The Center for Internet Security, Inc. (CIS®) released its Community Defense Model (CDM). The model shows that the CIS Controls® (Controls) – a prioritized and prescriptive set of safeguards that mitigate the most common cyberattacks against systems and networks – mitigate approximately 83 percent of all attack techniques found in the MITRE ATT&CK Framework. Furthermore, Implementation Group 1 (IG1) of the Controls, the definition of Basic Cyber Hygiene, provides mitigation against the attack techniques found in the top four attack patterns listed in the 2019 Verizon Data Breach Investigations Report (DBIR), including ransomware. This is a critical finding for both public and private sector organizations that have been facing a rapid increase in cyber-attacks, especially ransomware, over the last several years.
The CDM maps the Controls to the MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) Framework, and describes how data sources are used to support the mapping to specific Controls and their associated Sub-Controls (Safeguards). The CDM also formalizes the documentation of the specific attack patterns mitigated by the Controls to include: web-application hacking, insider and privilege misuse, malware, ransomware, and targeted intrusions.
"Consistent with our mission, CIS is committed to providing both public and private sector organizations with the tools they can use to help mitigate cyber-attacks," said CIS President and CEO, John Gilligan. "The rigorous and data-driven analysis mapping of the CIS Controls to the MITRE ATT&CK Framework in our Community Defense Model is the most recent step we're taking to help all organizations start secure and stay secure with basic cyber hygiene."
While ransomware attacks have received the most public notoriety over the last several years, there are several other attack techniques that can be just as challenging for any organization. The findings in the CDM also demonstrate the effectiveness of the Controls, which are separated into three Implementation Groups (IGs), against a variety of other attack techniques:
- Malware: Implementing IG1 of the CIS Controls can mitigate 79 percent of malware attack pattern techniques. Implementing IG1 is the definition of Basic Cyber Hygiene.
- Web-Application Hacking: 100 percent of instances of web-application hacking techniques can be defended against by implementing all of the CIS Controls.
- Insider Privilege & Misuse: 100 percent of the techniques can be defended against by properly implementing the CIS Sub-Controls in IG1.
- Targeted Intrusion: 80 percent of targeted intrusion techniques can be defended against by implementing all of the CIS Controls.
In developing this new model, CIS used publicly available data from sources including the Multi-State Information Sharing & Analysis Center® (MS-ISAC®), the 2019 Verizon DBIR, and CrowdStrike to identify the most relevant attack patterns and their frequency. Once the attack patterns were identified and analyzed, the MITRE ATT&CK Framework was used to select which attack techniques are associated with specific attack patterns.
"The data and analysis behind this model provide a defensible basis for applying specific best practices to mitigate cyber-attacks. This is an industry first, and we're proud to lead the way on behalf of the community of cybersecurity experts who have helped develop the CIS Controls with us," said Gilligan.
The CIS Controls are a prioritized set of safeguards to mitigate the most common cyber-attacks against systems and networks. The volunteer experts who develop the Controls come from a wide range of sectors including defense, education, government, healthcare, manufacturing, retail, transportation, and others. The findings in the CDM underscore why the Controls are the definition of an effective cybersecurity program. Through the mapping of the Controls, the new model also provides specific and concrete steps all organizations can take to better protect themselves against cyber-attacks, especially malware and ransomware. The overall goal of the CDM is to bring another level of rigor and detail to support the development of the CIS Controls, while taking advantage of the industry ecosystem that is developing around the MITRE ATT&CK Model.
Read the entire Community Defense Model whitepaper here.