NIST 800-53 AC-4 Mappings

Information flow control regulates where information can travel within a system and between systems (in contrast to who is allowed to access the information) and without regard to subsequent accesses to that information. Flow control restrictions include blocking external traffic that claims to be from within the organization, keeping export-controlled information from being transmitted in the clear to the Internet, restricting web requests that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between organizations may require an agreement specifying how the information flow is enforced (see CA-03). Transferring information between systems in different security or privacy domains with different security or privacy policies introduces the risk that such transfers violate one or more domain security or privacy policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between connected systems. Organizations consider mandating specific architectural solutions to enforce specific security and privacy policies. Enforcement includes prohibiting information transfers between connected systems (i.e., allowing access only), verifying write permissions before accepting information from another security or privacy domain or connected system, employing hardware mechanisms to enforce one-way information flows, and implementing trustworthy regrading mechanisms to reassign security or privacy attributes and labels.

Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations within systems and between connected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or provide a message-filtering capability based on message content. Organizations also consider the trustworthiness of filtering and/or inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 32 primarily address cross-domain solution needs that focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, such as high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf products. Information flow enforcement also applies to control plane traffic (e.g., routing and DNS).

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1020.001 | Traffic Duplication |
| AC-4 | Information Flow Enforcement | Protects | T1021.001 | Remote Desktop Protocol |
| AC-4 | Information Flow Enforcement | Protects | T1095 | Non-Application Layer Protocol |
| AC-4 | Information Flow Enforcement | Protects | T1098 | Account Manipulation |
| AC-4 | Information Flow Enforcement | Protects | T1098.001 | Additional Cloud Credentials |
| AC-4 | Information Flow Enforcement | Protects | T1105 | Ingress Tool Transfer |
| AC-4 | Information Flow Enforcement | Protects | T1189 | Drive-by Compromise |
| AC-4 | Information Flow Enforcement | Protects | T1190 | Exploit Public-Facing Application |
| AC-4 | Information Flow Enforcement | Protects | T1197 | BITS Jobs |
| AC-4 | Information Flow Enforcement | Protects | T1203 | Exploitation for Client Execution |
| AC-4 | Information Flow Enforcement | Protects | T1205 | Traffic Signaling |
| AC-4 | Information Flow Enforcement | Protects | T1205.001 | Port Knocking |
| AC-4 | Information Flow Enforcement | Protects | T1210 | Exploitation of Remote Services |
| AC-4 | Information Flow Enforcement | Protects | T1211 | Exploitation for Defense Evasion |
| AC-4 | Information Flow Enforcement | Protects | T1218.012 | Verclsid |
| AC-4 | Information Flow Enforcement | Protects | T1219 | Remote Access Software |
| AC-4 | Information Flow Enforcement | Protects | T1498.001 | Direct Network Flood |
| AC-4 | Information Flow Enforcement | Protects | T1498.002 | Reflection Amplification |
| AC-4 | Information Flow Enforcement | Protects | T1499 | Endpoint Denial of Service |
| AC-4 | Information Flow Enforcement | Protects | T1499.001 | OS Exhaustion Flood |
| AC-4 | Information Flow Enforcement | Protects | T1499.002 | Service Exhaustion Flood |
| AC-4 | Information Flow Enforcement | Protects | T1499.003 | Application Exhaustion Flood |
| AC-4 | Information Flow Enforcement | Protects | T1499.004 | Application or System Exploitation |
| AC-4 | Information Flow Enforcement | Protects | T1537 | Transfer Data to Cloud Account |
| AC-4 | Information Flow Enforcement | Protects | T1547.003 | Time Providers |
| AC-4 | Information Flow Enforcement | Protects | T1552.005 | Cloud Instance Metadata API |
| AC-4 | Information Flow Enforcement | Protects | T1559 | Inter-Process Communication |
| AC-4 | Information Flow Enforcement | Protects | T1559.002 | Dynamic Data Exchange |
| AC-4 | Information Flow Enforcement | Protects | T1565 | Data Manipulation |
| AC-4 | Information Flow Enforcement | Protects | T1565.003 | Runtime Data Manipulation |
| AC-4 | Information Flow Enforcement | Protects | T1567 | Exfiltration Over Web Service |
| AC-4 | Information Flow Enforcement | Protects | T1567.002 | Exfiltration to Cloud Storage |
| AC-4 | Information Flow Enforcement | Protects | T1568.002 | Domain Generation Algorithms |
| AC-4 | Information Flow Enforcement | Protects | T1570 | Lateral Tool Transfer |
| AC-4 | Information Flow Enforcement | Protects | T1574 | Hijack Execution Flow |
| AC-4 | Information Flow Enforcement | Protects | T1574.007 | Path Interception by PATH Environment Variable |
| AC-4 | Information Flow Enforcement | Protects | T1602.002 | Network Device Configuration Dump |
| AC-4 | Information Flow Enforcement | Protects | T1001 | Data Obfuscation |
| AC-4 | Information Flow Enforcement | Protects | T1001.001 | Junk Data |
| AC-4 | Information Flow Enforcement | Protects | T1001.002 | Steganography |
| AC-4 | Information Flow Enforcement | Protects | T1001.003 | Protocol Impersonation |
| AC-4 | Information Flow Enforcement | Protects | T1003 | OS Credential Dumping |
| AC-4 | Information Flow Enforcement | Protects | T1003.005 | Cached Domain Credentials |
| AC-4 | Information Flow Enforcement | Protects | T1003.006 | DCSync |
| AC-4 | Information Flow Enforcement | Protects | T1008 | Fallback Channels |
| AC-4 | Information Flow Enforcement | Protects | T1021.002 | SMB/Windows Admin Shares |
| AC-4 | Information Flow Enforcement | Protects | T1021.003 | Distributed Component Object Model |
| AC-4 | Information Flow Enforcement | Protects | T1021.005 | VNC |
| AC-4 | Information Flow Enforcement | Protects | T1021.006 | Windows Remote Management |
| AC-4 | Information Flow Enforcement | Protects | T1029 | Scheduled Transfer |
| AC-4 | Information Flow Enforcement | Protects | T1030 | Data Transfer Size Limits |
| AC-4 | Information Flow Enforcement | Protects | T1041 | Exfiltration Over C2 Channel |
| AC-4 | Information Flow Enforcement | Protects | T1048 | Exfiltration Over Alternative Protocol |
| AC-4 | Information Flow Enforcement | Protects | T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| AC-4 | Information Flow Enforcement | Protects | T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| AC-4 | Information Flow Enforcement | Protects | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| AC-4 | Information Flow Enforcement | Protects | T1071 | Application Layer Protocol |
| AC-4 | Information Flow Enforcement | Protects | T1071.001 | Web Protocols |
| AC-4 | Information Flow Enforcement | Protects | T1071.002 | File Transfer Protocols |
| AC-4 | Information Flow Enforcement | Protects | T1071.003 | Mail Protocols |
| AC-4 | Information Flow Enforcement | Protects | T1071.004 | DNS |
| AC-4 | Information Flow Enforcement | Protects | T1072 | Software Deployment Tools |
| AC-4 | Information Flow Enforcement | Protects | T1090 | Proxy |
| AC-4 | Information Flow Enforcement | Protects | T1090.001 | Internal Proxy |
| AC-4 | Information Flow Enforcement | Protects | T1090.002 | External Proxy |
| AC-4 | Information Flow Enforcement | Protects | T1090.003 | Multi-hop Proxy |
| AC-4 | Information Flow Enforcement | Protects | T1102 | Web Service |
| AC-4 | Information Flow Enforcement | Protects | T1102.001 | Dead Drop Resolver |
| AC-4 | Information Flow Enforcement | Protects | T1102.002 | Bidirectional Communication |
| AC-4 | Information Flow Enforcement | Protects | T1102.003 | One-Way Communication |
| AC-4 | Information Flow Enforcement | Protects | T1104 | Multi-Stage Channels |
| AC-4 | Information Flow Enforcement | Protects | T1114 | Email Collection |
| AC-4 | Information Flow Enforcement | Protects | T1114.001 | Local Email Collection |
| AC-4 | Information Flow Enforcement | Protects | T1114.002 | Remote Email Collection |
| AC-4 | Information Flow Enforcement | Protects | T1114.003 | Email Forwarding Rule |
| AC-4 | Information Flow Enforcement | Protects | T1132 | Data Encoding |
| AC-4 | Information Flow Enforcement | Protects | T1132.001 | Standard Encoding |
| AC-4 | Information Flow Enforcement | Protects | T1132.002 | Non-Standard Encoding |
| AC-4 | Information Flow Enforcement | Protects | T1134.005 | SID-History Injection |
| AC-4 | Information Flow Enforcement | Protects | T1136 | Create Account |
| AC-4 | Information Flow Enforcement | Protects | T1136.002 | Domain Account |
| AC-4 | Information Flow Enforcement | Protects | T1136.003 | Cloud Account |
| AC-4 | Information Flow Enforcement | Protects | T1187 | Forced Authentication |
| AC-4 | Information Flow Enforcement | Protects | T1204.001 | Malicious Link |
| AC-4 | Information Flow Enforcement | Protects | T1204.003 | Malicious Image |
| AC-4 | Information Flow Enforcement | Protects | T1213 | Data from Information Repositories |
| AC-4 | Information Flow Enforcement | Protects | T1213.001 | Confluence |
| AC-4 | Information Flow Enforcement | Protects | T1213.002 | Sharepoint |
| AC-4 | Information Flow Enforcement | Protects | T1484 | Domain Policy Modification |
| AC-4 | Information Flow Enforcement | Protects | T1489 | Service Stop |
| AC-4 | Information Flow Enforcement | Protects | T1498 | Network Denial of Service |
| AC-4 | Information Flow Enforcement | Protects | T1505.004 | IIS Components |
| AC-4 | Information Flow Enforcement | Protects | T1552 | Unsecured Credentials |
| AC-4 | Information Flow Enforcement | Protects | T1552.001 | Credentials In Files |
| AC-4 | Information Flow Enforcement | Protects | T1557.002 | ARP Cache Poisoning |
| AC-4 | Information Flow Enforcement | Protects | T1559.001 | Component Object Model |
| AC-4 | Information Flow Enforcement | Protects | T1563 | Remote Service Session Hijacking |
| AC-4 | Information Flow Enforcement | Protects | T1563.002 | RDP Hijacking |
| AC-4 | Information Flow Enforcement | Protects | T1564.008 | Email Hiding Rules |
| AC-4 | Information Flow Enforcement | Protects | T1566 | Phishing |
| AC-4 | Information Flow Enforcement | Protects | T1566.001 | Spearphishing Attachment |
| AC-4 | Information Flow Enforcement | Protects | T1566.003 | Spearphishing via Service |
| AC-4 | Information Flow Enforcement | Protects | T1567.001 | Exfiltration to Code Repository |
| AC-4 | Information Flow Enforcement | Protects | T1568 | Dynamic Resolution |
| AC-4 | Information Flow Enforcement | Protects | T1571 | Non-Standard Port |
| AC-4 | Information Flow Enforcement | Protects | T1572 | Protocol Tunneling |
| AC-4 | Information Flow Enforcement | Protects | T1573 | Encrypted Channel |
| AC-4 | Information Flow Enforcement | Protects | T1573.001 | Symmetric Cryptography |
| AC-4 | Information Flow Enforcement | Protects | T1573.002 | Asymmetric Cryptography |
| AC-4 | Information Flow Enforcement | Protects | T1574.004 | Dylib Hijacking |
| AC-4 | Information Flow Enforcement | Protects | T1574.005 | Executable Installer File Permissions Weakness |
| AC-4 | Information Flow Enforcement | Protects | T1574.008 | Path Interception by Search Order Hijacking |
| AC-4 | Information Flow Enforcement | Protects | T1574.009 | Path Interception by Unquoted Path |
| AC-4 | Information Flow Enforcement | Protects | T1574.010 | Services File Permissions Weakness |
| AC-4 | Information Flow Enforcement | Protects | T1598 | Phishing for Information |
| AC-4 | Information Flow Enforcement | Protects | T1598.001 | Spearphishing Service |
| AC-4 | Information Flow Enforcement | Protects | T1598.002 | Spearphishing Attachment |
| AC-4 | Information Flow Enforcement | Protects | T1599.001 | Network Address Translation Traversal |
| AC-4 | Information Flow Enforcement | Protects | T1601 | Modify System Image |
| AC-4 | Information Flow Enforcement | Protects | T1601.001 | Patch System Image |
| AC-4 | Information Flow Enforcement | Protects | T1601.002 | Downgrade System Image |
| AC-4 | Information Flow Enforcement | Protects | T1602 | Data from Configuration Repository |
| AC-4 | Information Flow Enforcement | Protects | T1602.001 | SNMP (MIB Dump) |
| AC-4 | Information Flow Enforcement | Protects | T1003.001 | LSASS Memory |
| AC-4 | Information Flow Enforcement | Protects | T1046 | Network Service Scanning |
| AC-4 | Information Flow Enforcement | Protects | T1068 | Exploitation for Privilege Escalation |
| AC-4 | Information Flow Enforcement | Protects | T1133 | External Remote Services |
| AC-4 | Information Flow Enforcement | Protects | T1199 | Trusted Relationship |
| AC-4 | Information Flow Enforcement | Protects | T1212 | Exploitation for Credential Access |
| AC-4 | Information Flow Enforcement | Protects | T1482 | Domain Trust Discovery |
| AC-4 | Information Flow Enforcement | Protects | T1528 | Steal Application Access Token |
| AC-4 | Information Flow Enforcement | Protects | T1530 | Data from Cloud Storage Object |
| AC-4 | Information Flow Enforcement | Protects | T1552.007 | Container API |
| AC-4 | Information Flow Enforcement | Protects | T1557 | Adversary-in-the-Middle |
| AC-4 | Information Flow Enforcement | Protects | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
| AC-4 | Information Flow Enforcement | Protects | T1566.002 | Spearphishing Link |
| AC-4 | Information Flow Enforcement | Protects | T1598.003 | Spearphishing Link |
| AC-4 | Information Flow Enforcement | Protects | T1599 | Network Boundary Bridging |
| AC-4 | Information Flow Enforcement | Protects | T1611 | Escape to Host |
| AC-4 | Information Flow Enforcement | Protects | T1204 | User Execution |
| AC-4 | Information Flow Enforcement | Protects | T1204.002 | Malicious File |
| AC-4 | Information Flow Enforcement | Protects | T1557.003 | DHCP Spoofing |
| AC-4 | Information Flow Enforcement | Protects | T1609 | Container Administration Command |
| AC-4 | Information Flow Enforcement | Protects | T1622 | Debugger Evasion |
| AC-4 | Information Flow Enforcement | Protects | T1205.002 | Socket Filters |