NIST CSF: DE.CM-6 Subcategory
From NIST's Cyber Security Framework (version 1):
External service provider activity is monitored to detect potential cybersecurity events
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
-
Monitoring and review of supplier services (15.2.1)
ISO 27001:2013 -
Outsourced development (14.2.7)
ISO 27001:2013
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1134.005 | SID-History Injection | Defense Evasion, Privilege Escalation |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1574.002 | DLL Side-Loading | Defense Evasion, Persistence, Privilege Escalation |
| T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
| T1505.004 | IIS Components | Persistence |
| T1547.004 | Winlogon Helper DLL | Persistence, Privilege Escalation |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1137.001 | Office Template Macros | Persistence |
| T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
| T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| T1602 | Data from Configuration Repository | Collection |
| T1036.001 | Invalid Code Signature | Defense Evasion |
| T1059.001 | PowerShell | Execution |
| T1555.005 | Password Managers | Credential Access |
| T1563.002 | RDP Hijacking | Lateral Movement |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
| T1003.004 | LSA Secrets | Credential Access |
| T1537 | Transfer Data to Cloud Account | Exfiltration |
| T1037.005 | Startup Items | Persistence, Privilege Escalation |
| T1218.013 | Mavinject | Defense Evasion |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1059.006 | Python | Execution |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1056.002 | GUI Input Capture | Collection, Credential Access |
| T1110.003 | Password Spraying | Credential Access |
| T1211 | Exploitation for Defense Evasion | Defense Evasion |
| T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
| T1029 | Scheduled Transfer | Exfiltration |
| T1055.014 | VDSO Hijacking | Defense Evasion, Privilege Escalation |
| T1059.002 | AppleScript | Execution |
| T1218.009 | Regsvcs/Regasm | Defense Evasion |
| T1098.003 | Additional Cloud Roles | Persistence, Privilege Escalation |
| T1569 | System Services | Execution |
| T1552.004 | Private Keys | Credential Access |
| T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
| T1578.001 | Create Snapshot | Defense Evasion |
| T1565 | Data Manipulation | Impact |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
| T1070.008 | Clear Mailbox Data | Defense Evasion |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
| Control ID | Name | Description |
|---|---|---|
| B2.c | Privileged User Management | You closely manage privileged user access to networks and information systems supporting the essential function. |
| B2.b | Device Management | You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function. |
| A4.a | Supply Chain | The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used. |
| B4.a | Secure by Design | You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability. |
| C1.a | Monitoring Coverage | The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function. |