Category Archives: News

Cyber-Attack Defense: CIS Benchmarks + CDM + MITRE ATT&CK


By Jennifer Jarose, CIS Cybersecurity Engineer, CIS Benchmarks

Six trillion dollars: that is the amount global cybercrime is expected to cost this year, according to Cyber Security Ventures. The Center for Internet Security (CIS) is committed to validating our standards against recognized cyber defense frameworks in the hope of helping reduce this amount in the future. Starting today, with the CIS Microsoft Windows 10 Benchmark, the CIS Benchmarks will map to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework and the CIS Community Defense Model (CDM) 2.0. These mappings will improve the use, understanding, and effectiveness of the CIS Benchmarks, in turn strengthening security posture and providing more support to prevent top cyber-attacks.

CIS Benchmarks and CIS Community Defense Model

CIS Benchmarks are consensus-developed, industry best practices for securely configuring operating systems, cloud services, applications, networks, and more. A global community of information technology (IT) security professionals drawn from academia, government, industry, and individual practitioners drives the development and maintenance of the CIS Benchmarks. CIS relies on the contributions of passionate industry experts to create and maintain the CIS Benchmarks. Interested in contributing? Sign up for CIS WorkBench and join a community.

The CIS CDM v2.0 can be used to design, prioritize, implement, and improve an enterprise’s cybersecurity program. Enterprises naturally want to know, “how effective are the CIS Critical Security Controls (CIS Controls) against the top cyber-attacks?” The CDM can help answer that. This model leverages industry threat data to determine the top five cyber-attack types and creates comprehensive attack patterns (the set of attacker (sub-)techniques that are required to execute an attack). CDM v2 builds on the original version by mapping the Safeguards from the CIS Controls v8 to the MITRE Enterprise ATT&CK® v8.2 framework. This methodology measures which Safeguards are most effective overall for defense across attack types.

Unifying the CIS Benchmarks, CDM, and MITRE ATT&CK Against Cyber-Attacks

To start these new mappings, CIS focused on two of the most downloaded CIS Benchmarks – Microsoft Windows 10 and Red Hat Enterprise Linux 7 – and drilled into MITRE ATT&CK (sub-)techniques. This level of granularity gives CIS Benchmarks users a more detailed look at the effectiveness of the CIS Benchmarks against the top five attack types found in the CIS CDM. Combining technology-specific, security-focused configuration settings from the CIS Benchmarks with the prioritized, enterprise cyber defense guidance from the CIS CDM gives users a more holistic view of their cybersecurity program.

Mapping the MITRE ATT&CK framework to the CIS Benchmarks highlights the effectiveness of the CIS Microsoft Windows 10 v1.11.0 Benchmark not only as a set of security-focused configuration recommendations, but also quantifies its ability to reduce the risk and impact of a range of cyber-attacks. Additionally, CIS SecureSuite Members can visit CIS WorkBench to view the MITRE ATT&CK framework mappings, which can be found in the Excel version of the Benchmarks. CIS will continue refining and expanding this methodology, which will further support unification across other frameworks as CIS updates and expands the mappings offered.

CIS Benchmarks’ Effectiveness Against Common Cyber-Attacks

The following findings demonstrate the security value of the CIS Microsoft Windows 10 v1.11.0 Benchmark against the top five cyber-attack types found in the CIS CDM:

Malware: 67% of recommendations map to a parent or (sub-)technique
Ransomware: 74% of recommendations map to a parent or (sub-)technique
Web Application Hacking: 41% of recommendations map to a parent or (sub-)technique
Insider and Privilege Misuse: 64% of recommendations map to a parent or (sub-)technique
Targeted Intrusion: 59% of recommendations map to a parent or (sub-)technique
Combined Attack Types: 83% of recommendations map to a parent or (sub-)technique when the above attack types are combined

The CIS Microsoft Windows 10 v1.11.0 Benchmark incorporates all parents of (sub-)techniques mapped to a given recommendation. In addition, the Microsoft Windows 10 v1.11.0 Benchmark is mapped to a subset of techniques within the Community Defense Model as a number of them do not apply to the Windows operating system.

When a Benchmark recommendation maps to a given parent or (sub-)technique, it means that the recommendation potentially mitigates or disrupts that step in a cyber-attack.
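The coverage figures above are a property of the mapping table: each recommendation is linked to one or more ATT&CK (sub-)techniques, the parent of every sub-technique is also counted, and a recommendation covers an attack type when any of its techniques appears in that attack type's pattern. The following added example (not CIS's own tooling or data) computes those per-attack-type and combined percentages from such a table. All technique IDs, recommendation names and attack patterns are constructed sample data, not the real Windows 10 Benchmark mapping; the choice to expand the attack patterns with parent techniques as well, so that a recommendation mapped only to a parent still counts, is an assumption.

```python
"""Coverage of Benchmark recommendations against CDM attack patterns.

Added example, not CIS code. Sample data is constructed for illustration.
"""
from __future__ import annotations
import re

# ATT&CK IDs look like T1110 (technique) or T1110.001 (sub-technique)
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def parent_of(technique: str) -> str:
    """Return the parent technique of a sub-technique, or the ID unchanged."""
    if not TECHNIQUE_ID.match(technique):
        raise ValueError(f"not an ATT&CK technique ID: {technique!r}")
    return technique.split(".")[0]


def expand_with_parents(techniques: set[str]) -> set[str]:
    """Add the parent of every sub-technique, as the Benchmark mapping does."""
    return set(techniques) | {parent_of(t) for t in techniques}


def coverage(recommendations: dict[str, set[str]],
             attack_patterns: dict[str, set[str]]) -> dict[str, float]:
    """Percent of recommendations mapped to each attack pattern, plus a combined figure."""
    expanded = {rec: expand_with_parents(techs) for rec, techs in recommendations.items()}
    total = len(expanded)
    result: dict[str, float] = {}
    for attack, pattern in attack_patterns.items():
        pattern = expand_with_parents(pattern)  # assumption: parents count on this side too
        hits = sum(1 for techs in expanded.values() if techs & pattern)
        result[attack] = round(100 * hits / total, 1)
    # "Combined": a recommendation counts if it maps into the union of all patterns
    combined = expand_with_parents(set().union(*attack_patterns.values()))
    hits = sum(1 for techs in expanded.values() if techs & combined)
    result["Combined Attack Types"] = round(100 * hits / total, 1)
    return result


def uncovered(recommendations: dict[str, set[str]],
              attack_patterns: dict[str, set[str]]) -> list[str]:
    """Recommendations that map to no technique in any attack pattern (still useful, just unscored)."""
    combined = expand_with_parents(set().union(*attack_patterns.values()))
    return sorted(rec for rec, techs in recommendations.items()
                  if not expand_with_parents(techs) & combined)


# Constructed sample mapping: recommendation -> (sub-)techniques it mitigates
SAMPLE_RECOMMENDATIONS = {
    "Enforce password history":        {"T1110.001"},  # brute force: password guessing
    "Disable SMBv1":                   {"T1021.002"},  # remote services: SMB/admin shares
    "Disable Autorun":                 {"T1091"},      # replication through removable media
    "Restrict LSASS access":           {"T1003.001"},  # OS credential dumping: LSASS memory
    "Disable unused hardware buses":   {"T1200"},      # hardware additions (in no pattern below)
}

# Constructed sample attack patterns, a cut-down stand-in for the CDM's top attack types
SAMPLE_PATTERNS = {
    "Ransomware": {"T1110", "T1021.002", "T1486"},
    "Malware":    {"T1091", "T1003.001", "T1059.001"},
}

if __name__ == "__main__":
    for attack, pct in coverage(SAMPLE_RECOMMENDATIONS, SAMPLE_PATTERNS).items():
        print(f"{attack}: {pct}% of recommendations map to a parent or (sub-)technique")
    print("not scored against any pattern:", uncovered(SAMPLE_RECOMMENDATIONS, SAMPLE_PATTERNS))
```

The combined figure is higher than any single attack type for the same reason it is in the findings above: a recommendation needs to hit only one of the union's techniques, so recommendations that serve different attack types add up rather than overlap.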

This effort is ongoing to further align CIS resources with industry frameworks. CIS is currently working to expand MITRE ATT&CK mappings to our catalog of technology-specific CIS Benchmarks, starting with the most commonly used. Next up is Red Hat Enterprise Linux 7. Stay tuned for an even more detailed report on the effectiveness of the Microsoft Windows 10 and Red Hat Enterprise Linux mappings to the Community Defense Model’s top five cyber-attack types.


Join the Center for Internet Security at AWS re:Invent 2021


This year, Amazon Web Services (AWS) returns to hosting its cloud computing conference, AWS re:Invent 2021, in person. Cloud professionals from around the globe will gather in Las Vegas to learn the latest news in AWS cloud computing. The five-day conference is packed with sessions on containers, DevOps, end user computing, IoT, and much more.

The Center for Internet Security (CIS) is a proud sponsor of AWS re:Invent, which will be held November 29 – December 3. Find us at Booth #732 on the Expo Floor at The Venetian. Not only is CIS sponsoring the event, but we’ve also highlighted several must-see sessions that leverage our best practices.

AWS re:Invent 2021 Essential Sessions

Workshop | WPS203 – Simplifying compliance with AWS GovCloud (US)

Tuesday, November 30 | 5:00 – 7:15 P.M.

AWS GovCloud (US) gives customers the flexibility to architect secure cloud workloads that comply with some of the strictest U.S. compliance regulations. From Controlled Unclassified Information (CUI), personally identifiable information (PII), sensitive patient medical records, and financial data to law enforcement data and export-controlled data, AWS GovCloud (US) can help address some of the most stringent security and compliance requirements. Join this workshop to dive into the basics of how AWS and AWS GovCloud (US) Regions can help address these stringent security, compliance, and governance requirements.

CIS also offers CIS Hardened Images, pre-hardened virtual machine (VM) images that help secure cloud workloads on AWS Cloud in the AWS GovCloud (US) Region. They’re available for Windows and Linux operating systems.

See full list of CIS Hardened Images on AWS Cloud – Free trials available

Chalk Talk | SEC312 – Develop a strategy for automated remediation and response

Wednesday, December 1 | 12:15 – 1:15 P.M.

In this chalk talk, you’ll consider a framework to use with AWS Security Hub to determine which findings should be auto-remediated. For example, the CIS AWS Foundations Benchmark is available within AWS Security Hub. This Benchmark provides recommendations to securely configure your AWS account, covering areas such as identity and access management, networking, and more.

This session will explore whether a remediation is a destructive action and how to tag findings to automate these decisions. When auto-remediation isn’t appropriate or should include approvals, learn how to auto-respond to findings. You’ll learn how to enrich these findings with assignee information based on resource tags; you can then use that assignee information in email, Slack, or ticket notifications.

Chalk Talk | SEC305 – Automate vulnerability management with Amazon Inspector

Thursday, December 2 | 11:30 A.M. – 12:30 P.M.

Amazon Inspector is a vulnerability management service that scans AWS workloads for software vulnerabilities and unintended network exposure. In this chalk talk, learn how to get the most out of Amazon Inspector. This includes how to prioritize the most critical vulnerabilities to help increase remediation response efficiency.

Windows and Linux users can apply the knowledge from this session and run assessments to check the configurations of their Amazon EC2 instances against CIS Benchmarks. The findings within the Amazon Inspector assessment will detail the steps needed to remediate vulnerabilities.

From the CIS Booth: New CIS AWS Resources to Secure Cloud Workloads

Foundational Security for AWS

CIS Benchmarks are a set of prescriptive guides to help organizations securely configure a variety of technologies. They cover more than 25 vendor product families, helping to safeguard systems against today’s evolving cyber threats. Because of CIS’s deep partnership with AWS, CIS Benchmarks are integrated with several AWS services:

AWS Audit Manager
AWS Config
AWS Inspector
AWS Security Hub

These integrations allow AWS customers to audit and test the security of their AWS environments against CIS Benchmarks. Within these four AWS services, cloud consumers will find the CIS AWS Foundations Benchmark and CIS Benchmarks for various operating systems.

AWS Graviton2

At AWS re:Invent 2021, stop by our booth to learn how to implement the latest cloud security resources and provide feedback to the CIS team. First, CIS built two CIS Hardened Images on AWS Graviton2 processors. In addition to their compliance with CIS Benchmarks standards, they also deliver 40% better price performance compared to current generation x86-based instances.

DISA STIG Compliance

For organizations and industries that require compliance with DISA Security Technical Implementation Guides (STIGs), CIS has created four Benchmarks. These are also available as pre-configured CIS Hardened Images in AWS Marketplace. Notably, CIS recently released a new hardened VM secured to STIG standards for Microsoft Windows Server 2019. STIG Benchmarks and CIS Hardened Images are also available for:

Amazon Linux 2
Microsoft Windows Server 2016
Red Hat Enterprise Linux 7
Ubuntu Linux 20.04

The team plans to release additional STIG Benchmarks and VMs for Apple macOS 11 and Red Hat Enterprise Linux 8 in the coming months.

These are just a few of the many cloud security resources that CIS provides. Stop by Booth #732 at AWS re:Invent 2021 to learn how you can incorporate CIS cloud security resources into your cybersecurity program.


CIS Benchmarks November 2021 Update


The following CIS Benchmark updates have been released. We’ve highlighted the major updates below. Each Benchmark includes a full changelog that can be referenced to see all changes made.

CIS AlmaLinux OS 8 Benchmark v1.0.0

Prescriptive guidance for establishing a secure configuration posture for AlmaLinux OS 8 Linux distribution systems running on x86_64 platforms.

Special thanks to Jack Aboutboul and Simon John for their contributions to the initial development of the benchmark and thanks to the CIS AlmaLinux Community for their time and expertise toward this release. Your contributions are invaluable to our consensus process.

Download the AlmaLinux OS 8 Benchmark PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

CIS PostgreSQL 14 Benchmark v1.0.0

Prescriptive guidance for establishing a secure configuration posture for PostgreSQL 14. This guide was tested against PostgreSQL 14 running on RHEL 8, but applies to other Linux distributions as well.

Special thanks to Doug Hunley and Crunchy Data for their significant contributions, and thanks to the CIS PostgreSQL Community who participated in general and ticket-specific discussions.

Download the PostgreSQL 14 PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

CIS MongoDB 5 Benchmark v1.0.0

Prescriptive guidance for establishing a secure configuration posture for MongoDB version(s) 5.x. This guide was tested against MongoDB 5.0.2 running on Ubuntu Linux, Linux Red Hat, and Windows, but applies to other distributions as well.

Download the MongoDB 5 PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

CIS MongoDB 3.6 Benchmark v1.1.0

Prescriptive guidance for establishing a secure configuration posture for MongoDB version 3.6. This guide was tested against MongoDB 3.6 running on Ubuntu Linux and Windows, but applies to other distributions as well.

Thanks to the CIS MongoDB community for their support, and special thanks to Vinesh Redkar, Pralhad Chaskar, Emad Al-Mousa, and Matthew Reagan.

Download the MongoDB 3.6 PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

Volunteers Needed for CIS Benchmarks

Get involved by helping us develop content, review recommendations, and test CIS Benchmarks. Join a community today! We’re looking for contributors for the following technologies:

Google Kubernetes Engine
Google Cloud Computing – Container-Optimized OS Benchmark
IBM AIX
Microsoft Windows
EMS Gateway
Windows Server 2022
Windows 11
Windows 10 21H

Interested in learning more about the CIS Benchmarks development process or how you can get involved? Reach out to us at benchmarkinfo@cisecurity.org. You can also learn more on the CIS Benchmarks Community page.


CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8


Risk assessments are valuable tools for understanding the threats enterprises face, allowing them to organize a strategy and build better resiliency and business continuity, all before a disaster occurs. Preparation is key – after all, the worst time to plan for a disaster is during a disaster.

The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM helps enterprises define their acceptable level of risk, and then manage that risk after implementation of the Controls. Few enterprises can apply all Controls to all environments and information assets. Some Controls offer effective security, but at the cost of necessary efficiency, collaboration, utility, productivity, or available funds and resources.

When enterprises conduct a cyber risk assessment for the first time, it can be challenging to know where to start. CIS RAM is a powerful, free tool to guide the prioritization and implementation of the CIS Controls, and to complement an enterprise’s technical ability with a sound business risk-decision process. It is also designed to be consistent with more formal security frameworks and their associated risk assessment methods. Most importantly, CIS RAM lets enterprises of varying security capabilities navigate the balance between implementing security controls, risks, and enterprise needs.

CIS RAM Can Help Your Enterprise Demonstrate “Due Care”

If you experience a breach and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonableness.” Enterprises must use safeguards to ensure that risk is reasonable to the enterprise and appropriate to other interested parties at the time of the breach. CIS RAM provides a method to “draw a line” at an enterprise’s acceptable risk definition, with risks below the line adhering to “due care,” and risks above the line requiring risk treatment. At the core of CIS RAM is the Duty of Care Risk Analysis (DoCRA) methodology, which allows enterprises to weigh the risks of not implementing the controls against the potential burden those controls place on the enterprise.

CIS RAM helps you answer questions like:

What are my enterprise’s risks?
What constitutes “due care” or “reasonableness”?
How much security is enough?

What’s New for CIS RAM v2.0

CIS RAM is made up of a family of documents, with CIS RAM Core at the foundation of it all. CIS RAM Core is a “bare essentials” version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help users rapidly understand and implement CIS RAM. It is also useful for enterprises and cybersecurity practitioners who are experienced at assessing risk, and who are able to quickly adopt RAM’s principles and practices for their environment.

As previously mentioned, CIS RAM uses DoCRA, which presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals to create a “universal translator” for these disciplines. The standard includes three principles and 10 practices that guide risk assessors in developing this universal translator for their enterprise.

And now, CIS RAM v2.0 helps enterprises estimate the likelihood of security incidents by using data about real-world cybersecurity incidents. We have evolved our thinking about threat likelihood: instead of asking, “how likely is it that this risk will occur?” we now ask, “when a security incident occurs, what is the most likely way it will happen here?” CIS RAM now uses data from the VERIS Community Database to help each enterprise automatically estimate that likelihood by comparing the real-world incident data to the resilience of their deployment of each CIS Safeguard.

CIS RAM v2.0 provides three different approaches to support enterprises of three levels of capability, in alignment with the CIS Controls Implementation Groups: IG1, IG2, and IG3. One document for each Implementation Group will be the anchors in the CIS RAM family and will be available for both v8 and v7.1 of the CIS Critical Security Controls. Each document will have a workbook with a corresponding guide. The first of many documents in the CIS RAM v2.0 family, CIS RAM v2.0 for Implementation Group 1 and CIS RAM v2.0 for Implementation Group 1 Workbook are now available for download and will help enterprises in IG1 to build their cybersecurity program. These IG1 documents automate much of the risk assessment process so that enterprises with little or no cybersecurity expertise can become aware of their risks, and know which to address first.

All CIS RAM documents have material to help readers accomplish their risk assessments, and include the following: examples, templates, exercises, background material, and further guidance on risk analysis techniques. We are actively working on CIS RAM v2.0 for IG2 and IG3.

The CIS RAM Core Process

CIS RAM Core risk assessments involve the following activities:

Developing the Risk Assessment Criteria and Risk Acceptance Criteria: Establish and define the criteria for evaluating and accepting risk.
Modeling the Risks: Evaluate current implementations of the CIS Safeguards that would prevent or detect foreseeable threats.
Evaluating the Risks: Estimate the likelihood and impact of security breaches to arrive at the risk score, then determine whether identified risks are acceptable.
Recommending CIS Safeguards: Propose CIS Safeguards that would reduce unacceptable risks.
Evaluating Recommended CIS Safeguards: Risk-analyze the recommended CIS Safeguards to ensure that they pose acceptably low risks without creating an undue burden.
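The five activities above form one procedure: define the criteria, model each risk against the Safeguard that should prevent or detect it, score it, propose Safeguards for the risks above the line, and then check that the proposals themselves leave acceptable risk without undue burden. The added example below (not the CIS RAM workbook or its scoring) walks that procedure over constructed data. The 1-to-5 scales, the impact-times-likelihood score, the acceptable-risk line and the burden limit are assumptions chosen for illustration; CIS RAM has each enterprise define its own criteria.

```python
"""CIS RAM Core activities as a small worked procedure.

Added example, not CIS RAM's own workbook. Scales, scoring and thresholds are
constructed assumptions; the Safeguard numbers cited in the sample are only
labels for the illustration.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskCriteria:
    """Activity 1: risk assessment and acceptance criteria (assumed 1..5 scales)."""
    acceptable_risk: int   # scores at or below this line adhere to "due care"
    max_burden: int        # highest Safeguard burden (1..5) the enterprise will carry


@dataclass(frozen=True)
class Risk:
    """Activity 2: a foreseeable threat to an asset and the Safeguard meant to prevent or detect it."""
    asset: str
    threat: str
    safeguard: str
    impact: int            # 1 (negligible) .. 5 (catastrophic), constructed scale
    likelihood: int        # 1 (rare) .. 5 (expected), constructed scale

    def score(self) -> int:
        """Activity 3: assumed scoring, risk = impact x likelihood."""
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Proposal:
    """Activity 4: a proposed Safeguard change, with the residual risk it leaves and the burden it adds."""
    change: str
    risk: Risk
    residual_impact: int
    residual_likelihood: int
    burden: int

    def residual_score(self) -> int:
        return self.residual_impact * self.residual_likelihood


def validate(risk: Risk) -> None:
    """Reject values outside the assumed 1..5 scales before scoring."""
    for name, value in (("impact", risk.impact), ("likelihood", risk.likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be in 1..5, got {value}")


def unacceptable_risks(criteria: RiskCriteria, risks: list[Risk]) -> list[Risk]:
    """Activity 3: the risks above the acceptance line, highest score first."""
    for r in risks:
        validate(r)
    above = [r for r in risks if r.score() > criteria.acceptable_risk]
    return sorted(above, key=lambda r: r.score(), reverse=True)


def evaluate_proposals(criteria: RiskCriteria, proposals: list[Proposal]) -> dict[str, str]:
    """Activity 5: accept a proposal only if residual risk is below the line and the burden is bearable."""
    verdicts: dict[str, str] = {}
    for p in proposals:
        if p.residual_score() > criteria.acceptable_risk:
            verdicts[p.change] = "rejected: residual risk still above the acceptable line"
        elif p.burden > criteria.max_burden:
            verdicts[p.change] = "rejected: undue burden on the enterprise"
        else:
            verdicts[p.change] = "accepted"
    return verdicts


# Constructed sample: criteria, modeled risks and proposals
CRITERIA = RiskCriteria(acceptable_risk=6, max_burden=3)

LAPTOPS = Risk("laptop fleet", "ransomware delivered by phishing attachment",
               "Safeguard 10.1 (anti-malware)", impact=4, likelihood=3)      # score 12
HR_SHARE = Risk("HR file share", "access by a departed employee",
                "Safeguard 5.3 (disable dormant accounts)", impact=3, likelihood=2)  # score 6
CUSTOMER_DB = Risk("customer database", "credential stuffing against the web login",
                   "Safeguard 6.3 (MFA for external applications)", impact=5, likelihood=4)  # score 20

PROPOSALS = [
    Proposal("Require MFA on all external logins", CUSTOMER_DB, 5, 1, burden=2),
    Proposal("Deploy EDR but leave Office macros enabled", LAPTOPS, 4, 2, burden=1),
    Proposal("Air-gap every laptop", LAPTOPS, 2, 2, burden=5),
]

if __name__ == "__main__":
    for r in unacceptable_risks(CRITERIA, [LAPTOPS, HR_SHARE, CUSTOMER_DB]):
        print(f"above the line ({r.score()}): {r.asset} / {r.threat} -> {r.safeguard}")
    for change, verdict in evaluate_proposals(CRITERIA, PROPOSALS).items():
        print(f"{change}: {verdict}")
```

The last activity is what distinguishes this from a plain risk register: a proposal can fail either because it leaves the risk above the line or because the burden it imposes is itself unreasonable, which is the balance the "due care" discussion above describes.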

Enterprises that use CIS RAM and CIS RAM Core can then develop a plan, as well as expectations for securing an environment reasonably, even if the CIS Safeguards are not comprehensively implemented for all information assets.

CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.0 in 2021. CIS is a founding member of the non-profit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.

Taking the Next Step

Ready to conduct a cyber risk assessment? Download CIS RAM for step-by-step processes, example walk-throughs, and more. It’s free for any organization to use to conduct a cyber risk assessment.

CIS has recently released CIS RAM v2.1. See what’s new in that release.

Join the CIS RAM Community on CIS WorkBench.

Questions about CIS RAM? Email controlsinfo@cisecurity.org.
