Define, implement and evaluate processes, procedures and technical measures for the periodic performance of penetration testing by independent third parties.
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| TVM-06 | External Library Vulnerabilities | mitigates | T1190 | Exploit Public-Facing Application | This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency-scanning tools to mitigate risks from library vulnerabilities. |
| TVM-06 | External Library Vulnerabilities | mitigates | T1574.001 | DLL | This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency-scanning tools to mitigate risks from library vulnerabilities. For this technique, use sxstrace.exe (included with Windows) together with manual inspection to check application manifest files for side-loading vulnerabilities in software that uses vulnerable DLLs. |
| TVM-06 | External Library Vulnerabilities | mitigates | T1574 | Hijack Execution Flow | This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency-scanning tools to mitigate risks from library vulnerabilities. For this technique, use sxstrace.exe (included with Windows) together with manual inspection to check application manifest files for side-loading vulnerabilities in software that uses vulnerable DLLs. |
| TVM-06 | External Library Vulnerabilities | mitigates | T1176 | Software Extensions | This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency-scanning tools to mitigate risks from library vulnerabilities. |
| TVM-06 | External Library Vulnerabilities | mitigates | T1204.003 | Malicious Image | This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency-scanning tools to mitigate risks from library vulnerabilities. |
| TVM-06 | External Library Vulnerabilities | mitigates | T1525 | Implant Internal Image | This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency-scanning tools to mitigate risks from library vulnerabilities. |
| TVM-06 | External Library Vulnerabilities | mitigates | T1195.002 | Compromise Software Supply Chain | This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency-scanning tools to mitigate risks from library vulnerabilities. |
| TVM-06 | External Library Vulnerabilities | mitigates | T1195.001 | Compromise Software Dependencies and Development Tools | This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency-scanning tools to mitigate risks from library vulnerabilities. |
| TVM-06 | External Library Vulnerabilities | mitigates | T1195 | Supply Chain Compromise | This control requires both CSP and CSC to independently manage third-party and open-source libraries by maintaining accurate inventories, integrating with vulnerability databases, automating patching and updates, and using dependency-scanning tools to mitigate risks from library vulnerabilities. |
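The Notes column above repeats the same three steps for every mapped technique: keep an accurate inventory of third-party libraries, match it against a vulnerability database, and feed the result into automated patching. The following is an added example of that loop, not code from the CCM or the ATT&CK mapping project. It builds an inventory from a constructed requirements-style lock file, matches it against a constructed advisory feed in an OSV-like shape (half-open `introduced`/`fixed` ranges), and emits the pins an update job would write back. The advisory IDs (`EXAMPLE-000n`), the affected ranges and the lock-file contents are all hypothetical; the version parser is numeric-only and is not a full PEP 440 implementation.

```python
import json
import re

# Constructed sample inventory: a requirements-style lock file with exact pins.
SAMPLE_LOCKFILE = """\
# constructed sample, not a real project
requests==2.25.1
urllib3==1.26.4
PyYAML==5.3.1
certifi==2021.5.30
"""

# Constructed vulnerability feed in an OSV-like shape. The advisory IDs and
# affected ranges are hypothetical and chosen only for this example.
SAMPLE_FEED = json.dumps([
    {"id": "EXAMPLE-0001", "package": "urllib3",
     "introduced": "1.26.0", "fixed": "1.26.5"},
    {"id": "EXAMPLE-0002", "package": "pyyaml",
     "introduced": "0", "fixed": "5.4"},
    {"id": "EXAMPLE-0003", "package": "requests",
     "introduced": "2.3.0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-0004", "package": "certifi",
     "introduced": "2021.0.0", "fixed": None},
])


def normalize_name(name):
    """PEP 503 normalization so 'PyYAML' and 'pyyaml' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text):
    """Numeric-only version tuple; enough for the pins used here, not full PEP 440."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_lockfile(text):
    """Build the inventory {normalized name: version} from 'name==version' lines."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        # An unpinned dependency cannot be inventoried accurately; fail loudly.
        if sep != "==":
            raise ValueError(f"unpinned dependency, cannot inventory: {line!r}")
        inventory[normalize_name(name)] = version.strip()
    return inventory


def is_affected(version, introduced, fixed):
    """OSV-style half-open range: introduced <= version < fixed (fixed None = no fix yet)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def find_vulnerable(inventory, feed_json):
    """Match every inventoried library against every advisory; return findings."""
    findings = []
    for advisory in json.loads(feed_json):
        pkg = normalize_name(advisory["package"])
        if pkg not in inventory:
            continue
        version = inventory[pkg]
        if is_affected(version, advisory["introduced"], advisory["fixed"]):
            findings.append({
                "package": pkg,
                "installed": version,
                "advisory": advisory["id"],
                # The fixed version drives automated patching. None must be
                # surfaced rather than skipped: it needs a compensating control.
                "upgrade_to": advisory["fixed"],
            })
    return sorted(findings, key=lambda f: f["package"])


def proposed_pins(findings):
    """Pins an automated update job could write back, for findings that have a fix."""
    return [f"{f['package']}=={f['upgrade_to']}" for f in findings if f["upgrade_to"]]


if __name__ == "__main__":
    inv = parse_lockfile(SAMPLE_LOCKFILE)
    for f in find_vulnerable(inv, SAMPLE_FEED):
        fix = f["upgrade_to"] or "no fixed version published"
        print(f"{f['advisory']}: {f['package']} {f['installed']} affected, fix: {fix}")
```

Two details matter in practice: package names must be normalized on both sides before matching, or case and separator differences silently hide findings; and an advisory with no fixed version is still a finding, reported separately so it can be tracked as an accepted risk or mitigated another way rather than dropped by the update job.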