By Brent Zelinski, Standards Senior Manager, HITRUST
Q2 2022 Threat-Adaptive Evaluation for the HITRUST Implemented, 1-Year (i1) Validated Assessment
Trending Highlights:
- Internal Spearphishing (T1534)
- Exploitation for Privilege Escalation (T1068)
When the HITRUST i1 Assessment + Certification was introduced in late 2021, we committed to the HITRUST community to reassess the coverage of the i1 control section requirements against emerging cybersecurity threats each quarter. Each quarterly threat analysis verifies that the existing coverage still holds and identifies additional controls that may need to be introduced.
After Q1 2022 analysis, we stated specific action items planned for inclusion in our next release coming later in the year, and this is still the case. Our analysis of Q2 2022 cyberthreat data against the i1 control section requirements confirms our Q1 conclusions.
Based upon the top techniques and associated mitigations identified in the MITRE ATT&CK Framework, the control requirements in the i1 Assessment continue to address the top 20 cyber threats identified during the second quarter of 2022 and address 99% of cyber threats seen.
As a result of our most recent Q2 analysis, HITRUST confirmed its Q1 conclusion to introduce two new requirement statements to enhance the strength of coverage for MITRE Mitigations M1051 and M1017. In addition, with the increase of T1534 Internal Spearphishing activity in Q2, the new requirement statement initially proposed to enhance M1017 will be further expanded to include internal spearphishing. Both enhancements are scheduled for introduction alongside the release version of the HITRUST CSF framework expected later this year.
Q2 2022 Threat Data Analysis Details
Initial Findings: HITRUST noted that the following MITRE Techniques had the largest increase in occurrence during Q2 2022, as compared with the same data from Q1 2022.

| Technique ID | Technique Name |
|---|---|
| T1499 | Endpoint Denial of Service |
| T1498 | Network Denial of Service |
| T1059 | Command and Scripting Interpreter |
| T1595 | Active Scanning |
| T1490 | Inhibit System Recovery |
| T1534 | Internal Spearphishing |
| T1068 | Exploitation for Privilege Escalation |
i1 Status Evaluation: For each of the threat techniques identified above, HITRUST explored in depth the existing i1 Assessment control set and found that the requirement statements currently included provided significant coverage against each of these techniques.
Overall Technique Coverage
T1534: Internal Spearphishing
i1 Coverage Evaluation: For the T1534: Internal Spearphishing attack technique, coverage is currently provided in the i1 through two HITRUST CSF requirements:
- The organization provides specialized security and privacy education and training appropriate to the employee’s roles/responsibilities, including organizational business unit security POCs and system/software developers.
- Personnel with significant security responsibilities receive specialized education and training on their roles and responsibilities: (i) prior to being granted access to the organization’s systems and resources; (ii) when required by system changes; (iii) when entering into a new position that requires additional training; and, (iv) no less than annually thereafter.
In Q1 of 2022, the HITRUST threat analysts noted T1566: Phishing as a prevalent threat technique. They concluded that while our current i1 control requirements address the need for initial and ongoing security and privacy training to mitigate phishing cyberattacks, the requirements do not specifically address how to avoid phishing and ransomware attacks, such as not opening files or clicking on links from unknown sources without first checking them for suspicious content. With T1534: Internal Spearphishing emerging as a top threat this quarter, we emphasize the importance of the above requirement statements related to training of individuals with significant and specialized roles.
Future Action: An additional requirement addressing the need to conduct user training with content specific to phishing, internal spearphishing, and ransomware will be included in i1 assessments generated based on the next release version of the HITRUST CSF framework expected later this year.
T1068: Exploitation for Privilege Escalation
The T1068 attack technique was the only technique to appear among the top growth increases in both Q1 and Q2 of 2022.
Future Action: This continuing threat increase reinforces our prior decision to introduce an additional requirement addressing the need to install regular software updates manually for systems that do not support automatic updates.
For more information on our current i1 control coverage for related MITRE mitigations visit our Q1 post.
Summary
Going forward, HITRUST will continue to evaluate current and evolving cyberthreats and will update the HITRUST CSF framework and the preset controls in the i1 Assessment to address emerging attack techniques. This unique threat-adaptive functionality sets HITRUST apart from other methodologies and provides added assurance that information protection programs remain up to date.
Since the i1 is threat-adaptive with a control set that evolves over time, an i1 Assessment must use the then-current version of the HITRUST CSF (currently v9.6). Entities with i1 assessments underway (object created), and those with a valid i1 Certification, will not be affected by i1 control selection updates until their next HITRUST assessment effort.
Glossary
T1068: Exploitation for Privilege Escalation
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code.
M1051: Update Software
Perform regular software updates to mitigate exploitation risk.
T1534: Internal Spearphishing
Internal Spearphishing is a multi-staged campaign where an email account is owned either by controlling the user’s device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.
T1566: Phishing
All forms of phishing are electronically delivered social engineering. Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms.
About the Author
Brent Zelinski, Standards Senior Manager, HITRUST
Brent brings deep expertise in vulnerability and threat management, ethical hacking, and information security governance to the HITRUST Standards Group. His responsibilities include cyberthreat research along with correlating enhancements and maintenance to the HITRUST CSF framework. Brent’s decade of diverse consulting and support experience includes serving organizations and regulatory bodies of all sizes and functions.