Q2 2024 Threat-Adaptive Evaluation for the HITRUST i1 Assessment

By Brent Zelinski, Standards Senior Manager, HITRUST 

Trending highlights  

• Compromise Accounts (T1586) 

• Indicator Removal (T1070)  

New technique in MITRE ATT&CK 

• Hide Infrastructure (T1665) 

After analyzing second-quarter cyber threat data, we’ve put our i1 assessment controls to the test. Our i1 controls are selected to ensure coverage against tried and true and emerging cyber threats alike. The Q2 threat data and corresponding analysis confirm the relevance of previously trending threats, as well as highlighting the continuing need for baseline security controls. 

Based on the top techniques and associated mitigations identified and addressed in the most recent version of the MITRE ATT&CK Framework (v15.1), the control requirements in the i1 assessment continue to address the top 20 cyber threats by volume identified during the second quarter of 2024 and address all techniques with associated MITRE mitigations including 99% of all cyber threats seen. 

Q2 2024 threat data analysis details  

Initial findings 

HITRUST noted the following MITRE ATT&CK techniques shown below had the largest increase in occurrence during Q2 2024, compared to the same data from Q1 2024.  

i1 status evaluation

For each of the threat techniques identified above, HITRUST explored in depth the existing i1 assessment control set and found that the requirement statements currently included provided significant coverage against each of these techniques. 

Overall technique coverage 

T1586: Compromise Accounts 

The T1586 attack technique was the top growing threat technique in Q2 of 2024.  

T1586: i1 Coverage Evaluation  

For the T1586: Compromise Accounts attack technique, MITRE associates a mitigation named Pre-compromise (M1056). The description of this mitigation states that “[t]his technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.” [emphasis added by HITRUST] 

The following HITRUST CSF requirements contained in the i1 provide coverage for this technique. 

• The organization (i) reviews the proposed content of information prior to posting on the publicly accessible information system and on a recurring bi-weekly basis to ensure non-public information is not included, and (ii) removes nonpublic information if discovered. 
• Dedicated phishing awareness training is developed as part of the organization’s onboarding program, is documented and tracked, and includes the recognition and reporting of potential phishing attempts. 
• The operating system has in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of its baseline. 

T1586: Q2 Coverage Summary  

The expansive attack technique of compromising accounts will always be a popular primary step to gain a foothold in an environment. As MITRE suggests, it is nearly impossible to completely eradicate the possibility of compromised social media, email, cloud, or other account types. The above requirement statements from the HITRUST CSF framework provide sensible preventive controls to reduce attack surfaces and reduce the organization’s exposure to a potential cybersecurity incident. 

T1070: Indicator Removal 

The T1070 attack technique showed significant growth in Q2 of 2024.  

 T1070: i1 Coverage Evaluation  

For the T1070: Indicator Removal attack technique, the existing coverage is currently addressed in the i1 through four HITRUST CSF requirements. 

• Access to audit trails/logs is safeguarded from unauthorized access and use. 
• Access control rules and rights for each user or group of users are based on clearly defined requirements for information dissemination and authorization (e.g., need-to-know, need-to-share, least privilege, security levels, and information classification). The policy further defines logical and physical access control rules and rights for each user or group of users are considered together and clearly defined in standard user access profiles (e.g., roles). The access control program takes into account the security requirements of individual business applications and business units and ensures standard user access profiles for common job roles in the organization. 
• Covered and/or confidential information, at minimum, is rendered unusable, unreadable, or indecipherable anywhere it is stored, including on personal computers (laptops, desktops) portable digital media, backup media, servers, databases, or in logs. Exceptions to encryption requirements are authorized by management and documented. Encryption is implemented via one-way hashes, truncation, or strong cryptography and key-management procedures. For full-disk encryption, logical access is independent of O/S access. Decryption keys are not tied to user accounts. If encryption is not applied because it is determined to not be reasonable or appropriate, the organization documents its rationale for its decision or uses alternative compensating controls other than encryption if the method is approved and reviewed annually by the CISO. 
• Access to information systems audit tools is protected to prevent any possible misuse or compromise. 

T1070: Q2 Coverage Summary 

When an adversary executes action against a target, it is common practice to attempt to cover their trails and remove indications of their presence. Without adequate coverage to prevent and/or detect such actions, compromised targets can remain in an environment without detection and can continue to be used by attackers.  

New techniques 

T1665: Hide Infrastructure 

In addition to detecting ongoing and emerging trends of attacker techniques, it is also good practice to study new technique methods. In MITRE’s latest version release ATT&CK v15.1, the technique to Hide Infrastructure was added to the robust list of Enterprise Techniques. While similar methods such as the aforementioned T1070: Indicator Removal already existed for individual actions, T1665 expands on this line of malicious thinking. When utilizing this technique, adversaries manipulate network traffic in order to hide and evade detection of their command and control (C2) infrastructure. C2 infrastructure is a set of tools and protocols an attacker uses to maintain communication and manage their compromised machines. Since this infrastructure must live on the machine, common attempts to hide can include setting hostnames and domains to match the names of legitimate hostnames and/or services in the environment and using IP addresses within the victim’s correct address range as proxies or VPN to hide the true source of the attack.  

While we have not yet seen significant activity with this technique since its introduction to the ATT&CK framework, it is important to stay informed and up-to-date with detection methods. This technique is also of note as it cannot easily be mitigated with mitigating controls due to its simple nature of abusing legitimate system features.  

For a full breakdown of the new technique, refer to MITRE: T665: Hide Infrastructure. 

Conclusion 

As we continue to gather emerging cyber threat data and learn from real-world attack techniques, we will continue to update the HITRUST CSF framework and the preset controls in the i1 assessment. By committing to a dynamic and threat-adaptive control library, we can remain vigilant in a constantly evolving realm of cyber threats. This unique functionality sets the HITRUST i1 apart from other assessments.