A correlation between ATT&CK Mitigations and CIS Controls, often termed as a ‘high-level’ mapping, show case the count of mapped ATT&CK (Sub-)Techniques within each ATT&CK Mitigation. Additionally, it provides the total number of ATT&CK (Sub-)Techniques associated with the respective ATT&CK Mitigation.
Mitre attack mapping accurately and consistently maps adversary behaviors relevant to ATT&CK techniques as part of cyber threat intelligence (CTI).
CIS (Center for Internet Security) controls are a set of best practices for securing IT systems and data, while MITRE ATT&CK is a framework for understanding and identifying cyber threats. While both are important tools for improving cyber security, they serve different purposes and are not directly comparable.
The CIS controls provide a set of actionable steps that organizations can take to improve their security posture and best practices for securing various types of systems, including Windows, Linux, and mobile devices to ensure system conformance to CIS benchmarks; while MITRE ATT&CK is used to understand the tactics and techniques used by attackers and inform defense strategies. Mapping MITRE ATT&CK to CIS controls is important for establishing an organizational security strategy and prioritizing controls implementation.
It is important to keep in mind that implementing the CIS benchmarks is just one aspect of an overall security strategy, it is important to have a multi-layered approach that handles the baseline hardening and includes monitoring, incident response, regular testing, and incident review to ensure the security of an organization's systems.
How MITRE Attack Mapping & CIS Control Mapping Fortify Your Network
As distinct elements of a broader cybersecurity framework, the CIS controls and MITRE ATT&CK frameworks have different scopes and objectives, so there is not a direct one-to-one mapping between the two. However, it is possible to map certain CIS controls to specific tactics and techniques within the MITRE ATT&CK framework, for example:
CIS Control 1 (Inventory and Control of Enterprise Assets) corresponds to the MITRE ATT&CK tactics of Initial Access, because it helps organizations to identify and track all hardware assets on the network, which is a necessary step for an attacker to gain access to a target.
This control can help organizations maintain an inventory of devices that are connected to the network, which can be used to detect and prevent the use of unauthorized devices. This can help to mitigate against MITRE ATT&CK techniques such as T1082 - System Information Discovery, T1087 - Account Discovery, and T1089 - Discovery of Software and Hardware Configurations
CIS Control 2 (Inventory and Control of Software Assets) relates to the MITRE ATT&CK tactics of Initial Access, because it helps organizations to identify and track all software assets on the network, system information discovery, account discovery, permissions group discovery and Remote File Copy.
CIS Control 3 (Data Protection) relates to the MITRE ATT&CK tactics of Exploitation, because it helps organizations to identify and remediate vulnerabilities in their systems, which is a necessary step for an attacker to exploit vulnerabilities.
CIS Control 4 (Secure Configurations of Enterprise Assets and Software) relates to the MITRE ATT&CK tactics of Privilege Escalation, because it helps organizations to limit the number of users with administrative privileges, which is a necessary step for an attacker to obtain higher level privileges.
This control can help organizations ensure that the configurations of their devices are secure and that they are not vulnerable to known vulnerabilities. This can help to mitigate against MITRE ATT&CK techniques such as T1060 - Registry Run Keys / Startup Folder, T1520 - Exploitation for Client Execution.
CIS Control 5 (Account Management) This control can help organizations ensure that administrative privileges are not misused and that they are used only by authorized personnel. This can help to mitigate against MITRE ATT&CK techniques such as T1088 - Bypass User Account Control, T1098 - Account Manipulation
CIS offers tools to assist with the mapping and compliance of their best practices. These 2 tools are:
CIS-CAT Pro assesses conformance to best practices, monitors compliance scores, and enhances them progressively.
The CIS Controls Self Assessment Tool (CSAT) aids enterprises in evaluating, monitoring, and prioritizing the implementation of the CIS Controls.
Hardening: Develop and Update Secure Configuration
Experts advise actively develop update secure configurations to start secure and stay hardened to CIS benchmarks. Also to continuously update secure configuration guides to harden systems to CIS benchmarks as standards evolve.
CIS-CAT Pro assess system conformance to CIS through mitre attack mapping and cis control mapping.Since there is no direct mapping between the two frameworks, they can be used together to provide a more comprehensive security evaluation.
The CIS Benchmarks can be used to identify and implement appropriate controls to mitigate the risks associated with the tactics and techniques identified in the MITRE ATT&CK framework. Additionally, both frameworks can be used to identify gaps in an organization’s security posture and to prioritize efforts to improve security.
CIS Control 4 to Enterprise ATT&CK Master Mapping for security configurations
This discussion focuses on the mapping of CIS Controls to the Mitre benchmarks. Below we will unravel the nuanced connections between CIS Control 4 dealing with hardening by Establishing and Maintaining a Secure Configuration Process and the Mitre benchmarks, shedding light on the strategic integration of these frameworks to fortify our defenses in the face of evolving cyber risks. Displayed are a selection of the important configurations for CIS 4 controls with the Asset type and their mapping to Mitre Attack:
CIS Control 4.1 Applications
Security Function: Establish and Maintain a Secure Configuration Process
Title: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Mapped to Mitre Attack: M1015
Mitre ATT&CK Mitigation Title: Active Directory Configuration
CIS Control 4.1 Applications
Security Function: Establish and Maintain a Secure Configuration Process
Title: Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Mapped to Mitre Attack: M1052
Mitre ATT&CK Mitigation Title: User Account Control
CIS Control 4.2 Network
Security Function: Establish and Maintain a Secure Configuration Process for Network Infrastructure
Title: Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Mapped to Mitre Attack: M1035
Mitre ATT&CK Mitigation Title: Limit Access to Resource Over Network
CIS Control 4.3 Users
Security Function: Configure Automatic Session Locking on Enterprise Assets
Title: Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Mapped to Mitre Attack: M1036, M1047
Mitre ATT&CK Mitigation Title: Removed M1036; Removed M1047
CIS Control 4.4 Devices
Security Function: Implement and Manage a Firewall on Servers
Title: Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.
Mapped to Mitre Attack: M1030
Mitre ATT&CK Mitigation Title: Network Segmentation
CIS Control 4.5 Devices
Security Function: Implement and Manage a Firewall on End-User Devices
Title: Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
Mapped to Mitre Attack: M1030
Mitre ATT&CK Mitigation Title: Network Segmentation
CIS Control 4.6 Network
Security Function: Securely Manage Enterprise Assets and Software
Title: Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
Mapped to Mitre Attack: M1041
Mitre ATT&CK Mitigation Title: Encrypt Sensitive Information
CIS Control 4.7 Users
Security Function: Manage Default Accounts on Enterprise Assets and Software
Title: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
Mapped to Mitre Attack: M1018
Mitre ATT&CK Mitigation Title: User Account Management
CIS Control 4.8 Devices
Security Function: Uninstall or Disable Unnecessary Services on Enterprise Assets and Software
Title: Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
Mapped to Mitre Attack: M1042
Mitre ATT&CK Mitigation Title: Filter Network Traffic
CIS Control 4.9 Devices
Security Function: Configure Trusted DNS Servers on Enterprise Assets
Title: Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.
Mapped to Mitre Attack: M1037
Mitre ATT&CK Mitigation Title: Account Use Policies
CIS Control 4.10 Devices
Security Function: Enforce Automatic Device Lockout on Portable End-User Devices
Title: Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
Mapped to Mitre Attack: M1036
Mitre ATT&CK Mitigation Title: Account Use Policies
