A new white paper from the Center for Internet Security finds implementation of the “CIS Controls” mitigates approximately 83 percent “of all attack techniques found in the MITRE ATT&CK Framework,” and examines effectiveness against malware, targeted intrusions, insider threats and web-application hacking.
The paper, ”CIS Community Defense Model,” was released today in advance of a Friday webinar "Cleaning Up Our Cyber Hygiene," with CIS Senior Vice President and Chief Evangelist Tony Sager.
“This new model combines data from public reports about cybersecurity and attacker techniques and tactics as identified in the MITRE Enterprise ATT&CK Framework, and translates them into specific actions identified by the CIS Controls to mitigate real-world cyber-attacks,” according to a CIS spokesperson. “Among the key findings: The data and analysis in the model shows that 90% of the ransomware attack techniques identified in the MITRE framework can be defended against by organizations that implement the CIS Controls.”
According to CIS, its Community Defense Model “was constructed using the following process:”
- From the Verizon DBIR and other sources, we identified the five most important attack types we want to defend against: Web-Application Hacking, Insider and Privilege Misuse, Malware, Ransomware, and Targeted Intrusions.
- For each type of attack, we determined an attack pattern - the set of ATT&CK Model Techniques required to execute the Tactics used in that attack.
- We identified the specific security value of Safeguards in the CIS Controls against the Techniques found in each attack. We did this by going through the class of Mitigations associated with each Technique.
- We then stood back to examine the security value (in terms of mitigating attacks) of implementing the Sub-Controls comprising the CIS Controls.
The report finds “Implementation Group 1 (IG1) of the Controls, the definition of Basic Cyber Hygiene, provide mitigation against the attack techniques found in the top four attack patterns listed in the 2019 Verizon Data Breach Investigations Report (DBIR), including ransomware. This is a critical finding for both public and private sector organizations that have been facing a rapid increase in cyber-attacks, especially ransomware, over the last several years.”
The white paper says “Implementing IG1 of the CIS Controls can mitigate 79% of malware attack pattern techniques”; “100% of instances of web-application hacking techniques can be defended against by implementing all of the CIS Controls”; “100% of the [insider privilege and misuse] techniques can be defended against by properly implementing the CIS Sub-Controls in IG1”; and “80% of targeted intrusion techniques can be defended against by implementing all of the CIS Controls.”
CIS President and CEO, John Gilligan said in a statement: “Consistent with our mission, CIS is committed to providing both public and private sector organizations with the tools they can use to help mitigate cyber-attacks. The rigorous and data-driven analysis mapping of the CIS Controls to the MITRE ATT&CK Framework in our Community Defense Model is the most recent step we're taking to help all organizations start secure and stay secure with basic cyber hygiene.”
The report says, “The initial version of the CIS CDM is not the final answer for modelling cyber defense. However, we believe that this version represents a major step forward in providing greater rigor to support prudent decision-making regarding cyber defense strategies for organizations.” -- Charlie Mitchell (cmitchell@iwpnews.com)