NIST CSF: DE.CM-6 Subcategory

From NIST's Cyber Security Framework (version 1):

External service provider activity is monitored to detect potential cybersecurity events

Cyber Threat Graph Context

Explore how this control relates to the wider threat graph

CSF Mapped to SP800-53 Controls

Generated from NIST's SP800-53/CSF Crosswalk mappings.

Node
SA-9: External System Services
PS-7: External Personnel Security
SA-4: Acquisition Process
SI-4: System Monitoring
CA-7: Continuous Monitoring

Related ISO 27001 Controls

Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.

  • Monitoring and review of supplier services (15.2.1)
    ISO 27001:2013
  • Outsourced development (14.2.7)
    ISO 27001:2013

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to associated SP800-53 controls.

ATT&CK ID Title Associated Tactics
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1041 Exfiltration Over C2 Channel Exfiltration
T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
T1567 Exfiltration Over Web Service Exfiltration
T1134.005 SID-History Injection Defense Evasion, Privilege Escalation
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1078.003 Local Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1574.002 DLL Side-Loading Defense Evasion, Persistence, Privilege Escalation
T1078.001 Default Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1484 Domain Policy Modification Defense Evasion, Privilege Escalation
T1505.004 IIS Components Persistence
T1547.004 Winlogon Helper DLL Persistence, Privilege Escalation
T1003.005 Cached Domain Credentials Credential Access
T1137.001 Office Template Macros Persistence
T1553.003 SIP and Trust Provider Hijacking Defense Evasion
T1556 Modify Authentication Process Credential Access, Defense Evasion, Persistence
T1602 Data from Configuration Repository Collection
T1036.001 Invalid Code Signature Defense Evasion
T1059.001 PowerShell Execution
T1555.005 Password Managers Credential Access
T1563.002 RDP Hijacking Lateral Movement
T1098.004 SSH Authorized Keys Persistence, Privilege Escalation
T1003.004 LSA Secrets Credential Access
T1537 Transfer Data to Cloud Account Exfiltration
T1037.005 Startup Items Persistence, Privilege Escalation
T1218.013 Mavinject Defense Evasion
T1543 Create or Modify System Process Persistence, Privilege Escalation
T1574.010 Services File Permissions Weakness Defense Evasion, Persistence, Privilege Escalation
T1059.006 Python Execution
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
T1036.005 Match Legitimate Name or Location Defense Evasion
T1056.002 GUI Input Capture Collection, Credential Access
T1110.003 Password Spraying Credential Access
T1211 Exploitation for Defense Evasion Defense Evasion
T1070.002 Clear Linux or Mac System Logs Defense Evasion
T1029 Scheduled Transfer Exfiltration
T1055.014 VDSO Hijacking Defense Evasion, Privilege Escalation
T1059.002 AppleScript Execution
T1218.009 Regsvcs/Regasm Defense Evasion
T1098.003 Additional Cloud Roles Persistence, Privilege Escalation
T1569 System Services Execution
T1552.004 Private Keys Credential Access
T1205 Traffic Signaling Command and Control, Defense Evasion, Persistence
T1578.001 Create Snapshot Defense Evasion
T1565 Data Manipulation Impact
T1558.004 AS-REP Roasting Credential Access
T1055.001 Dynamic-link Library Injection Defense Evasion, Privilege Escalation
T1070.008 Clear Mailbox Data Defense Evasion
T1135 Network Share Discovery Discovery
T1564.002 Hidden Users Defense Evasion
T1602.001 SNMP (MIB Dump) Collection
T1547.012 Print Processors Persistence, Privilege Escalation
T1499.003 Application Exhaustion Flood Impact
T1555 Credentials from Password Stores Credential Access
T1055.004 Asynchronous Procedure Call Defense Evasion, Privilege Escalation
T1213 Data from Information Repositories Collection
T1114.003 Email Forwarding Rule Collection
T1070 Indicator Removal Defense Evasion
T1102.003 One-Way Communication Command and Control
T1055.011 Extra Window Memory Injection Defense Evasion, Privilege Escalation
T1055.005 Thread Local Storage Defense Evasion, Privilege Escalation
T1552.001 Credentials In Files Credential Access
T1564.004 NTFS File Attributes Defense Evasion
T1566.001 Spearphishing Attachment Initial Access
T1613 Container and Resource Discovery Discovery
T1095 Non-Application Layer Protocol Command and Control
T1078.002 Domain Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1003.002 Security Account Manager Credential Access
T1040 Network Sniffing Credential Access, Discovery
T1132.001 Standard Encoding Command and Control
T1557.003 DHCP Spoofing Collection, Credential Access
T1218.001 Compiled HTML File Defense Evasion
T1070.001 Clear Windows Event Logs Defense Evasion
T1574.005 Executable Installer File Permissions Weakness Defense Evasion, Persistence, Privilege Escalation
T1578.002 Create Cloud Instance Defense Evasion
T1055.009 Proc Memory Defense Evasion, Privilege Escalation
T1087.002 Domain Account Discovery
T1213.001 Confluence Collection
T1218.005 Mshta Defense Evasion
T1053.002 At Execution, Persistence, Privilege Escalation
T1610 Deploy Container Defense Evasion, Execution
T1557 Adversary-in-the-Middle Collection, Credential Access
T1025 Data from Removable Media Collection
T1219 Remote Access Software Command and Control
T1560 Archive Collected Data Collection
T1572 Protocol Tunneling Command and Control
T1574.009 Path Interception by Unquoted Path Defense Evasion, Persistence, Privilege Escalation
T1553.005 Mark-of-the-Web Bypass Defense Evasion
T1059.004 Unix Shell Execution
T1102.002 Bidirectional Communication Command and Control
T1562.002 Disable Windows Event Logging Defense Evasion
T1598 Phishing for Information Reconnaissance
T1566.003 Spearphishing via Service Initial Access
T1562.010 Downgrade Attack Defense Evasion
T1552.002 Credentials in Registry Credential Access
T1003 OS Credential Dumping Credential Access
T1573 Encrypted Channel Command and Control
T1612 Build Image on Host Defense Evasion
T1505.002 Transport Agent Persistence
T1114.001 Local Email Collection Collection
T1127 Trusted Developer Utilities Proxy Execution Defense Evasion
T1550.003 Pass the Ticket Defense Evasion, Lateral Movement
T1136.001 Local Account Persistence
T1552.005 Cloud Instance Metadata API Credential Access
T1003.008 /etc/passwd and /etc/shadow Credential Access
T1059.007 JavaScript Execution
T1601.002 Downgrade System Image Defense Evasion
T1055.002 Portable Executable Injection Defense Evasion, Privilege Escalation
T1091 Replication Through Removable Media Initial Access, Lateral Movement
T1571 Non-Standard Port Command and Control
T1037.004 RC Scripts Persistence, Privilege Escalation
T1566.002 Spearphishing Link Initial Access
T1021.006 Windows Remote Management Lateral Movement
T1553.004 Install Root Certificate Defense Evasion
T1491 Defacement Impact
T1573.001 Symmetric Cryptography Command and Control
T1047 Windows Management Instrumentation Execution
T1556.002 Password Filter DLL Credential Access, Defense Evasion, Persistence
T1530 Data from Cloud Storage Collection
T1601 Modify System Image Defense Evasion
T1557.002 ARP Cache Poisoning Collection, Credential Access
T1218.012 Verclsid Defense Evasion
T1222.001 Windows File and Directory Permissions Modification Defense Evasion
T1491.001 Internal Defacement Impact
T1190 Exploit Public-Facing Application Initial Access
T1072 Software Deployment Tools Execution, Lateral Movement
T1037.003 Network Logon Script Persistence, Privilege Escalation
T1204.003 Malicious Image Execution
T1212 Exploitation for Credential Access Credential Access
T1547.009 Shortcut Modification Persistence, Privilege Escalation
T1027.002 Software Packing Defense Evasion
T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
T1547.006 Kernel Modules and Extensions Persistence, Privilege Escalation
T1071.002 File Transfer Protocols Command and Control
T1499.002 Service Exhaustion Flood Impact
T1011 Exfiltration Over Other Network Medium Exfiltration
T1037.002 Login Hook Persistence, Privilege Escalation
T1213.002 Sharepoint Collection
T1568 Dynamic Resolution Command and Control
T1133 External Remote Services Initial Access, Persistence
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1053.003 Cron Execution, Persistence, Privilege Escalation
T1011.001 Exfiltration Over Bluetooth Exfiltration
T1055 Process Injection Defense Evasion, Privilege Escalation
T1574 Hijack Execution Flow Defense Evasion, Persistence, Privilege Escalation
T1561.002 Disk Structure Wipe Impact
T1003.006 DCSync Credential Access
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol Exfiltration
T1562.006 Indicator Blocking Defense Evasion
T1055.013 Process Doppelgänging Defense Evasion, Privilege Escalation
T1569.002 Service Execution Execution
T1052.001 Exfiltration over USB Exfiltration
T1553.001 Gatekeeper Bypass Defense Evasion
T1218 System Binary Proxy Execution Defense Evasion
T1486 Data Encrypted for Impact Impact
T1547.007 Re-opened Applications Persistence, Privilege Escalation
T1055.008 Ptrace System Calls Defense Evasion, Privilege Escalation
T1021.003 Distributed Component Object Model Lateral Movement
T1574.001 DLL Search Order Hijacking Defense Evasion, Persistence, Privilege Escalation
T1578.003 Delete Cloud Instance Defense Evasion
T1485 Data Destruction Impact
T1036 Masquerading Defense Evasion
T1574.008 Path Interception by Search Order Hijacking Defense Evasion, Persistence, Privilege Escalation
T1552.006 Group Policy Preferences Credential Access
T1548.004 Elevated Execution with Prompt Defense Evasion, Privilege Escalation
T1546.008 Accessibility Features Persistence, Privilege Escalation
T1070.009 Clear Persistence Defense Evasion
T1598.003 Spearphishing Link Reconnaissance
T1528 Steal Application Access Token Credential Access
T1114 Email Collection Collection
T1647 Plist File Modification Defense Evasion
T1110 Brute Force Credential Access
T1036.007 Double File Extension Defense Evasion
T1221 Template Injection Defense Evasion
T1008 Fallback Channels Command and Control
T1546.016 Installer Packages Persistence, Privilege Escalation
T1552.003 Bash History Credential Access
T1622 Debugger Evasion Defense Evasion, Discovery
T1204 User Execution Execution
T1132.002 Non-Standard Encoding Command and Control
T1059.008 Network Device CLI Execution
T1210 Exploitation of Remote Services Lateral Movement
T1027.007 Dynamic API Resolution Defense Evasion
T1189 Drive-by Compromise Initial Access
T1030 Data Transfer Size Limits Exfiltration
T1001.001 Junk Data Command and Control
T1222.002 Linux and Mac File and Directory Permissions Modification Defense Evasion
T1136.002 Domain Account Persistence
T1059.003 Windows Command Shell Execution
T1499.001 OS Exhaustion Flood Impact
T1053.006 Systemd Timers Execution, Persistence, Privilege Escalation
T1570 Lateral Tool Transfer Lateral Movement
T1220 XSL Script Processing Defense Evasion
T1490 Inhibit System Recovery Impact
T1598.001 Spearphishing Service Reconnaissance
T1565.003 Runtime Data Manipulation Impact
T1098.002 Additional Email Delegate Permissions Persistence, Privilege Escalation
T1021 Remote Services Lateral Movement
T1070.003 Clear Command History Defense Evasion
T1489 Service Stop Impact
T1505.003 Web Shell Persistence
T1197 BITS Jobs Defense Evasion, Persistence
T1546.003 Windows Management Instrumentation Event Subscription Persistence, Privilege Escalation
T1543.002 Systemd Service Persistence, Privilege Escalation
T1218.003 CMSTP Defense Evasion
T1562.001 Disable or Modify Tools Defense Evasion
T1499 Endpoint Denial of Service Impact
T1071.001 Web Protocols Command and Control
T1599.001 Network Address Translation Traversal Defense Evasion
T1036.003 Rename System Utilities Defense Evasion
T1564.007 VBA Stomping Defense Evasion
T1539 Steal Web Session Cookie Credential Access
T1555.002 Securityd Memory Credential Access
T1599 Network Boundary Bridging Defense Evasion
T1027 Obfuscated Files or Information Defense Evasion
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1602.002 Network Device Configuration Dump Collection
T1055.012 Process Hollowing Defense Evasion, Privilege Escalation
T1098.001 Additional Cloud Credentials Persistence, Privilege Escalation
T1611 Escape to Host Privilege Escalation
T1546.004 Unix Shell Configuration Modification Persistence, Privilege Escalation
T1218.010 Regsvr32 Defense Evasion
T1561.001 Disk Content Wipe Impact
T1550.001 Application Access Token Defense Evasion, Lateral Movement
T1001 Data Obfuscation Command and Control
T1560.001 Archive via Utility Collection
T1218.008 Odbcconf Defense Evasion
T1021.004 SSH Lateral Movement
T1542.005 TFTP Boot Defense Evasion, Persistence
T1546.006 LC_LOAD_DYLIB Addition Persistence, Privilege Escalation
T1132 Data Encoding Command and Control
T1548 Abuse Elevation Control Mechanism Defense Evasion, Privilege Escalation
T1003.001 LSASS Memory Credential Access
T1114.002 Remote Email Collection Collection
T1547.002 Authentication Package Persistence, Privilege Escalation
T1546.014 Emond Persistence, Privilege Escalation
T1491.002 External Defacement Impact
T1110.004 Credential Stuffing Credential Access
T1546.002 Screensaver Persistence, Privilege Escalation
T1098 Account Manipulation Persistence, Privilege Escalation
T1071 Application Layer Protocol Command and Control
T1137 Office Application Startup Persistence
T1566 Phishing Initial Access
T1020.001 Traffic Duplication Exfiltration
T1565.002 Transmitted Data Manipulation Impact
T1548.003 Sudo and Sudo Caching Defense Evasion, Privilege Escalation
T1127.001 MSBuild Defense Evasion
T1505.005 Terminal Services DLL Persistence
T1558 Steal or Forge Kerberos Tickets Credential Access
T1080 Taint Shared Content Lateral Movement
T1216 System Script Proxy Execution Defense Evasion
T1558.002 Silver Ticket Credential Access
T1559.002 Dynamic Data Exchange Execution
T1563.001 SSH Hijacking Lateral Movement
T1542.004 ROMMONkit Defense Evasion, Persistence
T1201 Password Policy Discovery Discovery
T1204.001 Malicious Link Execution
T1562 Impair Defenses Defense Evasion
T1547.003 Time Providers Persistence, Privilege Escalation
T1578 Modify Cloud Compute Infrastructure Defense Evasion
T1205.002 Socket Filters Command and Control, Defense Evasion, Persistence
T1001.002 Steganography Command and Control
T1136.003 Cloud Account Persistence
T1185 Browser Session Hijacking Collection
T1046 Network Service Discovery Discovery
T1087.001 Local Account Discovery
T1187 Forced Authentication Credential Access
T1556.003 Pluggable Authentication Modules Credential Access, Defense Evasion, Persistence
T1555.001 Keychain Credential Access
T1564.006 Run Virtual Instance Defense Evasion
T1505 Server Software Component Persistence
T1563 Remote Service Session Hijacking Lateral Movement
T1222 File and Directory Permissions Modification Defense Evasion
T1071.004 DNS Command and Control
T1564.009 Resource Forking Defense Evasion
T1105 Ingress Tool Transfer Command and Control
T1027.009 Embedded Payloads Defense Evasion
T1564.010 Process Argument Spoofing Defense Evasion
T1565.001 Stored Data Manipulation Impact
T1204.002 Malicious File Execution
T1218.002 Control Panel Defense Evasion
T1573.002 Asymmetric Cryptography Command and Control
T1574.013 KernelCallbackTable Defense Evasion, Persistence, Privilege Escalation
T1553 Subvert Trust Controls Defense Evasion
T1564.008 Email Hiding Rules Defense Evasion
T1021.001 Remote Desktop Protocol Lateral Movement
T1574.007 Path Interception by PATH Environment Variable Defense Evasion, Persistence, Privilege Escalation
T1216.001 PubPrn Defense Evasion
T1547.008 LSASS Driver Persistence, Privilege Escalation
T1102.001 Dead Drop Resolver Command and Control
T1562.003 Impair Command History Logging Defense Evasion
T1547.005 Security Support Provider Persistence, Privilege Escalation
T1648 Serverless Execution Execution
T1556.004 Network Device Authentication Credential Access, Defense Evasion, Persistence
T1136 Create Account Persistence
T1071.003 Mail Protocols Command and Control
T1090.001 Internal Proxy Command and Control
T1111 Multi-Factor Authentication Interception Credential Access
T1104 Multi-Stage Channels Command and Control
T1001.003 Protocol Impersonation Command and Control
T1499.004 Application or System Exploitation Impact
T1070.007 Clear Network Connection History and Configurations Defense Evasion
T1555.004 Windows Credential Manager Credential Access
T1559.003 XPC Services Execution
T1059 Command and Scripting Interpreter Execution
T1552 Unsecured Credentials Credential Access
T1218.004 InstallUtil Defense Evasion
T1003.003 NTDS Credential Access
T1546.013 PowerShell Profile Persistence, Privilege Escalation
T1574.004 Dylib Hijacking Defense Evasion, Persistence, Privilege Escalation
T1129 Shared Modules Execution
T1106 Native API Execution
T1561 Disk Wipe Impact
T1176 Browser Extensions Persistence
T1525 Implant Internal Image Persistence
T1055.003 Thread Execution Hijacking Defense Evasion, Privilege Escalation
T1119 Automated Collection Collection
T1598.002 Spearphishing Attachment Reconnaissance
T1548.001 Setuid and Setgid Defense Evasion, Privilege Escalation
T1562.004 Disable or Modify System Firewall Defense Evasion
T1548.002 Bypass User Account Control Defense Evasion, Privilege Escalation
T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay Collection, Credential Access
T1052 Exfiltration Over Physical Medium Exfiltration
T1087 Account Discovery Discovery
T1568.002 Domain Generation Algorithms Command and Control
T1090 Proxy Command and Control
T1205.001 Port Knocking Command and Control, Defense Evasion, Persistence
T1218.011 Rundll32 Defense Evasion
T1027.008 Stripped Payloads Defense Evasion
T1037 Boot or Logon Initialization Scripts Persistence, Privilege Escalation
T1110.002 Password Cracking Credential Access
T1005 Data from Local System Collection
T1558.003 Kerberoasting Credential Access
T1547.013 XDG Autostart Entries Persistence, Privilege Escalation
T1556.001 Domain Controller Authentication Credential Access, Defense Evasion, Persistence
T1059.005 Visual Basic Execution
T1218.014 MMC Defense Evasion
T1559 Inter-Process Communication Execution
T1021.005 VNC Lateral Movement
T1601.001 Patch System Image Defense Evasion
T1102 Web Service Command and Control
T1203 Exploitation for Client Execution Execution
T1092 Communication Through Removable Media Command and Control
T1003.007 Proc Filesystem Credential Access
T1110.001 Password Guessing Credential Access
T1090.002 External Proxy Command and Control
T1498 Network Denial of Service Impact
T1195.002 Compromise Software Supply Chain Initial Access
T1195 Supply Chain Compromise Initial Access
T1195.001 Compromise Software Dependencies and Development Tools Initial Access
T1213.003 Code Repositories Collection
T1090.003 Multi-hop Proxy Command and Control
T1498.002 Reflection Amplification Impact
T1498.001 Direct Network Flood Impact

CSF Mapped to the NCSC CAF

Cyber Assessment Framework mappings generated from UK Cabinet Office data.

Control ID Name Description
B2.c Privileged User Management You closely manage privileged user access to networks and information systems supporting the essential function.
B2.b Device Management You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function.
A4.a Supply Chain The organisation understands and manages security risks to networks and information systems supporting the operation of essential functions that arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used.
B4.a Secure by Design You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability.
C1.a Monitoring Coverage The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function.