NIST_CSF RS: RESPOND
AL · Founder at SQUR · last verified 2026-06-20
Regulation text
Actions regarding a detected cybersecurity incident are taken. RESPOND supports the ability to contain the effects of cybersecurity incidents.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | Incident response protocols address vulnerabilities in public-facing applications, including patching and isolation, to contain and prevent further exploitation. | 100% |
| T1053.005 | Response teams identify and remove malicious scheduled tasks used for persistence, eradicating adversary footholds. | 100% |
| T1068 | Incident response involves identifying and patching vulnerabilities exploited for privilege escalation, limiting adversary capabilities. | 100% |
| T1070.004 | Forensic analysis during incident response aims to recover or identify deleted indicators, despite adversary attempts to evade detection. | 90% |
| T1003.001 | Response actions include isolating compromised systems, resetting credentials, and enhancing endpoint security to counter credential dumping. | 100% |
| T1087.001 | Incident response involves monitoring for unusual account activity and isolating compromised systems to limit adversary discovery. | 90% |
| T1021.001 | Response teams block RDP access from compromised hosts and implement network segmentation to contain lateral movement. | 100% |
| T1005 | Incident response includes isolating systems and monitoring data exfiltration channels to prevent or detect data collection. | 100% |
| T1071.001 | Response actions involve blocking malicious C2 domains/IPs and implementing network segmentation to disrupt command and control. | 100% |
| T1041 | Incident response monitors network traffic for unusual data transfers and blocks C2 channels to prevent data exfiltration. | 100% |
| T1486 | Response protocols focus on restoring from backups and isolating affected systems to recover from data encryption for impact. | 100% |
| T1566.001 | Post-incident analysis often identifies spearphishing as the initial access vector, leading to improved user education and email gateway controls as part of response. | 80% |
| T1098 | Incident response includes account lockout, password resets, and multi-factor authentication enforcement to counter account manipulation. | 100% |
| T1547.001 | Response teams identify and remove malicious autostart entries to eradicate persistence mechanisms. | 100% |
| T1059.003 | Incident response involves monitoring command execution and enhancing endpoint detection to identify and respond to malicious use of command shells. | 90% |
Defending mitigations · 6
| Mitigation | What it does | Confidence |
|---|---|---|
| M1031 | Network segmentation is a primary containment strategy, limiting an adversary's ability to move laterally and isolating compromised assets during an incident. | 100% |
| M1047 | Comprehensive auditing provides crucial forensic data, enabling incident responders to understand the scope, timeline, and impact of a cybersecurity incident. | 100% |
| M1049 | Antivirus and antimalware solutions assist in the eradication phase of incident response by detecting and removing malicious software from affected systems. | 90% |
| M1038 | Effective user account management, including password resets and account disabling, is essential for remediating compromised credentials during an incident. | 100% |
| M1050 | Post-incident vulnerability scanning helps identify and patch weaknesses exploited by adversaries, preventing recurrence and improving overall security posture. | 80% |
| M1048 | Reliable data backups are fundamental for the recovery phase of incident response, enabling restoration of systems and data after an attack. | 100% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-287 | Weak or improper authentication mechanisms are frequently exploited for initial access, necessitating robust response actions to secure accounts. | 100% |
| CWE-798 | Hard-coded credentials provide adversaries with persistent access, requiring incident response to identify and eliminate such vulnerabilities. | 100% |
| CWE-200 | Incident response protocols directly address the detection, containment, and remediation of sensitive information exposure during a breach. | 100% |
| CWE-78 | Command injection vulnerabilities allow adversaries to execute arbitrary commands, which incident response aims to detect and mitigate through patching and system hardening. | 90% |
| CWE-862 | Lack of proper authorization allows unauthorized actions, which incident response teams must identify and correct to prevent further compromise. | 100% |
| CWE-306 | Critical functions lacking authentication are prime targets for adversaries, requiring immediate attention during incident response to secure access. | 100% |
| CWE-502 | Exploitation of deserialization vulnerabilities can lead to remote code execution, demanding incident response to identify affected systems and apply patches. | 80% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0179 compute · voice-rubric self-validated · 1 hallucination(s) dropped at validation