Service | Impact |
T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
T1552.004 | Private Keys | Credential Access |
T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
T1566.001 | Spearphishing Attachment | Initial Access |
T1602.002 | Network Device Configuration Dump | Collection |
T1001 | Data Obfuscation | Command and Control |
T1052.001 | Exfiltration over USB | Exfiltration |
T1222 | File and Directory Permissions Modification | Defense Evasion |
T1176 | Browser Extensions | Persistence |
T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
T1003.001 | LSASS Memory | Credential Access |
T1030 | Data Transfer Size Limits | Exfiltration |
T1565.001 | Stored Data Manipulation | Impact |
T1059.005 | Visual Basic | Execution |
T1190 | Exploit Public-Facing Application | Initial Access |
T1489 | Service Stop | Impact |
T1546.016 | Installer Packages | Persistence, Privilege Escalation |
T1070.009 | Clear Persistence | Defense Evasion |
T1195.002 | Compromise Software Supply Chain | Initial Access |
T1195 | Supply Chain Compromise | Initial Access |
T1102.001 | Dead Drop Resolver | Command and Control |
T1598.003 | Spearphishing Link | Reconnaissance |
T1110.004 | Credential Stuffing | Credential Access |
T1204.001 | Malicious Link | Execution |
T1095 | Non-Application Layer Protocol | Command and Control |
T1565.003 | Runtime Data Manipulation | Impact |
T1037.002 | Login Hook | Persistence, Privilege Escalation |
T1213 | Data from Information Repositories | Collection |
T1573.002 | Asymmetric Cryptography | Command and Control |
T1562.001 | Disable or Modify Tools | Defense Evasion |
T1213.002 | Sharepoint | Collection |
T1037.004 | RC Scripts | Persistence, Privilege Escalation |
T1104 | Multi-Stage Channels | Command and Control |
T1213.001 | Confluence | Collection |
T1212 | Exploitation for Credential Access | Credential Access |
T1056.002 | GUI Input Capture | Collection, Credential Access |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1090.002 | External Proxy | Command and Control |
T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1647 | Plist File Modification | Defense Evasion |
T1598.002 | Spearphishing Attachment | Reconnaissance |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
T1552.005 | Cloud Instance Metadata API | Credential Access |
T1132 | Data Encoding | Command and Control |
T1195.001 | Compromise Software Dependencies and Development Tools | Initial Access |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1555.001 | Keychain | Credential Access |
T1530 | Data from Cloud Storage | Collection |
T1102 | Web Service | Command and Control |
T1555.002 | Securityd Memory | Credential Access |
T1219 | Remote Access Software | Command and Control |
T1558 | Steal or Forge Kerberos Tickets | Credential Access |
T1111 | Multi-Factor Authentication Interception | Credential Access |
T1221 | Template Injection | Defense Evasion |
T1213.003 | Code Repositories | Collection |
T1204 | User Execution | Execution |
T1499.004 | Application or System Exploitation | Impact |
T1090.003 | Multi-hop Proxy | Command and Control |
T1498.002 | Reflection Amplification | Impact |
T1558.004 | AS-REP Roasting | Credential Access |
T1569.002 | Service Execution | Execution |
T1003.007 | Proc Filesystem | Credential Access |
T1070.003 | Clear Command History | Defense Evasion |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
T1574.013 | KernelCallbackTable | Defense Evasion, Persistence, Privilege Escalation |
T1622 | Debugger Evasion | Defense Evasion, Discovery |
T1185 | Browser Session Hijacking | Collection |
T1599.001 | Network Address Translation Traversal | Defense Evasion |
T1539 | Steal Web Session Cookie | Credential Access |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1203 | Exploitation for Client Execution | Execution |
T1598 | Phishing for Information | Reconnaissance |
T1204.003 | Malicious Image | Execution |
T1218.002 | Control Panel | Defense Evasion |
T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
T1070 | Indicator Removal | Defense Evasion |
T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1598.001 | Spearphishing Service | Reconnaissance |
T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
T1102.002 | Bidirectional Communication | Command and Control |
T1110.002 | Password Cracking | Credential Access |
T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
T1003.003 | NTDS | Credential Access |
T1499.002 | Service Exhaustion Flood | Impact |
T1564.010 | Process Argument Spoofing | Defense Evasion |
T1001.002 | Steganography | Command and Control |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1090 | Proxy | Command and Control |
T1562 | Impair Defenses | Defense Evasion |
T1132.001 | Standard Encoding | Command and Control |
T1187 | Forced Authentication | Credential Access |
T1568.002 | Domain Generation Algorithms | Command and Control |
T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1602.001 | SNMP (MIB Dump) | Collection |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1572 | Protocol Tunneling | Command and Control |
T1565 | Data Manipulation | Impact |
T1070.001 | Clear Windows Event Logs | Defense Evasion |
T1547.003 | Time Providers | Persistence, Privilege Escalation |
T1021.005 | VNC | Lateral Movement |
T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
T1037.003 | Network Logon Script | Persistence, Privilege Escalation |
T1562.006 | Indicator Blocking | Defense Evasion |
T1029 | Scheduled Transfer | Exfiltration |
T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation |
T1059 | Command and Scripting Interpreter | Execution |
T1052 | Exfiltration Over Physical Medium | Exfiltration |
T1105 | Ingress Tool Transfer | Command and Control |
T1499.003 | Application Exhaustion Flood | Impact |
T1218.010 | Regsvr32 | Defense Evasion |
T1573 | Encrypted Channel | Command and Control |
T1102.003 | One-Way Communication | Command and Control |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1204.002 | Malicious File | Execution |
T1071.002 | File Transfer Protocols | Command and Control |
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
T1110.001 | Password Guessing | Credential Access |
T1566 | Phishing | Initial Access |
T1567 | Exfiltration Over Web Service | Exfiltration |
T1498.001 | Direct Network Flood | Impact |
T1003 | OS Credential Dumping | Credential Access |
T1070.008 | Clear Mailbox Data | Defense Evasion |
T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1071.001 | Web Protocols | Command and Control |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1071 | Application Layer Protocol | Command and Control |
T1071.003 | Mail Protocols | Command and Control |
T1543.002 | Systemd Service | Persistence, Privilege Escalation |
T1573.001 | Symmetric Cryptography | Command and Control |
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1505.004 | IIS Components | Persistence |
T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
T1137.001 | Office Template Macros | Persistence |
T1036.001 | Invalid Code Signature | Defense Evasion |
T1059.001 | PowerShell | Execution |
T1555.005 | Password Managers | Credential Access |
T1563.002 | RDP Hijacking | Lateral Movement |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1218.013 | Mavinject | Defense Evasion |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1059.006 | Python | Execution |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1055.014 | VDSO Hijacking | Defense Evasion, Privilege Escalation |
T1059.002 | AppleScript | Execution |
T1218.009 | Regsvcs/Regasm | Defense Evasion |
T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
T1578.001 | Create Snapshot | Defense Evasion |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1135 | Network Share Discovery | Discovery |
T1564.002 | Hidden Users | Defense Evasion |
T1547.012 | Print Processors | Persistence, Privilege Escalation |
T1055.004 | Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
T1114.003 | Email Forwarding Rule | Collection |
T1055.011 | Extra Window Memory Injection | Defense Evasion, Privilege Escalation |
T1055.005 | Thread Local Storage | Defense Evasion, Privilege Escalation |
T1613 | Container and Resource Discovery | Discovery |
T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1040 | Network Sniffing | Credential Access, Discovery |
T1218.001 | Compiled HTML File | Defense Evasion |
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1578.002 | Create Cloud Instance | Defense Evasion |
T1087.002 | Domain Account | Discovery |
T1218.005 | Mshta | Defense Evasion |
T1053.002 | At | Execution, Persistence, Privilege Escalation |
T1610 | Deploy Container | Defense Evasion, Execution |
T1025 | Data from Removable Media | Collection |
T1560 | Archive Collected Data | Collection |
T1553.005 | Mark-of-the-Web Bypass | Defense Evasion |
T1059.004 | Unix Shell | Execution |
T1562.010 | Downgrade Attack | Defense Evasion |
T1612 | Build Image on Host | Defense Evasion |
T1505.002 | Transport Agent | Persistence |
T1114.001 | Local Email Collection | Collection |
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion |
T1136.001 | Local Account | Persistence |
T1601.002 | Downgrade System Image | Defense Evasion |
T1055.002 | Portable Executable Injection | Defense Evasion, Privilege Escalation |
T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
T1021.006 | Windows Remote Management | Lateral Movement |
T1553.004 | Install Root Certificate | Defense Evasion |
T1491 | Defacement | Impact |
T1047 | Windows Management Instrumentation | Execution |
T1556.002 | Password Filter DLL | Credential Access, Defense Evasion, Persistence |
T1601 | Modify System Image | Defense Evasion |
T1491.001 | Internal Defacement | Impact |
T1547.009 | Shortcut Modification | Persistence, Privilege Escalation |
T1027.002 | Software Packing | Defense Evasion |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
T1011 | Exfiltration Over Other Network Medium | Exfiltration |
T1133 | External Remote Services | Initial Access, Persistence |
T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
T1055 | Process Injection | Defense Evasion, Privilege Escalation |
T1561.002 | Disk Structure Wipe | Impact |
T1055.013 | Process Doppelgänging | Defense Evasion, Privilege Escalation |
T1553.001 | Gatekeeper Bypass | Defense Evasion |
T1486 | Data Encrypted for Impact | Impact |
T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
T1055.008 | Ptrace System Calls | Defense Evasion, Privilege Escalation |
T1021.003 | Distributed Component Object Model | Lateral Movement |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1578.003 | Delete Cloud Instance | Defense Evasion |
T1485 | Data Destruction | Impact |
T1552.006 | Group Policy Preferences | Credential Access |
T1548.004 | Elevated Execution with Prompt | Defense Evasion, Privilege Escalation |
T1546.008 | Accessibility Features | Persistence, Privilege Escalation |
T1114 | Email Collection | Collection |
T1552.003 | Bash History | Credential Access |
T1059.008 | Network Device CLI | Execution |
T1027.007 | Dynamic API Resolution | Defense Evasion |
T1136.002 | Domain Account | Persistence |
T1059.003 | Windows Command Shell | Execution |
T1220 | XSL Script Processing | Defense Evasion |
T1490 | Inhibit System Recovery | Impact |
T1098.002 | Additional Email Delegate Permissions | Persistence, Privilege Escalation |
T1021 | Remote Services | Lateral Movement |
T1505.003 | Web Shell | Persistence |
T1218.003 | CMSTP | Defense Evasion |
T1564.007 | VBA Stomping | Defense Evasion |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
T1611 | Escape to Host | Privilege Escalation |
T1561.001 | Disk Content Wipe | Impact |
T1550.001 | Application Access Token | Defense Evasion, Lateral Movement |
T1560.001 | Archive via Utility | Collection |
T1218.008 | Odbcconf | Defense Evasion |
T1021.004 | SSH | Lateral Movement |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1114.002 | Remote Email Collection | Collection |
T1547.002 | Authentication Package | Persistence, Privilege Escalation |
T1546.014 | Emond | Persistence, Privilege Escalation |
T1491.002 | External Defacement | Impact |
T1546.002 | Screensaver | Persistence, Privilege Escalation |
T1098 | Account Manipulation | Persistence, Privilege Escalation |
T1137 | Office Application Startup | Persistence |
T1020.001 | Traffic Duplication | Exfiltration |
T1565.002 | Transmitted Data Manipulation | Impact |
T1127.001 | MSBuild | Defense Evasion |
T1505.005 | Terminal Services DLL | Persistence |
T1216 | System Script Proxy Execution | Defense Evasion |
T1559.002 | Dynamic Data Exchange | Execution |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1205.002 | Socket Filters | Command and Control, Defense Evasion, Persistence |
T1136.003 | Cloud Account | Persistence |
T1087.001 | Local Account | Discovery |
T1556.003 | Pluggable Authentication Modules | Credential Access, Defense Evasion, Persistence |
T1564.006 | Run Virtual Instance | Defense Evasion |
T1505 | Server Software Component | Persistence |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1564.009 | Resource Forking | Defense Evasion |
T1027.009 | Embedded Payloads | Defense Evasion |
T1553 | Subvert Trust Controls | Defense Evasion |
T1564.008 | Email Hiding Rules | Defense Evasion |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1216.001 | PubPrn | Defense Evasion |
T1547.008 | LSASS Driver | Persistence, Privilege Escalation |
T1562.003 | Impair Command History Logging | Defense Evasion |
T1547.005 | Security Support Provider | Persistence, Privilege Escalation |
T1648 | Serverless Execution | Execution |
T1556.004 | Network Device Authentication | Credential Access, Defense Evasion, Persistence |
T1136 | Create Account | Persistence |
T1555.004 | Windows Credential Manager | Credential Access |
T1559.003 | XPC Services | Execution |
T1218.004 | InstallUtil | Defense Evasion |
T1129 | Shared Modules | Execution |
T1106 | Native API | Execution |
T1561 | Disk Wipe | Impact |
T1525 | Implant Internal Image | Persistence |
T1055.003 | Thread Execution Hijacking | Defense Evasion, Privilege Escalation |
T1119 | Automated Collection | Collection |
T1548.001 | Setuid and Setgid | Defense Evasion, Privilege Escalation |
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
T1087 | Account Discovery | Discovery |
T1027.008 | Stripped Payloads | Defense Evasion |
T1005 | Data from Local System | Collection |
T1218.014 | MMC | Defense Evasion |
T1559 | Inter-Process Communication | Execution |
T1601.001 | Patch System Image | Defense Evasion |
T1092 | Communication Through Removable Media | Command and Control |
T1505.001 | SQL Stored Procedures | Persistence |
T1482 | Domain Trust Discovery | Discovery |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
Control ID | Name | Description |
---|---|---|
D2.b | Using Incidents to Drive Improvements | Your organisation uses lessons learned from incidents to improve your security measures. |
D2.a | Incident Root Cause Analysis | When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken. |
C1.e | Monitoring Tools and Skills | Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect. |
C1.d | Identifying Security Incidents | You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response. |