NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-48 — Sensor Relocation
Relocate {{ insert: param, sc-48_odp.01 }} to {{ insert: param, sc-48_odp.02 }} under the following conditions or circumstances: {{ insert: param, sc-48_odp.03 }}.
Supplemental Guidance
Adversaries may take various paths and use different approaches as they move laterally through an organization (including its systems) to reach their target or as they attempt to exfiltrate information from the organization. The organization often only has a limited set of monitoring and detection capabilities, and they may be focused on the critical or likely infiltration or exfiltration paths. By using communications paths that the organization typically does not monitor, the adversary can increase its chances of achieving its desired goals. By relocating its sensors or monitoring capabilities to new locations, the organization can impede the adversary’s ability to achieve its goals. The relocation of the sensors or monitoring capabilities might be done based on threat information that the organization has acquired or randomly to confuse the adversary and make its lateral transition through the system or organization more challenging.
Practitioner Notes
Relocate sensors and monitoring capabilities to different points in the network to improve detection coverage and adapt to evolving threats.
Example 1: If your IDS sensors sit only at the perimeter and you find evidence of lateral movement, relocate (or add) sensors at the internal choke points that east-west traffic must cross, such as the inter-VLAN routing or firewall interfaces between segments. A perimeter sensor never sees VLAN-to-VLAN traffic, which is exactly the kind of unmonitored path the supplemental guidance says an adversary will favor. Move from a perimeter-only model to a distributed one with visibility inside the network.
Example 2: Periodically reposition network taps and SPAN sessions so that different segments are monitored in different periods: focus on the database segment this quarter, shift to the development environment the next, and so on until every segment has been covered at least once per full rotation. Two caveats: drive the order from threat information or randomize it, so an adversary cannot learn the schedule and simply wait for a segment to go dark; and keep a baseline of flow records or logs on the segments not currently under deep inspection, since a rotation otherwise turns limited coverage into predictable blind spots. Record which segment was monitored when, so analysts know what coverage actually existed during an incident.
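The rotation in Example 2, together with the supplemental guidance's point that relocation may be threat-informed or random, can be turned into a small scheduler. The block below is an added example and is not NIST text or part of any NIST tooling: it produces per-period sensor placements in a keyed-pseudorandom order (reproducible by the defender for audit, unpredictable to anyone without the seed), lets threat information pin a segment for a given period without dropping the displaced segments, and checks the resulting plan for coverage gaps. The segment names, sensor count, pinned segment and seed are constructed sample values; the actual SPAN or tap reconfiguration happens outside this code.

```python
"""Keyed, coverage-guaranteeing sensor rotation (added example, not NIST text).

Segment names, sensor count and the pinned segment are constructed sample
data; SEED stands in for a secret the defender keeps so the order can be
regenerated for audit but not predicted by an adversary.
"""
import hashlib
import hmac
from collections import deque
from typing import Dict, Iterable, List, Optional, Sequence


def rotation_order(segments: Sequence[str], seed: bytes, round_no: int) -> List[str]:
    """One full round: every segment exactly once, ordered by a keyed hash.

    HMAC(seed, "round:segment") yields a different permutation each round.
    """
    def rank(seg: str) -> bytes:
        return hmac.new(seed, f"{round_no}:{seg}".encode(), hashlib.sha256).digest()
    return sorted(segments, key=rank)


def schedule(segments: Sequence[str], sensors: int, seed: bytes, periods: int,
             pinned: Optional[Dict[int, Iterable[str]]] = None) -> List[List[str]]:
    """Sensor placement for each of `periods` monitoring periods.

    Rounds are drained in order, so every segment is monitored at least once
    per round (a bounded coverage gap). `pinned` maps a period index to
    segments that threat information says must be watched in that period;
    they take sensors first, and the rotation segments they displace stay
    queued for a later period instead of being skipped.
    """
    if not segments or sensors < 1:
        raise ValueError("need at least one segment and one sensor")
    sensors = min(sensors, len(segments))   # more sensors than segments: watch everything
    pinned = pinned or {}
    backlog: deque = deque()
    round_no = 0
    plan: List[List[str]] = []
    for p in range(periods):
        chosen: List[str] = []
        for seg in pinned.get(p, ()):
            if seg in segments and seg not in chosen and len(chosen) < sensors:
                chosen.append(seg)
                if seg in backlog:
                    backlog.remove(seg)     # covered this period; no need to revisit
        while len(chosen) < sensors:
            if not backlog:                 # round exhausted: start the next one
                round_no += 1
                backlog.extend(rotation_order(segments, seed, round_no))
            seg = backlog.popleft()
            if seg not in chosen:
                chosen.append(seg)
        plan.append(chosen)
    return plan


def coverage_gaps(plan: List[List[str]], segments: Sequence[str], window: int) -> List[str]:
    """Segments that go unmonitored for `window` or more consecutive periods."""
    last_seen = {s: -1 for s in segments}
    gaps = set()
    for i, placement in enumerate(plan):
        for s in placement:
            last_seen[s] = i
        for s in segments:
            if i - last_seen[s] >= window:
                gaps.add(s)
    return sorted(gaps)


SEGMENTS = ["dmz", "db", "dev", "hr", "ops", "backup"]   # constructed sample segments
SEED = b"replace-with-a-real-secret"                     # stand-in for the defender's secret

if __name__ == "__main__":
    # Six periods, two sensors: two full rounds of the six segments.
    # Threat information (constructed) says to watch "db" in period 1.
    for period, placement in enumerate(schedule(SEGMENTS, 2, SEED, 6, pinned={1: ["db"]})):
        print(f"period {period}: {placement}")
```

With six segments and two sensors, one round takes three periods, so a window of six periods is the longest any segment can go unmonitored; running coverage_gaps with that window on the generated plan is the check to add to the change record each time the schedule is regenerated.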