Q3 2024 Threat-Adaptive Evaluation for the HITRUST i1 and r2 Assessments

By Brent Zelinski, Standards Senior Manager, HITRUST 

Trending highlights  

• Exfiltration over Web Service (T1567) 
• Browser Session Hijacking (T1185)

Emerging highlights 

• T1039: Data From Network Shares 
• T1622: Debugger Evasion 
• T1611: Escape to Host 

After analyzing Q3 cyber threat data, we’ve put our i1 assessment controls to test. Our i1 controls are selected to ensure coverage against existing and emerging cyber threats and additionally serve as a baseline of the r2 assessment. The Q2 threat data and corresponding analysis confirm the relevance of previously trending threats and highlight the continuing need for the r2 baseline security controls. 

Based on the top techniques and associated mitigations identified and addressed in the most recent version of the MITRE ATT&CK Framework (v15.1), the control requirements in the i1 assessment continue to address the top 20 cyber threats by volume identified during the third quarter of 2024 and address all techniques with associated MITRE mitigations, including 99% of all cyber threats seen. 

Q3 2024 threat data analysis details  

Initial findings 

HITRUST noted that the MITRE ATT&CK techniques shown below had the largest increase in occurrence during Q2 2024, compared to the same data from Q1 2024. 

 i1 status evaluation

For each of the threat techniques identified above, HITRUST explored the existing i1 assessment control set and found that the requirement statements currently included provided significant coverage against each of these techniques.

Overall technique coverage 

T1567: Exfiltration over Web Service 

The T1567 attack technique was a top-growing threat technique in Q3 of 2024.  

T1567: i1 Coverage Evaluation  

For the T1567 Exfiltration over Web Service technique, MITRE associates two mitigations with the attack technique. M1057 (Data Loss Prevention) instructs to “use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data” and M1021 (Restrict Web-Based Content) describes to “restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.” 

The following HITRUST CSF requirements contained in the i1 provide coverage for this technique. 

• The organization ensures that security gateways (e.g., a firewall) are used to validate source and destination addresses at internal and external network control points. The organization designs and implements network perimeters so that all outgoing network traffic to the internet must pass through at least one application layer filtering proxy server. The application-layer filtering proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a disallow list, or applying lists of allowed sites that can be accessed through the proxy while blocking all other sites. The organization forces outbound traffic to the internet through an authenticated proxy server on the enterprise perimeter. Internal directory services and IP addresses are protected and hidden from any external access. Requirements for network routing control are based on the access control policy. 
• Technologies are implemented for the timely installation, upgrade, and regular updating of anti-malware protective measures. Periodic reviews/scans are required of the installed software and the data content of systems to identify and, where possible, remove any unauthorized software. The organization employs anti-malware software that offers a centralized infrastructure compiling information on file or having administrators manually push updates to all machines. After applying a malicious code detection and repair software update, automated systems verify that each system has received its signature update. The checks carried out by the malicious code detection and repair software to scan computers and media include checking: any files on electronic or optical media, and files received over networks, for malicious code before use; and electronic mail attachments and downloads for malicious code before use or file types that are unnecessary for the organization’s business before use; Web traffic, such as HTML, JavaScript, and HTTP, for malicious code; removable media (e.g., USB tokens and hard drives, CDs/DVDs, external serial advanced technology attachment devices) when inserted. The check of electronic mail attachments and downloads for malicious code is carried out at different places (e.g., at electronic mail servers, desktop computers, and when entering the organization’s network). Bring your own device (BYOD) users are required to use anti-malware software (where supported). Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution. 
• The organization augments endpoint protection strategies with additional solutions — including those built into the operating system, if available — to mitigate exploitation of unknown vulnerabilities where traditional antivirus may be ineffective; and where applicable, target the solutions to protect commonly exploited applications (e.g., web browsers, office productivity suites, Java plugins). 
• Covered and/or confidential information, at minimum, is rendered unusable, unreadable, or indecipherable anywhere it is stored, including on personal computers (laptops, desktops) portable digital media, backup media, servers, databases, or logs. Exceptions to encryption requirements are authorized by management and documented. Encryption is implemented via one-way hashes, truncation, or strong cryptography and key-management procedures. For full-disk encryption, logical access is independent of O/S access. Decryption keys are not tied to user accounts. If encryption is not applied because it is determined not to be reasonable or appropriate, the organization documents its rationale for its decision or uses alternative compensating controls other than encryption if the method is approved and reviewed annually by the CISO. 
• The encryption policy addresses the type and strength of the encryption algorithm and when used to protect the confidentiality of information. The organization employs cryptographic modules that are certified and adhere to the minimum applicable standards.

T1567: Q3 Coverage Summary  

The attack technique of exfiltrating information via a web service can be a difficult technique to protect against as the definition of web-based is rapidly evolving. As MITRE suggests, controlling interactions with often abused web-based content (M1021) and implementing Data Loss Prevention strategies (M1057) can help to provide assurance. The above requirement statements from the HITRUST CSF framework provide sensible preventive controls to reduce potential attack surfaces and the severity of web-based exfiltration. 

T1185: Indicator Removal 

The T1185 attack technique showed significant growth in Q3 of 2024.

T1185: i1 Coverage Evaluation  

To protect against the T1185 attack technique, MITRE associates two mitigations. M1018 (User Account Management) provides, “since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique”. While M1017 (User Training) instructs to “close all browser session regularly and when they are no longer needed”. 

For the T1185: Browser Session Hijacking attack technique, the existing coverage is currently addressed in the i1 through three HITRUST CSF requirements. 

• Dedicated phishing awareness training is developed as part of the organization’s onboarding program, is documented and tracked, and includes the recognition and reporting of potential phishing attempts. 
• The organization provides role-based security-related training, especially for personnel with significant security responsibilities (e.g., system administrators), prior to accessing the organization’s information resources, when required by system or environment changes, when entering into a new position that requires additional role-specific training, and no less than annually, thereafter.
• The allocation of privileges for all systems and system components is controlled through a formal authorization process. The organization ensures access privileges associated with each system product (e.g., operating system, database management system, and each application), and the users associated with each system product that need to be allocated are identified. Privileges are allocated to users on a need-to-use basis and event-by-event basis in line with the access control policy (e.g., the minimum requirement for their functional role as user or administrator, only when needed).

T1185: Q3 Coverage Summary 

There is inherent risk when users engage with an internet browser. Educating users on ways their sessions can be compromised (M1017) along with implementing security controls to discourage and limit potential damage from session hijacking (M1018) are major ways to reduce risk and protect assets. The HITRUST CSF requirement statements associated here provide a blueprint for mitigation and protection.  

Emerging techniques 

In addition to analyzing the top volume and trending techniques, we also take into consideration attack techniques that we have not seen in recent analyses. Below we’ve highlighted three techniques that can help give insights into the evolving minds of adversaries. 

T1039: Data From Network Shares 

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. 

While we have not yet seen a significant uptick in activity with this technique, it is important to stay informed and up-to-date with detection methods. This technique is also of note as it cannot easily be mitigated with mitigating controls due to its simple nature of abusing legitimate system features. Controls within the CSF that describe appropriate data categorization can help to limit potential damage. 

T1622: Debugger Evasion 

Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads. 

While we have not yet seen significant activity for this technique, it is important to stay informed and up-to-date with detection methods. This technique is also of note as it cannot easily be mitigated with mitigating controls due to its simple nature of abusing legitimate system features.  

T1611: Escape to Host 

Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment. 

Requirement statements within the CSF such as implementing malicious code and spam protection, maintaining vendor software security, application allowing listing technology, and privileged role discipline are effective to mitigate this attack technique. 

Conclusion 

As we continue to gather emerging cyber threat data and learn from real-world attack techniques, we will continue to update the HITRUST CSF framework and the preset controls in the i1 assessment. By committing to a dynamic and threat-adaptive control library, we can remain vigilant in a constantly evolving realm of cyber threats. This unique functionality sets the HITRUST i1 apart from other assessments.