Security Control Matrix
This matrix maps the attacker methodology (see Attack Methodology under SEE ALSO) onto the NIST SP 800-53 security controls that counter each step. Under each attack step are the controls that apply, with a note on why that control matters at that point.
ATTACK METHODOLOGY / CONTROL
- Recon
- General/Google
- RA-3 RISK ASSESSMENT – you can reduce exposure but never “stop” general reconnaissance (search engines, public DNS and WHOIS records, job postings and published documents all leak information), so you had better know what you are defending, and what is already public about it, before the attacker finds out
- Network scanning
- CM-7 LEAST FUNCTIONALITY – show the attacker the smallest profile you can by turning off every service and port you don’t absolutely need, then scan yourself from outside to confirm that what is exposed is what you intended
- Sniffing
- PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS – know where physical entry points might allow access to your network or equipment
- IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION – don’t allow unauthorized devices on your network
- AC-18 WIRELESS ACCESS – know what information is on your wireless network and make sure it is configured securely
- Penetration
- Perimeter
- SC-7 BOUNDARY PROTECTION – use firewalls, routers, proxies, gateways, etc. to limit access and protect the perimeter
- SI-2 FLAW REMEDIATION – patch known flaws
- SI-4 INFORMATION SYSTEM MONITORING – use IDS/IPS to monitor traffic going across the perimeter
- Wireless
- AC-18 WIRELESS ACCESS – secure wireless configuration is essential
- IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION – port-based network access control (802.1X) on wired and wireless ports is needed to keep rogue devices off your network
- SI-4 INFORMATION SYSTEM MONITORING – monitor wireless activity, keeping an eye out for spoofing and rogue devices
- Client side
- SI-2 FLAW REMEDIATION – most conventional patching is aimed at operating systems; client-side tools (browsers and their plugins, document readers, office suites, media players) are what client-side attacks target, so keep them up to date too
- SI-3 MALICIOUS CODE PROTECTION – anti-virus signatures won’t stop everything, but they help; keep them up to date
- AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING – check system event logs on a regular basis, looking for evidence of abnormal activity
- SI-4 INFORMATION SYSTEM MONITORING – keep an eye on your network at all times
- Application
- SI-2 FLAW REMEDIATION – in addition to operating systems and client tools, applications may need to be patched also
- AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING – check system event logs on a regular basis, looking for evidence of abnormal activity
- SI-4 INFORMATION SYSTEM MONITORING – keep an eye on your network at all times
- Physical
- PE-3 PHYSICAL ACCESS CONTROL – if an attacker gets physical access to systems, you must assume they own them
- CM-8 INFORMATION SYSTEM COMPONENT INVENTORY – it is imperative to know what is on your network
- IA-3 DEVICE IDENTIFICATION AND AUTHENTICATION – this protects against rogue devices being added to the network
- AC-11 SESSION LOCK – don’t make it easy for an attacker who is inside your building to sit down at a workstation that is logged in and start taking over your network
- PE-18 LOCATION OF INFORMATION SYSTEM COMPONENTS – know where the key stuff is so you can add extra protection
- Entrench
- Whoami
- AC-6 LEAST PRIVILEGE – if the account the attacker lands in has only the rights it needs, the attacker is forced to proceed to a privilege escalation attempt, which is one more step you can detect and block
- Escalate privileges
- SI-2 FLAW REMEDIATION – many privilege escalation techniques (but not all) exploit known flaws in the operating system or a privileged service and are prevented by patching; the rest abuse misconfiguration such as weak service or file permissions, which CM-6 and AC-6 address
- Pull password hashes and crack them
- IA-5 AUTHENTICATOR MANAGEMENT – password length and complexity requirements increase the time it takes to crack hashes, and length matters most against fast, unsalted hash formats
- CM-6 CONFIGURATION SETTINGS – make sure weak hash formats are not being used (LM hashes are not safe: disable LM hash storage; NTLM hashes are unsalted and fast to brute-force, so the strength of the password is all that protects them)
- Add an admin user
- AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING – keep watching those event logs and make sure you can identify the events that should send up a red flag, such as a new account being created and then added to an administrators group
- Ensure future access
- CM-7 LEAST FUNCTIONALITY – don’t grant local admin rights unless they are really needed, and think carefully about how best to do it when you must (AC-6 LEAST PRIVILEGE applies here as well)
- Exfiltrate data
- CM-7 LEAST FUNCTIONALITY – make it as difficult as possible for an attacker who has gotten in to do anything at all; don’t hand over access rights easily
- AU-13 MONITORING FOR INFORMATION DISCLOSURE – in addition to internal monitoring, watch external sources for any indication of information leakage
- SI-4 INFORMATION SYSTEM MONITORING – keep an eye on your network at all times
- CA-7 CONTINUOUS MONITORING – this takes many forms:
- SI-4 INFORMATION SYSTEM MONITORING
- RA-5 VULNERABILITY SCANNING
- SI-7 SOFTWARE AND INFORMATION INTEGRITY
- AU-6 AUDIT REVIEW, ANALYSIS, AND REPORTING
- Alter data
- SI-7 SOFTWARE AND INFORMATION INTEGRITY – use integrity checking to ensure files have not been altered without authorization
- Alter configurations
- CM-5 ACCESS RESTRICTIONS FOR CHANGE – define special restrictions to limit the ability to make configuration changes to system components
- Denial of service
- SC-5 DENIAL OF SERVICE PROTECTION – employ techniques (filtering, rate limiting, capacity and redundancy) to limit or prevent the effects of these attacks
- Extortion
- AT-2 SECURITY AWARENESS – make sure your users are aware of social engineering, know how to handle it, and know who to report incidents to
- IR-4 INCIDENT HANDLING – does your incident response plan need to cover extortion or blackmail?
- Stealth
- SC-31 COVERT CHANNEL ANALYSIS – analyze your system communications to identify potential for covert timing and storage channels
- Situational awareness
- CM-7 LEAST FUNCTIONALITY – don’t make it easy for the attacker to know what’s going on inside your network – shut down everything you don’t need, make it hard, slow them down
- OODA loops
- IR-3 INCIDENT RESPONSE TESTING AND EXERCISES – OODA loop tactics involve getting “inside” the response time of an opponent; regular exercising of incident response operations shortens your response times
- RA-3 RISK ASSESSMENT – you must know what you are defending BEFORE the attacker does or you have lost the battle of OODA tactics
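The AU-6 entries under Entrench (“add an admin user”) say to watch for the events that should raise a red flag. As an added example, not part of the original matrix, here is the kind of log review that turns that advice into a check: it walks Windows Security events for account creation (4720) and additions to security-enabled groups (4732 local, 4728 global) and raises a high-severity alert when an account is created and made a member of an administrators group within a few minutes, which is the footprint of an attacker adding their own admin user. The events are constructed for the example (field names follow the Windows schema, values are made up), and the group list, time window and severity labels are assumptions to tune for your environment.

```python
"""Flag 'add an admin user' activity in Windows Security events (AU-6).

Added example: sample events are constructed, not real log data.  The
privileged-group list and the time window are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Windows Security event IDs of interest.
ACCOUNT_CREATED = 4720      # A user account was created
LOCAL_GROUP_ADD = 4732      # A member was added to a security-enabled local group
GLOBAL_GROUP_ADD = 4728     # A member was added to a security-enabled global group

# Groups whose membership changes should always be reviewed (assumed list).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
# "Created and then made admin" inside this window is treated as high severity.
NEW_ACCOUNT_WINDOW = timedelta(minutes=10)

# Constructed sample export of the Security log (not real data).
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:14:05", "id": 4720, "subject": "CORP\\svc-backup",
     "target": "helpdesk2", "group": None},
    {"time": "2024-03-01T02:15:40", "id": 4732, "subject": "CORP\\svc-backup",
     "target": "helpdesk2", "group": "Administrators"},
    {"time": "2024-03-01T09:00:00", "id": 4720, "subject": "CORP\\hr-admin",
     "target": "jdoe", "group": None},
    {"time": "2024-03-01T09:01:00", "id": 4732, "subject": "CORP\\hr-admin",
     "target": "jdoe", "group": "Remote Desktop Users"},
    {"time": "2024-03-02T11:30:00", "id": 4728, "subject": "CORP\\itops",
     "target": "alice", "group": "Domain Admins"},
]


def find_admin_additions(events):
    """Return one alert per addition to a privileged group.

    Severity is 'high' when the added account was itself created less than
    NEW_ACCOUNT_WINDOW earlier (the 'add an admin user' footprint) and
    'medium' for an existing account being promoted, which still warrants
    review against change records.
    """
    created_at = {}   # account name -> creation time seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == ACCOUNT_CREATED:
            created_at[ev["target"]] = ts
        elif ev["id"] in (LOCAL_GROUP_ADD, GLOBAL_GROUP_ADD) and ev["group"] in ADMIN_GROUPS:
            born = created_at.get(ev["target"])
            fresh = born is not None and ts - born <= NEW_ACCOUNT_WINDOW
            alerts.append({
                "time": ev["time"],
                "account": ev["target"],
                "group": ev["group"],
                "by": ev["subject"],
                "severity": "high" if fresh else "medium",
                "reason": ("account created %s before being added to %s"
                           % (ts - born, ev["group"])) if fresh
                          else "existing account added to a privileged group",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_admin_additions(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["account"],
              "->", alert["group"], "by", alert["by"], ":", alert["reason"])
```

Run against the sample, the helpdesk2 creation followed 95 seconds later by an Administrators addition is flagged high, alice being added to Domain Admins is flagged medium for review, and jdoe’s Remote Desktop Users addition is not flagged. The same correlation works on a real export once the field names are mapped; the point of AU-6 is that these two events are present in the default audit policy on most domains and nobody is reading them.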
NOTE – all NIST 800-53 controls are written as general guidance so that they can be applied to a wide range of systems and situations; tailoring and supplementing them is usually needed to make them effective in a particular environment.
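The IA-5 and CM-6 entries under “pull password hashes and crack them” make two separate points: the hash format decides how cheap an attack is, and the password decides whether the attack succeeds. The following added example (mine, not part of the original matrix) shows both with a dictionary attack against the same two accounts stored two ways. An unsalted single-round hash stands in for the LM/NTLM property the matrix warns about (one precomputed table cracks every account on every system), while a salted, iterated PBKDF2 hash forces the attacker to redo the work per account. The user names, passwords and wordlist are constructed; the iteration count is an assumption chosen to keep the example fast.

```python
"""Hash format versus password strength (IA-5, CM-6).

Added example with constructed users, passwords and wordlist.  weak_hash()
models an unsalted, one-round format (the property that makes LM/NTLM cheap
to crack); strong_hash() is PBKDF2-HMAC-SHA256 with a per-user salt.
"""
import hashlib
import os

ROUNDS = 50_000   # assumed iteration count; production values are higher

# Constructed wordlist an attacker might try first.
WORDLIST = ["password", "Welcome1", "Summer2023!", "letmein", "qwerty123"]

# Constructed accounts: one dictionary password, one long passphrase.
USERS = {"alice": "Welcome1", "bob": "correct horse battery staple"}


def weak_hash(pw):
    """Unsalted, single round: identical passwords give identical hashes."""
    return hashlib.sha1(pw.encode()).hexdigest()


def strong_hash(pw, salt=None, rounds=ROUNDS):
    """Salted and iterated: a table built for one user is useless for another."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)


def build_stores(users=USERS):
    """Store the same passwords in both formats, as a defender would see them."""
    weak = {u: weak_hash(p) for u, p in users.items()}
    strong = {u: strong_hash(p) for u, p in users.items()}
    return weak, strong


def crack_weak(stored, wordlist=WORDLIST):
    """Precompute the wordlist once, then crack every account by lookup.
    Returns (user -> recovered password or None, hash operations performed)."""
    table = {weak_hash(w): w for w in wordlist}      # built once, reusable everywhere
    return {u: table.get(h) for u, h in stored.items()}, len(wordlist)


def crack_strong(stored, wordlist=WORDLIST, rounds=ROUNDS):
    """The salt defeats precomputation: every candidate is rehashed per user,
    and each rehash costs `rounds` HMAC evaluations."""
    found, ops = {}, 0
    for user, (salt, digest) in stored.items():
        found[user] = None
        for w in wordlist:
            ops += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, rounds) == digest:
                found[user] = w
    return found, ops


if __name__ == "__main__":
    weak, strong = build_stores()
    print("unsalted:", crack_weak(weak))
    print("salted+iterated:", crack_strong(strong))
```

Both formats give up alice’s “Welcome1”, which is the IA-5 point: no storage format saves a password that is on the attacker’s list. The difference is cost. The unsalted store is cracked with one pass over the wordlist for any number of accounts (the basis of LM/NTLM rainbow tables), while the salted store costs wordlist-size multiplied by account count, each multiplied by the iteration count, which is the CM-6 point about not accepting weak hash formats. LM is worse still than the weak model here, since it case-folds the password and hashes it as two independent 7-character halves, so disabling LM hash storage is the first configuration check to make.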
SEE ALSO:
Security Control Implementation
Attack Methodology