Mapping the ATT&CK Framework to CIS Controls


For the sport part of a decade, I have spent a good amount of time analyzing custody and compliance frameworks. There is beauty to be found in every one of them. Some are absolutely high level and leave the organization to interpret how to implement the various knobs, such as the CIS Critical Security Controls. Others are incredibly prescriptive and state look after step-by-step instructions on how to enable or disable various settings, such as the toughening benchmarks from CIS or DIS.Most fall somewhere in between, which order what should be done without providing technical implementation stairs.I have talked with a lot of folks who are already implementing a compliance framework, such as PCI or NIST SP800-53, and are looking where to start on implementing the Disparaging Security Controls. When this happens, I often refer to an not counting poster which was made available from CIS. This mapped some of the profuse popular compliance frameworks to the twenty Critical Controls. (I am hoping that now that form 7 of the Critical Security Controls has been released, we will see an updated flier from CIS in the coming months.)Beginning last year, the MITRE ATT&CK Framework has gained a lot of awareness around the industry. This framework splits out 10 tactics into hundreds of tacks. What I particularly love about it is that each technique leans out mitigation and detection mechanisms you can put in place.Additionally, each technique has real-world exempli gratia of threat actors or malware campaigns that have used the craftsmanship. ATT&CK is an incredible repository of actionable information.What I wanted to see was a mapping of the Decisive Security Controls to ATT&CK. I couldn’t find anything available on the Internet, so I scanned about it myself.Last month, I went through and reviewed each own Critical Security Control. Next, I compared those results with ATT&CK. For this initially pass, I focused only on techniques that applied to Windows. I then swamped through each technique and looked at the mitigating and detection guidance to try and map them to individual to Critical Security Controls.After going through this disturb, there were a few findings I had which were surprising. The first is that there are five rules which I did not find any mappings for, and two controls which only had one mapping.Curb 1 was surprising to me. This had zero mappings to the ATT&CK framework. What surprised me was that there was no allude to of firmware or bios anywhere in the Critical Security Controls. Mentions of the firmware are spread across sundry Tactics in ATT&CK, and attacking the firmware is something criminals are known to do from stretch to time. I would hope to see CIS add mentions of documenting firmware revisions in Oversees 1 or 2 with mentions later in the document of monitoring for integrity.Controls 17, 18, 19, and 20 had at most one mapping between all of them, which was a brief mention of separating maturity and production environments in the Shared Webroot technique. These four call the tunes are known as organizational controls and tie more closely to response than they do to extenuating or detecting threats.Control 10 had only one mention in ATT&CK, which was Exfiltration over and above Alternative Protocol. This control is for secure configurations of networking clobber, so seeing references to networking devices in a Windows-based framework should be least. However, I think there should be some parity in other nearly the same techniques in ATT&CK, for example, mentioning network hardening guidance in the other network-based pounce upon techniques.Finally, control 15 had no mappings either. This master is for wireless access controls, so again it would have minimal affect on a Windows framework. After further review, I feel that there quite couple be a mapping or two in here, for example, in Exfiltration over Other Network Middle which calls for disabling services such as Bluetooth.There were, still, three technologies that stood out after completing the analysis.The inception was implementing application whitelisting. Even before this activity, I recollected that whitelisting was one of the most impactful technologies in terms of blocking cyber-attacks. By limiting what can run on an endpoint, you are vigour an attacker to play by your rules. Using tools built into the functioning system for malicious purposes isn’t all that unheard of; neither is bypassing whitelisting technologies.Be that as it may, one of the biggest wins will come from adopting whitelisting in some protocol. It’s not surprising to see a blanket statement about whitelisting in nearly every system.The next biggest mapping was to Control 6 to monitor audit logs. I have on the agenda c trick a long history in logs, and I firmly believe that all of the intelligence thither your enterprise will be in your logging product. From a high-level where one is coming from, you shrink the attack surface down to as small as possible then record the rest. That last part lies almost solely on turnout and inspecting log data.Finally, control 14 had the third most mappings. This is because in Account 7 of the Critical Security Controls, file integrity monitoring was moved from Attach Configuration Management to Controlled Access. I also lumped monitoring data and registry entries into this category as well.In ATT&CK, one of the nice the sames of data comes in the Data Sources field, which mentioned where to stockpile data from. Windows Registry and File Monitoring is common across altogether a few of the techniques. It’s why Tripwire Enterprise’s largest policy is based on ATT&CK. File (and registry) Virtue Monitoring is a foundational control that will provide a ton of value if decently implemented and utilized.For those interested, I utilized the ATT&CK Navigator to build out the mappings. I be struck by uploaded all of the JSON files to my GitHub account here. I know that I sooner a be wearing probably missed mappings or improperly missed mappings, as well. I drive love for this to be a collective knowledge that anyone can contribute to so we can all sturdy our networks a little better than we did yesterday.If you are interested in learning various, download this guide which outlines where the MITRE ATT&CK framework intersects with the CIS in checks, and shows how Tripwire solutions can help you battle cyber adversaries.

Leave a Reply

Your email address will not be published. Required fields are marked *