NIST CSF: DE.CM-4 Subcategory
From NIST's Cyber Security Framework (version 1):
Malicious code is detected
CSF Mapped to SP800-53 Controls
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Related ISO 27001 Controls
Annex A controls from ISO 27001 (2013) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Controls against malware (12.2.1), ISO 27001:2013
Related ISA/IEC 62443 Controls
Clauses and controls from IEC 62443 (62443-2-1 and 62443-3-3) which are related to this CSF subcategory, taken from mappings by NIST and additional data from Ofgem.
- Establish and document antivirus/malware management procedure (4.3.4.3.8), ISA/IEC 62443-2-1:2009
- Malicious code protection (SR 3.2), ISA/IEC 62443-3-3:2013
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against. This is based on mappings to the associated SP800-53 controls.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
T1204.003 | Malicious Image | Execution |
T1137.002 | Office Test | Persistence |
T1137.004 | Outlook Home Page | Persistence |
T1204.001 | Malicious Link | Execution |
T1137.003 | Outlook Forms | Persistence |
T1566.001 | Spearphishing Attachment | Initial Access |
T1137.001 | Office Template Macros | Persistence |
T1137.006 | Add-ins | Persistence |
T1566.003 | Spearphishing via Service | Initial Access |
T1221 | Template Injection | Defense Evasion |
T1598.001 | Spearphishing Service | Reconnaissance |
T1598.003 | Spearphishing Link | Reconnaissance |
T1598 | Phishing for Information | Reconnaissance |
T1137 | Office Application Startup | Persistence |
T1204.002 | Malicious File | Execution |
T1566 | Phishing | Initial Access |
T1137.005 | Outlook Rules | Persistence |
T1204 | User Execution | Execution |
T1566.002 | Spearphishing Link | Initial Access |
T1598.002 | Spearphishing Attachment | Reconnaissance |
T1102.002 | Bidirectional Communication | Command and Control |
T1602.001 | SNMP (MIB Dump) | Collection |
T1055.012 | Process Hollowing | Defense Evasion, Privilege Escalation |
T1557.003 | DHCP Spoofing | Collection, Credential Access |
T1003.002 | Security Account Manager | Credential Access |
T1176 | Browser Extensions | Persistence |
T1559 | Inter-Process Communication | Execution |
T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
T1546.006 | LC_LOAD_DYLIB Addition | Persistence, Privilege Escalation |
T1539 | Steal Web Session Cookie | Credential Access |
T1055.002 | Portable Executable Injection | Defense Evasion, Privilege Escalation |
T1185 | Browser Session Hijacking | Collection |
T1218.014 | MMC | Defense Evasion |
T1106 | Native API | Execution |
T1561 | Disk Wipe | Impact |
T1003.001 | LSASS Memory | Credential Access |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1008 | Fallback Channels | Command and Control |
T1562.004 | Disable or Modify System Firewall | Defense Evasion |
T1102.003 | One-Way Communication | Command and Control |
T1560.001 | Archive via Utility | Collection |
T1030 | Data Transfer Size Limits | Exfiltration |
T1559.002 | Dynamic Data Exchange | Execution |
T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
T1055.005 | Thread Local Storage | Defense Evasion, Privilege Escalation |
T1090.001 | Internal Proxy | Command and Control |
T1218.004 | InstallUtil | Defense Evasion |
T1055.013 | Process Doppelgänging | Defense Evasion, Privilege Escalation |
T1036.003 | Rename System Utilities | Defense Evasion |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
CSF Mapped to the NCSC CAF
Cyber Assessment Framework mappings generated from UK Cabinet Office data.
| Control ID | Name | Description |
|---|---|---|
C1.a | Monitoring Coverage | The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function. |
B4.d | Vulnerability Management | You manage known vulnerabilities in your network and information systems to prevent adverse impact on the essential function. |
B5.a | Resilience Preparation | You are prepared to restore the operation of your essential function following adverse impact. |
C2.b | Proactive Attack Discovery | You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity. |
B4.a | Secure by Design | You design security into the network and information systems that support the operation of essential functions. You minimise their attack surface and ensure that the operation of the essential function should not be impacted by the exploitation of any single vulnerability. |
B4.c | Secure Management | You manage your organisation's network and information systems that support the operation of essential functions to enable and maintain security. |