Blog

CIS Controls in the Real World

Ted Gruenloh
CEO @ Nomic Networks
October 20, 2021

In May 2021, the Center for Internet Security (CIS) released Version 8 of its Critical Security Controls (CIS Controls). You’ll recall from our earlier post that this new version did two things. First, it cut down the number of top-level Controls and accompanying Safeguards as part of a reorganization around how things are managed in today’s borderless networks. Second, it changed the content of the CIS Controls themselves to address cloud and mobile technologies as well as service provider management.

What do these changes give to organizations? They make it even easier for teams to drive security policy and resolve real-world security incidents using the CIS Controls. Let’s look at a few quick examples below to see how the Controls could have helped some of our customers.

Example #1: A State Agency in Texas

Some time ago, a state agency in Texas experienced a high volume of suspected Mirai-related events. An investigation into this activity confirmed that the IP behind the agency’s Sentinel Outpost had Telnet / Port 23 publicly exposed, thus leading it to being hammered with login attempts. What was curious was the fact that the agency’s firewall didn’t have Port 23 open. After taking a closer look at the traceroutes, we confirmed that the activity was targeting a network device outside the firewall. The customer thought it might be a VM Server or a third-party Internet of Things (IoT) vendor’s system. To be honest, they didn’t really know what it was. Now before you roll your eyes, understand that this happens all the time. Systems get set up, become “legacy”, and get forgotten. We’re all human.

All the more reason to highlight the importance of CIS Safeguard 1.1: Establish and maintain a detailed enterprise asset inventory. Organizations need to know what they have to protect them. Not only that, but they can use such an inventory to address unapproved devices and accounts.

Example #2: School District in the DFW Area

For this customer, we detected an unusually high volume of outbound spyware and malware events. We reviewed the events and passive logs, and in the process, we noticed the traffic was coming from all over the world. By taking a closer look, we found that a web proxy was open to the public Internet. It’s then when the customer said there was a patch for their shiny new content filtering proxy. So, they updated their software, and voilà, the events stopped.

CIS Safeguards 7.3 and 7.4 could have helped the school district in this scenario. Through automated OS and application patch management, the customer’s security team could have streamlined their ability to both scan for and patch security vulnerabilities—including issues affecting their web proxy.

Example #3: Transportation Company

This is an oldie from 2017. Amidst the global WannaCry ransomware outbreak, we observed an uptick of SMB-related alerts on specific customers’ networks. Our support team notified customers who were receiving those alerts, and in this specific case, we traced the notifications back to a misconfiguration on their firewall. Again, we’re all human. Holes get punched and ports get opened all the time on firewalls, and then those changes might not get logged or documented properly.

The transportation company would have benefitted from having used CIS Safeguard 4.5. It’s not enough to implement a firewall on end-user devices. Organizations also need to manage their firewall’s configurations to confirm that it’s dropping all services except those that are specifically allowed by the security policy.

Example #4: City in Texas

Finally, we observed a city in Texas experiencing some Emotet-related events, so we decided to reach out. The customer wasn’t immediately responsive. A few days later, we saw Dridex and Trickbot events on the customer’s systems … This was a typical pattern at the time: Emotet woud lead to Dridex, and then ultimately to Ryuk ransomware. Nasty stuff. It’s then that the customer requested a phone call, leading our support team to help them find the infected host. Once it was identified, the alerts stopped.

There are several tactics in a defense-in-depth strategy that could have prevented this one; let’s choose CIS Safeguard 9.2.: organizations need to use DNS filtering services to block access to known malicious domains – or maybe we should just look at all of CIS Control 14: Security Awareness and Skills Training. It’s no secret that a well-trained employee that avoids clicking that tempting malicious link is way more valuable than any security tool acting as a safety net.

What These Examples Have in Common

All the Safeguards discussed above fit into Implementation Group 1 (IG1). This group is the first of three IGs designed to help organizations prioritize their implementation of the CIS Controls. As such, its Safeguards consist of basic cyber hygiene that all organizations can use to establish a baseline level of security.

It’s not an accident that IG1 showed up in all our examples. If organizations don’t take care of their basic cyber hygiene, those weaknesses will manifest themselves as larger issues on their network at some point. That’s why organizations need to focus on the IG1 safeguards.

To do this, organizations can get creative with their existing tools to find symptoms of larger issues where you might not normally look – The examples above prove that theory. Even though Sentinel wasn’t necessarily meant to cover those specific CIS Controls, we helped uncover these issues and point the customer toward a more focused solution. They can now look beyond those symptoms for the root cause of whatever security incidents they’re investigating. Indeed, leaning on security/visibility tools isn’t the “solution.” Bottom line? Organizations need to keep working to solve the underlying security issues.

Take CIS Controls Version 8 to the real world with Sentinel IPS.

Ted Gruenloh
CEO @ Nomic Networks

Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.

Subscribe to our newsletter
By subscribing you agree to with our Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.