CA-7: Continuous Monitoring
From NIST's SP800-53:
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics]; b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness; c. Ongoing control assessments in accordance with the continuous monitoring strategy; d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e. Correlation and analysis of information generated by control assessments and monitoring; f. Response actions to address results of the analysis of control assessment and monitoring information; and g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
Cyber Threat Graph Context
Explore how this control relates to the wider threat graph
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NISTs SP800-53/CSF Crosswalk mappings.
| Control ID | Description |
|---|---|
| DE.CM-1 | The network is monitored to detect potential cybersecurity events |
| DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events |
| DE.DP-5 | Detection processes are continuously improved |
| DE.DP-3 | Detection processes are tested |
| DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability |
| DE.AE-2 | Detected events are analyzed to understand attack targets and methods |
| DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
| DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events |
| DE.DP-2 | Detection activities comply with all applicable requirements |
| DE.AE-3 | Event data are collected and correlated from multiple sources and sensors |
| RS.AN-1 | Notifications from detection systems are investigated |
| RS.CO-3 | Information is shared consistent with response plans |
| ID.RA-1 | Asset vulnerabilities are identified and documented |
| PR.IP-7 | Protection processes are improved |
| PR.IP-8 | Effectiveness of protection technologies is shared |
| RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks |
| DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events |
| DE.DP-4 | Event detection information is communicated |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1552.001 | Credentials In Files | Credential Access |
| T1090.001 | Internal Proxy | Command and Control |
| T1036.003 | Rename System Utilities | Defense Evasion |
| T1552 | Unsecured Credentials | Credential Access |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1574.004 | Dylib Hijacking | Defense Evasion, Persistence, Privilege Escalation |
| T1528 | Steal Application Access Token | Credential Access |
| T1218.011 | Rundll32 | Defense Evasion |
| T1059.007 | JavaScript | Execution |
| T1071.004 | DNS | Command and Control |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1564.004 | NTFS File Attributes | Defense Evasion |
| T1218 | System Binary Proxy Execution | Defense Evasion |
| T1499.001 | OS Exhaustion Flood | Impact |
| T1569 | System Services | Execution |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1037.005 | Startup Items | Persistence, Privilege Escalation |
| T1189 | Drive-by Compromise | Initial Access |
| T1546.013 | PowerShell Profile | Persistence, Privilege Escalation |
| T1008 | Fallback Channels | Command and Control |
| T1557.003 | DHCP Spoofing | Collection, Credential Access |
| T1571 | Non-Standard Port | Command and Control |
| T1001.001 | Junk Data | Command and Control |
| T1003.006 | DCSync | Credential Access |
| T1218.012 | Verclsid | Defense Evasion |
| T1201 | Password Policy Discovery | Discovery |
| T1003.002 | Security Account Manager | Credential Access |
| T1222.002 | Linux and Mac File and Directory Permissions Modification | Defense Evasion |
| T1110.003 | Password Spraying | Credential Access |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1570 | Lateral Tool Transfer | Lateral Movement |
| T1555 | Credentials from Password Stores | Credential Access |
| T1205.001 | Port Knocking | Command and Control, Defense Evasion, Persistence |
| T1499 | Endpoint Denial of Service | Impact |
| T1197 | BITS Jobs | Defense Evasion, Persistence |
| T1055.009 | Proc Memory | Defense Evasion, Privilege Escalation |
| T1132.002 | Non-Standard Encoding | Command and Control |
| T1562.002 | Disable Windows Event Logging | Defense Evasion |
| T1552.002 | Credentials in Registry | Credential Access |
| T1566.002 | Spearphishing Link | Initial Access |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1602 | Data from Configuration Repository | Collection |
| T1548.003 | Sudo and Sudo Caching | Defense Evasion, Privilege Escalation |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1563.001 | SSH Hijacking | Lateral Movement |
| T1566.003 | Spearphishing via Service | Initial Access |
| T1599 | Network Boundary Bridging | Defense Evasion |
| T1080 | Taint Shared Content | Lateral Movement |
| T1110 | Brute Force | Credential Access |