
NIST_CSF DE: DETECT


Adam Lundqvist
Founder at SQUR · last verified 2026-06-20

Regulation text

Possible cybersecurity attacks and compromises are found and analysed. DETECT enables the timely discovery and analysis of anomalies, indicators of compromise, and other potentially adverse events that may indicate that cybersecurity attacks and incidents are occurring.

ATT&CK techniques this article tests · 15

| Technique | Why it maps | Confidence |
| --- | --- | --- |
| T1009 | 1. Detection systems identify unusual web traffic patterns, suspicious downloads, or client-side exploit attempts. 2. Anomalies in network flows or endpoint activity indicate potential drive-by compromises, aligning with the DETECT function's goal of timely discovery. | 90% |
| T1035 | 1. Monitoring for new or modified service executions and unusual process parent-child relationships enables detection. 2. The DETECT function identifies suspicious service activity that indicates potential compromise. | 90% |
| T1004 | 1. Changes to Winlogon registry keys or suspicious DLL loads are monitored for detection. 2. The DETECT function identifies unauthorized modifications that establish persistence. | 80% |
| T1037.001 | 1. Modifications to logon scripts or unusual script execution are detected through system monitoring. 2. This control enables the discovery of persistence mechanisms established via logon scripts. | 80% |
| T1038 | 1. Unusual DLL loads, process injections, or file modifications are indicators for detection. 2. The DETECT function identifies attempts to hijack DLL search order for privilege escalation. | 80% |
| T1014 | 1. Kernel-level modifications, hidden processes, or unusual system calls are detected. 2. The DETECT function identifies rootkit presence, crucial for uncovering advanced defense evasion. | 90% |
| T1015 | 1. Detection systems monitor for API hooking, unusual code injection, or process memory modifications. 2. This enables the discovery of techniques used to evade security controls. | 80% |
| T1036.003 | 1. Renamed system binaries or execution from unusual paths are detected through process monitoring. 2. The DETECT function identifies masquerading attempts to hide malicious activity. | 90% |
| T1003.001 | 1. Process access to LSASS memory, specific API calls, or file access patterns are monitored. 2. This control facilitates the timely discovery of credential dumping attempts. | 90% |
| T1046 | 1. Network scanning activity, port sweeps, or unusual connection attempts are detected. 2. The DETECT function identifies reconnaissance efforts by adversaries mapping network services. | 90% |
| T1033 | 1. Command execution for user enumeration or unusual access to user directories is detected. 2. This enables the discovery of adversary attempts to understand system users and privileges. | 80% |
| T1021.001 | 1. Anomalous RDP logins, multiple failed attempts, or connections from unusual sources are detected. 2. The DETECT function identifies lateral movement attempts using remote desktop protocols. | 90% |
| T1005 | 1. Unusual file access, large data transfers, or staging activities are detected. 2. This control enables the discovery of data collection efforts on local systems. | 90% |
| T1011.001 | 1. Unusual outbound network connections, proxy configurations, or encrypted tunnels are detected. 2. The DETECT function identifies multi-hop proxy usage for command and control. | 80% |
| T1048.003 | 1. Large data transfers over non-standard ports or protocols are detected. 2. The DETECT function identifies exfiltration attempts using unencrypted, non-C2 channels. | 90% |

Defending mitigations · 6

| Mitigation | What it does | Confidence |
| --- | --- | --- |
| M1013 | 1. Centralised event log management ensures security events are collected and available for analysis. 2. Timely log aggregation enables rapid detection of anomalies and indicators of compromise, directly supporting the DETECT function. | 100% |
| M1015 | 1. Software configuration management establishes baselines for system components. 2. Deviations from these baselines are detected, indicating potential unauthorized changes or malicious activity, supporting the DETECT function. | 90% |
| M1016 | 1. Account use policies define expected user behavior and access patterns. 2. Anomalous account usage, such as logins from unusual locations or at odd hours, is detected against these policies. | 90% |
| M1028 | 1. Secure operating system configurations reduce the attack surface and provide better logging. 2. Deviations from these configurations are detected, indicating potential compromise or misconfiguration, aiding the DETECT function. | 90% |
| M1031 | 1. Network segmentation limits the scope of compromise and isolates critical assets. 2. Unauthorized communication attempts between segments are detected, indicating potential lateral movement. | 80% |
| M1047 | 1. Comprehensive auditing mechanisms record system and user activities. 2. These audit records provide essential data for the DETECT function to identify suspicious events and analyze potential attacks. | 100% |

Underlying weaknesses · 6

| CWE | Why it persists | Confidence |
| --- | --- | --- |
| CWE-778 | 1. Inadequate logging prevents the collection of critical security event data. 2. Without sufficient logs, detection systems lack the necessary information to identify attacks and compromises, directly hindering the DETECT function. | 100% |
| CWE-284 | 1. Improper access control allows unauthorized actions to occur without triggering alerts. 2. If an attacker gains access due to weak controls, their subsequent actions may appear legitimate, evading detection. | 90% |
| CWE-306 | 1. Missing authentication for critical functions means no user identity is recorded for access. 2. This absence of authentication data severely limits the ability of detection systems to attribute or flag suspicious activity. | 80% |
| CWE-200 | 1. Exposure of sensitive information can occur without specific detection mechanisms in place. 2. If detection systems are not configured to monitor for this specific type of data exposure, the compromise may go unnoticed. | 80% |
| CWE-668 | 1. Resources exposed to the wrong sphere can be accessed without triggering typical alerts. 2. This misconfiguration can lead to unauthorized access that bypasses expected detection points, hindering timely discovery. | 80% |
| CWE-78 | 1. Improper neutralization of OS command elements allows arbitrary command execution. 2. While execution may be detected, the underlying vulnerability makes it easier for attackers to bypass initial defenses, requiring robust detection to catch the resulting activity. | 70% |

What SQUR Covers

Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.

What SQUR Does Not Cover

Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.

Provenance

Mapped Q2.2026 using gemini-2.5-flash · €0.0186 compute · voice-rubric self-validated