Introducing the Community Defense Model
The CIS Critical Security Controls (CIS Controls) are a set of more than 170 cybersecurity defensive measures, called safeguards, organized into a set of 20 Control activities. A community of security experts cooperate to keep this list of safeguards up-to-date based on vendor summaries of recent attack activity described in reports like the Verizon Data Breach Investigations Report (DBIR) and their experiences defending actual networks. Enterprises can select safeguards from the CIS Controls to create a robust cyber defense mission for their organization.
The challenge is that most organizations do not need to implement every safeguard. Many enterprises ask for assistance prioritizing the safeguards. What should they do first as a foundation? Our CIS Controls community responded by placing the safeguards into three implementation groups (IGs). We call the first implementation group, IG1, basic cyber hygiene. These are the safeguards that show up on any to-do list for cybersecurity and should be implemented by most organizations.
CIS Community Defense Model
CIS wants to do more to help enterprises select the appropriate safeguards. The cost of cyber defense can increase dramatically as safeguards are chosen from IG2 and IG3. To help organizations decide, CIS created the Community Defense Model (CDM) to address two important questions.
The first question is: how robust of a defense can be achieved by IG1, basic cyber hygiene, safeguards? In other words, how effective are the IG1 safeguards? A second question we intend to answer is how to select additional safeguards from IG2 and IG3. The goal is to determine the role that a safeguard plays for defense for each attack stage. This information will help an organization weigh effectiveness, reducing possible harm from threats against the cost of implementing the safeguards.
The Community Defense Model relies on the MITRE ATT&CK Framework. The CIS Controls and the MITRE ATT&CK Framework complement each other perfectly for this effort. The MITRE ATT&CK Framework is platform-and product-independent and expresses all of the possible attack techniques employed at every phase of an attack. The CIS Controls are also platform-and vendor-neutral and can express most of the defensive options available to mitigate each phase of an attack.
The CDM model has three steps:
- Identify the most prevalent and damaging attack patterns from current industry investigative reports on incidents and breaches
- Normalize the attack patterns by expressing them in the MITRE ATT&CK model as the set of techniques deployed to accomplish each tactic for each phase of an attack (some industry reports already do this for some attacks and CIS will use those when available)
- Identify the safeguards that mitigate each phase of the attack
Many attack techniques have more than one mitigation. The three CIS Controls IGs correspond to three different levels of investment in security controls corresponding to the expected sophistication of the attacker, the importance of what is being protected, and the extent of anticipated harm. An enterprise can weigh the cost of a safeguard in context of all of the mitigation effects in place to address an attack technique.
MITRE provides some high-level mitigations to the attack techniques for each attack phase in its model. The list of MITRE mitigations allowed us to readily map our more implementable and granular safeguards to defensive measures against the attack techniques.
CIS ascertained that the safeguards in IG1 provide defense against approximately 62% of the Techniques identified in the ATT&CK Framework with a focus on the Initial Access, Execution, Persistence, Privilege Escalation, and Defense Evasion of the top attack patterns’ stages (or Tactics). If these top attack patterns’ stages are successfully defended against, organizations can mitigate subsequent impacts of an attack.
Most importantly, though, CIS determined that the safeguards in IG1 defend against the five most significant attack patterns from the 2019 Verizon DBIR. Any organization can start by implementing IG1 to create a solid foundation for cyber defense.
Future reports will apply the CDM to more current attack patterns. An assessment will be made on the effectiveness of IG1 to defend against each attack pattern and options for additional safeguards from IG2 and IG3 will be identified that will help protect enterprises against more capable attackers and to defend more valuable assets. Organizations can factor in the information about the contribution each safeguard makes for countering threats when they perform a risk assessment that balances the cost of a defense measure against the harm that could result from an attack.
About the Author
Executive Vice President & General Manager, Security Best Practices
Curtis W. Dukes joined CIS as the Executive Vice President and General Manager of the Best Practices and Automation Group in January 2017. The CIS Benchmarks™ and CIS Controls™ program provides vendor-agnostic, consensus-based best practices to help organizations assess and improve their security. Prior to CIS, Curtis served as the Deputy National Manager (DNM) for National Security Systems (NSS). On behalf of the Director of NSA, the DNM is charged with securing systems that handle classified information or are otherwise critical to military and intelligence activities.
Dukes joined the National Security Agency in 1984 as a Computer Scientist. He served in a variety of organizations within NSA and earned the Distinguished Executive, Meritorious Executive, as well as Exceptional Performance and Meritorious Civilian Service Awards. He completed an overseas assignment and an intelligence community assignment for the Department of Defense. In Germany, Curtis had operational responsibilities for implementing Information Assurance activities across the European command. Following his community assignment, he became Deputy, then Chief of the Network Architecture and Applications Division, then Chief of the Systems and Network Attack Center. He later led highly skilled technical workforces as Director NSA/CSS Commercial Solutions Center. His last roles of responsibility at NSA were Deputy Director, then Director, of the Information Assurance Directorate.
Dukes earned a Bachelor’s Degree in Computer Science from the University of Florida, and a Master’s Degree in Computer Science from Johns Hopkins University. He is a 2004 graduate of the Intelligence Community Officer Training Program.