CIS Community Defense Model (CDM)

The CIS Community Defense Model (CDM) was constructed using the following process:

• From the Verizon DBIR and other sources, we identified the five most important attack
types we want to defend against: Web-Application Hacking, Insider and Privilege
Misuse, Malware, Ransomware, and Targeted Intrusions.
• For each type of attack, we determined an attack pattern – the set of ATT&CK Model
Techniques required to execute the Tactics used in that attack.

• We identified the specific security value of Safeguards in the CIS Controls against the
Techniques found in each attack. We did this by going through the class of Mitigations
associated with each Technique.

• We then stood back to examine the security value (in terms of mitigating attacks) of
implementing the Sub-Controls comprising the CIS Controls.

IG1 is effective in mitigating 62% of all Techniques in the MITRE ATT&CK model

The CIS Controls (IG1, IG2 and IG3) are effective in mitigating 83% of all Techniques in the MITRE ATT&CK Model

The analysis shows that applying Implementation Group 1 (IG1) Safeguards is enough
to defend against the top five most frequently occurring attacks as described in the
2019 Verizon DBIR. That is, for each of the five attack patterns, the Safeguards in IG1
provide mitigation against all of the Techniques found in two or more steps (Tactics)
of that attack pattern, resulting in complete mitigation of these attack patterns. These
attacks are:

• Web-application hacking
• Insider and privilege misuse
• Malware
• Ransomware
• Targeted intrusions

For some time now, frameworks have enabled security professionals to understand the
granular steps an attacker must perform in order to obtain unauthorized access to a
computer system. The ATT&CK Model provides similar capabilities and supports a robust
data model that is gaining momentum throughout the cybersecurity community. The
ATT&CK Model also supports a visualization tool, the MITRE ATT&CK Navigator, that
lets a professional view all of the steps an attack takes to access a system at one
time. We refer to a collection of ATT&CK Techniques visualized in the ATT&CK
Navigator as an attack pattern.

CIS took the following steps to create the CDM:

1. Map Safeguards to ATT&CK Mitigations: The ATT&CK Model contains a list of Mitigations which can be used to associate Enterprise Techniques to the Safeguards.
2. Map ATT&CK Mitigations to ATT&CK Techniques: MITRE provides a mapping of Techniques to Mitigations that can be put into the acceptable format for this effort.
3. Identify Threat Sources: Choose a specific set of data sources for the CDM.
4. Analyze and Vet Data Sources: Understand the background and methodological information for each source.
5. Identify Attack Patterns: From the relevant reports and data sources, assess attack patterns and determine their priority for the CDM.
6. Define Selected Attack Patterns: Use the ATT&CK Model to select which Enterprise Techniques are associated with specific attack patterns.
7. Identify Safeguards to Defend Against Attack Patterns: Using the mappings from Step 2, lists of Safeguards can be created to defend against specific categories of attacks, such as ransomware.
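The mapping chain in Steps 1, 2 and 7, and the IG1 "two or more Tactics" rule stated earlier, as an added worked example (not CIS code; the Safeguard, Mitigation and Technique identifiers and the attack pattern are constructed sample data, not the real CIS/ATT&CK mapping):

```python
# Constructed sample data (not the real CIS/ATT&CK mapping).
# Step 1: Safeguard -> Mitigations, plus the Implementation Group of each Safeguard.
SAFEGUARD_IG = {"SG-1": 1, "SG-2": 1, "SG-3": 2, "SG-4": 3}
SAFEGUARD_TO_MITIGATIONS = {
    "SG-1": {"MIT-A"}, "SG-2": {"MIT-B"}, "SG-3": {"MIT-C"}, "SG-4": {"MIT-D"},
}
# Step 2: Mitigation -> Techniques it defends against.
MITIGATION_TO_TECHNIQUES = {
    "MIT-A": {"TECH-1", "TECH-2"}, "MIT-B": {"TECH-3"},
    "MIT-C": {"TECH-4"}, "MIT-D": {"TECH-5"},
}
ALL_TECHNIQUES = {"TECH-1", "TECH-2", "TECH-3", "TECH-4", "TECH-5", "TECH-6"}
# Constructed attack pattern: each Tactic (step) and the Techniques used in it.
RANSOMWARE_PATTERN = {
    "Initial Access": {"TECH-1"},
    "Execution": {"TECH-3"},
    "Impact": {"TECH-6"},
}


def techniques_mitigated(max_ig):
    """Techniques covered by Safeguards in IG1..max_ig (IGs are cumulative)."""
    covered = set()
    for safeguard, ig in SAFEGUARD_IG.items():
        if ig <= max_ig:
            for mitigation in SAFEGUARD_TO_MITIGATIONS[safeguard]:
                covered |= MITIGATION_TO_TECHNIQUES.get(mitigation, set())
    return covered


def coverage_percent(max_ig):
    """Share of all Techniques mitigated by the Safeguards up to max_ig."""
    covered = techniques_mitigated(max_ig) & ALL_TECHNIQUES
    return round(100 * len(covered) / len(ALL_TECHNIQUES))


def pattern_mitigated(pattern, max_ig, min_tactics=2):
    """CDM rule: a pattern counts as mitigated when every Technique in at least
    min_tactics of its Tactics is covered. Returns (verdict, covered tactics)."""
    covered = techniques_mitigated(max_ig)
    fully_covered = [t for t, techs in pattern.items() if techs <= covered]
    return len(fully_covered) >= min_tactics, fully_covered


def safeguards_for(techniques, max_ig):
    """Step 7: the Safeguards (up to max_ig) that defend against given Techniques."""
    result = set()
    for safeguard, ig in SAFEGUARD_IG.items():
        for mitigation in SAFEGUARD_TO_MITIGATIONS[safeguard]:
            if ig <= max_ig and MITIGATION_TO_TECHNIQUES[mitigation] & techniques:
                result.add(safeguard)
    return sorted(result)
```

With this sample data IG1 covers three of six Techniques and two of the pattern's three Tactics, so the pattern counts as mitigated under the rule even though the Impact step is not covered.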

ATT&CK Mitigations are a list of uniquely numbered defensive mitigations contained
within the broader ATT&CK Model. The ATT&CK Mitigations are easily identified as they
begin with the letter “M” followed by a unique number (e.g., M1047). These 41 defensive
actions are mapped to each of the ATT&CK Techniques and are included as part of the
overarching ATT&CK Model. If you view each Mitigation on the ATT&CK webpage, a
description is available for the Mitigation. Note that if you view a Technique on the
ATT&CK website, you will see a list of Mitigations with unique guidance that assists in
defending against that specific Technique. The mapping of the Controls to ATT&CK
Mitigations is available separately from this document within CIS WorkBench and via
the CIS website. An important caveat when considering the ATT&CK Mitigations is that
they represent defensive cybersecurity actions at a different level of abstraction than
the Controls. Ultimately, this section shows that the Controls cover a larger number of
defensive cybersecurity concepts than the ATT&CK Mitigations.

This difference in granularity is perhaps best demonstrated by the number of defensive actions within each collection: the Controls contain 171 Safeguards, whereas ATT&CK contains 41 Mitigations.


Zero Trust Blog
