CIS Community Defense Model for CIS Controls v7.1

This paper presents the CIS Community Defense Model (CDM)—our way to bring more rigor, analytics, and transparency to the security recommendations found in the CIS Controls. The CDM leverages the open availability of comprehensive summaries of attacks and security incidents (e.g., the Verizon Data Breach Investigations Report, or DBIR), and the industry-endorsed ecosystem that is developing around the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Model. In particular, the ATT&CK Model comprehensively lists the Tactics used by attackers (roughly, the steps in an attack) as well as the many Techniques that an attacker could use at each step (Tactic).


The CIS CDM was constructed using the following process:
  • From the Verizon DBIR and other sources, we identified the five most important attack types we want to defend against: Web-Application Hacking, Insider and Privilege Misuse, Malware, Ransomware, and Targeted Intrusions.
  • For each type of attack, we determined an attack pattern – the set of ATT&CK Model Techniques required to execute the Tactics used in that attack.
  • We identified the specific security value of Safeguards in the CIS Controls against the Techniques found in each attack. We did this by going through the class of Mitigations associated with each Technique.
  • We then stood back to examine the security value (in terms of mitigating attacks) of implementing the Sub-Controls comprising CIS Controls v7.1.
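
The chain described in the steps above (attack pattern → Techniques → Mitigations → Sub-Controls) can be sketched as a small coverage calculation. This is an added illustration, not code or data from the CDM: only the attack type names come from this page, and every `T-`, `M-` and `SC-` identifier is a constructed placeholder rather than a real ATT&CK or CIS mapping.

```python
from collections import defaultdict

# Constructed placeholder data, NOT the CDM's real mappings.
# Step 2: an attack pattern is the set of ATT&CK Techniques for an attack type.
ATTACK_PATTERNS = {
    "Web-Application Hacking": {"T-A", "T-B", "T-C"},
    "Ransomware": {"T-B", "T-D", "T-E"},
}
# ATT&CK Mitigations associated with each Technique.
TECHNIQUE_MITIGATIONS = {
    "T-A": {"M-1"}, "T-B": {"M-1", "M-2"}, "T-C": {"M-3"},
    "T-D": {"M-2"},
    "T-E": set(),  # no Mitigation listed, so no Sub-Control can cover it
}
# Step 3: Sub-Controls that implement each Mitigation.
MITIGATION_SUBCONTROLS = {"M-1": {"SC-1"}, "M-2": {"SC-2", "SC-3"}, "M-3": {"SC-4"}}

def subcontrol_techniques():
    """Map each Sub-Control to the Techniques it defends against via Mitigations."""
    out = defaultdict(set)
    for tech, mitigations in TECHNIQUE_MITIGATIONS.items():
        for m in mitigations:
            for sc in MITIGATION_SUBCONTROLS.get(m, ()):
                out[sc].add(tech)
    return dict(out)

def coverage(implemented):
    """Step 4: per attack type, (fraction of pattern mitigated, uncovered Techniques)."""
    sc_map = subcontrol_techniques()
    defended = set()
    for sc in implemented:
        defended |= sc_map.get(sc, set())
    return {
        attack: (len(pattern & defended) / len(pattern), sorted(pattern - defended))
        for attack, pattern in ATTACK_PATTERNS.items()
    }

def rank_subcontrols():
    """Rank Sub-Controls by the number of (attack type, Technique) pairs they defend."""
    sc_map = subcontrol_techniques()
    score = {sc: sum(len(techs & p) for p in ATTACK_PATTERNS.values())
             for sc, techs in sc_map.items()}
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for attack, (frac, gaps) in coverage({"SC-1", "SC-4"}).items():
        print(f"{attack}: {frac:.0%} covered, gaps: {gaps}")
    print(rank_subcontrols())
```

A Technique with no associated Mitigation, such as the placeholder `T-E`, stays in the gap list regardless of how many Sub-Controls are implemented.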