Bare Metal Cyber Presents: Framework

RS.AN-08 estimates and validates an incident’s magnitude by assessing its scope and impact, searching other targets for indicators of compromise or persistence. This involves manual reviews or automated tools to confirm the extent of damage or spread, refining initial assessments. It quantifies the incident’s true reach.

This subcategory aligns analysis with risk priorities, ensuring resources target the full breadth of an incident, from isolated to systemic effects. It supports effective mitigation by clarifying the scale of response needed. RS.AN-08 ensures a comprehensive grasp of incident consequences.

RS.AN-06 ensures that all investigative actions during an incident—like system checks or containment steps—are meticulously recorded, with integrity and provenance preserved. This involves immutable logs by responders and detailed documentation by the incident lead, safeguarding evidence for legal or audit purposes. It maintains a reliable investigation trail.

This subcategory supports accountability and forensics by ensuring records are tamper-proof and traceable, aligning with risk management needs. It enables accurate post-incident reviews and lessons learned, enhancing future responses. RS.AN-06 upholds the credibility of incident investigations.

RS.AN-03 conducts detailed analysis to reconstruct incident events, identify involved assets, and pinpoint root causes, such as exploited vulnerabilities or threat actors. This includes examining deception technologies for attacker behavior insights, aiming to understand both immediate triggers and systemic issues. It provides the foundation for effective response and prevention.

This subcategory enhances response by delivering actionable findings, aligning analysis with risk priorities to address critical weaknesses. It supports forensics and recovery by uncovering underlying causes, reducing recurrence risks. RS.AN-03 drives a thorough understanding of incident dynamics.

DE.CM-06 requires monitoring the activities and services of external providers—like cloud platforms or ISPs—to detect adverse events that could impact the organization. This includes tracking remote administration or onsite maintenance by third parties for deviations from expected behavior. It ensures external dependencies don’t become blind spots.

This subcategory mitigates risks from outsourced services by maintaining oversight, aligning monitoring with contractual security expectations. It supports a comprehensive security posture by extending vigilance beyond organizational boundaries. DE.CM-06 safeguards against threats originating in the supply chain.

DE.CM-02 involves monitoring the physical environment housing technology assets to detect adverse events, such as unauthorized access or tampering with controls like locks and alarms. This includes reviewing logs from badge readers and visitor records for unusual patterns, supplemented by tools like cameras and security guards. It protects the physical layer of cybersecurity.

This subcategory ensures that physical breaches, which could enable logical attacks, are identified quickly, aligning monitoring with risk levels for critical areas. It supports a holistic security approach by integrating physical oversight with digital defenses. DE.CM-02 safeguards assets from tangible threats that could compromise operations.