NIST 800-53 SI-14 Mappings

Implementation of non-persistent components and services mitigates risk from advanced persistent threats (APTs) by reducing the targeting capability of adversaries (i.e., window of opportunity and available attack surface) to initiate and complete attacks. By implementing the concept of non-persistence for selected system components, organizations can provide a trusted, known state computing resource for a specific time period that does not give adversaries sufficient time to exploit vulnerabilities in organizational systems or operating environments. Since the APT is a high-end, sophisticated threat with regard to capability, intent, and targeting, organizations assume that over an extended period, a percentage of attacks will be successful. Non-persistent system components and services are activated as required using protected information and terminated periodically or at the end of sessions. Non-persistence increases the work factor of adversaries attempting to compromise or breach organizational systems.

Non-persistence can be achieved by refreshing system components, periodically reimaging components, or using a variety of common virtualization techniques. Non-persistent services can be implemented by using virtualization techniques as part of virtual machines or as new instances of processes on physical machines (either persistent or non-persistent). The benefit of periodic refreshes of system components and services is that it does not require organizations to first determine whether compromises of components or services have occurred (something that may often be difficult to determine). The refresh of selected system components and services occurs with sufficient frequency to prevent the spread or intended impact of attacks, but not with such frequency that it makes the system unstable. Refreshes of critical components and services may be done periodically to hinder the ability of adversaries to exploit optimum windows of vulnerabilities.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
SI-14 Non-persistence Protects T1505 Server Software Component
SI-14 Non-persistence Protects T1546.003 Windows Management Instrumentation Event Subscription
SI-14 Non-persistence Protects T1547.004 Winlogon Helper DLL
SI-14 Non-persistence Protects T1547.006 Kernel Modules and Extensions
SI-14 Non-persistence Protects T1505.001 SQL Stored Procedures
SI-14 Non-persistence Protects T1505.002 Transport Agent
SI-14 Non-persistence Protects T1505.004 IIS Components