CIS Introduces v2.0 of the CIS Community Defense Model

The Center for Internet Security (CIS) Community Defense Model (CDM) v2.0 can be used to design, prioritize, implement, and improve an enterprise’s cybersecurity program. Enterprises naturally want to know how effective the CIS Critical Security Controls (CIS Controls) are against the most prevalent types of attacks. The CDM was created to help answer that and other questions about the value of the Controls based on currently available threat data from industry reports.

This guide is the second edition of the CIS Community Defense Model (CDM). The same security experts who help create the CIS Controls work with CIS to apply the CDM to current threat data.

Enterprises that adopt the CIS Controls have repeatedly asked us to identify “What should we do first?” In response, the Controls Community sorted the Safeguards in the CIS Controls into three Implementation Groups (IGs) based on their difficulty and cost to implement.

Implementation Group 1 (IG1), the group that is least costly and difficult to implement, is what we call essential cyber hygiene and are the Safeguards we assert that every enterprise should deploy. For enterprises that face more sophisticated attacks or that must protect more critical data or systems, these Safeguards also provide the foundation for the other two Implementation Groups (IG2 and IG3).

Backs up the CIS Controls with Real Data

Our methodology is straightforward.

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework allows us to express any attack type as a set of attack techniques, which we refer to as attack patterns. For each of the five most prevalent attack types, such as ransomware, we collect the corresponding attack patterns through analysis of industry threat data. We then track which Safeguards defend against each of the techniques found in those attack patterns. This methodology allows us to measure which Safeguards are most effective overall for defense across attack types.

CDM v2.0 can be used by any enterprise to design, prioritize, implement, and improve an enterprise’s security program. Our work with the CIS Controls and ATT&CK framework, combined with using industry threat data to back our analysis, is the backbone of the CDM. We at CIS understand that not all enterprises will be able to perform this type of analysis on their own, which is why we created the CDM.

Where to Start?

The CDM tells us that IG1 defends against the top five attacks. The CDM can also help an enterprise focus on which technical IG1 Safeguards are most effective in defending against specific attacks. We at CIS feel that this is a powerful approach to an enterprise’s risk management strategy.

For CDM v2.0, the top five attack types are: Malware, Ransomware, Web Application Hacking, Insider Privilege and Misuse, and Targeted Intrusions. Our analysis found that, overall, implementing IG1 Safeguards defends against 77% of ATT&CK (sub-)techniques used across the top five attack types. That percentage goes up to 91% if all CIS Safeguards are implemented. These results strongly reinforce the value of a relatively small number of well-chosen and basic defensive steps (IG1) and also support IG1 as the preferred on-ramp to implementing the CIS Controls. We also found that CIS Safeguard 4.1 “Establish and Maintain a Secure Configuration Process” is most effective in defending against the top five attacks, reinforcing the importance of secure configurations, such as those contained within the CIS Benchmarks.

Additionally, independent of any specific attack type, implementing IG1 Safeguards defends against 74% of ATT&CK (sub-)techniques in the MITRE ATT&CK framework, and implementation of all CIS Safeguards defends against 86% of ATT&CK (sub-)techniques in the framework. Since many ATT&CK (sub-)techniques are used across multiple attack types, we can extrapolate that the CIS Controls defend against more than the top five attacks mentioned in this guide.

We also analyzed each attack type individually. As an example, our analysis determined that implementing IG1 Safeguards defends against 78% of Ransomware ATT&CK (sub-)techniques, and implementing all CIS Safeguards defends against 92% of those techniques.

While this is just the tip of the iceberg, this and other in-depth analysis can be found in the CDM v2.0 guide.

What the Numbers Say

Overall, our analysis provides us with three key findings:

• IG1 provides a viable defense against the top five attack types. Enterprises achieve a high level of protection and are well-positioned to defend against the top five attack types through implementation of essential cyber hygiene, or IG1. These results strongly reinforce the value of a relatively small number of well-chosen and basic defensive steps (IG1). As such, enterprises should aim to start with IG1 to obtain the highest value and work up to IG2 and IG3, as appropriate.
• Independent of any specific attack type, the CIS Controls are effective at defending against a wide array of attacks. Specifically, the CIS Controls are effective at defending against 86% of the ATT&CK (sub-)techniques found in the ATT&CK framework. More importantly, the Controls are highly effective against the five attack types found in industry threat data. The bottom line, the CIS Controls, and specifically IG1, are a robust foundation for your cyber security program.
• Establishing and maintaining a secure configuration process (CIS Safeguard 4.1) is a linchpin Safeguard for all five attack types. CIS Safeguard 4.1 is most effective in defending against the top five attack types, reinforcing the importance of secure configurations, such as those contained within the CIS Benchmarks.

CDM v2.0 affirms the prioritization of the CIS Controls and Implementation Groups. In particular, CDM data backs the premise that all enterprises should start with essential cyber hygiene, or IG1, as a way to defend against the top five attacks.