The following information provides a more detailed, in-depth view of the compliance items for which BloodHound Enterprise can provide coverage.
Identify (ID) Asset Management (ID.AM)
Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy
ID.AM-01
Requirement
Inventories of hardware managed by the organization are maintained.
Solution
BloodHound Enterprise collects information on all physical systems operating within a Windows Active Directory or Azure environment and monitors the addition and removal of physical assets connecting to the organization's environment.
References/Previous Versions
NIST Cybersecurity Framework v1.1: ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-02
Requirement
Inventories of software, services, and systems managed by the organization are maintained.
Solution
BloodHound Enterprise collects information on all systems in a domain that are connected to the organization's Active Directory or Azure environment and monitors the environment for the addition and removal of systems.
References
NIST Cybersecurity Framework v1.1: ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-05
Requirement
Assets are prioritized based on classification, criticality, resources, and impact on the mission
Solution
BloodHound Enterprise allows organizations to assign assets to Tier Zero (T0) based on the organization's classification, criticality, and business value. Prioritized resources are audited and accounted for during BloodHound Enterprise collection scans.
References
NIST Cybersecurity Framework v1.1: ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
Identify (ID) Risk Assessment (ID.RA)
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
ID.RA-01
Requirement
Vulnerabilities in assets are identified, validated, and recorded
Solution
BloodHound Enterprise analyzes the Active Directory/Azure environment for identity attack paths that potentially impact the organization's security posture. All identity vulnerabilities are identified during BloodHound collection activities and presented in the reporting dashboard with additional information to support documenting them.
References
NIST Cybersecurity Framework v1.1: ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-03
Requirement
Internal and external threats to the organization are identified and recorded.
Solution
BloodHound Enterprise analyzes the Active Directory/Azure environment for identity attack paths that potentially impact the organization's security posture. All identity threat vectors are identified during BloodHound collection activities and presented in the reporting dashboard with additional information to support documenting threats.
References
NIST Cybersecurity Framework v1.1: ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-05
Requirement
Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization.
Solution
BloodHound Enterprise analyzes the organizational environment for identity attack path vectors and assigns a quantifiable risk metric and category to each detected identity attack path. The risk metric is calculated by determining what percentage of the environment could be impacted by a specific identity vulnerability; that percentage is then mapped to a criticality rating.
References
NIST Cybersecurity Framework v1.1: ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
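The following is an added example, not BloodHound Enterprise code, showing how an "exposure as a percentage of the environment" metric of the kind described under ID.RA-05 (and reused for the severity ratings under DE.AE-02 and DE.AE-04) can be computed over an identity graph. The sample graph, the edge kinds, the Tier Zero set, the definition of a finding's attributable exposure (principals that lose every path into Tier Zero when the finding is removed) and the severity thresholds are all assumptions made for illustration; the product's actual scoring is not documented on this page.

```python
from collections import deque

# Constructed sample graph (assumption, not real data). Each tuple is
# (source, edge kind, target), read as "source can reach or control target".
EDGES = [
    ("helpdesk@corp", "MemberOf",   "HELPDESK@corp"),
    ("bob@corp",      "MemberOf",   "HELPDESK@corp"),
    ("HELPDESK@corp", "GenericAll", "srv01@corp"),
    ("srv01@corp",    "HasSession", "da-admin@corp"),
    ("da-admin@corp", "MemberOf",   "DOMAIN ADMINS@corp"),
    ("alice@corp",    "MemberOf",   "IT@corp"),
    ("IT@corp",       "AdminTo",    "ws07@corp"),
]

# Tier Zero as the organization would define it (assumption for the example).
TIER_ZERO = {"DOMAIN ADMINS@corp", "da-admin@corp"}


def all_nodes(edges):
    """Every principal or object that appears in the graph."""
    nodes = set()
    for src, _, dst in edges:
        nodes.add(src)
        nodes.add(dst)
    return nodes


def reaching_tier_zero(edges, tier_zero):
    """Non-Tier-Zero nodes that have at least one path into Tier Zero.

    Breadth-first search over the reversed edges, seeded with Tier Zero.
    """
    reverse = {}
    for src, _, dst in edges:
        reverse.setdefault(dst, []).append(src)
    seen = set(tier_zero)
    queue = deque(tier_zero)
    while queue:
        node = queue.popleft()
        for pred in reverse.get(node, []):
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    return seen - set(tier_zero)


def exposure_pct(edges, tier_zero):
    """Share of the whole environment that can reach Tier Zero, in percent."""
    nodes = all_nodes(edges)
    return round(100.0 * len(reaching_tier_zero(edges, tier_zero)) / len(nodes), 1)


def finding_exposure_pct(edges, tier_zero, finding):
    """Exposure attributable to one edge (a 'finding'): the nodes that lose
    every path into Tier Zero once that edge is removed, as a percentage of
    all nodes. The denominator stays the full graph so findings are comparable."""
    before = reaching_tier_zero(edges, tier_zero)
    after = reaching_tier_zero([e for e in edges if e != finding], tier_zero)
    return round(100.0 * len(before - after) / len(all_nodes(edges)), 1)


def severity(pct):
    """Hypothetical criticality buckets; the thresholds are an assumption."""
    if pct >= 40.0:
        return "critical"
    if pct >= 20.0:
        return "high"
    if pct >= 5.0:
        return "moderate"
    return "low"


def rank_findings(edges, tier_zero):
    """All edges scored and sorted by attributable exposure, highest first."""
    scored = [(finding_exposure_pct(edges, tier_zero, e), e) for e in edges]
    scored.sort(key=lambda item: item[0], reverse=True)
    return [(pct, severity(pct), edge) for pct, edge in scored]


if __name__ == "__main__":
    print(f"environment exposure: {exposure_pct(EDGES, TIER_ZERO)}%")
    for pct, sev, (src, kind, dst) in rank_findings(EDGES, TIER_ZERO):
        print(f"{pct:5.1f}% {sev:8s} {src} -{kind}-> {dst}")
```

In the constructed graph four of nine nodes can reach Tier Zero, so the environment exposure is 44.4%. The HasSession edge from srv01 to da-admin carries all of that exposure and ranks first; the GenericAll edge from HELPDESK to srv01 carries 33.3%; the edge from alice into IT leads nowhere near Tier Zero and scores 0.0%. Removing the da-admin to DOMAIN ADMINS edge changes nothing, because da-admin is itself in Tier Zero; that is why the Tier Zero definition (ID.AM-05) drives the ratings.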
Protect (PR) Identity Management, Authentication, and Access Control (PR.AA)
Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
PR.AA-05
Requirement
Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
Solution
BloodHound Enterprise audits and reports on the health of the organization's privileged access model and identifies potentially vulnerable attack paths and misconfigurations within the privileged access architecture.
References
NIST Cybersecurity Framework v1.1: PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
NIST Cybersecurity Framework v1.1: PR.AC-3: Remote access is managed
NIST Cybersecurity Framework v1.1: PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
CSC v8: 3.3, 6.8
Protect (PR) Platform Security (PR.PS)
The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability
PR.PS-01
Requirement
Configuration management practices are established and applied
Solution
BloodHound Enterprise's data collection activities gather and audit asset configurations for identity attack path analysis. The collected data can be used to validate the configuration architecture throughout the Active Directory/Azure environment. BloodHound Enterprise automatically highlights misconfigurations in your environment and assigns each a quantifiable risk metric and criticality rating based on the level of exposure detected.
References
NIST Cybersecurity Framework v1.1: PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
NIST Cybersecurity Framework v1.1: PR.IP-3: Configuration change control processes are in place
NIST Cybersecurity Framework v1.1: PR.PT-2: Removable media is protected and its use restricted according to policy
NIST Cybersecurity Framework v1.1: PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
CSC v8: 4.1, 4.2
Detect (DE) Adverse Event Analysis (DE.AE)
Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents
DE.AE-02
Requirement
Potentially adverse events are analyzed to better understand associated activities
Solution
BloodHound Enterprise reports identity attack paths and assigns a risk exposure severity rating to each vector based on the percentage of the organization's environment that is exposed. Additional information pertaining to specific events is included in the BloodHound Enterprise GUI.
References
NIST Cybersecurity Framework v1.1: DE.AE-2: Detected events are analyzed to understand attack targets and methods
CSC v8: 8.11
DE.AE-04
Requirement
The estimated impact and scope of adverse events are understood.
Solution
BloodHound Enterprise reports identity attack paths and assigns a risk exposure severity rating to each vector based on the percentage of the organization's environment that is exposed. Additional information pertaining to specific events is included in the BloodHound Enterprise GUI.
References
NIST Cybersecurity Framework v1.1: DE.AE-4: Impact of events is determined
DE.AE-08
Requirement
Incidents are declared when adverse events meet the defined incident criteria.
Solution
BloodHound Enterprise allows Tier Zero to be defined per the needs of the organization so that the organization's own Tier Zero asset group is represented correctly. During analysis, BloodHound Enterprise enumerates all detectable identity attack paths and assigns a risk exposure rating to each vulnerable identity, asset, or object, which supports establishing organizational incident alert thresholds and defining incident alert criteria.
References
NIST Cybersecurity Framework v1.1: DE.AE-5: Incident alert thresholds are established.
Detect (DE) Continuous Monitoring (DE.CM)
Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events.
DE.CM-01
Requirement
Networks and network services are monitored to find potentially adverse events.
Solution
BloodHound Enterprise collects information on all physical systems and Active Directory/Azure users operating within a Windows Active Directory or Azure environment. BloodHound Enterprise's configurable scan options allow organizations to establish a baseline of systems, users, and groups and to monitor that baseline via the reporting dashboard to identify adverse and unsafe events.
References
NIST Cybersecurity Framework v1.1: DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-09
Requirement
Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
Solution
BloodHound Enterprise collects information on all Active Directory/Azure systems operating within a Windows Active Directory or Azure environment and monitors those assets for trust violations and other identity-based events.
References
Subcategory is new to this version of the framework and incorporates the following items from the previous version:
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
DE.CM-4: Malicious code is detected
DE.CM-5: Unauthorized mobile code is detected
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed.
Respond (RS) Incident Analysis (RS.AN)
Investigations are conducted to ensure effective response and support forensics and recovery activities.
RS.AN-03
Requirement
Analysis is performed to establish what has taken place during an incident and the root cause of the incident.
Solution
BloodHound Enterprise collects information on all physical systems and Active Directory/Azure users operating within a Windows Active Directory or Azure environment. BloodHound Enterprise's configurable scan options and reporting features provide insights for determining the impact of an incident and understanding its root cause.
References
NIST Cybersecurity Framework v1.1: RS.AN-3: Forensics are performed
RS.AN-08
Requirement
An incident’s magnitude is estimated and validated
Solution
BloodHound Enterprise audits all identities and objects within your Active Directory/Azure environment and provides risk metrics quantifying exposure to identity vulnerabilities to support incident validation and magnitude estimation.
References
NIST Special Publication 800-53 Revision 5: IR-4, IR-8, RA-3, RA-7
Respond (RS) Incident Mitigation (RS.MI)
Activities are performed to prevent expansion of an event and mitigate its effects.
RS.MI-02
Requirement
Incidents are eradicated.
Solution
BloodHound Enterprise collects information on all physical systems and Active Directory/Azure users operating within a Windows Active Directory or Azure environment. BloodHound Enterprise's configurable scan options and reporting features provide insights for determining the impact of an incident and understanding its root cause. BloodHound Enterprise also provides actionable remediation guidance, which enables analysts and responders to prevent and mitigate incidents as they are discovered.
References
NIST Cybersecurity Framework v1.1: RS.MI-2: Incidents are mitigated