NIST 800-53 SC-28 Mappings

Information at rest refers to the state of information when it is not in process or in transit and is located on system components. Such components include internal or external hard disk drives, storage area network devices, or databases. However, the focus of protecting information at rest is not on the type of storage device or frequency of access but rather on the state of the information. Information at rest addresses the confidentiality and integrity of information and covers user information and system information. System-related information that requires protection includes configurations or rule sets for firewalls, intrusion detection and prevention systems, filtering routers, and authentication information. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing write-once-read-many (WORM) technologies. When adequate protection of information at rest cannot otherwise be achieved, organizations may employ other controls, including frequent scanning to identify malicious code at rest and secure offline storage in lieu of online storage.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
SC-28 Protection of Information at Rest Protects T1003 OS Credential Dumping
SC-28 Protection of Information at Rest Protects T1003.001 LSASS Memory
SC-28 Protection of Information at Rest Protects T1003.002 Security Account Manager
SC-28 Protection of Information at Rest Protects T1003.003 NTDS
SC-28 Protection of Information at Rest Protects T1003.004 LSA Secrets
SC-28 Protection of Information at Rest Protects T1003.005 Cached Domain Credentials
SC-28 Protection of Information at Rest Protects T1003.006 DCSync
SC-28 Protection of Information at Rest Protects T1003.007 Proc Filesystem
SC-28 Protection of Information at Rest Protects T1003.008 /etc/passwd and /etc/shadow
SC-28 Protection of Information at Rest Protects T1005 Data from Local System
SC-28 Protection of Information at Rest Protects T1025 Data from Removable Media
SC-28 Protection of Information at Rest Protects T1041 Exfiltration Over C2 Channel
SC-28 Protection of Information at Rest Protects T1048 Exfiltration Over Alternative Protocol
SC-28 Protection of Information at Rest Protects T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
SC-28 Protection of Information at Rest Protects T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
SC-28 Protection of Information at Rest Protects T1052 Exfiltration Over Physical Medium
SC-28 Protection of Information at Rest Protects T1052.001 Exfiltration over USB
SC-28 Protection of Information at Rest Protects T1078 Valid Accounts
SC-28 Protection of Information at Rest Protects T1078.001 Default Accounts
SC-28 Protection of Information at Rest Protects T1078.003 Local Accounts
SC-28 Protection of Information at Rest Protects T1078.004 Cloud Accounts
SC-28 Protection of Information at Rest Protects T1213 Data from Information Repositories
SC-28 Protection of Information at Rest Protects T1213.001 Confluence
SC-28 Protection of Information at Rest Protects T1213.002 Sharepoint
SC-28 Protection of Information at Rest Protects T1530 Data from Cloud Storage Object
SC-28 Protection of Information at Rest Protects T1550.001 Application Access Token
SC-28 Protection of Information at Rest Protects T1552 Unsecured Credentials
SC-28 Protection of Information at Rest Protects T1552.001 Credentials In Files
SC-28 Protection of Information at Rest Protects T1552.002 Credentials in Registry
SC-28 Protection of Information at Rest Protects T1552.003 Bash History
SC-28 Protection of Information at Rest Protects T1552.004 Private Keys
SC-28 Protection of Information at Rest Protects T1565 Data Manipulation
SC-28 Protection of Information at Rest Protects T1565.001 Stored Data Manipulation
SC-28 Protection of Information at Rest Protects T1565.003 Runtime Data Manipulation
SC-28 Protection of Information at Rest Protects T1567 Exfiltration Over Web Service
SC-28 Protection of Information at Rest Protects T1599 Network Boundary Bridging
SC-28 Protection of Information at Rest Protects T1599.001 Network Address Translation Traversal
SC-28 Protection of Information at Rest Protects T1602 Data from Configuration Repository
SC-28 Protection of Information at Rest Protects T1602.001 SNMP (MIB Dump)
SC-28 Protection of Information at Rest Protects T1602.002 Network Device Configuration Dump