For the better part of a decade, I have spent a good amount of time analyzing security and compliance frameworks. There is beauty to be found in every one of them. Some are very high-level and leave it to the organization to interpret how to implement the various controls, such as the CIS Critical Security Controls. Others are incredibly prescriptive and provide step-by-step instructions on how to enable or disable specific settings, such as the hardening benchmarks from CIS or the STIGs from DISA.
Most fall somewhere in between: they dictate what should be done without providing the technical implementation steps.
I have talked with a lot of folks who are already implementing a compliance framework, such as PCI or NIST SP 800-53, and are looking for a place to start on the Critical Security Controls. When this happens, I often refer them to an excellent poster made available by CIS, which maps some of the more popular compliance frameworks to the twenty Critical Controls. (I am hoping that, now that version 7 of the Critical Security Controls has been released, we will see an updated poster from CIS in the coming months.)
Since last year, the MITRE ATT&CK Framework has gained a lot of recognition around the industry. The framework splits out 10 tactics into hundreds of techniques. What I particularly love about it is that each technique lists the mitigation and detection mechanisms you can put in place.
Additionally, each technique has real-world examples of threat actors or malware campaigns that have used it. ATT&CK is an incredible repository of actionable information.
What I wanted to see was a mapping of the Critical Security Controls to ATT&CK. I couldn't find anything available on the Internet, so I built one myself.
Last month, I went through and reviewed each individual Critical Security Control. Next, I compared those results with ATT&CK. For this first pass, I focused only on techniques that apply to Windows. I then crawled through each technique and looked at its mitigation and detection guidance to map it to specific Critical Security Controls.
A few findings from this exercise surprised me. The first is that there are five controls for which I found no mappings at all, and two controls with only one mapping each.
Control 1 (Inventory and Control of Hardware Assets) surprised me: it had zero mappings to the ATT&CK framework. What surprised me more was that there is no mention of firmware or the BIOS anywhere in the Critical Security Controls. Firmware is mentioned across several ATT&CK tactics, and attacking the firmware is something criminals are known to do from time to time. I would hope to see CIS add documenting firmware revisions to Controls 1 or 2, with a later mention of monitoring that firmware for integrity.
Controls 17, 18, 19 and 20 had only one mapping between them: a brief mention of separating development and production environments in the Shared Webroot technique. These four are known as the organizational controls and tie more closely to response and process than to mitigating or detecting individual techniques.
Control 11 (Secure Configuration for Network Devices) had only one mention in ATT&CK, which was Exfiltration Over Alternative Protocol. Since this control covers the secure configuration of networking equipment, references to it in a Windows-focused review are expected to be minimal. However, I think there should be some parity across similar ATT&CK techniques, for example, mentioning network hardening guidance in the other network-based techniques as well.
Finally, Control 15 had no mappings either. This control is for wireless access control, so again it would have minimal overlap with a Windows-focused review. After further review, I feel there could probably be a mapping or two here, for example in Exfiltration Over Other Network Medium, which calls for disabling services such as Bluetooth.
There were, however, three technologies that stood out after completing the analysis.
The first was application whitelisting. Even before this exercise, I knew that whitelisting was one of the most impactful technologies for blocking cyber-attacks. By limiting what can run on an endpoint, you force an attacker to play by your rules. Using tools built into the operating system for malicious purposes isn't unheard of, and neither is bypassing whitelisting technologies.
Still, one of the biggest wins will come from adopting whitelisting in some form. It's not surprising to see a blanket statement about whitelisting in such a large share of the techniques.
The next largest group of mappings was to Control 6, Maintenance, Monitoring and Analysis of Audit Logs. I have a long history with logs, and I firmly believe that all of the intelligence about your enterprise is in your logging product. At a high level, you shrink the attack surface down as far as possible and then monitor the rest. That last part relies almost solely on gathering and inspecting log data.
Finally, Control 14 had the third most mappings. This is because in Version 7 of the Critical Security Controls, file integrity monitoring moved from the secure configuration control to Controlled Access Based on the Need to Know (Control 14). I also lumped the monitoring of files and registry entries into this category.
One of the nicest pieces of data in ATT&CK is the Data Sources field, which tells you where to gather evidence from. Windows Registry and File Monitoring appear as data sources across quite a few techniques. It's why Tripwire Enterprise's largest policy is based on ATT&CK. File (and registry) integrity monitoring is a foundational control that provides a great deal of value if properly implemented and used.
For those interested, I used the ATT&CK Navigator to build out the mappings and have uploaded all of the JSON layer files to my GitHub account here. I know that I have probably missed some mappings and mapped others improperly, too. I would love for this to become collective knowledge that anyone can contribute to, so we can all secure our networks a little better than we did yesterday.
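To make the workflow above concrete, here is an added Python example; it is not part of the original post or of the author's GitHub files. It takes a small technique-to-control mapping (controls numbered per CIS Controls v7; the Exfiltration Over Alternative Protocol, Exfiltration Over Other Network Medium and Shared Webroot entries follow the observations above, the remaining entries are constructed for illustration), inverts it into per-control coverage, flags controls with zero or one mapping, ranks controls by coverage, and emits an ATT&CK Navigator layer for a chosen control. The per-technique layer fields (techniqueID, score, comment) are the ones the Navigator consumes; the top-level envelope keys and the domain string are assumptions to be checked against the Navigator's layer-format documentation for the version you run.

```python
import json

# CIS Controls v7 short names, used for labels and to catch typos in the mapping.
CIS_V7_CONTROLS = {
    1: "Inventory and Control of Hardware Assets",
    2: "Inventory and Control of Software Assets",
    3: "Continuous Vulnerability Management",
    4: "Controlled Use of Administrative Privileges",
    5: "Secure Configuration for Hardware and Software",
    6: "Maintenance, Monitoring and Analysis of Audit Logs",
    7: "Email and Web Browser Protections",
    8: "Malware Defenses",
    9: "Limitation and Control of Network Ports, Protocols and Services",
    10: "Data Recovery Capabilities",
    11: "Secure Configuration for Network Devices",
    12: "Boundary Defense",
    13: "Data Protection",
    14: "Controlled Access Based on the Need to Know",
    15: "Wireless Access Control",
    16: "Account Monitoring and Control",
    17: "Implement a Security Awareness and Training Program",
    18: "Application Software Security",
    19: "Incident Response and Management",
    20: "Penetration Tests and Red Team Exercises",
}

# Constructed sample mapping (NOT the author's published results): for each
# ATT&CK technique reviewed, the CIS Controls that its mitigation/detection
# text was judged to call for. Technique IDs are ATT&CK Enterprise IDs.
SAMPLE_MAPPING = {
    "T1048": ("Exfiltration Over Alternative Protocol", [11, 6, 12]),
    "T1011": ("Exfiltration Over Other Network Medium", [15, 6]),
    "T1051": ("Shared Webroot", [18]),
    "T1086": ("PowerShell", [2, 4, 6, 14]),
    "T1060": ("Registry Run Keys / Start Folder", [2, 6, 14]),
    "T1003": ("Credential Dumping", [4, 6, 8, 16]),
}


def coverage_by_control(mapping, controls=CIS_V7_CONTROLS):
    """Invert technique -> controls into control -> sorted technique IDs.
    Every control is present, even with an empty list, so gaps are visible."""
    coverage = {cid: [] for cid in controls}
    for tid, (_, cids) in mapping.items():
        for cid in cids:
            if cid not in coverage:
                raise ValueError(f"{tid} references unknown control {cid}")
            coverage[cid].append(tid)
    return {cid: sorted(tids) for cid, tids in coverage.items()}


def thin_coverage(coverage):
    """Return (unmapped, single_mapping) control IDs, each sorted ascending."""
    unmapped = sorted(c for c, t in coverage.items() if len(t) == 0)
    single = sorted(c for c, t in coverage.items() if len(t) == 1)
    return unmapped, single


def ranked_controls(coverage):
    """Control IDs from most to least mapped techniques (ties broken by ID)."""
    return sorted(coverage, key=lambda c: (-len(coverage[c]), c))


def navigator_layer(control_id, mapping, coverage, controls=CIS_V7_CONTROLS):
    """Build an ATT&CK Navigator layer highlighting the techniques mapped to one control.
    techniqueID/score/comment are the per-technique layer fields; the envelope keys
    (name, domain, description) and the domain value are assumptions to verify against
    the Navigator layer-format docs for the version in use."""
    return {
        "name": f"CIS Control {control_id}: {controls[control_id]}",
        "domain": "enterprise-attack",
        "description": "Techniques whose ATT&CK mitigation/detection guidance maps to this control",
        "techniques": [
            {"techniqueID": tid, "score": 1,
             "comment": f"{mapping[tid][0]} -> CIS Control {control_id}"}
            for tid in coverage[control_id]
        ],
    }


if __name__ == "__main__":
    cov = coverage_by_control(SAMPLE_MAPPING)
    unmapped, single = thin_coverage(cov)
    print("controls with no mappings:", unmapped)
    print("controls with one mapping:", single)
    for cid in ranked_controls(cov)[:3]:
        print(f"Control {cid} ({CIS_V7_CONTROLS[cid]}): {len(cov[cid])} techniques")
    # Write one layer per control that has at least one mapping.
    for cid, tids in cov.items():
        if tids:
            with open(f"cis-control-{cid:02d}.json", "w") as fh:
                json.dump(navigator_layer(cid, SAMPLE_MAPPING, cov), fh, indent=2)
```

Loading each emitted file into the Navigator colors the techniques mapped to that control, which is a quick way to spot a control whose layer is empty or nearly so, the situation described for Controls 1, 11, 15 and 17 through 20 above. Because the mapping is a plain dictionary, contributors can add or correct entries and regenerate all layers in one step.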
If you are interested in learning more, download this guide, which outlines where the MITRE ATT&CK framework intersects with the CIS Controls and shows how Tripwire solutions can help you battle cyber adversaries.