RA-5: Vulnerability Monitoring and Scanning
From NIST's SP800-53:
a. Monitor and scan for vulnerabilities in the system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system are identified and reported;
b. Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
   1. Enumerating platforms, software flaws, and improper configurations;
   2. Formatting checklists and test procedures; and
   3. Measuring vulnerability impact;
c. Analyze vulnerability scan reports and results from vulnerability monitoring;
d. Remediate legitimate vulnerabilities [Assignment: organization-defined response times] in accordance with an organizational assessment of risk;
e. Share information obtained from the vulnerability monitoring process and control assessments with [Assignment: organization-defined personnel or roles] to help eliminate similar vulnerabilities in other systems; and
f. Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Control ID | Description |
---|---|
PR.IP-12 | A vulnerability management plan is developed and implemented |
RS.CO-3 | Information is shared consistent with response plans |
ID.RA-1 | Asset vulnerabilities are identified and documented |
DE.DP-4 | Event detection information is communicated |
RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks |
DE.DP-5 | Detection processes are continuously improved |
DE.CM-8 | Vulnerability scans are performed |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1213 | Data from Information Repositories | Collection |
T1133 | External Remote Services | Initial Access, Persistence |
T1098.004 | SSH Authorized Keys | Persistence, Privilege Escalation |
T1052 | Exfiltration Over Physical Medium | Exfiltration |
T1546.002 | Screensaver | Persistence, Privilege Escalation |
T1137.001 | Office Template Macros | Persistence |
T1505.003 | Web Shell | Persistence |
T1525 | Implant Internal Image | Persistence |
T1218.009 | Regsvcs/Regasm | Defense Evasion |
T1505 | Server Software Component | Persistence |
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation |
T1059.001 | PowerShell | Execution |
T1552.006 | Group Policy Preferences | Credential Access |
T1011.001 | Exfiltration Over Bluetooth | Exfiltration |
T1574.010 | Services File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation |
T1053.003 | Cron | Execution, Persistence, Privilege Escalation |
T1127.001 | MSBuild | Defense Evasion |
T1552.004 | Private Keys | Credential Access |
T1505.004 | IIS Components | Persistence |
T1021.006 | Windows Remote Management | Lateral Movement |
T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
T1552.001 | Credentials In Files | Credential Access |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1213.002 | Sharepoint | Collection |
T1574.005 | Executable Installer File Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation |
T1218.014 | MMC | Defense Evasion |
T1211 | Exploitation for Defense Evasion | Defense Evasion |
T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1530 | Data from Cloud Storage | Collection |
T1562 | Impair Defenses | Defense Evasion |
T1505.001 | SQL Stored Procedures | Persistence |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1558.004 | AS-REP Roasting | Credential Access |
T1578.003 | Delete Cloud Instance | Defense Evasion |
T1218.012 | Verclsid | Defense Evasion |
T1578 | Modify Cloud Compute Infrastructure | Defense Evasion |
T1563 | Remote Service Session Hijacking | Lateral Movement |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1505.005 | Terminal Services DLL | Persistence |
T1213.001 | Confluence | Collection |
T1505.002 | Transport Agent | Persistence |
T1176 | Browser Extensions | Persistence |
T1091 | Replication Through Removable Media | Initial Access, Lateral Movement |
T1547.008 | LSASS Driver | Persistence, Privilege Escalation |
T1212 | Exploitation for Credential Access | Credential Access |
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation |
T1218.003 | CMSTP | Defense Evasion |
T1059 | Command and Scripting Interpreter | Execution |
T1562.010 | Downgrade Attack | Defense Evasion |
T1578.001 | Create Snapshot | Defense Evasion |
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
T1218.004 | InstallUtil | Defense Evasion |
T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
T1092 | Communication Through Removable Media | Command and Control |
T1482 | Domain Trust Discovery | Discovery |
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
T1559 | Inter-Process Communication | Execution |
T1563.002 | RDP Hijacking | Lateral Movement |
T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
T1218.008 | Odbcconf | Defense Evasion |
T1052.001 | Exfiltration over USB | Exfiltration |
T1218 | System Binary Proxy Execution | Defense Evasion |
T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
T1195.002 | Compromise Software Supply Chain | Initial Access |
T1047 | Windows Management Instrumentation | Execution |
T1546.014 | Emond | Persistence, Privilege Escalation |
T1528 | Steal Application Access Token | Credential Access |
T1213.003 | Code Repositories | Collection |
T1059.007 | JavaScript | Execution |
T1559.002 | Dynamic Data Exchange | Execution |
T1612 | Build Image on Host | Defense Evasion |
T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1021.003 | Distributed Component Object Model | Lateral Movement |
T1221 | Template Injection | Defense Evasion |
T1021.001 | Remote Desktop Protocol | Lateral Movement |
T1552.002 | Credentials in Registry | Credential Access |
T1547.006 | Kernel Modules and Extensions | Persistence, Privilege Escalation |
T1190 | Exploit Public-Facing Application | Initial Access |
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion |
T1557 | Adversary-in-the-Middle | Collection, Credential Access |
T1137 | Office Application Startup | Persistence |
T1021.005 | VNC | Lateral Movement |
T1053.002 | At | Execution, Persistence, Privilege Escalation |
T1195.001 | Compromise Software Dependencies and Development Tools | Initial Access |
T1560.001 | Archive via Utility | Collection |
T1563.001 | SSH Hijacking | Lateral Movement |
T1204.003 | Malicious Image | Execution |
T1059.005 | Visual Basic | Execution |
T1195 | Supply Chain Compromise | Initial Access |
T1218.013 | Mavinject | Defense Evasion |
T1560 | Archive Collected Data | Collection |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
T1210 | Exploitation of Remote Services | Lateral Movement |
T1578.002 | Create Cloud Instance | Defense Evasion |
T1218.005 | Mshta | Defense Evasion |
T1552 | Unsecured Credentials | Credential Access |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1046 | Network Service Discovery | Discovery |
T1021.004 | SSH | Lateral Movement |