By Andrew Russell, Vice President of Standards, HITRUST
Q1 2022 Threat-Adaptive Analysis: HITRUST Implemented, 1-Year (i1) Validated Assessment
The HITRUST i1 Assessment + Certification is an innovative, threat-adaptive, broad-based assessment that evolves over time to actively address the ever-changing cybersecurity landscape across industries. We made a commitment to the HITRUST community to reassess the coverage of i1 control section requirements every quarter against emerging cybersecurity threats. In the first quarter of 2022, working with a leading cyberthreat data provider, our analysis showed strong continued coverage of general mitigations for prevalent and relevant threats.
Based upon the mitigations identified and addressed in the MITRE ATT&CK Framework, the preselected i1 control requirements in the i1 Assessment continue to fully address the top 20 cyber threats identified during the first quarter of 2022 and address 99% of all cyber threats seen, including phishing and ransomware threats. Based upon our analysis, HITRUST concluded that adding two new requirement statements to the i1 Assessment would enhance the strength of coverage for MITRE Mitigations M1051 and M1017. Therefore, the two additional requirement statements will be included in i1 Assessments generated based upon the next release version of the HITRUST CSF framework, expected later this year.
Q1 2022 Threat Data Analysis Details
Initial Findings: HITRUST noted that the MITRE Techniques shown below had a significant percentage increase in occurrences during Q1 2022, as compared to the same data from Q4 2022.
i1 Status Evaluation: For each of the threat techniques identified above, HITRUST explored in depth the existing i1 Assessment control set and found that the requirement statements currently included provided significant coverage against each of these techniques.
Overall Technique Coverage
T1068: Exploitation for Privilege Escalation
During our review of overall i1 Assessment coverage, the HITRUST team determined that for cyberattack technique T1068, the coverage provided for a related mitigation could be enhanced through the inclusion of an additional requirement. The graphic below shows an example of how the current HITRUST requirements are mapped to MITRE Mitigations, which in turn map to MITRE Techniques.
For simplicity, we are only presenting the requirements relevant to M1051, which are discussed in greater detail below.
i1 Coverage Evaluation: Strong existing coverage for M1051 is currently addressed through three separate HITRUST requirements that are included in the i1 Assessment:
- A technical vulnerability management program is in place to monitor, assess, rank, and remediate vulnerabilities identified in systems.
- Technical vulnerabilities are identified, evaluated for risk, and corrected in a timely manner.
- The organization centrally manages the flaw remediation process and installs software updates automatically where possible.
While these requirements address the need to perform ad-hoc software updates to mitigate exploitation risks and to perform regular updates automatically where possible, they do not address the need to install regular software updates manually on systems that do not support automatic updates.
Future Action: An additional requirement addressing the need to install regular software updates manually for systems that do not support automatic updates will be included in i1 assessments generated based upon the next release version of the HITRUST CSF framework expected later this year.
i1 Coverage Evaluation: For the T1566 attack technique, which addresses phishing, the related MITRE mitigation M1017 is currently addressed in the i1 through two HITRUST CSF requirements:
- Dedicated security and privacy awareness training is developed as part of the organization’s onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat.
- Employees and contractors receive documented initial training (as part of their onboarding within 60 days of hire), as well as annual and ongoing training on their roles related to security and privacy.
While these current i1 control requirements address the need for initial and ongoing security and privacy training to mitigate phishing cyberattacks, they do not specifically cover training on topics such as how to avoid phishing and ransomware, for example by not opening files or clicking on links from unknown sources without first checking them for suspicious content.
Future Action: An additional requirement addressing the need to conduct user training with content specific to phishing and ransomware will be included in i1 assessments generated based on the next release version of the HITRUST CSF framework expected later this year.
Going forward, HITRUST will continue to evaluate current and evolving cyberthreats and will update the HITRUST CSF framework and the preset controls in the i1 Assessment to address emerging attack techniques. This unique threat-adaptive functionality sets HITRUST apart from other methodologies and provides added assurance that information protection programs remain up to date.
Since the i1 is threat-adaptive with a control set that evolves over time, an i1 Assessment must use the then-current version of the HITRUST CSF (currently v9.6). Entities with i1 assessments underway (object created), and those with a valid i1 Certification, will not be affected by i1 control selection updates until their next HITRUST assessment effort.
T1068: Exploitation for Privilege Escalation
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
M1051: Update Software
Perform regular software updates to mitigate exploitation risk.
T1566: Phishing
All forms of phishing are electronically delivered social engineering. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms.
M1017: Application Deployment Software Mitigation
Grant access to application deployment systems only to a limited number of authorized administrators.
About the Author
Andrew Russell, Vice President of Standards, HITRUST
Andrew leads the HITRUST Standards group. With deep expertise in information security controls mapping, controls testing, automation, and data analytics, Andrew is responsible for developing enhancements to, and the ongoing maintenance of, the HITRUST CSF framework. Andrew has a decade of “Big 4” audit experience covering a wide range of standards and a diverse mixture of projects.