The CIS Critical Security Controls (CIS Controls) are a set of more than 170 cybersecurity defensive measures, called safeguards, organized into a set of 20 Control activities. A community of security experts cooperates to keep this list of safeguards up-to-date based on vendor summaries of recent attack activity described in reports like the Verizon Data Breach Investigations Report (DBIR) and on their own experience defending actual networks. Enterprises can select safeguards from the CIS Controls to create a robust cyber defense mission for their organization.
The challenge is that most organizations do not need to implement every safeguard. Many enterprises ask for assistance prioritizing the safeguards. What should they do first as a foundation? Our CIS Controls community responded by placing the safeguards into three implementation groups (IGs). We call the first implementation group, IG1, basic cyber hygiene. These are the safeguards that show up on any to-do list for cybersecurity and should be implemented by most organizations.
CIS Community Defense Model
CIS wants to do more to help enterprises select the appropriate safeguards. The cost of cyber defense can increase dramatically as safeguards are chosen from IG2 and IG3. To help organizations decide, CIS created the Community Defense Model (CDM) to address two important questions.
The first question is: how robust of a defense can be achieved by IG1, basic cyber hygiene, safeguards? In other words, how effective are the IG1 safeguards? A second question we intend to answer is how to select additional safeguards from IG2 and IG3. The goal is to determine the role that a safeguard plays for defense for each attack stage. This information will help an organization weigh effectiveness, reducing possible harm from threats against the cost of implementing the safeguards.
The Community Defense Model relies on the MITRE ATT&CK Framework. The CIS Controls and the MITRE ATT&CK Framework complement each other perfectly for this effort. The MITRE ATT&CK Framework is platform- and product-independent and expresses all of the possible attack techniques employed at every phase of an attack. The CIS Controls are also platform- and vendor-neutral and can express most of the defensive options available to mitigate each phase of an attack.
The CDM model has three steps:
- Identify the most prevalent and damaging attack patterns from current industry investigative reports on incidents and breaches
- Normalize the attack patterns by expressing them in the MITRE ATT&CK model as the set of techniques deployed to accomplish each tactic for each phase of an attack (some industry reports already do this for some attacks and CIS will use those when available)
- Identify the safeguards that mitigate each phase of the attack
Many attack techniques have more than one mitigation. The three CIS Controls IGs correspond to three different levels of investment in security controls, matching the expected sophistication of the attacker, the importance of what is being protected, and the extent of anticipated harm. An enterprise can weigh the cost of a safeguard in the context of all of the mitigation effects already in place to address an attack technique.
MITRE provides some high-level mitigations to the attack techniques for each attack phase in its model. The list of MITRE mitigations allowed us to readily map our more implementable and granular safeguards to defensive measures against the attack techniques.
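The three CDM steps and the mitigation mapping described above can be expressed as a small data model: each attack pattern is a sequence of (tactic, technique) steps, each technique maps to high-level mitigations, and each safeguard realises one or more mitigations at a given implementation group. The following example is added here for illustration and is not CIS's or MITRE's code or data; every attack pattern, technique, mitigation and safeguard identifier in it is constructed, and the functions (`coverage`, `overall_coverage`, `gap_closers`) are hypothetical names. It shows how a defender would compute IG1 coverage per attack stage and which IG2/IG3 safeguards would close the remaining gaps, which is the cost-versus-coverage question the CDM is meant to answer.

```python
"""Worked CDM-style mapping: attack pattern -> techniques -> mitigations
-> safeguards, then per-pattern and overall coverage by implementation group.
All identifiers below are constructed sample data, not real CDM mappings."""
from collections import defaultdict

# Constructed: each attack pattern is an ordered list of (tactic, technique).
ATTACK_PATTERNS = {
    "pattern-A (constructed)": [
        ("Initial Access", "tech-phish"),
        ("Execution", "tech-script"),
        ("Persistence", "tech-schedtask"),
        ("Privilege Escalation", "tech-validacct"),
        ("Defense Evasion", "tech-obfuscate"),
    ],
    "pattern-B (constructed)": [
        ("Initial Access", "tech-extservice"),
        ("Execution", "tech-script"),
        ("Persistence", "tech-validacct"),
        ("Defense Evasion", "tech-disable-tools"),
    ],
}

# Constructed: technique -> high-level mitigations (stand-in for MITRE's list).
TECHNIQUE_MITIGATIONS = {
    "tech-phish": {"mit-user-training", "mit-email-filter"},
    "tech-script": {"mit-exec-prevention"},
    "tech-schedtask": {"mit-audit", "mit-privileged-accounts"},
    "tech-validacct": {"mit-privileged-accounts", "mit-mfa"},
    "tech-obfuscate": {"mit-antivirus"},
    "tech-extservice": {"mit-network-segmentation", "mit-mfa"},
    "tech-disable-tools": {"mit-restrict-permissions"},
}

# Constructed: safeguard -> (implementation group, mitigations it realises).
SAFEGUARDS = {
    "sg-awareness-training": (1, {"mit-user-training"}),
    "sg-malware-defense": (1, {"mit-antivirus"}),
    "sg-manage-admin-privileges": (1, {"mit-privileged-accounts",
                                       "mit-restrict-permissions"}),
    "sg-mfa-external": (1, {"mit-mfa"}),
    "sg-log-collection": (1, {"mit-audit"}),
    "sg-app-allowlisting": (2, {"mit-exec-prevention"}),
    "sg-email-sandboxing": (2, {"mit-email-filter"}),
    "sg-network-segmentation": (2, {"mit-network-segmentation"}),
    "sg-deception-tech": (3, {"mit-detect-lateral"}),
}


def mitigation_to_safeguards(max_ig):
    """Invert SAFEGUARDS: mitigation -> safeguards available at IG <= max_ig."""
    index = defaultdict(set)
    for sg, (ig, mits) in SAFEGUARDS.items():
        if ig <= max_ig:
            for m in mits:
                index[m].add(sg)
    return index


def covering_safeguards(technique, max_ig):
    """Safeguards (IG <= max_ig) realising at least one mitigation for technique."""
    index = mitigation_to_safeguards(max_ig)
    return {sg for m in TECHNIQUE_MITIGATIONS.get(technique, ())
            for sg in index.get(m, ())}


def coverage(pattern, max_ig):
    """Fraction of a pattern's steps with a covering safeguard, plus the gaps."""
    steps = ATTACK_PATTERNS[pattern]
    gaps = [(tactic, t) for tactic, t in steps if not covering_safeguards(t, max_ig)]
    return (len(steps) - len(gaps)) / len(steps), gaps


def overall_coverage(max_ig):
    """Share of all distinct techniques across patterns covered at max_ig."""
    techs = {t for steps in ATTACK_PATTERNS.values() for _, t in steps}
    covered = {t for t in techs if covering_safeguards(t, max_ig)}
    return len(covered) / len(techs)


def gap_closers(pattern, current_ig):
    """For each uncovered step, safeguards above current_ig that would cover it,
    ordered by implementation group (cheapest group first)."""
    _, gaps = coverage(pattern, current_ig)
    result = {}
    for tactic, t in gaps:
        options = covering_safeguards(t, 3) - covering_safeguards(t, current_ig)
        result[(tactic, t)] = sorted(options, key=lambda sg: SAFEGUARDS[sg][0])
    return result


if __name__ == "__main__":
    for name in ATTACK_PATTERNS:
        frac, gaps = coverage(name, 1)
        print(f"{name}: IG1 covers {frac:.0%}; gaps: {gaps}")
        print("  closers:", gap_closers(name, 1))
    print(f"overall IG1 technique coverage: {overall_coverage(1):.0%}")
```

With this constructed data IG1 covers four of five stages of pattern A and three of four of pattern B; the only gap in both is the Execution step, and the cheapest closer is an IG2 safeguard. The same structure scales to the real ATT&CK technique list and the CIS safeguard catalogue once those mappings are loaded in place of the sample dictionaries.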
CIS ascertained that the safeguards in IG1 provide defense against approximately 62% of the Techniques identified in the ATT&CK Framework, focusing on the Initial Access, Execution, Persistence, Privilege Escalation, and Defense Evasion stages (or Tactics) of the top attack patterns. If these early stages of the top attack patterns are successfully defended against, organizations can mitigate the subsequent impacts of an attack.
Most importantly, though, CIS determined that the safeguards in IG1 defend against the five most significant attack patterns from the 2019 Verizon DBIR. Any organization can start by implementing IG1 to create a solid foundation for cyber defense.
Future reports will apply the CDM to more current attack patterns. For each attack pattern, the effectiveness of IG1 will be assessed, and additional safeguards from IG2 and IG3 will be identified that help protect enterprises against more capable attackers and defend more valuable assets. Organizations can factor in the contribution each safeguard makes to countering threats when they perform a risk assessment that balances the cost of a defensive measure against the harm that could result from an attack.