NIST_CSF RC: RECOVER
Founder at SQUR · last verified 2026-06-20
Regulation text
Assets and operations affected by a cybersecurity incident are restored. RECOVER supports the timely restoration of normal operations to reduce the effects of cybersecurity incidents and enable appropriate communication during recovery efforts.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1485 | Data Destruction directly necessitates recovery actions to restore affected assets and operations, aligning with the control's objective to restore normal operations. | 90% |
| T1490 | Inhibit System Recovery directly targets the ability to restore systems, making this technique highly relevant to the RECOVER function by hindering its core purpose. | 95% |
| T1561.001 | Disk Content Wipe is a specific method of data destruction, requiring comprehensive restoration of data and systems to achieve recovery objectives. | 90% |
| T1561.002 | Disk Structure Wipe, by corrupting file systems, directly causes the need for full system and data recovery, aligning with the control's aim to restore operations. | 90% |
| T1562.001 | Disabling or Modifying System Recovery mechanisms directly undermines the RECOVER function, making restoration efforts significantly more challenging or impossible. | 95% |
| T1529 | System Shutdown/Reboot can cause service disruption, requiring recovery procedures to bring systems back online and restore normal operations. | 80% |
| T1498 | Environmental Keying renders systems unusable, directly leading to the need for recovery actions to regain control and functionality of affected assets. | 85% |
| T1491 | Defacement of public-facing assets requires restoration of original content and integrity, falling under the scope of recovering affected operations. | 80% |
| T1005 | Data from Local System, if compromised or exfiltrated, can necessitate recovery efforts to restore data integrity, confidentiality, or availability. | 75% |
| T1041 | Exfiltration Over C2 Channel indicates data loss, which often requires recovery actions to address data integrity and privacy and to rebuild trust. | 75% |
| T1071.001 | Persistent Command and Control via Web Protocols can hinder recovery by allowing an attacker to re-establish access or continue disruption after initial remediation. | 70% |
| T1053.005 | Scheduled Task persistence allows an attacker to re-execute malicious code, potentially disrupting recovery efforts or causing re-infection, thus hindering restoration. | 70% |
| T1098 | Account Manipulation can lead to unauthorized access or disruption, requiring recovery of legitimate access and system integrity to restore normal operations. | 75% |
| T1531 | Account Access Removal prevents legitimate users from accessing systems, directly hindering recovery teams from performing necessary restoration tasks. | 80% |
| T1565.001 | Stored Data Manipulation on Primary Drive directly impacts data integrity, necessitating recovery actions to restore accurate and reliable information. | 85% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1049 | Data Backup is fundamental to the RECOVER function, providing the means to restore lost or corrupted data and systems and directly enabling timely restoration of operations. | 100% |
| M1013 | Application Isolation and Sandboxing limits the impact of an incident, reducing the scope and complexity of recovery efforts by containing threats. | 80% |
| M1015 | Software Configuration ensures systems are built and maintained in a resilient state, simplifying and accelerating the restoration process post-incident. | 85% |
| M1031 | Network Segmentation limits the spread of an attack, reducing the number of affected assets and making recovery more manageable and targeted. | 85% |
| M1047 | Audit logs provide critical information for understanding incident scope and impact, which is essential for effective recovery planning and execution. | 75% |
| M1038 | Service Hardening reduces vulnerabilities, making systems more resilient to attacks and thus easier to restore to a secure state during recovery. | 80% |
| M1051 | Account Use Policies prevent misuse and compromise of accounts, which could otherwise hinder recovery efforts by providing attackers with persistent access. | 70% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-400 | Uncontrolled Resource Consumption can lead to denial of service, directly causing system unavailability and necessitating recovery actions to restore functionality. | 80% |
| CWE-404 | Improper Resource Shutdown or Release can leave systems in an unstable or vulnerable state, complicating or prolonging recovery efforts after an incident. | 75% |
| CWE-426 | Untrusted Search Path vulnerabilities could allow an attacker to execute malicious code during system startup or recovery processes, hindering restoration. | 70% |
| CWE-502 | Deserialization of Untrusted Data can lead to remote code execution, resulting in system compromise that requires extensive recovery to restore integrity. | 75% |
| CWE-787 | Out-of-bounds Write can corrupt memory or lead to system crashes, directly causing service disruption and requiring recovery to restore stable operations. | 80% |
| CWE-798 | Use of Hard-coded Credentials makes systems vulnerable to compromise, which can hinder recovery by allowing attackers to maintain access or disrupt restoration. | 85% |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor often necessitates recovery actions to address data integrity and privacy and to rebuild trust with stakeholders. | 70% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0181 compute · voice-rubric self-validated