Attackers use a wide range of adversarial techniques in cyberattacks to compromise the confidentiality, integrity, and availability of target organizations and systems. Information security standards such as those from NIST and ISO/IEC specify hundreds of security controls that organizations can enforce to protect and defend their information systems against these techniques. However, implementing all available controls at once can be infeasible, so security controls also need to be examined in terms of how well they mitigate the adversarial techniques actually used in cyberattacks. The goal of this research is to help organizations make informed choices about security controls for defending against cyberthreats, through an investigation of the adversarial techniques used in current cyberattacks. In this study, we investigated the extent to which 298 NIST SP 800-53 controls mitigate 188 adversarial techniques used by 669 cybercrime groups and malware families cataloged in the MITRE ATT&CK framework, based on an existing mapping between the controls and the techniques. We find that, according to this mapping, only 101 of the 298 controls are capable of mitigating any adversarial technique. We also find that 53 adversarial techniques cannot be mitigated by any existing control; these techniques primarily help adversaries bypass system defenses and discover information about the targeted system. We identify a set of 20 critical controls that can mitigate 134 adversarial techniques and, on average, mitigate 72% of all techniques used by 98% of the adversaries cataloged in MITRE ATT&CK. We urge organizations that have no controls in place to implement the top controls identified in this study.
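The kind of coverage analysis the abstract describes (which controls mitigate anything at all, which techniques no control reaches, and which small set of controls covers the most techniques and adversaries) can be reproduced on any control-to-technique mapping. The following is an added example, not code or data from the paper: the control identifiers, the technique identifiers, and especially the control-to-technique and adversary-to-technique mappings are constructed for illustration and are not the real MITRE ATT&CK-to-NIST SP 800-53 mapping. The control selection uses a greedy set-cover heuristic, which is an assumption about method; the paper does not state how its 20 critical controls were chosen.

```python
"""Added example: coverage analysis of security controls over adversarial techniques.

Given a mapping control -> techniques it mitigates, and a catalog of
adversary -> techniques it uses, compute (1) which controls mitigate nothing,
(2) which used techniques no control mitigates, (3) a greedy set-cover choice of
the top-k controls, and (4) per-adversary and average mitigation of that choice.
All identifiers and mappings below are constructed sample data, not the real
ATT&CK / SP 800-53 mapping.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample mapping: control id -> techniques it is assumed to mitigate.
CONTROL_TO_TECHNIQUES: Dict[str, Set[str]] = {
    "AC-2": {"T1078", "T1136"},
    "AC-6": {"T1078", "T1548", "T1068"},
    "SI-3": {"T1204", "T1059"},
    "SI-4": {"T1059", "T1071", "T1048"},
    "CM-7": {"T1059", "T1218"},
    "SC-7": {"T1071", "T1048", "T1090"},
    "AU-6": set(),  # a control with no mapped technique (mitigates nothing)
}

# Constructed sample catalog: adversary (group or malware) -> techniques it uses.
ADVERSARY_TO_TECHNIQUES: Dict[str, Set[str]] = {
    "GroupA": {"T1078", "T1059", "T1071"},
    "MalwareB": {"T1204", "T1059", "T1218", "T1027"},  # T1027 is unmapped
    "GroupC": {"T1548", "T1090", "T1048"},
    "MalwareD": {"T1027", "T1562"},  # neither technique is mapped
}


def mitigable_techniques(mapping: Dict[str, Set[str]]) -> Set[str]:
    """Union of every technique that at least one control mitigates."""
    return set().union(*mapping.values()) if mapping else set()


def controls_with_coverage(mapping: Dict[str, Set[str]]) -> List[str]:
    """Controls that mitigate at least one technique (cf. '101 of 298')."""
    return sorted(c for c, techs in mapping.items() if techs)


def unmitigated_techniques(mapping: Dict[str, Set[str]],
                           usage: Dict[str, Set[str]]) -> Set[str]:
    """Techniques adversaries use that no control mitigates (cf. '53 techniques')."""
    used = set().union(*usage.values()) if usage else set()
    return used - mitigable_techniques(mapping)


def greedy_top_controls(mapping: Dict[str, Set[str]], k: int) -> List[str]:
    """Greedy set cover: repeatedly pick the control that mitigates the most
    not-yet-covered techniques. Ties break on the smaller control id so the
    result is deterministic. Stops early once no control adds coverage."""
    covered: Set[str] = set()
    chosen: List[str] = []
    remaining = dict(mapping)
    for _ in range(k):
        if not remaining:
            break
        best = min(remaining, key=lambda c: (-len(remaining[c] - covered), c))
        if not remaining[best] - covered:
            break  # nothing left that any remaining control would add
        chosen.append(best)
        covered |= remaining.pop(best)
    return chosen


def adversary_coverage(selected: List[str], mapping: Dict[str, Set[str]],
                       usage: Dict[str, Set[str]]) -> Dict[str, float]:
    """Fraction of each adversary's techniques mitigated by the selected controls."""
    covered = set().union(*(mapping[c] for c in selected)) if selected else set()
    return {a: len(techs & covered) / len(techs) for a, techs in usage.items()}


def summarize(selected: List[str], mapping: Dict[str, Set[str]],
              usage: Dict[str, Set[str]]) -> Tuple[float, float]:
    """(average fraction of techniques mitigated per adversary,
        share of adversaries with at least one technique mitigated)."""
    frac = adversary_coverage(selected, mapping, usage)
    avg = sum(frac.values()) / len(frac)
    touched = sum(1 for f in frac.values() if f > 0) / len(frac)
    return avg, touched


if __name__ == "__main__":
    top = greedy_top_controls(CONTROL_TO_TECHNIQUES, 3)
    print("controls with any coverage:", controls_with_coverage(CONTROL_TO_TECHNIQUES))
    print("used techniques no control mitigates:",
          sorted(unmitigated_techniques(CONTROL_TO_TECHNIQUES, ADVERSARY_TO_TECHNIQUES)))
    print("top-3 controls (greedy):", top)
    print("per-adversary mitigation:",
          adversary_coverage(top, CONTROL_TO_TECHNIQUES, ADVERSARY_TO_TECHNIQUES))
    print("average mitigation, share of adversaries touched:",
          summarize(top, CONTROL_TO_TECHNIQUES, ADVERSARY_TO_TECHNIQUES))
```

On the sample data the greedy pass picks AC-6, SC-7 and CM-7, which together mitigate every technique used by GroupA and GroupC, half of MalwareB's, and none of MalwareD's; the two unmapped techniques T1027 and T1562 are exactly the gap the abstract's "53 techniques no control can mitigate" finding points at, and the distinction between "average fraction mitigated" and "share of adversaries touched" is the difference between the 72% and 98% figures.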