Cyber-attack defense: CIS Benchmarks + CDM + MITRE ATT&CK
Victims lost $6.9 billion to cybercrime in 2021, according to FBI’s Internet Crime Complaint Center.
To take a bite out of that number, the Center for Internet Security (CIS) is committed to validating our standards against recognized cyber defense frameworks. Starting today, with the CIS Microsoft Windows 10 Benchmark, the CIS Benchmarks will map to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework and CIS Community Defense Model (CDM) 2.0. These mappings will improve the use, understanding, and effectiveness of the CIS Benchmarks. And that will help organizations strengthen their security posture and prevent top cyber-attacks.
CIS Benchmarks and CIS Community Defense Model
CIS Benchmarks are consensus-developed, industry best practices for securely configuring operating systems, cloud services, applications, networks, and more. A global community of information technology (IT) security professionals from academia, government, and industry drive the development and maintenance of the CIS Benchmarks. CIS relies on the contributions of these passionate industry experts to create and maintain the CIS Benchmarks. Interested in contributing? Sign up for CIS WorkBench and join a community.
The CIS CDM v2.0 can be used to design, prioritize, implement, and improve an enterprise’s cybersecurity program. Enterprises naturally want to know, “how effective are the CIS Critical Security Controls (CIS Controls) against the top cyber-attacks?” The CDM helps answer that. This model leverages industry threat data to determine the top five cyber-attack types and creates comprehensive attack patterns (the set of attacker (sub-)techniques that are required to execute an attack). CDM v2 builds on the original version by mapping the Safeguards from the CIS Controls v8 to the MITRE Enterprise ATT&CK® v8.2 framework. This methodology measures which Safeguards are most effective for defending across attack types.
Unifying the CIS Benchmarks, CDM, and MITRE ATT&CK against cyber-attacks
To start these new mappings, CIS focused on two of the most downloaded CIS Benchmarks – Microsoft Windows 10 and Red Hat Enterprise Linux 7 – and drilled into MITRE ATT&CK (sub-)techniques. This level of granularity gives CIS Benchmarks users a more detailed look into the effectiveness of the CIS Benchmarks against the top five attack types found in the CIS CDM. Combining technology-specific, security-focused configuration settings from the CIS Benchmarks with the prioritized enterprise cyber defense guidance from the CIS CDM provides users with a more holistic view of their cybersecurity program.
Mapping the MITRE ATT&CK framework to the CIS Benchmarks highlights the effectiveness of the CIS Microsoft Windows 10 v1.11.0 Benchmark, not only as a set of security-focused configuration recommendations, but in quantifying its ability to reduce the risk and impact of a range of cyber-attacks. CIS SecureSuite Members can also visit CIS WorkBench to view the MITRE ATT&CK framework mappings, which can be found in the Excel version of the Benchmarks. CIS will continue refining and expanding this methodology, which will further support unification across other frameworks as CIS updates and expands the mappings offered.
CIS Benchmarks’ effectiveness against common cyber-attacks
The CIS Microsoft Windows 10 v1.11.0 Benchmark protects against the top cyber-attack types found in the CIS CDM:
- Malware: 67% of recommendations map to a parent or (sub-)technique
- Ransomware: 74% of recommendations map to a parent or (sub-)technique
- Web application hacking: 41% of recommendations map to a parent or (sub-)technique
- Insider and privilege misuse: 64% of recommendations map to a parent or (sub-)technique
- Targeted intrusion: 59% of recommendations map to a parent or (sub-)technique
- Combined attack types: 83% of recommendations map to a parent or (sub-)technique when the above attack types are combined
The CIS Microsoft Windows 10 v1.11.0 Benchmark incorporates all parents of (sub-)techniques mapped to a given recommendation: when a recommendation maps to a sub-technique, its parent technique is counted as mapped too. In addition, the Microsoft Windows 10 v1.11.0 Benchmark is mapped to a subset of the techniques within the Community Defense Model, as a number of them do not apply to the Windows operating system.
When a Benchmark recommendation maps to a given parent or (sub-)technique, it means that the recommendation potentially mitigates or disrupts that step in a cyber-attack.
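The coverage figures above are derived by mapping each recommendation to ATT&CK (sub-)technique IDs, adding the parent of every sub-technique, and counting recommendations that touch each attack pattern. The following is an added example that reproduces that arithmetic on constructed data; it is not CIS's own tooling, and the recommendation IDs ("rec-1" etc.) and attack-pattern contents are hypothetical stand-ins, not the real CDM patterns.

```python
from typing import Dict, List, Set

# Constructed sample data (not CIS's real mappings): recommendation IDs are
# placeholders, and the attack patterns are illustrative stand-ins for CDM patterns.
RECOMMENDATIONS: Dict[str, Set[str]] = {
    "rec-1": {"T1059.001"},   # maps to a sub-technique only
    "rec-2": {"T1486"},       # maps to a parent technique
    "rec-3": {"T1078.003"},
    "rec-4": {"T1566.001"},
    "rec-5": set(),           # a setting with no ATT&CK mapping
}
ATTACK_PATTERNS: Dict[str, Set[str]] = {
    "malware": {"T1059", "T1566.001"},
    "ransomware": {"T1486", "T1059.001"},
    "insider_misuse": {"T1078"},
}


def parent_of(technique_id: str) -> str:
    """Return the parent technique ID; a parent maps to itself (T1059.001 -> T1059)."""
    return technique_id.split(".", 1)[0]


def expand_with_parents(techniques: Set[str]) -> Set[str]:
    """Add the parent of every sub-technique, as the Benchmark methodology does."""
    return set(techniques) | {parent_of(t) for t in techniques}


def coverage(recs: Dict[str, Set[str]], pattern: Set[str]) -> float:
    """Percent of recommendations whose parent-expanded mapping touches the pattern."""
    hits = sum(1 for techs in recs.values() if expand_with_parents(techs) & pattern)
    return round(100.0 * hits / len(recs), 1)


def combined_coverage(recs: Dict[str, Set[str]], patterns: Dict[str, Set[str]]) -> float:
    """Coverage against the union of all patterns; never lower than any single pattern."""
    return coverage(recs, set().union(*patterns.values()))


def unmapped(recs: Dict[str, Set[str]]) -> List[str]:
    """Recommendations with no ATT&CK mapping at all: the gap a reviewer should inspect."""
    return sorted(r for r, techs in recs.items() if not techs)


if __name__ == "__main__":
    for name, pattern in ATTACK_PATTERNS.items():
        print(f"{name}: {coverage(RECOMMENDATIONS, pattern)}%")
    print(f"combined: {combined_coverage(RECOMMENDATIONS, ATTACK_PATTERNS)}%")
    print("unmapped:", unmapped(RECOMMENDATIONS))
```

Note that "rec-1" counts toward the malware pattern only because its sub-technique T1059.001 is expanded to the parent T1059, which is the parent-inclusion rule described above.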
CIS continues to refine this effort to help align CIS resources with industry frameworks. CIS is currently working to expand MITRE ATT&CK mappings across our catalog of technology-specific CIS Benchmarks, starting with those that are used most commonly.