CIS Community Defense Model v2.0…Coming to a Computer Near You: Summer 2021


Changes and advances in technology (and changes in workplace circumstances) have prompted a revamp of the CIS Community Defense Model (CDM). Set to go live in a few months, the new and improved CIS CDM v2.0 plays off of the foundational principles that made v1.0 so great!

While the first version primarily leveraged two well-known industry resources – the 2019 Verizon Data Breach Investigations Report (DBIR) and the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework v6.3 – the updated version uses those sources (2020 Verizon DBIR and MITRE ATT&CK Framework v8.2) along with other national and international threat reports in an effort to better validate the findings.

CIS CDM v1.0 Findings: Mitigating Attack Techniques

The findings in v1.0 show that the CIS Controls – a prioritized and prescriptive set of Safeguards that mitigate the most common cyber-attacks against systems and networks – are effective at mitigating approximately 83% of all the ATT&CK Techniques, and more specifically 90% of the ransomware ATT&CK Techniques identified in the framework.

CIS CDM v1.0 demonstrates the effectiveness of the CIS Controls v7.1 – and the three Implementation Groups (IGs) against a variety of other attack techniques:

  • Malware: Implementing IG1 (basic cyber hygiene) of the CIS Controls can mitigate 79% of ATT&CK Techniques in the malware attack pattern.
  • Insider Privilege & Misuse: 100% of the techniques can be defended against by properly implementing the CIS Safeguards in IG1.
  • Web-Application Hacking: 100% of instances of web-application hacking techniques can be defended against by implementing all of the CIS Controls.
  • Targeted Intrusion: 80% of targeted intrusion techniques can be defended against by implementing all of the CIS Controls.

Improving Security Mappings: v1.0 vs. v2.0

For CIS CDM v1.0, CIS created a master mapping between ATT&CK Mitigations and CIS Safeguards (formerly known as Sub-Controls), identifying the security function. Using the Verizon DBIR, CIS then identified the top five attack types: Web-Application Hacking, Insider and Privilege Misuse, Malware, Ransomware, and Targeted Intrusions. An attack pattern, comprised of a specific set of ATT&CK Techniques, was then created for each attack type. The master mapping was then used to map each attack pattern back to the CIS Safeguards, identifying the security value each CIS Safeguard provided against the ATT&CK Techniques.

In order to improve the fidelity of v2.0’s mapping, CIS made some improvements:

  • Mapping down to the ATT&CK Technique & Sub-Technique level
  • Only including the specific ATT&CK Techniques & Sub-Techniques within the ATT&CK Mitigations that can be mitigated or detected by implementing a CIS Safeguard
  • Using additional well-known industry resources to derive attack pattern mappings for each attack type

Community Defense Model v2.0 Findings

Drum roll please…v2.0 shows that—wait, did you really think we’d give the results away right now?!

Stay tuned; CIS CDM v2.0 is coming to a computer near you this summer! We’re very excited to provide you with this valuable and unique resource once again, and to finally share our findings.

While you’re waiting on the big reveal, join the CIS Community Defense Model Community to learn more and to get involved.