RA-5: Vulnerability Monitoring and Scanning
From NIST's SP800-53:
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported; b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1. Enumerating platforms, software flaws, and improper configurations; 2. Formatting checklists and test procedures; and 3. Measuring vulnerability impact; c. Analyze vulnerability scan reports and results from vulnerability monitoring; d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk; e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| PR.IP-12 | A vulnerability management plan is developed and implemented |
| RS.CO-3 | Information is shared consistent with response plans |
| ID.RA-1 | Asset vulnerabilities are identified and documented |
| DE.DP-4 | Event detection information is communicated |
| RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks |
| DE.DP-5 | Detection processes are continuously improved |
| DE.CM-8 | Vulnerability scans are performed |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1213 | Data from Information Repositories | Collection |
| T1133 | External Remote Services | Initial Access, Persistence |
| T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
| T1546.002 | Screensaver | Persistence, Privilege Escalation |
| T1137.001 | Office Template Macros | Persistence |
| T1505.003 | Web Shell | Persistence |
| T1525 | Implant Internal Image | Persistence |
| T1218.009 | Regsvcs/Regasm | Defense Evasion |
| T1505 | Server Software Component | Persistence |
| T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
| T1059.001 | PowerShell | Execution |
| T1552.006 | Group Policy Preferences | Credential Access |
| T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
| T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
| T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
| T1127.001 | MSBuild | Defense Evasion |
| T1552.004 | Private Keys | Credential Access |
| T1505.004 | IIS Components | Persistence |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
| T1552.001 | Credentials In Files | Credential Access |
| T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1213.002 | Sharepoint | Collection |
| T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
| T1218.014 | MMC | Defense Evasion |
| T1211 | Exploitation for Defense Evasion | Defense Evasion |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1530 | Data from Cloud Storage | Collection |
| T1562 | Impair Defenses | Defense Evasion |
| T1505.001 | SQL Stored Procedures | Persistence |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1578.003 | Delete Cloud Instance | Defense Evasion |
| T1218.012 | Verclsid | Defense Evasion |
| T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
| T1563 | Remote Service Session Hijacking | Lateral Movement |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1505.005 | Terminal Services DLL | Persistence |
| T1213.001 | Confluence | Collection |
| T1505.002 | Transport Agent | Persistence |
| T1176 | Browser Extensions | Persistence |
| T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
| T1547.008 | LSASS Driver | Persistence, Privilege Escalation |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
| T1218.003 | CMSTP | Defense Evasion |
| T1059 | Command and Scripting Interpreter | Execution |
| T1562.010 | Downgrade Attack | Defense Evasion |