By Brent Zelinski, Standards Senior Manager, HITRUST
Q3 2022 Threat-Adaptive Evaluation for the HITRUST Implemented, 1-Year (i1) Validated Assessment
- Data Encrypted for Impact (T1486)
- Active Scanning (T1595)
After analyzing third quarter cyberthreat data, we’ve once again put our i1 Assessment controls to the test. Our i1 controls are selected to ensure coverage against tried and true and emerging cyberthreats alike. The Q3 threat data and corresponding analysis confirms the relevance of previously trending threats, as well as highlights the continuing need for baseline security controls.
Based on the top techniques and their associated mitigations in the MITRE ATT&CK Framework (v11), the control requirements in the i1 Assessment continue to address the top 20 cyberthreats by volume identified during the third quarter of 2022, and they address all threats that have associated MITRE mitigations, covering 98% of all cyberthreats seen.
Q3 2022 Threat Data Analysis Details
Initial Findings: HITRUST noted that the following MITRE ATT&CK techniques showed the largest increase in occurrence during Q3 2022, compared with the same data from Q2 2022.
- Event Triggered Execution
- Scheduled Task/Job
- File and Directory Permissions Modification
- Data Encrypted for Impact
- Active Scanning
- Obfuscated Files or Information
- Hijack Execution Flow
i1 Status Evaluation
For each of the threat techniques identified above, HITRUST explored the existing i1 Assessment control set in depth and found that the requirement statements currently included provide significant coverage against each of these techniques.
Overall Technique Coverage
T1595: Active Scanning
The T1595 attack technique was one of the top growing threats across both Q2 and Q3 of 2022.
T1595: i1 Coverage Evaluation
For the T1595: Active Scanning attack technique, MITRE associates a mitigation named Pre-compromise (M1056). The description of this mitigation states that “[t]his technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.” [emphasis added by HITRUST]
The following HITRUST CSF requirements contained in the i1 provide coverage for this technique:
- The organization (i) reviews the proposed content of information prior to posting onto the publicly accessible information system and on a recurring bi-weekly basis to ensure non-public information is not included, and (ii) removes nonpublic information if discovered.
- Ports, services, and similar applications installed on a computer or network systems which are not specifically required for business functionality are disabled or removed.
- The operating system has in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of its baseline.
T1595: Q3 Coverage Summary
The broad attack technique of active scanning may always be prevalent. As MITRE suggests, it is nearly impossible to completely eradicate malicious scanning activity. The requirement statements above from the HITRUST CSF framework provide sensible preventive controls that reduce the attack surface and reduce the organization’s exposure to a potential cybersecurity incident.
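The logging and port-filtering controls above do not stop scanning, but they do make it visible. The following added example (not from HITRUST or the i1 control set) shows one way a defender can surface T1595 activity from host-firewall deny records: it flags any source that touches many distinct destination ports within a short window. The log format and the sample lines are constructed for this example.

```python
"""Detection for active scanning (T1595) in host-firewall deny logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (assumed syslog-style key=value format): one source
# walks eleven ports in ten seconds, another retries one port over minutes.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389]
SAMPLE_LOG = "\n".join(
    [f"2022-09-14T10:00:{i:02d}Z DENY src=198.51.100.7 dst=10.0.0.5 dport={p} proto=tcp"
     for i, p in enumerate(SCAN_PORTS)]
    + [f"2022-09-14T10:{i:02d}:30Z DENY src=203.0.113.9 dst=10.0.0.5 dport=8443 proto=tcp"
       for i in range(5)]
)


def parse_line(line: str) -> dict:
    """Split '<ts> <action> k=v ...' into a record with a parsed timestamp."""
    ts, action, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "action": action,
            "src": fields["src"], "dport": int(fields["dport"])}


def detect_scanners(log_text: str, window: timedelta = timedelta(seconds=60),
                    min_ports: int = 10) -> dict:
    """Return {src: distinct_ports} for sources that touched at least min_ports
    distinct destination ports within any window-sized span of denied attempts."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] == "DENY":
            attempts[rec["src"]].append((rec["ts"], rec["dport"]))
    alerts = {}
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


if __name__ == "__main__":
    print(detect_scanners(SAMPLE_LOG))
```

The benign retrier is not flagged because it only ever hits one port; tune `window` and `min_ports` to the noise level of the network segment being monitored.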
T1486: Data Encrypted for Impact
The T1486 attack technique showed significant growth in Q3 of 2022.
T1486: i1 Coverage Evaluation
For the T1486: Data Encrypted for Impact attack technique, the existing coverage is currently addressed in the i1 through four HITRUST CSF requirements:
- Information systems generate audit records containing details to facilitate the reconstruction of events if unauthorized activity or malfunction is suspected in the audit records for audit events identified by type, location, or subject.
- Centrally-managed, up-to-date anti-spam and anti-malware protection is implemented at information system entry/exit points for the network and on all devices.
- Backup copies of information and software are made, and tests of the media and restoration procedures are regularly performed at appropriate intervals.
- The backups are stored in a physically secure remote location, at a sufficient distance to make them reasonably immune from damage to data at the primary site, and reasonable physical and environmental controls are in place to ensure their protection at the remote location.
T1486: Q3 Coverage Summary
Various attack techniques associated with ransomware continue to gain prominence. When an adversary encrypts an organization’s data for the purpose of malicious impact, this is the quintessential ransomware step. Without adequate coverage to prevent, detect, and respond to such a threat, the financial, operational, and reputational impact can be devastating to an organization. The HITRUST threat analysis team emphasizes the importance of the requirement statements discussed above as a proactive, defensive effort to fight the rising threat of ransomware and Data Encrypted for Impact (T1486). Proper implementation of the recommended requirements will provide organizations coverage against this trending attack technique. HITRUST will continue to monitor this evolving threat and regularly evaluate its coverage in the i1 Assessment.
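The backup requirements above only help if the restore actually works and the copy was not itself corrupted or encrypted before it was needed. As an added illustration (not HITRUST code, and not part of the i1 requirements), the example below records a hash manifest at backup time, restores the archive into scratch space, and reports any file that is missing or altered; the archive format, file names and contents are constructed.

```python
"""Restoration test for backup copies (T1486 coverage): restore, then verify."""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path


def sha256_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Write the archive and return the manifest taken at backup time."""
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in sha256_tree(source):
            zf.write(source / rel, arcname=rel)
    return sha256_tree(source)


def restoration_test(archive: Path, manifest: dict) -> list:
    """Restore into scratch space and report files missing or altered relative
    to the manifest; an empty list means the restore procedure is sound."""
    with tempfile.TemporaryDirectory() as scratch:
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(scratch)
        restored = sha256_tree(Path(scratch))
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo(tamper: bool = False) -> list:
    """Constructed scenario: two files are backed up; with tamper=True the
    archive is rewritten as if its contents were encrypted and one file lost."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "a.txt").write_bytes(b"constructed note")
        (src / "patients.csv").write_bytes(b"id,name\n1,constructed\n")
        archive = Path(work, "backup.zip")
        manifest = make_backup(src, archive)
        if tamper:  # simulate a backup that was overwritten with ciphertext
            with zipfile.ZipFile(archive, "w") as zf:
                zf.writestr("patients.csv", os.urandom(64))
        return restoration_test(archive, manifest)
```

The manifest must be kept apart from the backup media it describes (for example with the offsite copy the fourth requirement calls for), otherwise an attacker who reaches the backups can rewrite both.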
For a full breakdown and guide of ransomware attack detection, handling, and prevention, refer to the HITRUST eBook: A Proactive Guide to Detect, Fight, and Prevent Ransomware Attacks.
As we continue to gather emerging cyberthreat data and learn from real world attack techniques, we will continue to update the HITRUST CSF framework and the preset controls in the i1 Assessment. By committing to a dynamic and threat-adaptive control library, we can remain vigilant in a constantly evolving realm of cyber threats. This unique functionality sets the HITRUST i1 apart from other assessments.
T1595: Active Scanning
Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.
M1056: Pre-compromise
This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.
T1486: Data Encrypted for Impact
Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
About the Author
Brent Zelinski, Standards, Senior Manager, HITRUST
Brent brings deep expertise in vulnerability and threat management, ethical hacking, and information security governance to the HITRUST Standards Group. His responsibilities include cyberthreat research along with the corresponding enhancements and maintenance to the HITRUST CSF framework. Brent’s decade of diverse consulting and support experience includes serving organizations and regulatory bodies of all sizes and functions.