How they apply to your organization based on laws, sensitive information, contracts, industry, and geography.
What overlaps exist between them and what processes can satisfy multiple requirements?
Be sure to adopt the strictest guidance for your initiatives. The strictest and most comprehensive requirement should always win since it will exceed any looser requirements.
Scoping is critical. Just applying the rules to sensitive systems is often not enough to provide good security. Consider the effort and cost of increasing the scope to mitigate risks through any connected system that could affect the legislatively required scope.
Keep in mind that any regulatory compliance requirements are the absolute minimum your organization should be doing. If you are not meeting the minimums, or have lapses in the requirements, you are the low-hanging fruit a threat actor is seeking, and slowest individual being pursued by the bear.
Payment Card Industry (PCI)
Was created to increase controls around cardholder data to reduce credit card fraud
Has become a de facto standard for protecting access to personally identifiable information (PII), especially in the retail industry
Is mandated by the card issuers
Is administered by the Payment Card Industry Security Standards Council (PCI SSC)
Organizations face several challenges when working to prove their compliance with PCI DSS. The largest organizations are challenged with assessments that are conducted annually by a Qualified Security Assessor (QSA) who creates a Report on Compliance (ROC). And although compliance with PCI DSS is not required by federal law in the United States, the laws of some states either refer to PCI DSS directly or make equivalent provisions. If an organization has been breached and was not in compliance with PCI, the card issuers can impose significant financial penalties on the merchant. Since it is the responsibility of the merchant to achieve, demonstrate, and maintain their compliance at all times during the annual assessment, best practice for PCI DSS compliance is to continually improve processes to ensure ongoing compliance, rather than treating compliance as a point-in-time project. Naturally, this can create a tremendous resource drain on technology- and security-oriented teams.
PCI DSS Requirements, High-Level Overview
HIPAA
Enacted by the US Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) provides provisions to protect health insurance coverage for workers and their families when they change or lose their jobs. HIPAA requires the establishment of national standards for electronic healthcare transactions and national identifiers for providers, health insurance plans, and employers. HIPAA has become a de facto standard for protecting the privacy and security of personally identifiable information (PII) in the healthcare industry.
Administrative Safeguards: Policies and procedures designed to clearly show how the entity will comply with the act
Physical Safeguards: Controlling physical access to protect against inappropriate access to protected data
Technical Safeguards: Controlling access to computer systems and enabling covered entities to protect communications containing PHI (protected health information) transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
HIPAA Requirements That Can Be Addressed with PAM
HIPAA STANDARD | REF | PM | EPM | SRA |
|---|---|---|---|---|
Security Management Process | 164.308(a)(1) | √ | √ | √ |
Assigned Security Responsibility | 164.308(a)(2) | √ | √ | √ |
Workforce Security | 164.308(a)(3) | √ | √ | √ |
Information Access Management | 164.308(a)(4) | √ | √ | √ |
Security Incident Procedures | 164.308(a)(6) | √ | ||
Contingency Plans | 164.308(a)(7) | √ | ||
Business Associate Contracts and Other Arrangements | 164.308(b)(1) | √ | √ | |
Facility Access Controls | 164.310(a)(1) | √ | √ | |
Workstation Use | 164.310(b) | √ | √ | √ |
Workstation Security | 164.310(c) | √ | √ | |
Device and Media Controls | 164.310(d)(1) | √ | √ | |
Access Control | 164.312(a)(1) | √ | √ | √ |
Audit Controls | 164.312(b) | √ | √ | √ |
Integrity | 164.312(c)(1) | √ | √ | √ |
Person or Entity Authentication | 164.312(d) | √ | √ | √ |
Transmission Security | 164.312(e)(1) | √ | ||
Business Associate Contracts or Other Arrangements | 164.314(a)(1) | √ | √ | √ |
SOX
In July 2002, the US Congress passed the Sarbanes-Oxley Act (“SOX”), which was primarily designed to restore investor confidence following well-publicized bankruptcies that brought chief executives, audit committees, and independent auditors under heavy scrutiny. The act applies to all publicly registered companies under the jurisdiction of the Securities and Exchange Commission (SEC). Financial data and documentation are at the heart of the compliance issue, and within the legislation, SOX Section 404: Assessment of Internal Controls defines vulnerability and privileged access management as a business requirement. This helps a business understand the flow of transactions, including IT aspects, to identify points at which a misstatement could arise, and evaluate controls designed to prevent or detect fraud. The latter places privileges as an attack vector and session monitoring clearly in focus for fraud detection and prevention.
GLBA
Subtitle A: Disclosure of Nonpublic Personal Information—Constructing a thorough [risk management] on each department handling the nonpublic information
Subtitle B: Fraudulent Access to Financial Information—Social engineering occurs when someone tries to gain access to personal nonpublic information without proper authority
NIST
NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, was developed by a joint task force composed of representatives from NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems. This interagency partnership formed in 2009.
This guide delivers a holistic approach to information security and risk management by providing organizations with a comprehensive set of security controls essential to fundamentally strengthen their information systems, as well as the environments in which they operate. The resulting systems are more resilient in the face of threats and cyberattacks. NIST SP 800-53 outlines a “Build It Right” strategy combined with various security controls for continuous monitoring and strives to provide the senior leaders of organizations information in near real-time to support making risk-based decisions related to their critical missions.
Controlling and monitoring privileged access is extremely important for mitigating the risks posed by insider threats, preventing data breaches, and meeting compliance requirements. With that being said, security and IT leaders should walk a fine line between protecting the organization’s critical data to ensure business continuity and enable users and administrators to be productive.
The NIST publication recognizes this dilemma and formalizes separation of duties, change control, and privileged session auditing. This clearly defines how an organization should manage access and when. Unfortunately, the size and scope of actual PAM mappings to NIST 800-53 is enormous. If your organization has NIST requirements, please consider external consultants (or in-house expertise if you have the resources) to map your business requirements to contracts and actual deliverables. The scope may even include your supply chain and be completely outside of your control, except for contractually-based audits.
ISO
The International Organization for Standardization (ISO) has established guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined in ISO 27002:2013(E) provide general guidance on the commonly accepted goals of information security management.
The control objectives and controls in ISO 27002 are intended to be implemented to meet the requirements identified by a risk assessment. ISO 27002 can serve as a practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in interorganizational activities.
PAM Mappings for ISO 27002:2013(E)
6 ORGANIZATION OF INFORMATION SECURITY | PM | EPM | SRA | ||
|---|---|---|---|---|---|
6.1 INTERNAL ORGANIZATION | |||||
6.1.1 Information security roles and responsibilities | √ | √ | √ | ||
6.1.2 Segregation of duties | √ | √ | √ | ||
6.1.5 Information security in project management | √ | √ | √ | ||
6.2 MOBILE DEVICES AND TELEWORKING | |||||
6.2.2 Teleworking | √ | √ | √ | ||
8 ASSET MANAGEMENT | |||||
8.1 RESPONSIBILITY FOR ASSETS | |||||
8.1.3 Acceptable use of assets | √ | √ | |||
8.2 INFORMATION CLASSIFICATION | |||||
8.2.3 Handling of assets | √ | ||||
9 ACCESS CONTROL | |||||
9.1 BUSINESS REQUIREMENT OF ACCESS CONTROL | |||||
9.1.1 Access control policy | √ | √ | √ | ||
9.1.2 Access to networks and network services | √ | √ | √ | ||
9.2 USER ACCESS MANAGEMENT | |||||
9.2.1 User registration and deregistration | √ | √ | |||
9.2.2 User access provisioning | √ | √ | √ | ||
9.2.3 Management of privilege access rights | √ | √ | √ | ||
9.2.4 Management of secret authentication information of users | √ | √ | |||
9.2.5 Review of user access rights | √ | √ | √ | ||
9.3 USER RESPONSIBILITIES | |||||
9.3.1 Use of secret authentication information | √ | √ | |||
9.4 SYSTEM AND APPLICATION ACCESS CONTROL | |||||
9.4.1 Information access restriction | √ | √ | √ | ||
9.4.2 Secure logon procedures | √ | √ | √ | ||
9.4.3 Password management system | √ | √ | √ | ||
9.4.4 Use of privileged utility programs | √ | √ | √ | ||
9.4.5 Access control program source code | √ | ||||
10 CRYPTOGRAPHY | |||||
10.1 CRYPTOGRAPHIC CONTROLS | |||||
10.1.2 Key management | √ | ||||
12 OPERATIONS SECURITY | |||||
12.1 OPERATIONAL PROCEDURES AND RESPONSIBILITIES | |||||
12.1.2 Change management | √ | √ | √ | ||
12.4 LOGGING AND MONITORING | |||||
12.4.1 Event logging | √ | √ | √ | ||
12.4.2 Protection of log information | √ | √ | |||
12.4.3 Administrator and operator logs | √ | √ | |||
12.5 CONTROL OF OPERATIONAL SOFTWARE | |||||
12.5.1 Installation of software on operational systems | √ | √ | √ | ||
12.7 INFORMATION SYSTEMS AUDIT CONSIDERATIONS | |||||
12.7.1 Information systems audit controls | √ | √ | √ | ||
13 COMMUNICATIONS SECURITY | |||||
13.1 NETWORK SECURITY MANAGEMENT | |||||
13.1.1 Network controls | √ | √ | |||
13.1.2 Security of network services | √ | √ | |||
13.1.3 Segregation in networks | √ | √ | √ | ||
14 SYSTEM ACQUISITION, DEVELOPMENT, AND MAINTENANCE | |||||
14.2 SECURITY IN DEVELOPMENT AND SUPPORT PROCESSES | |||||
14.2.1 Secure development policy | √ | √ | √ | ||
14.2.6 Secure development environment | √ | √ | √ | ||
14.3 TEST DATA | |||||
14.3.1 Protection of test data | √ | √ | √ | ||
16 INFORMATION SECURITY INCIDENT MANAGEMENT | |||||
16.1 MANAGEMENT OF INFORMATION SECURITY INCIDENTS AND IMPROVEMENTS | |||||
16.1.2 Reporting information security events | √ | √ | √ | ||
16.1.3 Reporting information security weaknesses | √ | √ | √ | ||
16.1.7 Collection of evidence | √ | √ | √ | ||
17 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT | |||||
17.1 INFORMATION SECURITY CONTINUITY | |||||
17.1.2 Implementing information security continuity | √ | √ | √ | ||
17.1.3 Verify, review, and evaluate information security continuity | √ | √ | √ | ||
18 COMPLIANCE | |||||
18.1 COMPLIANCE WITH LEGAL AND CONTRACTUAL REQUIREMENTS | |||||
18.1.2 Intellectual property rights | √ | √ | √ | ||
18.1.3 Protection of records | √ | √ | √ | ||
18.2 INFORMATION SECURITY REVIEWS | |||||
18.2.1 Independent review of information security | √ | √ | √ | ||
18.2.2 Compliance with security policies and standards | √ | √ | √ | ||
18.2.3 Technical compliance review | √ | √ | √ | ||
Security best practices have been adopted in almost every regulation and framework. ISO 27002 is no different when monitoring and managing privileges, and sessions form a fundamental part of managing the privileged attack vector and thwarting threat actors. Mapping these controls to your privileged access management deployment will help close off many of the attack vectors that we have discussed.
GDPR
The General Data Protection Regulation (GDPR) is one of the most important movements in the area of data protection in recent years. It was passed into European Union (EU) law on April 28, 2016, and became enforceable on May 25, 2018. Over several hundred million dollars in fines have already been levied for GDPR violations since the law went into effect.
In summary, the GDPR defines controls around how organizations store and process the personal data of EU citizens, irrespective of where the organization is based, owned, or operating. Anyone storing or processing the personal data of an EU citizen must comply with the GDPR or face significant fines in the event of a failed audit or data breach. Those fines can be up to 4% of the organization’s global turnover, or €10m, whichever is greater. With this level of impact, it is vital that all organizations understand their obligations under the GDPR and take appropriate measures to ensure they are compliant by demonstrating that the proper controls are in place to protect information.
Material Scope: How data is processed
Territorial Scope: Where data is processed
In material terms, GDPR applies to the processing of personal data wholly or partly by automated (electronically) means and to processing other than by automated means, that is, as part of a paper or manual filing system. Processing related to the prevention, investigation, detection, or prosecution of criminal offenses, execution of penalties, and safeguarding public security is excluded from the GDPR. This is an important differentiation since law enforcement and their investigations are not participatory entities and may have exclusions when collecting personal data from organizations normally governed by GDPR.
In territorial terms, GDPR applies to the processing of personal data for data subjects who are in the European Union (EU)—in particular, when related to the offering of goods and services (irrespective of whether payment is required) and monitoring of their personal behavior. The regulation also applies to the processing of data by a controller wherever Member State law applies, through public international law.
Consent of the Data Subject: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Beyond the pure collection and processing of personal data, the GDPR also lays out specific requirements around the consent of the data subject for both the collection and processing of their data. This consent requires affirmation by the data subject to show consent to each form of processing the collected data will undergo; consent can no longer be given in a blanket manner, that is, covering multiple processes. Consent can also be withdrawn at any time by the data subject. For more detailed information, see Article 7 of the GDPR.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed. The regulation provides a much stronger response to personal data breaches than previous directives and regional legislations. It requires that the controller notify the supervisory authority of any personal data breach no later than 72 hours after having become aware of the breach. If the notification cannot be given within 72 hours, the controller will be required to provide the reasons for the delay. If the controller can demonstrate that the breach is unlikely to result in a risk to the rights and freedoms of the natural persons whose data has been breached, the need for notification within the timeframe is removed, but notification must still be made.
Accountability: The GDPR also defines clear accountability for the controller over the management of personal data. The controller must ensure that data is processed lawfully, fairly, and transparently; that data is only collected for specified, explicit, and legitimate purposes and adequate, relevant, and limited to only what’s necessary for the consented processing. The controller is also responsible for ensuring the personal data is accurate and, where necessary, kept up-to-date. The data should also be kept for no longer than is necessary for the purposes for which the personal data is processed. Also, the data must be processed in a manner that ensures appropriate security of the personal data, for example, not allowing it to be subject to a personal data breach. As a controller, you have responsibility for, and must be able to demonstrate, compliance with the defined regulation. As is clear from this, you must have control over who has access to personal data, when they accessed the data, and what was done with the data. Also, as far as possible, it’s also vital to ensure that there are no opportunities for unauthorized access to the personal data. This is where privileged access management becomes a critical component of your GDPR strategy.
A privileged password management solution can help control who has access to operating systems, applications, databases, infrastructure, and cloud resources and provide attestation reporting on complete session activity to avoid inappropriate activity and access at a controller.
Server least privilege management solutions can manage privileged access to commands and applications, eliminating the need for root access and sudo.
Endpoint least privilege management solutions can anonymize data collected around user and administrative activity, ensuring data cannot be linked to individuals within a single data store.
Remote access solutions can regulate and authorize access at a controller to sensitive data stores to prevent unauthorized access that might lead to a breach.
CCPA
The California Consumer Privacy Act (CCPA) has been quoted as the beginning of America’s GDPR-type data privacy laws. Similar to the GDPR, the CCPA requires organizations to focus first on consumer data in 2020 and then personal data shared between businesses in 2021. It requires organizations to provide transparency in how they are collecting, sharing, and using personal information based on an individual’s request. And remember, a privileged account typically can access this data en masse, making it relevant, from an incident or breach perspective, to secure.
A Comparison of GDPR to CCPA
Governance | GDPR | CCPA |
|---|---|---|
Scope | All personal data collected for European Union citizens | All California residents whose personal data is collected after January 2020 and for business-to-business data, starting January 2021 |
Right to Access | An individual has the right to review all European Union personal data processed for an individual | An individual has the right to access personal data in scope collected for the last 12 months with restrictions imposed on whether the data was stored, sold, or transferred between organizations |
Right to Portability | Data must be able to import and export in a user-friendly format. This is similar to US HIPAA regulations | All individual access requests must be exportable in a user-friendly format, but there is no requirement for importing data |
Right to Remediate | An individual reserves the right to correct and verify any personnel European Union data that has been collected | CCPA lacks a corrective actions provision for personal data |
Right to Halt Processing | An individual has the right to withdraw consent or stop processing, within an entity, of personally collected data | An individual has the right to “opt-out” of selling personal data and businesses must provide an opt-out link or procedure on their website or through a similar data collection vehicle |
Right to Stop Automation | An individual has the right to enforce a human decision in an automated process that may have a legal effect for the inquiring party | CCPA has no provisions to stop automated decision-making |
Right to Stop Information Sharing | An individual has the right to request the halting of third-party data transfers based on a specific category of data | An individual has the right to “opt-out” of selling their personal information to third parties |
Right to Information Erasure | A European Union citizen can request the right to erase personal data if specific conditions are met | An individual has the right to erase personally collected data only under specific conditions |
Individual Damages | No limits to pursue damages based on actions | Each consumer breach is limited to a minimum of $100 and a maximum of $750 per data breach event |
Enforcement Penalties | Global annual revenue is capped at 4% | Regulator penalties are limited to $2500 for unintentional violations and $7500 for intentional violations |
ASD
The Australian Signals Directorate (ASD) has developed a list of strategies to mitigate targeted cyber intrusions. The recommended mitigation strategies were developed in 2014 through ASD’s extensive experience in operational cybersecurity, including responding to serious cyber intrusions and performing vulnerability assessments and penetration testing for Australian Government Agencies.
In 2017, the ASD expanded the Top 4 recommendations to contain the Essential Eight. The dynamic nature of cybersecurity required a course correction to address the latest threats, like ransomware. Businesses and governments are accustomed to broad stroke changes occurring every few years, but rarely are recommendations made that are very precise to manage specific threats. The Essential Eight are the following:
- 1.
Application whitelisting of permitted/trusted programs, to prevent the execution of malicious or unapproved programs, including executables, scripts, and installers.
- 2.
Patch applications—for example, Java, PDF viewer, Flash, web browsers, and Microsoft Office. Patch/mitigate systems with “extreme risk” vulnerabilities within 2 days. Use the latest version of applications.
- 3.
Patch operating system vulnerabilities. Patch/mitigate systems with “extreme risk” vulnerabilities within 2 days. Use the latest suitable operating system version. Avoid Microsoft Windows XP.
- 4.
Restrict administrative privileges to operating systems and applications based on user duties. Such users should use a separate unprivileged account for email and web browsing.
- 5.
Disable untrusted Microsoft Office Macros, so malware cannot run unauthorized routines.
- 6.
Block web browser access to Adobe Flash, web advertisements, and untrusted Java code on the Internet. If possible, uninstall all browser plug-ins that are not required.
- 7.
Apply multi-factor authentication for all systems when possible to make it harder for an adversary to access a system and information.
- 8.
Perform daily backup of important data securely and offline to ensure even if data is compromised, protected versions are available for recovery.
Based on a threat actor’s methods to gain privileges, these recommendations are completely in line with the threats solved by privileged access management. The privileged attack vector mitigation is included in the Top 4 and Essential Eight (5–7) and represents a refined strategy to stop threats worldwide. Number eight is a backup discipline and is not a privileged attack vector. It can, however, be used for remediation for attacks like ransomware.
MAS
The Monetary Authority of Singapore (MAS) was founded in 1971 to oversee various monetary functions associated with financial and banking institutions. Throughout the years, their guidelines have been revised to manage emerging technologies and the evolving threat landscape. In June 2013, the MAS created a new set of guidelines for Internet Banking and Technology Risk Management (IBTRM). This addendum mandated certain requirements for Technology Risk Management (TRM) and contained a set of guidelines as well (TRM Guidelines), along with errata notices (TRM Notices).
The TRM Guidelines are statements of industry best practices to which financial institutions are expected to adhere. The guidance is not legally binding, but is used by MAS in risk assessment audits of financial institutions.
Section 4: Technology Risk Framework
Section 6: Acquisition and Development of Information Systems
Section 9: Operational Infrastructure Security Management
Section 11: Access Control
SWIFT
- Secure Your Environment
Restrict Internet Access
Protect Critical Systems from General IT Environment (Lateral Movement)
Reduce Attack Surface and Vulnerabilities
Physically Secure the Environment
- Know and Limit Access
Prevent Compromise of Credentials
Manage Identities and Segregate Privileges (PAM)
- Detect and Respond
Detect Anomalous Activity to Systems or Transaction Records
Plan for Incident Response and Information Sharing
1.1 Operating System Privileged Account Control
2.1 Internal Data Flow Security
2.2 Security Updates
2.3 System Hardening
2.6 Operator Session Confidentiality and Integrity
2.8 Critical Activity Outsourcing
4.1 Password Policy
4.2 Multi-Factor Authentication
5.1 Logical Access Control
5.4 Physical and Logical Password Storage
6.2 Software Integrity
6.4 Logging and Monitoring
Organizations can address their compliance and security requirements as defined in the SWIFT Customer Security Controls Framework by implementing PAM solutions. Please note, if your organization currently adheres to the NIST Cybersecurity Framework, ISO 27002, or PCI DSS, SWIFT provides mappings to other frameworks to expedite compliance verification and to help avoid duplication of efforts in attestation reporting.
MITRE ATT&CK
While technically not a regulatory compliance framework, the MITRE ATT&CK1 knowledge base is designed to help third parties discover, prioritize, categorize, and recommend strategies for threat remediation. It is a practical structure based on real-world attacks that are categorized by operating system, privileges, method, and technical details for classes of attack vectors. Not surprisingly, the vast majority of attacks can be mitigated by privileged access management solutions, especially when password management, endpoint least privileged management, and remote access capabilities are used in concert. Organizations are using the knowledge base as a guide to prove their risk mitigation strategies actually meet compliance objectives for risk reduction.
Initial Access (TA0001): Represents the vectors adversaries use to gain an initial foothold within a network.
Execution (TA0002): Represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with initial access as the means of executing code once access is obtained, and lateral movement to expand access to remote systems on a network.
Persistence (TA0003): Any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.
Privilege Escalation (TA0004): The result of actions that allows an adversary to obtain a higher level of permissions on a system or network. Certain tools or actions require a higher level of privilege to work and are likely necessary at many points throughout an operation. Adversaries can enter a system with unprivileged access and must take advantage of a system weakness to obtain local administrator or SYSTEM/root-level privileges. A user account with administrator-like access can also be used. User accounts with permissions to access specific systems or perform specific functions necessary for adversaries to achieve their objective may also be considered an escalation of privilege.
Defense Evasion (TA0005): Consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.
Credential Access (TA0006): Represents techniques resulting in access to or control over system, domain, or service credentials that are used within an enterprise environment. Adversaries will likely attempt to obtain legitimate credentials from users or administrator accounts (local system administrator or domain users with administrator access) to use within the network. This allows the adversary to assume the identity of the account, with all of that account’s permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.
Discovery (TA0007): Consists of techniques that allow the adversary to gain knowledge about the system and internal network. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system provides many native tools that aid in this post-compromise information-gathering phase.
Lateral Movement (TA0008): Consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.
Collection (TA0009): Consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
Exfiltration (TA0010): Refers to techniques and attributes that result or aid in the adversary removing files and information from a target network. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.
Command and Control (TA0011): Represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication.
Impact (TA0040): The adversary is trying to manipulate, interrupt, or destroy your systems and data. Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach.
While each Enterprise Tactic is comprised of multiple Technique IDs,3 the detection, privileges, and mitigation detail provide a blueprint for using a tool, solution, policy, or configuration change to thwart each item as an attack vector. This alone is why many organizations embrace the MITRE ATT&CK framework, because it provides real-world guidance vs. theoretical aspirations like many legally binding regulatory compliance frameworks. And, if you manage to implement privilege security controls based on these real-world threats, it demonstrates compliance for many other regulatory initiatives.