NIST CSF: DE.AE-1 Subcategory
From NIST's Cybersecurity Framework (version 1):
A baseline of network operations and expected data flows for users and systems is established and managed
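The subcategory asks for a baseline of who talks to whom, over which ports, and at what volume, and for that baseline to be maintained and compared against live traffic. The script below is an added example (not part of the NIST text or of this page's mappings) showing the mechanics on constructed flow records: a learning window is summarised into a baseline keyed by (source, destination, port, protocol), one-off flows are excluded from the baseline so they are still reported later, and a second window is checked for flows outside the baseline and for volume far above the learned mean. Record format, thresholds and IP addresses are assumptions chosen for the illustration.

```python
"""Flow baselining and deviation detection, as an illustration of DE.AE-1.

Added example. The Flow record, thresholds and sample addresses are
assumptions for this demo, not a real collector's export format.
"""
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str      # source host
    dst: str      # destination host
    dport: int    # destination port
    proto: str    # "tcp" / "udp"
    bytes: int    # bytes transferred in this flow


FlowKey = Tuple[str, str, int, str]
BaselineStats = Tuple[int, float, float]  # (count, mean_bytes, stdev_bytes)


def flow_key(f: Flow) -> FlowKey:
    """The tuple that identifies an 'expected data flow' in the baseline."""
    return (f.src, f.dst, f.dport, f.proto)


def build_baseline(flows: Iterable[Flow], min_occurrences: int = 2) -> Dict[FlowKey, BaselineStats]:
    """Summarise a learning window into per-key volume statistics.

    Keys seen fewer than min_occurrences times are deliberately left out:
    a single flow during the learning window is not evidence of an
    expected pattern, and baking it in would silence later detections.
    """
    sizes_by_key: Dict[FlowKey, List[int]] = defaultdict(list)
    for f in flows:
        sizes_by_key[flow_key(f)].append(f.bytes)

    baseline: Dict[FlowKey, BaselineStats] = {}
    for key, sizes in sizes_by_key.items():
        if len(sizes) < min_occurrences:
            continue
        baseline[key] = (len(sizes), statistics.fmean(sizes), statistics.pstdev(sizes))
    return baseline


def detect_deviations(baseline: Dict[FlowKey, BaselineStats], flows: Iterable[Flow],
                      z_threshold: float = 3.0, min_abs_growth: int = 10_000) -> List[Tuple[str, Flow]]:
    """Compare a window of flows against the baseline.

    Returns (reason, flow) pairs. Two reasons are raised:
      "unknown-flow"    the (src, dst, port, proto) tuple was never baselined
      "volume-anomaly"  the tuple is known but the byte count is far above
                        the learned mean (z-score above threshold AND an
                        absolute excess, so tiny-variance keys do not alert
                        on a few extra bytes)
    """
    findings: List[Tuple[str, Flow]] = []
    for f in flows:
        stats = baseline.get(flow_key(f))
        if stats is None:
            findings.append(("unknown-flow", f))
            continue
        _, mean, stdev = stats
        excess = f.bytes - mean
        if excess > min_abs_growth and (stdev == 0 or excess / stdev > z_threshold):
            findings.append(("volume-anomaly", f))
    return findings


# Constructed learning window: two workstations, an internal web service and DNS.
# The single SMB flow to 10.0.2.20 is a one-off and will not enter the baseline.
BASELINE_FLOWS = [
    Flow("10.0.1.20", "10.0.2.5", 443, "tcp", 4200),
    Flow("10.0.1.20", "10.0.2.5", 443, "tcp", 3900),
    Flow("10.0.1.20", "10.0.2.5", 443, "tcp", 4500),
    Flow("10.0.1.20", "10.0.2.10", 53, "udp", 120),
    Flow("10.0.1.20", "10.0.2.10", 53, "udp", 130),
    Flow("10.0.1.21", "10.0.2.5", 443, "tcp", 5100),
    Flow("10.0.1.21", "10.0.2.5", 443, "tcp", 4800),
    Flow("10.0.1.21", "10.0.2.20", 445, "tcp", 900_000),
]

# Constructed observation window: normal traffic, a new outbound SSH flow,
# a huge transfer on an otherwise-known path, and the SMB path seen again.
NEW_FLOWS = [
    Flow("10.0.1.20", "10.0.2.5", 443, "tcp", 4100),
    Flow("10.0.1.20", "10.0.2.10", 53, "udp", 140),
    Flow("10.0.1.20", "203.0.113.7", 22, "tcp", 60_000),
    Flow("10.0.1.20", "10.0.2.5", 443, "tcp", 2_600_000),
    Flow("10.0.1.21", "10.0.2.20", 445, "tcp", 50_000),
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    for reason, f in detect_deviations(baseline, NEW_FLOWS):
        print(f"{reason:15} {f.src} -> {f.dst}:{f.dport}/{f.proto} {f.bytes} bytes")
```

The "managed" half of the subcategory is the part this toy omits: in practice the baseline is rebuilt on a schedule, reviewed when change management (12.1.2 below) introduces a new service, and an "unknown-flow" that is confirmed legitimate is promoted into it rather than left to alert forever.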
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Security of network services (13.1.2), ISO 27001:2013
- Network controls (13.1.1), ISO 27001:2013
- Documented operating procedures (12.1.1), ISO 27001:2013
- Change management (12.1.2), ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Establish triggers to evaluate CSMS (4.4.3.3), ISA/IEC 62443-2-1:2009
MITRE ATT&CK Techniques
MITRE ATT&CK techniques that this subcategory helps to detect or mitigate. The list is derived indirectly, from the ATT&CK mappings of the SP800-53 controls associated with this subcategory, so it is broad: a flow baseline on its own will not catch every technique listed, only those whose execution changes network behaviour.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1505.004 | IIS Components | Persistence |
T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
T1003.005 | Cached Domain Credentials | Credential Access |
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1137.001 | Office Template Macros | Persistence |
T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
T1602 | Data from Configuration Repository | Collection |
T1036.001 | Invalid Code Signature | Defense Evasion |
T1059.001 | PowerShell | Execution |
T1555.005 | Password Managers | Credential Access |
T1563.002 | RDP Hijacking | Lateral Movement |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1003.004 | LSA Secrets | Credential Access |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1037.005 | Startup Items | Persistence, Privilege Escalation |
T1218.013 | Mavinject | Defense Evasion |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1059.006 | Python | Execution |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1056.002 | GUI Input Capture | Collection, Credential Access |
T1110.003 | Password Spraying | Credential Access |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
T1029 | Scheduled Transfer | Exfiltration |
T1055.014 | VDSO Hijacking | Defense Evasion, Privilege Escalation |
T1059.002 | AppleScript | Execution |
T1218.009 | Regsvcs/Regasm | Defense Evasion |
T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
T1569 | System Services | Execution |
T1552.004 | Private Keys | Credential Access |
T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
T1578.001 | Create Snapshot | Defense Evasion |
T1565 | Data Manipulation | Impact |
T1558.004 | AS-REP Roasting | Credential Access |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1070.008 | Clear Mailbox Data | Defense Evasion |
T1135 | Network Share Discovery | Discovery |
T1564.002 | Hidden Users | Defense Evasion |
T1602.001 | SNMP (MIB Dump) | Collection |
T1547.012 | Print Processors | Persistence, Privilege Escalation |
T1499.003 | Application Exhaustion Flood | Impact |
T1555 | Credentials from Password Stores | Credential Access |
T1055.004 | Asynchronous Procedure Call | Defense Evasion, Privilege Escalation |
T1213 | Data from Information Repositories | Collection |
T1114.003 | Email Forwarding Rule | Collection |
T1070 | Indicator Removal | Defense Evasion |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
Control ID | Name | Description |
---|---|---|
B4.b | Secure Configuration | You securely configure the network and information systems that support the operation of essential functions. |
B3.b | Data in Transit | You have protected the transit of data important to the operation of the essential function. This includes the transfer of data to third parties. |
C1.a | Monitoring Coverage | The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function. |
A4.a | Supply Chain | The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used. |
B2.a | Identity Verification, Authentication and Authorisation | You robustly verify, authenticate and authorise access to the networks and information systems supporting your essential function. |
B4.a | Secure by Design | You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability. |