NIST 800-53 RA-5 Mappings

Security categorization of information and systems guides the frequency and comprehensiveness of vulnerability monitoring (including scans). Organizations determine the required vulnerability monitoring for system components, ensuring that the potential sources of vulnerabilities—such as infrastructure components (e.g., switches, routers, guards, sensors), networked printers, scanners, and copiers—are not overlooked. The capability to readily update vulnerability monitoring tools as new vulnerabilities are discovered and announced and as new scanning methods are developed helps to ensure that new vulnerabilities are not missed by employed vulnerability monitoring tools. The vulnerability monitoring tool update process helps to ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible. Vulnerability monitoring and analyses for custom software may require additional approaches, such as static analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can use these analysis approaches in source code reviews and in a variety of tools, including web-based application scanners, static analysis tools, and binary analyzers.

Vulnerability monitoring includes scanning for patch levels; scanning for functions, ports, protocols, and services that should not be accessible to users or devices; and scanning for flow control mechanisms that are improperly configured or operating incorrectly. Vulnerability monitoring may also include continuous vulnerability monitoring tools that use instrumentation to continuously analyze components. Instrumentation-based tools may improve accuracy and may be run throughout an organization without scanning. Vulnerability monitoring tools that facilitate interoperability include tools that are Security Content Automated Protocol (SCAP)-validated. Thus, organizations consider using scanning tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and that employ the Open Vulnerability Assessment Language (OVAL) to determine the presence of vulnerabilities. Sources for vulnerability information include the Common Weakness Enumeration (CWE) listing and the National Vulnerability Database (NVD). Control assessments, such as red team exercises, provide additional sources of potential vulnerabilities for which to scan. Organizations also consider using scanning tools that express vulnerability impact by the Common Vulnerability Scoring System (CVSS).

Vulnerability monitoring includes a channel and process for receiving reports of security vulnerabilities from the public at-large. Vulnerability disclosure programs can be as simple as publishing a monitored email address or web form that can receive reports, including notification authorizing good-faith research and disclosure of security vulnerabilities. Organizations generally expect that such research is happening with or without their authorization and can use public vulnerability disclosure channels to increase the likelihood that discovered vulnerabilities are reported directly to the organization for remediation.

Organizations may also employ the use of financial incentives (also known as bug bounties) to further encourage external security researchers to report discovered vulnerabilities. Bug bounty programs can be tailored to the organization’s needs. Bounties can be operated indefinitely or over a defined period of time and can be offered to the general public or to a curated group. Organizations may run public and private bounties simultaneously and could choose to offer partially credentialed access to certain participants in order to evaluate security vulnerabilities from privileged vantage points.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
RA-5 Vulnerability Monitoring and Scanning Protects T1011.001 Exfiltration Over Bluetooth
RA-5 Vulnerability Monitoring and Scanning Protects T1021.001 Remote Desktop Protocol
RA-5 Vulnerability Monitoring and Scanning Protects T1021.003 Distributed Component Object Model
RA-5 Vulnerability Monitoring and Scanning Protects T1021.004 SSH
RA-5 Vulnerability Monitoring and Scanning Protects T1021.005 VNC
RA-5 Vulnerability Monitoring and Scanning Protects T1021.006 Windows Remote Management
RA-5 Vulnerability Monitoring and Scanning Protects T1046 Network Service Scanning
RA-5 Vulnerability Monitoring and Scanning Protects T1047 Windows Management Instrumentation
RA-5 Vulnerability Monitoring and Scanning Protects T1052 Exfiltration Over Physical Medium
RA-5 Vulnerability Monitoring and Scanning Protects T1052.001 Exfiltration over USB
RA-5 Vulnerability Monitoring and Scanning Protects T1053 Scheduled Task/Job
RA-5 Vulnerability Monitoring and Scanning Protects T1053.001 At (Linux)
RA-5 Vulnerability Monitoring and Scanning Protects T1053.002 At (Windows)
RA-5 Vulnerability Monitoring and Scanning Protects T1053.003 Cron
RA-5 Vulnerability Monitoring and Scanning Protects T1053.005 Scheduled Task
RA-5 Vulnerability Monitoring and Scanning Protects T1059 Command and Scripting Interpreter
RA-5 Vulnerability Monitoring and Scanning Protects T1059.001 PowerShell
RA-5 Vulnerability Monitoring and Scanning Protects T1059.005 Visual Basic
RA-5 Vulnerability Monitoring and Scanning Protects T1059.007 JavaScript
RA-5 Vulnerability Monitoring and Scanning Protects T1068 Exploitation for Privilege Escalation
RA-5 Vulnerability Monitoring and Scanning Protects T1078 Valid Accounts
RA-5 Vulnerability Monitoring and Scanning Protects T1091 Replication Through Removable Media
RA-5 Vulnerability Monitoring and Scanning Protects T1092 Communication Through Removable Media
RA-5 Vulnerability Monitoring and Scanning Protects T1098.004 SSH Authorized Keys
RA-5 Vulnerability Monitoring and Scanning Protects T1127 Trusted Developer Utilities Proxy Execution
RA-5 Vulnerability Monitoring and Scanning Protects T1127.001 MSBuild
RA-5 Vulnerability Monitoring and Scanning Protects T1133 External Remote Services
RA-5 Vulnerability Monitoring and Scanning Protects T1137 Office Application Startup
RA-5 Vulnerability Monitoring and Scanning Protects T1137.001 Office Template Macros
RA-5 Vulnerability Monitoring and Scanning Protects T1176 Browser Extensions
RA-5 Vulnerability Monitoring and Scanning Protects T1190 Exploit Public-Facing Application
RA-5 Vulnerability Monitoring and Scanning Protects T1195 Supply Chain Compromise
RA-5 Vulnerability Monitoring and Scanning Protects T1195.001 Compromise Software Dependencies and Development Tools
RA-5 Vulnerability Monitoring and Scanning Protects T1195.002 Compromise Software Supply Chain
RA-5 Vulnerability Monitoring and Scanning Protects T1204.003 Malicious Image
RA-5 Vulnerability Monitoring and Scanning Protects T1210 Exploitation of Remote Services
RA-5 Vulnerability Monitoring and Scanning Protects T1211 Exploitation for Defense Evasion
RA-5 Vulnerability Monitoring and Scanning Protects T1212 Exploitation for Credential Access
RA-5 Vulnerability Monitoring and Scanning Protects T1213 Data from Information Repositories
RA-5 Vulnerability Monitoring and Scanning Protects T1213.001 Confluence
RA-5 Vulnerability Monitoring and Scanning Protects T1213.002 Sharepoint
RA-5 Vulnerability Monitoring and Scanning Protects T1213.003 Code Repositories
RA-5 Vulnerability Monitoring and Scanning Protects T1218 Signed Binary Proxy Execution
RA-5 Vulnerability Monitoring and Scanning Protects T1218.003 CMSTP
RA-5 Vulnerability Monitoring and Scanning Protects T1218.004 InstallUtil
RA-5 Vulnerability Monitoring and Scanning Protects T1218.005 Mshta
RA-5 Vulnerability Monitoring and Scanning Protects T1218.008 Odbcconf
RA-5 Vulnerability Monitoring and Scanning Protects T1218.009 Regsvcs/Regasm
RA-5 Vulnerability Monitoring and Scanning Protects T1218.012 Verclsid
RA-5 Vulnerability Monitoring and Scanning Protects T1218.013 Mavinject
RA-5 Vulnerability Monitoring and Scanning Protects T1218.014 MMC
RA-5 Vulnerability Monitoring and Scanning Protects T1221 Template Injection
RA-5 Vulnerability Monitoring and Scanning Protects T1482 Domain Trust Discovery
RA-5 Vulnerability Monitoring and Scanning Protects T1484 Domain Policy Modification
RA-5 Vulnerability Monitoring and Scanning Protects T1505 Server Software Component
RA-5 Vulnerability Monitoring and Scanning Protects T1505.001 SQL Stored Procedures
RA-5 Vulnerability Monitoring and Scanning Protects T1505.002 Transport Agent
RA-5 Vulnerability Monitoring and Scanning Protects T1505.003 Web Shell
RA-5 Vulnerability Monitoring and Scanning Protects T1505.004 IIS Components
RA-5 Vulnerability Monitoring and Scanning Protects T1525 Implant Internal Image
RA-5 Vulnerability Monitoring and Scanning Protects T1528 Steal Application Access Token
RA-5 Vulnerability Monitoring and Scanning Protects T1530 Data from Cloud Storage Object
RA-5 Vulnerability Monitoring and Scanning Protects T1542.004 ROMMONkit
RA-5 Vulnerability Monitoring and Scanning Protects T1542.005 TFTP Boot
RA-5 Vulnerability Monitoring and Scanning Protects T1543 Create or Modify System Process
RA-5 Vulnerability Monitoring and Scanning Protects T1546.002 Screensaver
RA-5 Vulnerability Monitoring and Scanning Protects T1546.014 Emond
RA-5 Vulnerability Monitoring and Scanning Protects T1547.006 Kernel Modules and Extensions
RA-5 Vulnerability Monitoring and Scanning Protects T1547.007 Re-opened Applications
RA-5 Vulnerability Monitoring and Scanning Protects T1547.008 LSASS Driver
RA-5 Vulnerability Monitoring and Scanning Protects T1548 Abuse Elevation Control Mechanism
RA-5 Vulnerability Monitoring and Scanning Protects T1548.002 Bypass User Account Control
RA-5 Vulnerability Monitoring and Scanning Protects T1548.003 Sudo and Sudo Caching
RA-5 Vulnerability Monitoring and Scanning Protects T1552 Unsecured Credentials
RA-5 Vulnerability Monitoring and Scanning Protects T1552.001 Credentials In Files
RA-5 Vulnerability Monitoring and Scanning Protects T1552.002 Credentials in Registry
RA-5 Vulnerability Monitoring and Scanning Protects T1552.004 Private Keys
RA-5 Vulnerability Monitoring and Scanning Protects T1552.006 Group Policy Preferences
RA-5 Vulnerability Monitoring and Scanning Protects T1557 Adversary-in-the-Middle
RA-5 Vulnerability Monitoring and Scanning Protects T1558.004 AS-REP Roasting
RA-5 Vulnerability Monitoring and Scanning Protects T1559 Inter-Process Communication
RA-5 Vulnerability Monitoring and Scanning Protects T1559.002 Dynamic Data Exchange
RA-5 Vulnerability Monitoring and Scanning Protects T1560 Archive Collected Data
RA-5 Vulnerability Monitoring and Scanning Protects T1560.001 Archive via Utility
RA-5 Vulnerability Monitoring and Scanning Protects T1562 Impair Defenses
RA-5 Vulnerability Monitoring and Scanning Protects T1562.010 Downgrade Attack
RA-5 Vulnerability Monitoring and Scanning Protects T1563 Remote Service Session Hijacking
RA-5 Vulnerability Monitoring and Scanning Protects T1563.001 SSH Hijacking
RA-5 Vulnerability Monitoring and Scanning Protects T1563.002 RDP Hijacking
RA-5 Vulnerability Monitoring and Scanning Protects T1574 Hijack Execution Flow
RA-5 Vulnerability Monitoring and Scanning Protects T1574.001 DLL Search Order Hijacking
RA-5 Vulnerability Monitoring and Scanning Protects T1574.004 Dylib Hijacking
RA-5 Vulnerability Monitoring and Scanning Protects T1574.005 Executable Installer File Permissions Weakness
RA-5 Vulnerability Monitoring and Scanning Protects T1574.007 Path Interception by PATH Environment Variable
RA-5 Vulnerability Monitoring and Scanning Protects T1574.008 Path Interception by Search Order Hijacking
RA-5 Vulnerability Monitoring and Scanning Protects T1574.009 Path Interception by Unquoted Path
RA-5 Vulnerability Monitoring and Scanning Protects T1574.010 Services File Permissions Weakness
RA-5 Vulnerability Monitoring and Scanning Protects T1578 Modify Cloud Compute Infrastructure
RA-5 Vulnerability Monitoring and Scanning Protects T1578.001 Create Snapshot
RA-5 Vulnerability Monitoring and Scanning Protects T1578.002 Create Cloud Instance
RA-5 Vulnerability Monitoring and Scanning Protects T1578.003 Delete Cloud Instance
RA-5 Vulnerability Monitoring and Scanning Protects T1612 Build Image on Host