Question 3: What are we going to do about it?
Now that we have a prioritized list of TTPs that our adversaries will likely use against our specific tech platform(s), we need to identify how the existing security measures of those platforms mitigate them. This section provides a guide to using the Center’s Mappings Explorer website to identify which existing security capabilities within your environment are mapped to the threats you’re concerned about. If the Explorer’s existing mappings don’t fit your needs, this section also introduces a process for mapping security controls and capabilities, native to a technology platform or mapping framework, to ATT&CK TTPs. These resources can be used to understand, assess, and record the real-world threats that the security controls within your technology platform are able to mitigate. Using these mappings, we can prioritize defensive investments against high-priority TTPs targeting our technology platforms. Continuing with the AMPS example from Question 2, we will see which of the TTPs identified within our Azure attack tree branch are mitigated, by leveraging the Azure mapping within Mappings Explorer.
Mappings Explorer Overview
The Center provides a collection of mappings connecting security capabilities to the MITRE ATT&CK® framework through Mappings Explorer. This website hosts a collection of open, independently developed mappings products, tools, and resources. These mappings form a bridge between the threat-informed approach to cybersecurity (Question 2) and the traditional security controls perspective. Mappings Explorer enables cyber defenders to understand how security controls and capabilities map onto adversary behaviors catalogued in the ATT&CK knowledge base. The website presents security control mappings and threat and mitigation data in user-friendly ways. This enables the exploration of adversary techniques and the corresponding mapped capabilities across platforms and frameworks. The mappings provided in Mappings Explorer are designed to provide independent data on which native security capabilities are most useful in defending against specific adversary TTPs. You will need to decide what types of capability functions are applicable for implementation in your environment and meet your threat mitigation needs. The security capabilities of the following frameworks mapped to ATT&CK are freely and openly available:
You can use Mappings Explorer for many different purposes. In this document, we will focus on using the mappings to align cyber defenses to threats by identifying security capabilities mapped to detect, defend against, or respond to specific technology platform-based branches of our attack trees. Later in this section, we will use these resources to visualize and assess defensive coverage to identify deficiencies and plan policy and security capability implementation around adversary TTPs from Question 2.
Creating Security Capability Mappings
The Center uses a standard methodology to map security controls native to a technology platform to ATT&CK. As discussed previously, many of these mappings have already been done for you and are readily accessible in Mappings Explorer, referenced in the previous section. If your technology platform has not yet been mapped, the steps below provide a reusable method for using ATT&CK to determine the capabilities of a platform’s security offerings.
The methodology consists of the following basic steps:
Identify Platform Security Controls: Identify the native security controls available on the platform.
Review Security Capability: For each identified control, understand the security capabilities it provides.
Identify Mappable ATT&CK Techniques & Sub-techniques: Identify the ATT&CK techniques and sub-techniques mappable to the control.
Assess and Score Control Effectiveness: Assess the effectiveness of the type of protection the control provides (protect, detect, or respond) for the identified ATT&CK techniques and sub-techniques.
Create a Mapping: Create a mapping based on the information gathered from the previous steps.
The full mapping methodology and scoring rubric are available on the Mappings Explorer website.
Creating Custom Mappings
For most users, the starting point should be Mappings Explorer, where mappings data relevant to your environment can be found and downloaded in spreadsheet or machine-readable formats. If you need to produce your own customized mappings data, you can apply the mapping methodology to the platform capabilities you have. If you are not using one of the mapping frameworks in the Mappings Explorer collection and instead plan to create a custom mapping for your technology platform, we recommend using the Center’s Mappings Editor tool and following its documentation to create new mappings.
Mappings Editor
Mappings Editor is an interactive, web-based tool created by the Center for creating and updating mappings of security capabilities to ATT&CK. At the time of publication, this tool is available as a public beta. Mappings Editor makes it quick and easy to create, edit, and review mappings and includes several features specially engineered to enhance the mapping process. The Editor is designed to streamline the creation of mapping files, which consist of one or more mappings that associate a security control, vulnerability, or capability with an adversary behavior catalogued by ATT&CK. Using the Mappings Editor, mapping files can be exported as ATT&CK Navigator layers or as .CSV, .JSON, .YAML, or Microsoft Excel (.XLSX) files. To learn more, visit the Mappings Editor wiki.
Mitigating Threats to AMPS
Continuing with the AMPS device scenario, we will be looking at the security capabilities native to the Azure cloud platform. Using Mappings Explorer, we can easily identify 48 Azure security capabilities mapped to ATT&CK techniques and sub-techniques, with a total of 978 mappings. Analyst attention can be focused on considering the applicability of these mapped security capabilities as mitigation options for the specific threats identified in Question 2. Azure security capability mappings fall under Security Stack Mappings, which include scoring assessments for each control’s ability to protect against, detect, and respond to TTPs. These assessments are provided to reflect the security capability’s functions and ability to mitigate the mapped threats. Azure mappings are provided for the following capability function areas:
Protect: capability limits or contains the impact of a (sub-)technique.
Detect: capability identifies the potential occurrence of a (sub-)technique.
Respond: capability provides actions to take for a detected (sub-)technique.
Typically, capability mappings scored as Partial or Significant effectiveness at mitigating the behavior described by a (sub-)technique should be considered for implementation. If you are inclined to include a capability scored as Minimal effectiveness, carefully consider whether it would actually be a practical means of mitigating the threat. Often, minimally scored controls could technically mitigate the behavior but would not be used for that purpose in the real world; in that case, the recommendation is to exclude the control. Using Mappings Explorer data and looking at each of the specific TTPs identified in Q2, we identify the Azure security capability mappings listed in the table below. Native Azure capabilities scored as significant or partial effectiveness for protecting against, detecting, or responding to the TTP are included, resulting in a total of 83 mappings. Note: the TTPs with strike-throughs are ones we did not score in Q2 due to time limitations, but these would typically be used too.
Table of Azure Capabilities Mappings by Technique
| ATT&CK (Sub-)Technique Name | ATT&CK ID | Mapping Category | Effectiveness Score | Azure Security Capability |
|---|---|---|---|---|
| Account Discovery | T1087 | detect | partial | Alerts for Windows Machines |
| Account Manipulation | T1098 | protect | partial | Azure AD Privileged Identity Management |
| Account Manipulation | T1098 | protect | partial | Role Based Access Control |
| Account Manipulation | T1098 | detect | partial | Microsoft Defender for Identity |
| Active Scanning | T1595 | protect | partial | Azure Firewall |
| Active Scanning | T1595 | protect | partial | Azure Web Application Firewall |
| Additional Cloud Credentials | T1098.001 | protect | significant | Azure AD Privileged Identity Management |
| Additional Cloud Credentials | T1098.001 | protect | partial | Role Based Access Control |
| Automated Collection | T1119 | protect | partial | Cloud App Security Policies |
| Automated Collection | T1119 | detect | partial | Cloud App Security Policies |
| Brute Force | T1110 | protect | significant | Azure AD Multi-Factor Authentication |
| Brute Force | T1110 | protect | significant | Conditional Access |
| Brute Force | T1110 | protect | significant | Just-in-Time VM Access |
| Brute Force | T1110 | protect | significant | Passwordless Authentication |
| Brute Force | T1110 | protect | partial | Azure Active Directory Password Protection |
| Brute Force | T1110 | protect | partial | Azure AD Identity Secure Score |
| Brute Force | T1110 | protect | partial | Azure AD Password Policy |
| Brute Force | T1110 | protect | partial | Azure Policy |
| Brute Force | T1110 | detect | significant | Azure Alerts for Network Layer |
| Brute Force | T1110 | detect | partial | Alerts for Windows Machines |
| Brute Force | T1110 | detect | partial | Azure Sentinel |
| Brute Force | T1110 | detect | partial | Cloud App Security Policies |
| Brute Force | T1110 | detect | partial | Linux auditd alerts and Log Analytics agent integration |
| Brute Force | T1110 | detect | partial | Microsoft Defender for Identity |
| Cloud Service Discovery | T1526 | protect | partial | Azure Policy |
| Cloud Service Discovery | T1526 | detect | partial | Azure Defender for Resource Manager |
| Cloud Service Discovery | T1526 | detect | partial | Cloud App Security Policies |
| Create Account | T1136 | detect | partial | Azure Sentinel |
| Data from Cloud Storage | T1530 | protect | partial | Azure Policy |
| Data from Cloud Storage | T1530 | protect | partial | Role Based Access Control |
| Data from Cloud Storage | T1530 | detect | significant | Azure Defender for Storage |
| Data from Cloud Storage | T1530 | detect | partial | Cloud App Security Policies |
| Exploit Public-Facing Application | T1190 | protect | significant | Azure Web Application Firewall |
| Exploit Public-Facing Application | T1190 | protect | partial | Azure Automation Update Management |
| Exploit Public-Facing Application | T1190 | protect | partial | Azure Defender for Kubernetes |
| Exploit Public-Facing Application | T1190 | protect | partial | Azure Policy |
| Exploit Public-Facing Application | T1190 | protect | partial | Integrated Vulnerability Scanner Powered by Qualys |
| Exploit Public-Facing Application | T1190 | detect | significant | Azure Web Application Firewall |
| Exploit Public-Facing Application | T1190 | detect | partial | Alerts for Windows Machines |
| Exploit Public-Facing Application | T1190 | detect | partial | Azure Defender for App Service |
| Exploit Public-Facing Application | T1190 | detect | partial | Azure Network Traffic Analytics |
| Exploitation for Credential Access | T1212 | protect | significant | Azure Automation Update Management |
| Exploitation for Credential Access | T1212 | protect | partial | Integrated Vulnerability Scanner Powered by Qualys |
| Exploitation for Credential Access | T1212 | detect | partial | Alerts for Windows Machines |
| Exploitation for Credential Access | T1212 | detect | partial | Azure Defender for App Service |
| File and Directory Permissions Modification | T1222 | detect | partial | File Integrity Monitoring |
| Gather Victim Network Information | T1590 | protect | partial | Azure Firewall |
| Gather Victim Network Information | T1590 | protect | partial | Azure Policy |
| Modify Authentication Process | T1556 | detect | partial | File Integrity Monitoring |
| Password Spraying | T1110.003 | respond | significant | Azure AD Identity Protection |
| Password Spraying | T1110.003 | protect | significant | Azure AD Multi-Factor Authentication |
| Password Spraying | T1110.003 | protect | significant | Conditional Access |
| Password Spraying | T1110.003 | protect | significant | Just-in-Time VM Access |
| Password Spraying | T1110.003 | protect | significant | Passwordless Authentication |
| Password Spraying | T1110.003 | protect | partial | Azure Active Directory Password Protection |
| Password Spraying | T1110.003 | protect | partial | Azure AD Identity Secure Score |
| Password Spraying | T1110.003 | protect | partial | Azure Policy |
| Password Spraying | T1110.003 | detect | significant | Alerts for Windows Machines |
| Password Spraying | T1110.003 | detect | significant | Azure Alerts for Network Layer |
| Password Spraying | T1110.003 | detect | significant | Microsoft Defender for Identity |
| Password Spraying | T1110.003 | detect | partial | Azure AD Identity Protection |
| Password Spraying | T1110.003 | detect | partial | Azure Sentinel |
| Password Spraying | T1110.003 | detect | partial | Cloud App Security Policies |
| Password Spraying | T1110.003 | detect | partial | Linux auditd alerts and Log Analytics agent integration |
| Remote System Discovery | T1018 | protect | partial | Azure Firewall |
| Steal Application Access Token | T1528 | protect | partial | Azure AD Identity Secure Score |
| Steal Application Access Token | T1528 | protect | partial | Azure Key Vault |
| Steal Application Access Token | T1528 | protect | partial | Cloud App Security Policies |
| Steal Application Access Token | T1528 | protect | partial | Role Based Access Control |
| Steal Application Access Token | T1528 | detect | partial | Cloud App Security Policies |
| Unsecured Credentials | T1522 | protect | partial | Azure Key Vault |
| Unused/Unsupported Cloud Regions | T1535 | protect | partial | Azure Policy |
| Unused/Unsupported Cloud Regions | T1535 | detect | partial | Cloud App Security Policies |
| Valid Accounts | T1078 | respond | partial | Azure AD Identity Protection |
| Valid Accounts | T1078 | detect | partial | Alerts for Windows Machines |
| Valid Accounts | T1078 | detect | partial | Azure AD Identity Protection |
| Valid Accounts | T1078 | detect | partial | Azure Sentinel |
| Valid Accounts | T1078 | detect | partial | Cloud App Security Policies |
| Vulnerability Scanning | T1595.002 | protect | partial | Azure Firewall |
| Vulnerability Scanning | T1595.002 | protect | partial | Azure Web Application Firewall |
| Vulnerability Scanning | T1595.002 | detect | partial | Azure Defender for App Service |
| Vulnerability Scanning | T1595.002 | detect | partial | Azure Sentinel |
| Vulnerability Scanning | T1595.002 | detect | partial | Azure Web Application Firewall |
The next table presents the same Azure security capability mappings, grouped by capability, that can provide mitigation for the ATT&CK TTPs identified in Q2. The included capabilities were scored as significant or partial effectiveness in their mapping category (protect, detect, or respond) for the mapped technique.
Table of Azure Capabilities Mappings by Capability
| Azure Security Capability | Mapping Category | Effectiveness Score | ATT&CK ID | ATT&CK (Sub-)Technique Name |
|---|---|---|---|---|
| Alerts for Windows Machines | detect | significant | T1110.003 | Password Spraying |
| Alerts for Windows Machines | detect | partial | T1087 | Account Discovery |
| Alerts for Windows Machines | detect | partial | T1110 | Brute Force |
| Alerts for Windows Machines | detect | partial | T1190 | Exploit Public-Facing Application |
| Alerts for Windows Machines | detect | partial | T1212 | Exploitation for Credential Access |
| Alerts for Windows Machines | detect | partial | T1078 | Valid Accounts |
| Azure Active Directory Password Protection | protect | partial | T1110 | Brute Force |
| Azure Active Directory Password Protection | protect | partial | T1110.003 | Password Spraying |
| Azure AD Identity Protection | respond | significant | T1110.003 | Password Spraying |
| Azure AD Identity Protection | respond | partial | T1078 | Valid Accounts |
| Azure AD Identity Protection | detect | partial | T1110.003 | Password Spraying |
| Azure AD Identity Protection | detect | partial | T1078 | Valid Accounts |
| Azure AD Identity Secure Score | protect | partial | T1110 | Brute Force |
| Azure AD Identity Secure Score | protect | partial | T1110.003 | Password Spraying |
| Azure AD Identity Secure Score | protect | partial | T1528 | Steal Application Access Token |
| Azure AD Multi-Factor Authentication | protect | significant | T1110 | Brute Force |
| Azure AD Multi-Factor Authentication | protect | significant | T1110.003 | Password Spraying |
| Azure AD Password Policy | protect | partial | T1110 | Brute Force |
| Azure AD Privileged Identity Management | protect | significant | T1098.001 | Additional Cloud Credentials |
| Azure AD Privileged Identity Management | protect | partial | T1098 | Account Manipulation |
| Azure Alerts for Network Layer | detect | significant | T1110 | Brute Force |
| Azure Alerts for Network Layer | detect | significant | T1110.003 | Password Spraying |
| Azure Automation Update Management | protect | significant | T1212 | Exploitation for Credential Access |
| Azure Automation Update Management | protect | partial | T1190 | Exploit Public-Facing Application |
| Azure Defender for App Service | detect | partial | T1190 | Exploit Public-Facing Application |
| Azure Defender for App Service | detect | partial | T1212 | Exploitation for Credential Access |
| Azure Defender for App Service | detect | partial | T1595.002 | Vulnerability Scanning |
| Azure Defender for Kubernetes | protect | partial | T1190 | Exploit Public-Facing Application |
| Azure Defender for Resource Manager | detect | partial | T1526 | Cloud Service Discovery |
| Azure Defender for Storage | detect | significant | T1530 | Data from Cloud Storage |
| Azure Firewall | protect | partial | T1595 | Active Scanning |
| Azure Firewall | protect | partial | T1590 | Gather Victim Network Information |
| Azure Firewall | protect | partial | T1018 | Remote System Discovery |
| Azure Firewall | protect | partial | T1595.002 | Vulnerability Scanning |
| Azure Key Vault | protect | partial | T1528 | Steal Application Access Token |
| Azure Key Vault | protect | partial | T1522 | Unsecured Credentials |
| Azure Network Traffic Analytics | detect | partial | T1190 | Exploit Public-Facing Application |
| Azure Policy | protect | partial | T1110 | Brute Force |
| Azure Policy | protect | partial | T1526 | Cloud Service Discovery |
| Azure Policy | protect | partial | T1530 | Data from Cloud Storage |
| Azure Policy | protect | partial | T1190 | Exploit Public-Facing Application |
| Azure Policy | protect | partial | T1590 | Gather Victim Network Information |
| Azure Policy | protect | partial | T1110.003 | Password Spraying |
| Azure Policy | protect | partial | T1535 | Unused/Unsupported Cloud Regions |
| Azure Sentinel | detect | partial | T1110 | Brute Force |
| Azure Sentinel | detect | partial | T1136 | Create Account |
| Azure Sentinel | detect | partial | T1110.003 | Password Spraying |
| Azure Sentinel | detect | partial | T1078 | Valid Accounts |
| Azure Sentinel | detect | partial | T1595.002 | Vulnerability Scanning |
| Azure Web Application Firewall | protect | significant | T1190 | Exploit Public-Facing Application |
| Azure Web Application Firewall | protect | partial | T1595 | Active Scanning |
| Azure Web Application Firewall | protect | partial | T1595.002 | Vulnerability Scanning |
| Azure Web Application Firewall | detect | significant | T1190 | Exploit Public-Facing Application |
| Azure Web Application Firewall | detect | partial | T1595.002 | Vulnerability Scanning |
| Cloud App Security Policies | protect | partial | T1119 | Automated Collection |
| Cloud App Security Policies | protect | partial | T1528 | Steal Application Access Token |
| Cloud App Security Policies | detect | partial | T1119 | Automated Collection |
| Cloud App Security Policies | detect | partial | T1110 | Brute Force |
| Cloud App Security Policies | detect | partial | T1526 | Cloud Service Discovery |
| Cloud App Security Policies | detect | partial | T1530 | Data from Cloud Storage |
| Cloud App Security Policies | detect | partial | T1110.003 | Password Spraying |
| Cloud App Security Policies | detect | partial | T1528 | Steal Application Access Token |
| Cloud App Security Policies | detect | partial | T1535 | Unused/Unsupported Cloud Regions |
| Cloud App Security Policies | detect | partial | T1078 | Valid Accounts |
| Conditional Access | protect | significant | T1110 | Brute Force |
| Conditional Access | protect | significant | T1110.003 | Password Spraying |
| File Integrity Monitoring | detect | partial | T1222 | File and Directory Permissions Modification |
| File Integrity Monitoring | detect | partial | T1556 | Modify Authentication Process |
| Integrated Vulnerability Scanner Powered by Qualys | protect | partial | T1190 | Exploit Public-Facing Application |
| Integrated Vulnerability Scanner Powered by Qualys | protect | partial | T1212 | Exploitation for Credential Access |
| Just-in-Time VM Access | protect | significant | T1110 | Brute Force |
| Just-in-Time VM Access | protect | significant | T1110.003 | Password Spraying |
| Linux auditd alerts and Log Analytics agent integration | detect | partial | T1110 | Brute Force |
| Linux auditd alerts and Log Analytics agent integration | detect | partial | T1110.003 | Password Spraying |
| Microsoft Defender for Identity | detect | significant | T1110.003 | Password Spraying |
| Microsoft Defender for Identity | detect | partial | T1098 | Account Manipulation |
| Microsoft Defender for Identity | detect | partial | T1110 | Brute Force |
| Passwordless Authentication | protect | significant | T1110 | Brute Force |
| Passwordless Authentication | protect | significant | T1110.003 | Password Spraying |
| Role Based Access Control | protect | partial | T1098 | Account Manipulation |
| Role Based Access Control | protect | partial | T1098.001 | Additional Cloud Credentials |
| Role Based Access Control | protect | partial | T1530 | Data from Cloud Storage |
| Role Based Access Control | protect | partial | T1528 | Steal Application Access Token |
Identify Areas of Risk
During this step of the process, we combine the scored threat TTPs compiled from the evidence and theory sections with the defensive capabilities mapped in the previous section. The example continues to focus on the Azure platform and the TTPs associated with possible threats against the AMPS device. This step results in up to three Navigator layers; the layers are optional and can be completed based on the needs of the organization. Start by creating two Navigator layers and overlaying them for a comprehensive view:
Layer 1: A visualization of the threat scoring determined in Question 2 (Figure below). To create this layer within Navigator, the following numbering is used:
Scoring:
5 = No theory, No evidence
4 = No theory, Some evidence or Some theory, No evidence
3 = No Theory, Strong Evidence or Some theory, Some Evidence or Strong theory, No evidence
2 = Some theory, Strong evidence or Strong theory, Some evidence
1 = Strong theory, Strong evidence
Example: T1556: Modify Authentication Process = Some theory, Some evidence = 3
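As an added example (not the Center’s or this report’s own code), the Python below turns the Question 2 scoring rubric and the effectiveness filtering described for the Azure mappings into one script: it parses mapping rows in the column layout of the table above, drops Minimal-scored rows, records the best protect/detect/respond coverage per technique, builds the Layer 1 Navigator layer, and applies an assumed overlay rule (a TTP scored 1 or 2 with no Significant capability in any category is still high risk). The CSV rows and threat assessments are constructed sample data, and the Navigator layer version key is an assumption.

```python
import csv
import io

# Q2 rubric: 5 minus one per level of theory and of evidence (none/none = 5, strong/strong = 1).
LEVELS = {"none": 0, "some": 1, "strong": 2}
RANK = {"minimal": 0, "partial": 1, "significant": 2}
CATEGORIES = ("protect", "detect", "respond")

# Constructed sample in the table's column order; rows 1-7 copied from it, row 8 is a made-up "minimal".
MAPPINGS_CSV = """\
technique_name,attack_id,mapping_category,effectiveness,capability
Password Spraying,T1110.003,protect,significant,Azure AD Multi-Factor Authentication
Password Spraying,T1110.003,detect,significant,Microsoft Defender for Identity
Password Spraying,T1110.003,respond,significant,Azure AD Identity Protection
Valid Accounts,T1078,respond,partial,Azure AD Identity Protection
Valid Accounts,T1078,detect,partial,Azure Sentinel
Unsecured Credentials,T1522,protect,partial,Azure Key Vault
Modify Authentication Process,T1556,detect,partial,File Integrity Monitoring
Modify Authentication Process,T1556,protect,minimal,Constructed Example Control
"""

# Constructed Question 2 assessments as (theory, evidence); T1556 is the page's own example.
THREATS = {
    "T1556": ("some", "some"),
    "T1078": ("strong", "strong"),
    "T1110.003": ("strong", "some"),
    "T1522": ("none", "strong"),
}


def threat_score(theory, evidence):
    """Navigator score (1-5) for a TTP from its theory/evidence assessment."""
    return 5 - LEVELS[theory] - LEVELS[evidence]


def load_mappings(csv_text, min_effectiveness="partial"):
    """Parse mapping rows, dropping any scored below the threshold (minimal by default)."""
    keep = RANK[min_effectiveness]
    return [r for r in csv.DictReader(io.StringIO(csv_text))
            if RANK[r["effectiveness"]] >= keep]


def coverage(mappings):
    """Best effectiveness per technique and category, e.g. cov["T1078"]["detect"]."""
    cov = {}
    for m in mappings:
        best = cov.setdefault(m["attack_id"], dict.fromkeys(CATEGORIES))
        cat, eff = m["mapping_category"], m["effectiveness"]
        if best[cat] is None or RANK[eff] > RANK[best[cat]]:
            best[cat] = eff
    return cov


def residual_high_risk(threats, cov, max_score=2):
    """Assumed overlay rule: TTPs scored 1-2 with no significant capability in any category."""
    flagged = []
    for tid, (theory, evidence) in threats.items():
        best = cov.get(tid, {})
        if threat_score(theory, evidence) <= max_score and not any(
                best.get(c) == "significant" for c in CATEGORIES):
            flagged.append(tid)
    return sorted(flagged)


def navigator_layer(threats, name="Q2 threat scoring"):
    """Layer 1 from the text: a Navigator layer carrying each TTP's 1-5 score."""
    return {
        "name": name,
        "versions": {"layer": "4.5"},  # layer format version is an assumption
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": tid, "score": threat_score(t, e),
                        "comment": f"{t} theory, {e} evidence"}
                       for tid, (t, e) in threats.items()],
    }
```

Serialize `navigator_layer(THREATS)` with `json.dumps` to get a file ATT&CK Navigator can open; on the sample data `residual_high_risk` reports only T1078, mirroring the Valid Accounts finding discussed in the next section.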
Implementing Mitigations to Risks
At this stage, by leveraging Mappings Explorer or crafting mappings of our own, we understand the mitigations within our environment and the degree to which each addresses the threats we are likely to face. By implementing the specific Azure controls that we’ve mapped to our relevant threat TTPs, we’ve significantly reduced the potential impact of an attack.
By reviewing our overlaid Navigator layers, we can see that several TTPs, such as “Valid Accounts” (T1078), remain a high risk to our system even with existing mitigations implemented within our Azure environment. Addressing these latent risks is a priority, and your team may already be aware of applicable controls. If you and your team can’t think of additional fixes for these threats, we recommend using the Center’s mappings of NIST SP 800-53. SP 800-53 is a catalog of security and privacy controls for information systems that, if implemented, can address the latent risk posed by our remaining threats.
The Valid Accounts technique (T1078), for example, is mapped to several 800-53 controls, including Information Exchange, Usage Restrictions, Boundary Protection, and many more. These controls represent best practices that can be adopted within your system to better protect against your remaining high-risk TTPs. In our case, one mitigation might be changing existing policies within the environment to achieve “least functionality.” This can be done by ensuring component functionality is limited to a single function per component, removing unused or unnecessary software, or limiting unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. These mitigations can be further tailored to fit your system by collaborating with your team on potential implementations.
This mapping gives us best practices derived from NIST 800-53 to implement additional protections tailored to the risks within our system. Tailored changes constitute our best approach for securing our system against potential exploits.