
CIS Controls Navigator

Help
  • The following page shows a dynamic list of CIS Sub-Controls that can be filtered according to Implementation Groups and specific Mappings.
  • To filter by Implementation Group, simply select the checkbox for the Implementation Group. The filter will be automatically applied.
  • To filter by specific mappings, select from the dropdown the mapping you'd like to filter by, then check individual values or click "Check All" to select all mapping values. Finally click "Apply {Mapping} Filter". More than one mapping can be applied concurrently.
  • Additional Sub-Controls can be added to or deselected from filtered results. To add more, scroll to the bottom of results and click "View Hidden Sub-Controls", then select. To remove, deselect the checkboxes of those you wish to remove, then hit "Remove Unchecked CIS Sub-Controls". This functionality will only become visible after an initial filter has been applied.
  • Filters for Mappings and Implementation Groups can be applied concurrently. However, once "Filter by Checked CIS Sub-Controls" is clicked, the results become dependent upon whether or not each Sub-Control is individually checked. To clear this, click "Reset Filters".
  • All Sub-Controls within IG (Implementation Group) 1 are also part of IG 2 and IG 3, and all Sub-Controls within IG 2 are also part of IG 3. The IGs for each Sub-Control are signified by one or more colored dots.
  • Download a copy of the CIS Sub-Controls and learn more about Implementation Groups.
Results table columns: CIS Control | CIS Sub-Control | Title | Asset Type | Implementation Groups
NIST CSF mapping values:
   
DE.AE-1 - A baseline of network operations and expected data flows for users and systems is established and managed
   
DE.AE-2 - Detected events are analyzed to understand attack targets and methods
   
DE.AE-3 - Event data are collected and correlated from multiple sources and sensors
   
DE.AE-5 - Incident alert thresholds are established
   
DE.CM-1 - The network is monitored to detect potential cybersecurity events
   
DE.CM-3 - Personnel activity is monitored to detect potential cybersecurity events
   
DE.CM-4 - Malicious code is detected
   
DE.CM-7 - Monitoring for unauthorized personnel, connections, devices, and software is performed
   
DE.CM-8 - Vulnerability scans are performed
   
DE.DP-1 - Roles and responsibilities for detection are well defined to ensure accountability
   
DE.DP-4 - Event detection information is communicated
   
ID.AM-1 - Physical devices and systems within the organization are inventoried
   
ID.AM-2 - Software platforms and applications within the organization are inventoried
   
ID.AM-3 - Organizational communication and data flows are mapped
   
ID.AM-4 - External information systems are catalogued
   
ID.AM-5 - Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
   
ID.AM-6 - Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
   
ID.GV-2 - Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
   
ID.RA-1 - Asset vulnerabilities are identified and documented
   
ID.RA-5 - Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
   
ID.SC-5 - Response and recovery planning and testing are conducted with suppliers and third-party providers
   
PR.AC-1 - Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
   
PR.AC-3 - Remote access is managed
   
PR.AC-4 - Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
   
PR.AC-5 - Network integrity is protected (e.g., network segregation, network segmentation)
   
PR.AC-6 - Identities are proofed and bound to credentials and asserted in interactions
   
PR.AC-7 - Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
   
PR.AT-1 - All users are informed and trained
   
PR.AT-2 - Privileged users understand their roles and responsibilities
   
PR.AT-3 - Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
   
PR.AT-4 - Senior executives understand their roles and responsibilities
   
PR.AT-5 - Physical and cybersecurity personnel understand their roles and responsibilities
   
PR.DS-1 - Data-at-rest is protected
   
PR.DS-2 - Data-in-transit is protected
   
PR.DS-3 - Assets are formally managed throughout removal, transfers, and disposition
   
PR.DS-4 - Adequate capacity to ensure availability is maintained
   
PR.DS-5 - Protections against data leaks are implemented
   
PR.DS-6 - Integrity checking mechanisms are used to verify software, firmware, and information integrity
   
PR.DS-7 - The development and testing environment(s) are separate from the production environment
   
PR.IP-1 - A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
   
PR.IP-10 - Response and recovery plans are tested
   
PR.IP-11 - Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
   
PR.IP-12 - A vulnerability management plan is developed and implemented
   
PR.IP-3 - Configuration change control processes are in place
   
PR.IP-4 - Backups of information are conducted, maintained, and tested
   
PR.IP-9 - Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
   
PR.MA-2 - Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
   
PR.PT-1 - Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
   
PR.PT-2 - Removable media is protected and its use restricted according to policy
   
PR.PT-3 - The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
   
PR.PT-5 - Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
   
RS.AN-1 - Notifications from detection systems are investigated 
   
RS.AN-4 - Incidents are categorized consistent with response plans
   
RS.AN-5 - Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
   
RS.CO-1 - Personnel know their roles and order of operations when a response is needed
   
RS.CO-2 - Incidents are reported consistent with established criteria
   
RS.CO-4 - Coordination with stakeholders occurs consistent with response plans
   
RS.MI-3 - Newly identified vulnerabilities are mitigated or documented as accepted risks
ISO 27001 mapping values:
   
A.6.1.3 - Contact with authorities
   
A.6.2.1 - Mobile device policy
   
A.7.2.2 - Information security awareness, education and training
   
A.8.1.1 - Inventory of assets
   
A.8.1.3 - Acceptable use of assets
   
A.8.2.1 - Classification of information
   
A.8.3.1 - Management of removable media
   
A.9.1.1 - Access control policy
   
A.9.1.2 - Access to networks and network services
   
A.9.2.1 - User registration and deregistration
   
A.9.2.3 - Management of privileged access rights
   
A.9.2.6 - Removal or adjustment of access rights
   
A.9.3.1 - Use of secret authentication information
   
A.9.4.2 - Secure log-on procedures
   
A.9.4.3 - Password management system
   
A.10.1.1 - Policy on the use of cryptographic controls
   
A.11.2.5 - Removal of assets
   
A.12.1.2 - Change management
   
A.12.1.4 - Separation of development, test and operational environments
   
A.12.2.1 - Controls against malware
   
A.12.3.1 - Information backup
   
A.12.4.1 - Event logging
   
A.12.4.3 - Administrator and operator logs
   
A.12.4.4 - Clock synchronization
   
A.12.5.1 - Installation of software on operational systems
   
A.12.6.1 - Management of technical vulnerabilities
   
A.12.6.2 - Restrictions on software installation
   
A.12.14.1 - Event logging
   
A.13.1.1 - Network Controls
   
A.13.1.2 - Security of network services
   
A.13.1.3 - Segregation in networks
   
A.13.2.3 - Electronic messaging
   
A.14.2.1 - Secure development policy
   
A.14.2.5 - Secure system engineering principles
   
A.16.1.1 - Responsibilities and procedures
   
A.16.1.3 - Reporting information security events
NIST SP 800-171 mapping values:
   
3.1.1 - Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
   
3.1.2 - Limit system access to the types of transactions and functions that authorized users are permitted to execute.
   
3.1.2e - Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
   
3.1.3 - Control the flow of CUI in accordance with approved authorizations.
   
3.1.3e - Employ secure information transfer solutions to control information flows between security domains on connected systems.
   
3.1.5 - Employ the principle of least privilege, including for specific security functions and privileged accounts.
   
3.1.7 - Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
   
3.1.8 - Limit unsuccessful logon attempts.
   
3.1.10 - Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
   
3.1.11 - Terminate (automatically) a user session after a defined condition.
   
3.1.12 - Monitor and control remote access sessions.
   
3.1.13 - Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
   
3.1.14 - Route remote access via managed access control points.
   
3.1.16 - Authorize wireless access prior to allowing such connections.
   
3.1.17 - Protect wireless access using authentication and encryption.
   
3.1.18 - Control connection of mobile devices.
   
3.1.19 - Encrypt CUI on mobile devices and mobile computing platforms.
   
3.1.20 - Verify and control/limit connections to and use of external systems.
   
3.2.1 - Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
   
3.2.1e - Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
   
3.2.2 - Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
   
3.2.2e - Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
   
3.2.3 - Provide security awareness training on recognizing and reporting potential indicators of insider threat.
   
3.3.1 - Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
   
3.3.2 - Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
   
3.3.3 - Review and update logged events.
   
3.3.5 - Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
   
3.3.7 - Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
   
3.3.9 - Limit management of audit logging functionality to a subset of privileged users.
   
3.4.1 - Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
   
3.4.1e - Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
   
3.4.2 - Establish and enforce security configuration settings for information technology products employed in organizational systems.
   
3.4.3 - Track, review, approve or disapprove, and log changes to organizational systems.
   
3.4.5 - Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
   
3.4.7 - Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
   
3.4.8 - Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
   
3.4.9 - Control and monitor user-installed software.
   
3.5.1 - Identify system users, processes acting on behalf of users, and devices.
   
3.5.2 - Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
   
3.5.3 - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
   
3.5.6 - Disable identifiers after a defined period of inactivity.
   
3.5.7 - Enforce a minimum password complexity and change of characters when new passwords are created.
   
3.5.8 - Prohibit password reuse for a specified number of generations.
   
3.5.10 - Store and transmit only cryptographically-protected passwords.
   
3.6.1 - Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
   
3.6.2 - Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
   
3.6.3 - Test the organizational incident response capability.
   
3.7.3 - Ensure equipment removed for off-site maintenance is sanitized of any CUI.
   
3.7.4 - Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
   
3.7.5 - Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
   
3.8.1 - Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
   
3.8.2 - Limit access to CUI on system media to authorized users.
   
3.8.5 - Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
   
3.8.6 - Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
   
3.8.7 - Control the use of removable media on system components.
   
3.8.9 - Protect the confidentiality of backup CUI at storage locations.
   
3.9.2 - Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
   
3.10.2 - Protect and monitor the physical facility and support infrastructure for organizational systems.
   
3.11.2 - Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
   
3.11.3 - Remediate vulnerabilities in accordance with risk assessments.
   
3.12.1 - Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
   
3.12.2 - Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
   
3.12.3 - Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
   
3.12.4 - Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
   
3.13.1 - Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
   
3.13.3 - Separate user functionality from system management functionality.
   
3.13.4 - Prevent unauthorized and unintended information transfer via shared system resources.
   
3.13.5 - Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
   
3.13.6 - Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
   
3.13.8 - Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
   
3.13.11 - Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
   
3.13.12 - Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
   
3.13.13 - Control and monitor the use of mobile code.
   
3.13.15 - Protect the authenticity of communications sessions.
   
3.13.16 - Protect the confidentiality of CUI at rest.
   
3.14.1 - Identify, report, and correct system flaws in a timely manner.
   
3.14.2 - Provide protection from malicious code at designated locations within organizational systems.
   
3.14.4 - Update malicious code protection mechanisms when new releases are available.
   
3.14.5 - Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
   
3.14.7 - Identify unauthorized use of organizational systems.
NIST SP 800-53 mapping values:
   
AC-2 - Account Management
   
AC-3 - Access Enforcement
   
AC-17 - Remote Access
   
AC-18 - Wireless Access
   
AC-20 - Use of External Information Systems
   
AT-1 - Security Awareness and Training Policy and Procedures
   
AT-2 - Security Awareness Training
   
AU-2 - Audit Events
   
AU-3 - Content of Audit Records
   
AU-4 - Audit Storage Capacity
   
AU-6 - Audit Review, Analysis, and Reporting
   
AU-8 - Time Stamps
   
AU-12 - Audit Generation
   
CA-3 - System Interconnections
   
CA-7 - Continuous Monitoring
   
CA-9 - Internal System Connections
   
CM-1 - Configuration Management Policy and Procedures
   
CM-2 - Baseline Configurations
   
CM-6 - Configuration Settings
   
CM-7 - Least Functionality
   
CM-8 - Information System Component Inventory
   
CM-10 - Software Usage Restrictions
   
CM-11 - User-Installed Software
   
CP-9 - Information System Backup
   
IA-02 (1) - Identification and Authentication (Organizational Users)
   
IA-4 - Identifier Management
   
IA-5 - Authenticator Management
   
IA-5 (1) - Authenticator Management
   
IA-6 - Authenticator Feedback
   
IR-1 - Incident Response Policy and Procedures
   
IR-2 - Incident Response Training
   
IR-6 - Incident Reporting
   
IR-8 - Incident Response Plan
   
MP-2 - Media Access
   
MP-7 - Media Use
   
RA-5 - Vulnerability Scanning
   
SA-9 - External Information System Services
   
SC-7 - Boundary Protection
   
SC-20 - Secure Name / Address Resolution Service (Authoritative Source)
   
SC-21 - Secure Name / Address Resolution Service (Recursive or Caching Resolver)
   
SC-39 - Process Isolation
   
SI-3 - Malicious Code Protection
   
SI-4 - Information System Monitoring
   
SI-5 - Security Alerts, Advisories, and Directives
   
SI-16 - Memory Protection
MITRE ATT&CK mapping values:
   
T1001 - Data Obfuscation
   
T1002 - Data Compressed
   
T1003 - Credential Dumping
   
T1004 - Winlogon Helper DLL
   
T1008 - Fallback Channels
   
T1011 - Exfiltration Over Other Network Medium
   
T1015 - Accessibility Features
   
T1017 - Application Deployment Software
   
T1019 - System Firmware
   
T1021 - Remote Services
   
T1023 - Shortcut Modification
   
T1024 - Custom Cryptographic Protocol
   
T1026 - Multiband Communication
   
T1027 - Obfuscated Files or Information
   
T1028 - Windows Remote Management
   
T1029 - Scheduled Transfer
   
T1030 - Data Transfer Size Limits
   
T1031 - Modify Existing Service
   
T1032 - Standard Cryptographic Protocol
   
T1034 - Path Interception
   
T1035 - Service Execution
   
T1036 - Masquerading
   
T1037 - Logon Scripts
   
T1038 - DLL Search Order Hijacking
   
T1040 - Network Sniffing
   
T1041 - Exfiltration Over Command and Control Channel
   
T1043 - Commonly Used Port
   
T1044 - File System Permissions Weakness
   
T1045 - Software Packing
   
T1046 - Network Service Scanning
   
T1047 - Windows Management Instrumentation
   
T1048 - Exfiltration Over Alternative Protocol
   
T1050 - New Service
   
T1051 - Shared Webroot
   
T1052 - Exfiltration Over Physical Medium
   
T1053 - Scheduled Task
   
T1054 - Indicator Blocking
   
T1055 - Process Injection
   
T1058 - Service Registry Permissions Weakness
   
T1059 - Command-Line Interface
   
T1064 - Scripting
   
T1065 - Uncommonly Used Port
   
T1067 - Bootkit
   
T1068 - Exploitation for Privilege Escalation
   
T1070 - Indicator Removal on Host
   
T1071 - Standard Application Layer Protocol
   
T1072 - Third-party Software
   
T1073 - DLL Side-Loading
   
T1075 - Pass the Hash
   
T1076 - Remote Desktop Protocol
   
T1077 - Windows Admin Shares
   
T1078 - Valid Accounts
   
T1079 - Multilayer Encryption
   
T1080 - Taint Shared Content
   
T1081 - Credentials in Files
   
T1084 - Windows Management Instrumentation Event Subscription
   
T1085 - Rundll32
   
T1086 - PowerShell
   
T1087 - Account Discovery
   
T1088 - Bypass User Account Control
   
T1089 - Disabling Security Tools
   
T1090 - Connection Proxy
   
T1091 - Replication Through Removable Media
   
T1092 - Communication Through Removable Media
   
T1094 - Custom Command and Control Protocol
   
T1095 - Standard Non-Application Layer Protocol
   
T1096 - NTFS File Attributes
   
T1097 - Pass the Ticket
   
T1098 - Account Manipulation
   
T1100 - Web Shell
   
T1101 - Security Support Provider
   
T1102 - Web Service
   
T1103 - AppInit DLLs
   
T1104 - Multi-Stage Channels
   
T1105 - Remote File Copy
   
T1106 - Execution through API
   
T1108 - Redundant Access
   
T1110 - Brute Force
   
T1111 - Two-Factor Authentication Interception
   
T1112 - Modify Registry
   
T1114 - Email Collection
   
T1117 - Regsvr32
   
T1118 - InstallUtil
   
T1119 - Automated Collection
   
T1121 - Regsvcs/Regasm
   
T1127 - Trusted Developer Utilities
   
T1129 - Execution through Module Load
   
T1130 - Install Root Certificate
   
T1131 - Authentication Package
   
T1132 - Data Encoding
   
T1133 - External Remote Services
   
T1134 - Access Token Manipulation
   
T1136 - Create Account
   
T1137 - Office Application Startup
   
T1138 - Application Shimming
   
T1139 - Bash History
   
T1141 - Input Prompt
   
T1142 - Keychain
   
T1143 - Hidden Window
   
T1144 - Gatekeeper Bypass
   
T1145 - Private Keys
   
T1146 - Clear Command History
   
T1147 - Hidden Users
   
T1148 - HISTCONTROL
   
T1149 - LC_MAIN Hijacking
   
T1150 - Plist Modification
   
T1152 - Launchctl
   
T1155 - AppleScript
   
T1156 - .bash_profile and .bashrc
   
T1157 - Dylib Hijacking
   
T1159 - Launch Agent
   
T1160 - Launch Daemon
   
T1161 - LC_LOAD_DYLIB Addition
   
T1162 - Login Item
   
T1163 - Rc.common
   
T1164 - Re-opened Applications
   
T1165 - Startup Items
   
T1166 - Setuid and Setgid
   
T1168 - Local Job Scheduling
   
T1169 - Sudo
   
T1170 - Mshta
   
T1171 - LLMNR/NBT-NS Poisoning and Relay
   
T1172 - Domain Fronting
   
T1173 - Dynamic Data Exchange
   
T1174 - Password Filter DLL
   
T1175 - Component Object Model and Distributed COM
   
T1176 - Browser Extensions
   
T1177 - LSASS Driver
   
T1178 - SID-History Injection
   
T1180 - Screensaver
   
T1182 - AppCert DLLs
   
T1184 - SSH Hijacking
   
T1185 - Man in the Browser
   
T1187 - Forced Authentication
   
T1188 - Multi-hop Proxy
   
T1189 - Drive-by Compromise
   
T1190 - Exploit Public-Facing Application
   
T1191 - CMSTP
   
T1192 - Spearphishing Link
   
T1193 - Spearphishing Attachment
   
T1194 - Spearphishing via Service
   
T1195 - Supply Chain Compromise
   
T1196 - Control Panel Items
   
T1197 - BITS Jobs
   
T1198 - SIP and Trust Provider Hijacking
   
T1199 - Trusted Relationship
   
T1200 - Hardware Additions
   
T1201 - Password Policy Discovery
   
T1203 - Exploitation for Client Execution
   
T1204 - User Execution
   
T1205 - Port Knocking
   
T1206 - Sudo Caching
   
T1208 - Kerberoasting
   
T1209 - Time Providers
   
T1210 - Exploitation of Remote Services
   
T1211 - Exploitation for Defense Evasion
   
T1212 - Exploitation for Credential Access
   
T1213 - Data from Information Repositories
   
T1214 - Credentials in Registry
   
T1215 - Kernel Modules and Extensions
   
T1216 - Signed Script Proxy Execution
   
T1218 - Signed Binary Proxy Execution
   
T1219 - Remote Access Tools
   
T1220 - XSL Script Processing
   
T1221 - Template Injection
   
T1223 - Compiled HTML File
   
T1413 - Access Sensitive Data in Device Logs
   
T1482 - Domain Trust Discovery
   
T1483 - Domain Generation Algorithms
   
T1484 - Group Policy Modification
   
T1485 - Data Destruction
   
T1486 - Data Encrypted for Impact
   
T1487 - Disk Structure Wipe
   
T1488 - Disk Content Wipe
   
T1489 - Service Stop
   
T1490 - Inhibit System Recovery
   
T1491 - Defacement
   
T1492 - Stored Data Manipulation
   
T1493 - Transmitted Data Manipulation
   
T1494 - Runtime Data Manipulation
   
T1495 - Firmware Corruption
   
T1498 - Network Denial of Service
   
T1499 - Endpoint Denial of Service
   
T1501 - Systemd Service
   
T1503 - Credentials from Web Browsers
   
T1504 - PowerShell Profile
   
T1505 - Server Software Component
   
T1506 - Web Session Cookie
   
T1513 - Screen Capture
   
T1514 - Elevated Execution with Prompt
   
T1517 - Access Notifications
   
T1519 - Emond
   
T1522 - Cloud Instance Metadata API
   
T1525 - Implant Container Image
   
T1527 - Application Access Token
   
T1528 - Steal Application Access Token
   
T1530 - Data from Cloud Storage Object
   
T1535 - Unused/Unsupported Cloud Regions
   
T1537 - Transfer Data to Cloud Account
   
T1538 - Cloud Service Dashboard
   
T1539 - Steal Web Session Cookie

CIS Control 1 - Inventory and Control of Hardware Assets

  • Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Sub-Control 1.1 (Asset Type: Devices)

Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-53 Groups:

SI-4
Information System Monitoring
Sub-Control 1.2 (Asset Type: Devices)

Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-53 Groups:

SI-4
Information System Monitoring
Sub-Control 1.3 (Asset Type: Devices)

Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-53 Groups:

SI-4
Information System Monitoring
Sub-Control 1.4 (Asset Type: Devices)

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.

NIST CSF Groups:

ID.AM-1
Physical devices and systems within the organization are inventoried
PR.DS-3
Assets are formally managed throughout removal, transfers, and disposition

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-171 Groups:

3.4.1
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.5.1
Identify system users, processes acting on behalf of users, and devices.

NIST SP 800-53 Groups:

CM-8
Information System Component Inventory
Sub-Control 1.5 (Asset Type: Devices)

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

NIST CSF Groups:

PR.DS-3
Assets are formally managed throughout removal, transfers, and disposition

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-171 Groups:

3.5.1
Identify system users, processes acting on behalf of users, and devices.

NIST SP 800-53 Groups:

CM-8
Information System Component Inventory
IA-4
Identifier Management
Sub-Control 1.6 (Asset Type: Devices)

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.

NIST CSF Groups:

PR.DS-3
Assets are formally managed throughout removal, transfers, and disposition

ISO 27001 Groups:

A.11.2.5
Removal of assets

NIST SP 800-171 Groups:

3.1.2e
Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.

MITRE ATT&CK Groups:

T1200
Hardware Additions
T1091
Replication Through Removable Media
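Sub-Controls 1.3, 1.5 and 1.6 together describe one workflow: DHCP lease events feed the hardware inventory, each record carries a fixed set of fields, and anything not already inventoried is flagged for quarantine or an inventory update. The script below is an added illustration of that workflow, not CIS tooling or code from the Navigator. The DHCP log lines are constructed in the shape ISC dhcpd writes for DHCPACK, the inventory is constructed, and the helper names (`reconcile`, `Asset`, `build_sample_inventory`) are this example's own.

```python
"""Reconcile DHCP lease events against a hardware asset inventory.

Added illustration for CIS Sub-Controls 1.3 (DHCP logging feeds the
inventory), 1.5 (fields each inventory record carries) and 1.6
(unknown assets are quarantined or inventoried). Log format, inventory
and helper names are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed syslog-style lines in the shape ISC dhcpd emits for DHCPACK.
# The last line is a DHCPDISCOVER and is deliberately ignored: only an
# acknowledged lease proves a device actually obtained an address.
SAMPLE_DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd[1234]: DHCPACK on 10.0.20.15 to 00:1a:2b:3c:4d:5e (fin-laptop-07) via eth0
Mar  3 09:12:44 dhcp1 dhcpd[1234]: DHCPACK on 10.0.20.99 to de:ad:be:ef:00:01 via eth0
Mar  3 09:13:10 dhcp1 dhcpd[1234]: DHCPACK on 10.0.30.08 to 00:1a:2b:3c:4d:5e (fin-laptop-07) via eth1
Mar  3 09:13:30 dhcp1 dhcpd[1234]: DHCPACK on 10.0.20.120 to aa:bb:cc:dd:ee:ff (unknown-android) via eth0
Mar  3 09:13:55 dhcp1 dhcpd[1234]: DHCPDISCOVER from 11:22:33:44:55:66 via eth0
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """Inventory record with the fields Sub-Control 1.5 calls for."""
    hardware_address: str
    machine_name: str = ""
    network_address: str = ""
    owner: str = ""
    department: str = ""
    approved: bool = False            # approved to connect to the network?
    seen: List[str] = field(default_factory=list)  # IPs observed via DHCP


def parse_dhcpack(line: str) -> Optional[dict]:
    """Return ip/mac/host for a DHCPACK line, or None for anything else."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return {"ip": m["ip"], "mac": m["mac"].lower(), "host": m["host"] or ""}


def reconcile(log_text: str, inventory: Dict[str, Asset]) -> Dict[str, List[str]]:
    """Update the inventory from DHCPACK events; return MACs by disposition.

    approved   - inventoried and approved to connect (1.3: refresh address)
    unapproved - inventoried but not approved (1.6: quarantine candidate)
    unknown    - not in inventory at all (1.6: quarantine, then inventory it)
    """
    report: Dict[str, List[str]] = {"approved": [], "unapproved": [], "unknown": []}
    for line in log_text.splitlines():
        ev = parse_dhcpack(line)
        if ev is None:
            continue
        mac = ev["mac"]
        asset = inventory.get(mac)
        if asset is None:
            # Record the newcomer so it is tracked, but never mark it approved.
            asset = Asset(hardware_address=mac, machine_name=ev["host"])
            inventory[mac] = asset
            bucket = "unknown"
        else:
            bucket = "approved" if asset.approved else "unapproved"
        asset.network_address = ev["ip"]          # latest lease wins
        if ev["host"] and not asset.machine_name:
            asset.machine_name = ev["host"]
        asset.seen.append(ev["ip"])
        if mac not in report[bucket]:
            report[bucket].append(mac)
    return report


def build_sample_inventory() -> Dict[str, Asset]:
    """Constructed inventory: one approved laptop, one unapproved printer."""
    return {
        "00:1a:2b:3c:4d:5e": Asset("00:1a:2b:3c:4d:5e", "fin-laptop-07",
                                   owner="j.doe", department="Finance", approved=True),
        "de:ad:be:ef:00:01": Asset("de:ad:be:ef:00:01", "lab-printer",
                                   owner="it-ops", department="IT", approved=False),
    }


if __name__ == "__main__":
    inv = build_sample_inventory()
    print(reconcile(SAMPLE_DHCP_LOG, inv))
    for a in inv.values():
        print(a)
```

The `unapproved` and `unknown` buckets are the input to the 1.6 decision (remove, quarantine, or update the inventory); the script only records them, because that decision belongs to the asset owner, not to the parser. Only DHCPACK lines are trusted, since a DISCOVER shows a device asking for an address, not that it obtained one.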
Sub-Control 1.7 (Asset Type: Devices)

Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

NIST CSF Groups:

PR.AC-1
Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes

ISO 27001 Groups:

A.9.1.2
Access to networks and network services
A.13.1.1
Network Controls

NIST SP 800-171 Groups:

3.1.1
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.16
Authorize wireless access prior to allowing such connections.
Sub-Control 1.8 (CIS Control 1; Asset Type: Devices)

Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

NIST CSF Groups:

PR.AC-6
Identities are proofed and bound to credentials and asserted in interactions

ISO 27001 Groups:

A.13.1.1
Network Controls

NIST SP 800-171 Groups:

3.1.1
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.16
Authorize wireless access prior to allowing such connections.
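Sub-Controls 1.7 and 1.8 together say: authenticate the device with a client certificate, then let the hardware asset inventory decide what the port gets. The following added example (not from CIS or this page) is the inventory-binding half of that. It assumes the RADIUS server has already completed the EAP-TLS handshake and validated the chain and revocation status; the function is a hypothetical policy hook that runs after that and returns an accept/reject decision and a VLAN. The certificate bytes are constructed stand-ins for DER-encoded certificates, and the VLAN numbers and inventory entries are invented.

```python
"""Authorisation step of certificate-based network access control.

Added example, not from CIS or this page. Assumes the RADIUS server has already
completed the EAP-TLS handshake (chain and revocation checked there); this code
is the hypothetical policy hook that binds the authenticated certificate to the
hardware asset inventory and decides what the switch port gets. Certificate
bytes below are constructed stand-ins for DER-encoded certificates.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

QUARANTINE_VLAN = 999                            # assumption: remediation VLAN id
DEPARTMENT_VLAN = {"Finance": 110, "R&D": 120}   # assumption: per-department VLANs


@dataclass(frozen=True)
class InventoryEntry:
    mac: str           # hardware address the certificate was issued to
    hostname: str
    department: str
    approved: bool     # approved to connect to the network?


@dataclass(frozen=True)
class Decision:
    accept: bool           # RADIUS Access-Accept (True) or Access-Reject (False)
    vlan: Optional[int]    # VLAN to return (Tunnel-Private-Group-Id); None on reject
    reason: str


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER encoding; this is the value stored in the inventory."""
    return hashlib.sha256(cert_der).hexdigest()


def authorize(cert_der: bytes, calling_station_mac: str,
              inventory: Dict[str, InventoryEntry]) -> Decision:
    """Decide port access for a supplicant whose certificate already validated."""
    entry = inventory.get(cert_fingerprint(cert_der))
    if entry is None:
        # Valid certificate from our CA, but no inventoried asset owns it.
        return Decision(False, None, "certificate not bound to any inventoried asset")
    if entry.mac.lower() != calling_station_mac.lower():
        # Key material moved to another device (or the MAC is spoofed): reject, do not quarantine.
        return Decision(False, None,
                        f"certificate of {entry.hostname} presented from {calling_station_mac}, "
                        f"expected {entry.mac}")
    if not entry.approved:
        # Known asset awaiting approval: limited access so it can be remediated.
        return Decision(True, QUARANTINE_VLAN, f"{entry.hostname} inventoried but not approved")
    vlan = DEPARTMENT_VLAN.get(entry.department, QUARANTINE_VLAN)
    return Decision(True, vlan, f"{entry.hostname} approved for {entry.department}")


# Constructed sample data: stand-in certificate bytes and an inventory keyed by fingerprint.
CERT_FIN_WS_01 = b"constructed stand-in for the DER certificate issued to fin-ws-01"
CERT_LAB_PI_07 = b"constructed stand-in for the DER certificate issued to lab-pi-07"
CERT_UNKNOWN = b"constructed stand-in for a certificate with no inventory record"

INVENTORY = {
    cert_fingerprint(CERT_FIN_WS_01):
        InventoryEntry("00:11:22:33:44:55", "fin-ws-01", "Finance", True),
    cert_fingerprint(CERT_LAB_PI_07):
        InventoryEntry("00:11:22:33:44:77", "lab-pi-07", "R&D", False),
}

if __name__ == "__main__":
    for cert, mac in [(CERT_FIN_WS_01, "00:11:22:33:44:55"),
                      (CERT_FIN_WS_01, "de:ad:be:ef:00:01"),
                      (CERT_LAB_PI_07, "00:11:22:33:44:77"),
                      (CERT_UNKNOWN, "00:11:22:33:44:99")]:
        print(authorize(cert, mac, INVENTORY))
```

The design point is the ordering of the checks. The certificate is the credential, so an unknown fingerprint or a fingerprint presented from a different hardware address than the one it was issued to is a reject, not a quarantine: a quarantine VLAN still gives an attacker who copied the key a foothold. Quarantine is reserved for devices the organisation knows about but has not yet approved, which is the 1.6 case. The MAC comparison is a consistency check rather than authentication, since the Calling-Station-Id is whatever the supplicant chooses to send.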

CIS Control 2 - Inventory and Control of Software Assets

  • Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Sub-Control 2.1 (CIS Control 2; Asset Type: Applications)

Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

NIST CSF Groups:

ID.AM-2
Software platforms and applications within the organization are inventoried

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-171 Groups:

3.4.1
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.9
Control and monitor user-installed software.

NIST SP 800-53 Groups:

CM-8
Information System Component Inventory
CM-11
User-Installed Software
Sub-Control 2.2 (CIS Control 2; Asset Type: Applications)

Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

NIST CSF Groups:

ID.AM-2
Software platforms and applications within the organization are inventoried
Sub-Control 2.3 (CIS Control 2; Asset Type: Applications)

Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
Sub-Control 2.4 (CIS Control 2; Asset Type: Applications)

The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

NIST CSF Groups:

ID.AM-2
Software platforms and applications within the organization are inventoried

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-53 Groups:

IA-4
Identifier Management
Sub-Control 2.5 (CIS Control 2; Asset Type: Applications)

The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

NIST CSF Groups:

ID.AM-1
Physical devices and systems within the organization are inventoried
ID.AM-2
Software platforms and applications within the organization are inventoried
Sub-Control 2.6 (CIS Control 2; Asset Type: Applications)

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.12.5.1
Installation of software on operational systems
A.12.6.2
Restrictions on software installation

NIST SP 800-171 Groups:

3.1.2e
Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
3.4.7
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.9
Control and monitor user-installed software.

NIST SP 800-53 Groups:

CM-11
User-Installed Software

MITRE ATT&CK Groups:

T1164
Re-opened Applications
T1170
Mshta
T1171
LLMNR/NBT-NS Poisoning and Relay
T1173
Dynamic Data Exchange
T1175
Component Object Model and Distributed COM
T1180
Screensaver
T1184
SSH Hijacking
T1191
CMSTP
T1028
Windows Remote Management
T1210
Exploitation of Remote Services
T1221
Template Injection
T1519
Emond
T1046
Network Service Scanning
T1052
Exfiltration Over Physical Medium
T1064
Scripting
T1076
Remote Desktop Protocol
T1086
PowerShell
T1091
Replication Through Removable Media
T1092
Communication Through Removable Media
T1118
InstallUtil
T1121
Regsvcs/Regasm
T1127
Trusted Developer Utilities
T1133
External Remote Services
T1137
Office Application Startup
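Sub-Controls 2.1 through 2.6 describe one pipeline: records with name, version, publisher and install date (2.4) arrive from an inventory tool (2.3), are matched against the authorized list (2.1), tagged unsupported when the vendor's support has ended (2.2), joined to the hardware inventory (2.5), and anything unauthorized is queued for removal or an inventory update (2.6). The following added example (not tooling from CIS or this page) implements that classification. The authorized list, support end dates, host records and installed-software rows are all constructed sample data; the product and publisher names are only labels.

```python
"""Classify installed software against the authorized software inventory.

Added example, not CIS tooling. Installed-software records are what an inventory
agent would report (name, version, publisher, install date, per Sub-Control 2.4);
the authorized list carries each product's vendor support end date (2.2) and the
hardware inventory is keyed by hardware address so results join to devices (2.5).
All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuthorizedSoftware:
    name: str
    publisher: str
    support_ends: Optional[date]   # None: vendor support open-ended


@dataclass(frozen=True)
class InstalledSoftware:
    host_mac: str
    name: str
    version: str
    publisher: str
    install_date: date


def _key(name: str, publisher: str):
    """Case- and whitespace-insensitive (name, publisher) key; version is deliberately excluded."""
    return (" ".join(name.lower().split()), " ".join(publisher.lower().split()))


def classify(installed: List[InstalledSoftware],
             authorized: List[AuthorizedSoftware],
             hardware: Dict[str, str],        # mac -> hostname from the hardware inventory
             today: date) -> List[dict]:
    """Tag every installed item as authorized, unsupported, unauthorized or unknown_host."""
    index = {_key(a.name, a.publisher): a for a in authorized}
    report = []
    for sw in installed:
        hostname = hardware.get(sw.host_mac.lower())
        entry = index.get(_key(sw.name, sw.publisher))
        if hostname is None:
            status = "unknown_host"      # software seen on a device the hardware inventory lacks
        elif entry is None:
            status = "unauthorized"      # Sub-Control 2.6: remove, or update the inventory
        elif entry.support_ends is not None and entry.support_ends < today:
            status = "unsupported"       # Sub-Control 2.2: tag, do not treat as authorized
        else:
            status = "authorized"
        report.append({"host": hostname or sw.host_mac, "name": sw.name, "version": sw.version,
                       "publisher": sw.publisher, "installed": sw.install_date.isoformat(),
                       "status": status})
    return report


def summarize(report: List[dict]) -> Dict[str, int]:
    """Count rows per status; the numbers a weekly control-health report would carry."""
    counts: Dict[str, int] = {}
    for row in report:
        counts[row["status"]] = counts.get(row["status"], 0) + 1
    return counts


# Constructed sample data.
HARDWARE = {"00:11:22:33:44:55": "fin-ws-01", "00:11:22:33:44:66": "fin-ws-02"}
AUTHORIZED = [
    AuthorizedSoftware("Mozilla Firefox", "Mozilla", None),
    AuthorizedSoftware("Acme Ledger", "Acme Corp", date(2024, 6, 30)),
]
INSTALLED = [
    InstalledSoftware("00:11:22:33:44:55", "Mozilla Firefox", "131.0", "Mozilla", date(2024, 11, 2)),
    InstalledSoftware("00:11:22:33:44:55", "Acme  Ledger", "7.2", "ACME Corp", date(2023, 3, 9)),
    InstalledSoftware("00:11:22:33:44:66", "TorrentGrabber", "2.1", "Unknown Publisher", date(2025, 1, 4)),
    InstalledSoftware("aa:bb:cc:dd:ee:ff", "Mozilla Firefox", "131.0", "Mozilla", date(2024, 12, 1)),
]


def run_report(today: date = date(2025, 1, 15)) -> List[dict]:
    return classify(INSTALLED, AUTHORIZED, HARDWARE, today)


if __name__ == "__main__":
    rows = run_report()
    for row in rows:
        print(f"{row['status']:12} {row['host']:20} {row['name']} {row['version']}")
    print(summarize(rows))
```

Two choices worth noting. The match key is (name, publisher) rather than the raw strings, because agent output varies in case and spacing and a strict comparison turns approved software into "unauthorized" noise that analysts learn to ignore. And "unknown_host" is reported separately from "unauthorized": software on a device the hardware inventory does not know about is a Control 1 failure first, and feeding it into the Control 2 queue would hide that.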
Sub-Control 2.7 (CIS Control 2; Asset Type: Applications)

Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

NIST CSF Groups:

DE.CM-7
Mo