CA-7: Continuous Monitoring
From NIST's SP800-53:
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| DE.CM-1 | The network is monitored to detect potential cybersecurity events |
| DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events |
| DE.DP-5 | Detection processes are continuously improved |
| DE.DP-3 | Detection processes are tested |
| DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability |
| DE.AE-2 | Detected events are analyzed to understand attack targets and methods |
| DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
| DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events |
| DE.DP-2 | Detection activities comply with all applicable requirements |
| DE.AE-3 | Event data are collected and correlated from multiple sources and sensors |
| RS.AN-1 | Notifications from detection systems are investigated |
| RS.CO-3 | Information is shared consistent with response plans |
| ID.RA-1 | Asset vulnerabilities are identified and documented |
| PR.IP-7 | Protection processes are improved |
| PR.IP-8 | Effectiveness of protection technologies is shared |
| RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks |
| DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
| DE.DP-4 | Event detection information is communicated |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1552.001 | Credentials In Files | Credential Access |
| T1090.001 | Internal Proxy | Command and Control |
| T1036.003 | Rename System Utilities | Defense Evasion |
| T1552 | Unsecured Credentials | Credential Access |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1528 | Steal Application Access Token | Credential Access |
| T1218.011 | Rundll32 | Defense Evasion |
| T1059.007 | JavaScript | Execution |
| T1071.004 | DNS | Command and Control |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1564.004 | NTFS File Attributes | Defense Evasion |
| T1218 | System Binary Proxy Execution | Defense Evasion |
| T1499.001 | OS Exhaustion Flood | Impact |
| T1569 | System Services | Execution |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1037.005 | Startup Items | Persistence, Privilege Escalation |
| T1189 | Drive-by Compromise | Initial Access |
| T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
| T1008 | Fallback Channels | Command and Control |
| T1557.003 | DHCP Spoofing | Collection, Credential Access |
| T1571 | Non-Standard Port | Command and Control |
| T1001.001 | Junk Data | Command and Control |
| T1003.006 | DCSync | Credential Access |
| T1218.012 | Verclsid | Defense Evasion |
| T1201 | Password Policy Discovery | Discovery |
| T1003.002 | Security Account Manager | Credential Access |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1110.003 | Password Spraying | Credential Access |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1555 | Credentials from Password Stores | Credential Access |
| T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
| T1499 | Endpoint Denial of Service | Impact |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
| T1132.002 | Non-Standard Encoding | Command and Control |
| T1562.002 | Disable Windows Event Logging | Defense Evasion |
| T1552.002 | Credentials in Registry | Credential Access |
| T1566.002 | Spearphishing Link | Initial Access |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1602 | Data from Configuration Repository | Collection |
| T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1563.001 | SSH Hijacking | Lateral Movement |
| T1566.003 | Spearphishing via Service | Initial Access |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1080 | Taint Shared Content | Lateral Movement |
| T1110 | Brute Force | Credential Access |
| T1568 | Dynamic Resolution | Command and Control |
| T1558.002 | Silver Ticket | Credential Access |
| T1046 | Network Service Discovery | Discovery |
| T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1558.003 | Kerberoasting | Credential Access |
| T1036 | Masquerading | Defense Evasion |
| T1553.003 | SIP and Trust Provider Hijacking | Defense Evasion |
| T1542.005 | TFTP Boot | Defense Evasion, Persistence |
| T1053.006 | Systemd Timers | Execution, Persistence, Privilege Escalation |
| T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation |
| T1036.007 | Double File Extension | Defense Evasion |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1003.004 | LSA Secrets | Credential Access |
| T1001.003 | Protocol Impersonation | Command and Control |
| T1498 | Network Denial of Service | Impact |
| T1550.003 | Pass the Ticket | Defense Evasion, Lateral Movement |
| T1552.004 | Private Keys | Credential Access |
| T1546.003 | Windows Management Instrumentation Event Subscription | Persistence, Privilege Escalation |
| T1037 | Boot or Logon Initialization Scripts | Persistence, Privilege Escalation |
| T1566.001 | Spearphishing Attachment | Initial Access |
| T1602.002 | Network Device Configuration Dump | Collection |
| T1001 | Data Obfuscation | Command and Control |
| T1052.001 | Exfiltration over USB | Exfiltration |
| T1222 | File and Directory Permissions Modification | Defense Evasion |
| T1176 | Browser Extensions | Persistence |
| T1070.002 | Clear Linux or Mac System Logs | Defense Evasion |
| T1003.001 | LSASS Memory | Credential Access |
| T1030 | Data Transfer Size Limits | Exfiltration |
| T1565.001 | Stored Data Manipulation | Impact |
| T1059.005 | Visual Basic | Execution |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1489 | Service Stop | Impact |
| T1546.016 | Installer Packages | Persistence, Privilege Escalation |
| T1070.009 | Clear Persistence | Defense Evasion |
| T1195.002 | Compromise Software Supply Chain | Initial Access |
| T1195 | Supply Chain Compromise | Initial Access |
| T1102.001 | Dead Drop Resolver | Command and Control |
| T1598.003 | Spearphishing Link | Reconnaissance |
| T1110.004 | Credential Stuffing | Credential Access |
| T1204.001 | Malicious Link | Execution |
| T1095 | Non-Application Layer Protocol | Command and Control |
| T1565.003 | Runtime Data Manipulation | Impact |
| T1037.002 | Login Hook | Persistence, Privilege Escalation |
| T1213 | Data from Information Repositories | Collection |
| T1573.002 | Asymmetric Cryptography | Command and Control |
| T1562.001 | Disable or Modify Tools | Defense Evasion |
| T1213.002 | Sharepoint | Collection |
| T1037.004 | RC Scripts | Persistence, Privilege Escalation |
| T1104 | Multi-Stage Channels | Command and Control |
| T1213.001 | Confluence | Collection |
| T1212 | Exploitation for Credential Access | Credential Access |
| T1056.002 | GUI Input Capture | Collection, Credential Access |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1090.002 | External Proxy | Command and Control |
| T1556.001 | Domain Controller Authentication | Credential Access, Defense Evasion, Persistence |
| T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation |
| T1647 | Plist File Modification | Defense Evasion |
| T1598.002 | Spearphishing Attachment | Reconnaissance |
| T1537 | Transfer Data to Cloud Account | Exfiltration |
| T1542.004 | ROMMONkit | Defense Evasion, Persistence |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1552.005 | Cloud Instance Metadata API | Credential Access |
| T1132 | Data Encoding | Command and Control |
| T1195.001 | Compromise Software Dependencies and Development Tools | Initial Access |
| T1562.004 | Disable or Modify System Firewall | Defense Evasion |
| T1574.007 | Path Interception by PATH Environment Variable | Defense Evasion, Persistence, Privilege Escalation |
| T1574.008 | Path Interception by Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1555.001 | Keychain | Credential Access |
| T1530 | Data from Cloud Storage | Collection |
| T1102 | Web Service | Command and Control |
| T1555.002 | Securityd Memory | Credential Access |
| T1219 | Remote Access Software | Command and Control |
| T1558 | Steal or Forge Kerberos Tickets | Credential Access |
| T1111 | Multi-Factor Authentication Interception | Credential Access |
| T1221 | Template Injection | Defense Evasion |
| T1213.003 | Code Repositories | Collection |
| T1204 | User Execution | Execution |
| T1499.004 | Application or System Exploitation | Impact |
| T1090.003 | Multi-hop Proxy | Command and Control |
| T1498.002 | Reflection Amplification | Impact |
| T1558.004 | AS-REP Roasting | Credential Access |
| T1569.002 | Service Execution | Execution |
| T1003.007 | Proc Filesystem | Credential Access |
| T1070.003 | Clear Command History | Defense Evasion |
| T1205 | Traffic Signaling | Command and Control, Defense Evasion, Persistence |
| T1574.013 | KernelCallbackTable | Defense Evasion, Persistence, Privilege Escalation |
| T1622 | Debugger Evasion | Defense Evasion, Discovery |
| T1185 | Browser Session Hijacking | Collection |
| T1599.001 | Network Address Translation Traversal | Defense Evasion |
| T1539 | Steal Web Session Cookie | Credential Access |
| T1211 | Exploitation for Defense Evasion | Defense Evasion |
| T1203 | Exploitation for Client Execution | Execution |
| T1598 | Phishing for Information | Reconnaissance |
| T1204.003 | Malicious Image | Execution |
| T1218.002 | Control Panel | Defense Evasion |
| T1070.007 | Clear Network Connection History and Configurations | Defense Evasion |
| T1070 | Indicator Removal | Defense Evasion |
| T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay | Collection, Credential Access |
| T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
| T1598.001 | Spearphishing Service | Reconnaissance |
| T1557.002 | ARP Cache Poisoning | Collection, Credential Access |
| T1102.002 | Bidirectional Communication | Command and Control |
| T1110.002 | Password Cracking | Credential Access |
| T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
| T1003.003 | NTDS | Credential Access |
| T1499.002 | Service Exhaustion Flood | Impact |
| T1564.010 | Process Argument Spoofing | Defense Evasion |
| T1001.002 | Steganography | Command and Control |
| T1557 | Adversary-in-the-Middle | Collection, Credential Access |
| T1090 | Proxy | Command and Control |
| T1562 | Impair Defenses | Defense Evasion |
| T1132.001 | Standard Encoding | Command and Control |
| T1187 | Forced Authentication | Credential Access |
| T1568.002 | Domain Generation Algorithms | Command and Control |
| T1078.003 | Local Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1548 | Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation |
| T1602.001 | SNMP (MIB Dump) | Collection |
| T1210 | Exploitation of Remote Services | Lateral Movement |
| T1572 | Protocol Tunneling | Command and Control |
| T1565 | Data Manipulation | Impact |
| T1070.001 | Clear Windows Event Logs | Defense Evasion |
| T1547.003 | Time Providers | Persistence, Privilege Escalation |
| T1021.005 | VNC | Lateral Movement |
| T1003.008 | /etc/passwd and /etc/shadow | Credential Access |
| T1037.003 | Network Logon Script | Persistence, Privilege Escalation |
| T1562.006 | Indicator Blocking | Defense Evasion |
| T1029 | Scheduled Transfer | Exfiltration |
| T1546.004 | Unix Shell Configuration Modification | Persistence, Privilege Escalation |
| T1059 | Command and Scripting Interpreter | Execution |
| T1052 | Exfiltration Over Physical Medium | Exfiltration |
| T1105 | Ingress Tool Transfer | Command and Control |
| T1499.003 | Application Exhaustion Flood | Impact |
| T1218.010 | Regsvr32 | Defense Evasion |
| T1573 | Encrypted Channel | Command and Control |
| T1102.003 | One-Way Communication | Command and Control |
| T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1204.002 | Malicious File | Execution |
| T1071.002 | File Transfer Protocols | Command and Control |
| T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion |
| T1110.001 | Password Guessing | Credential Access |
| T1566 | Phishing | Initial Access |
| T1567 | Exfiltration Over Web Service | Exfiltration |
| T1498.001 | Direct Network Flood | Impact |
| T1003 | OS Credential Dumping | Credential Access |
| T1070.008 | Clear Mailbox Data | Defense Evasion |
| T1078.001 | Default Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |
| T1071.001 | Web Protocols | Command and Control |
| T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence |
| T1071 | Application Layer Protocol | Command and Control |
| T1071.003 | Mail Protocols | Command and Control |
| T1543.002 | Systemd Service | Persistence, Privilege Escalation |
| T1573.001 | Symmetric Cryptography | Command and Control |