attacks. In reality, the insider threat is well covered in these controls in two ways. First, specific controls such as network segmentation, control of administrative rights, enforcement of need to know, data leakage protection, and effective incident response all directly address the key ways that insider threats can be mitigated. Second, the insider and outsider threats are merging as outsiders are more and more easily penetrating the security perimeters and becoming “insiders.” All of the controls that limit unauthorized access within the organization work effectively to mitigate both insider and outsider threats. It is important to note that these controls are meant to deal with multiple kinds of computer attackers, including but not limited to malicious internal employees and contractors, independent individual external actors, organized crime groups, terrorists, and nation state actors, as well as mixes of these different threats.
Furthermore, these controls are not limited to blocking the initial compromise of systems; they also address detecting already-compromised machines and preventing or disrupting attackers’ actions. The defenses identified through these controls deal with decreasing the initial attack surface through improved architectures and security hardening, identifying already-compromised machines to address long-term threats inside an organization’s network, controlling so-called ‘superuser’ privileges on systems, and disrupting attackers’ command-and-control of implanted malicious code. Figure 1 illustrates the scope of the different kinds of attacker activities that these controls are designed to help thwart.
The rings represent the actions computer attackers may take against target machines. These actions include initially compromising a machine to establish a foothold by exploiting one or more vulnerabilities (i.e., “Getting In”). Attackers can then maintain long-term access on a system, often by creating accounts, subverting existing accounts, or altering the software on the machine to include backdoors and rootkits (i.e., “Staying In”). Attackers with access to machines can also cause damage, which could include stealing, altering, or destroying information; impairing the system’s functionality to jeopardize its business effectiveness or mission; or using it as a jump-off point for compromising other systems in the environment (i.e., “Acting”). Where these rings overlap, attackers have even greater ability to compromise sensitive information or cause damage. Outside each set of rings in the figure, various defensive strategies are presented, which are covered throughout the controls described in this document. Defenses in any one of the rings help to limit the abilities of attackers, but improved defenses are required across all three rings and their intersections. It is important to note that the CAG is designed to help improve defenses across each of these rings, rather than merely to prevent initial compromise.