By Brent Zelinski, Standards Senior Manager, HITRUST
Trending highlights
- Exfiltration over Web Service (T1567)
- Browser Session Hijacking (T1185)
Emerging highlights
- T1039: Data From Network Shares
- T1622: Debugger Evasion
- T1611: Escape to Host
After analyzing Q3 cyber threat data, we’ve put our i1 assessment controls to the test. Our i1 controls are selected to ensure coverage against existing and emerging cyber threats and additionally serve as a baseline of the r2 assessment. The Q2 threat data and corresponding analysis confirm the relevance of previously trending threats and highlight the continuing need for the r2 baseline security controls.
Based on the top techniques and associated mitigations identified and addressed in the most recent version of the MITRE ATT&CK Framework (v15.1), the control requirements in the i1 assessment continue to address the top 20 cyber threats by volume identified during the third quarter of 2024 and address all techniques with associated MITRE mitigations, including 99% of all cyber threats seen.
Q3 2024 threat data analysis details
Initial findings
HITRUST noted that the MITRE ATT&CK techniques shown below had the largest increase in occurrence during Q2 2024, compared to the same data from Q1 2024.
| T1005 | T1567 | T1587 | T1608 | T1068 | T1185 | T1550 |
|---|---|---|---|---|---|---|
| Data From Local System | Exfiltration over Web Service | Develop Capabilities | Stage Capabilities | Exploitation for Privilege Escalation | Browser Session Hijacking | Use Alternative Authentication Material |
i1 status evaluation
For each of the threat techniques identified above, HITRUST explored the existing i1 assessment control set and found that the requirement statements currently included provided significant coverage against each of these techniques.
Overall technique coverage
T1567: Exfiltration over Web Service
The T1567 attack technique was a top-growing threat technique in Q3 of 2024.
T1567: i1 Coverage Evaluation
For the T1567 Exfiltration over Web Service technique, MITRE associates two mitigations with the attack technique. M1057 (Data Loss Prevention) advises organizations to “use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personally identifiable information (PII), and restrict exfiltration of sensitive data” and M1021 (Restrict Web-Based Content) advises them to “restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.”
The following HITRUST CSF requirements contained in the i1 provide coverage for this technique.
- The organization ensures that security gateways (e.g., a firewall) are used to validate source and destination addresses at internal and external network control points. The organization designs and implements network perimeters so that all outgoing network traffic to the internet must pass through at least one application layer filtering proxy server. The application-layer filtering proxy supports decrypting network traffic, logging individual TCP sessions, blocking specific URLs, domain names, and IP addresses to implement a disallow list, or applying lists of allowed sites that can be accessed through the proxy while blocking all other sites. The organization forces outbound traffic to the internet through an authenticated proxy server on the enterprise perimeter. Internal directory services and IP addresses are protected and hidden from any external access. Requirements for network routing control are based on the access control policy.
- Technologies are implemented for the timely installation, upgrade, and regular updating of anti-malware protective measures. Periodic reviews/scans are required of the installed software and the data content of systems to identify and, where possible, remove any unauthorized software. The organization employs anti-malware software that offers a centralized infrastructure compiling information on file or having administrators manually push updates to all machines. After applying a malicious code detection and repair software update, automated systems verify that each system has received its signature update. The checks carried out by the malicious code detection and repair software to scan computers and media include checking: any files on electronic or optical media, and files received over networks, for malicious code before use; and electronic mail attachments and downloads for malicious code before use or file types that are unnecessary for the organization’s business before use; Web traffic, such as HTML, JavaScript, and HTTP, for malicious code; removable media (e.g., USB tokens and hard drives, CDs/DVDs, external serial advanced technology attachment devices) when inserted. The check of electronic mail attachments and downloads for malicious code is carried out at different places (e.g., at electronic mail servers, desktop computers, and when entering the organization’s network). Bring your own device (BYOD) users are required to use anti-malware software (where supported). Server environments for which the server software developer specifically recommends not installing host-based anti-virus and anti-spyware software are addressed via a network-based malware detection (NBMD) solution.
- The organization augments endpoint protection strategies with additional solutions — including those built into the operating system, if available — to mitigate exploitation of unknown vulnerabilities where traditional antivirus may be ineffective; and where applicable, target the solutions to protect commonly exploited applications (e.g., web browsers, office productivity suites, Java plugins).
- Covered and/or confidential information, at minimum, is rendered unusable, unreadable, or indecipherable anywhere it is stored, including on personal computers (laptops, desktops) portable digital media, backup media, servers, databases, or logs. Exceptions to encryption requirements are authorized by management and documented. Encryption is implemented via one-way hashes, truncation, or strong cryptography and key-management procedures. For full-disk encryption, logical access is independent of O/S access. Decryption keys are not tied to user accounts. If encryption is not applied because it is determined not to be reasonable or appropriate, the organization documents its rationale for its decision or uses alternative compensating controls other than encryption if the method is approved and reviewed annually by the CISO.
- The encryption policy addresses the type and strength of the encryption algorithm and when used to protect the confidentiality of information. The organization employs cryptographic modules that are certified and adhere to the minimum applicable standards.
T1567: Q3 Coverage Summary
The attack technique of exfiltrating information via a web service can be a difficult technique to protect against as the definition of web-based is rapidly evolving. As MITRE suggests, controlling interactions with often abused web-based content (M1021) and implementing Data Loss Prevention strategies (M1057) can help to provide assurance. The above requirement statements from the HITRUST CSF framework provide sensible preventive controls to reduce potential attack surfaces and the severity of web-based exfiltration.
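As an added illustration (not part of the original post and not HITRUST or MITRE code), the following Python example reviews proxy logs against the egress controls described above: every outbound request is authenticated, only allow-listed sites are reachable, and upload volume to permitted web services is bounded. The log format, allow list, byte budget, and sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy log lines (not from the page). Assumed field order:
# timestamp user method host bytes_sent action
SAMPLE_LOG = """\
2024-09-03T10:01:12Z alice GET intranet.example.org 420 ALLOWED
2024-09-03T10:02:40Z alice POST files.storage.example.net 48000000 ALLOWED
2024-09-03T10:03:05Z alice PUT files.storage.example.net 61000000 ALLOWED
2024-09-03T10:04:11Z - POST paste.example.com 9000 ALLOWED
2024-09-03T10:05:30Z bob POST paste.example.com 2048 DENIED
2024-09-03T10:06:02Z bob GET mystorage.example.net 300 ALLOWED
"""

ALLOWED_DOMAINS = {"example.org", "storage.example.net"}  # hypothetical allow list
UPLOAD_LIMIT = 100_000_000  # hypothetical per-user, per-host byte budget


def on_allow_list(host, allowed):
    """Match the host itself or a subdomain, on a label boundary only."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def review_egress(log_text, allowed=ALLOWED_DOMAINS, limit=UPLOAD_LIMIT):
    """Return sorted (reason, user, host) findings for the proxy log."""
    findings = set()
    uploaded = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            findings.add(("unparsed-line", "?", "?"))
            continue
        _, user, method, host, sent, action = parts
        if action != "ALLOWED":
            continue  # the proxy already blocked this request
        if user == "-":
            findings.add(("unauthenticated-egress", user, host))
        if not on_allow_list(host, allowed):
            findings.add(("allowed-off-list-host", user, host))
        elif method in ("POST", "PUT"):
            uploaded[(user, host)] += int(sent)
            if uploaded[(user, host)] > limit:
                findings.add(("upload-volume-exceeded", user, host))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_egress(SAMPLE_LOG):
        print(*finding)
```

The volume check matters because exfiltration over a web service frequently rides on a site that is legitimately on the allow list, so URL filtering alone does not surface it.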
T1185: Indicator Removal
The T1185 attack technique showed significant growth in Q3 of 2024.
T1185: i1 Coverage Evaluation
To protect against the T1185 attack technique, MITRE associates two mitigations. M1018 (User Account Management) provides, “since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and Bypass User Account Control opportunities can limit the exposure to this technique”, while M1017 (User Training) instructs users to “close all browser sessions regularly and when they are no longer needed.”
For the T1185: Browser Session Hijacking attack technique, the existing coverage is currently addressed in the i1 through three HITRUST CSF requirements.
- Dedicated phishing awareness training is developed as part of the organization’s onboarding program, is documented and tracked, and includes the recognition and reporting of potential phishing attempts.
- The organization provides role-based security-related training, especially for personnel with significant security responsibilities (e.g., system administrators), prior to accessing the organization’s information resources, when required by system or environment changes, when entering into a new position that requires additional role-specific training, and no less than annually, thereafter.
- The allocation of privileges for all systems and system components is controlled through a formal authorization process. The organization ensures access privileges associated with each system product (e.g., operating system, database management system, and each application), and the users associated with each system product that need to be allocated are identified. Privileges are allocated to users on a need-to-use basis and event-by-event basis in line with the access control policy (e.g., the minimum requirement for their functional role as user or administrator, only when needed).
T1185: Q3 Coverage Summary
There is inherent risk when users engage with an internet browser. Educating users on ways their sessions can be compromised (M1017) along with implementing security controls to discourage and limit potential damage from session hijacking (M1018) are major ways to reduce risk and protect assets. The HITRUST CSF requirement statements associated here provide a blueprint for mitigation and protection.
Emerging techniques
In addition to analyzing the top volume and trending techniques, we also take into consideration attack techniques that we have not seen in recent analyses. Below we’ve highlighted three techniques that can help give insights into the evolving minds of adversaries.
T1039: Data From Network Shares
Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.
While we have not yet seen a significant uptick in activity with this technique, it is important to stay informed and up to date with detection methods. This technique is also of note because it cannot easily be addressed with mitigating controls: it simply abuses legitimate system features. Controls within the CSF that describe appropriate data categorization can help to limit potential damage.
T1622: Debugger Evasion
Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace and/or analyze the execution of potential malware payloads.
While we have not yet seen significant activity for this technique, it is important to stay informed and up to date with detection methods. This technique is also of note because it cannot easily be addressed with mitigating controls: it simply abuses legitimate system features.
T1611: Escape to Host
Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.
Requirement statements within the CSF, such as implementing malicious code and spam protection, maintaining vendor software security, application allow-listing technology, and privileged role discipline, are effective in mitigating this attack technique.
Conclusion
As we continue to gather emerging cyber threat data and learn from real-world attack techniques, we will continue to update the HITRUST CSF framework and the preset controls in the i1 assessment. By committing to a dynamic and threat-adaptive control library, we can remain vigilant in a constantly evolving realm of cyber threats. This unique functionality sets the HITRUST i1 apart from other assessments.