Organizations in any industry can benefit from threat intelligence, or information that helps identify, analyze, categorize, and ultimately mitigate cybersecurity threats. The HITRUST threat catalogue, a publication of the HITRUST Alliance, is designed with these aims in mind. It breaks down the most common and dangerous kinds of threats into manageable categories, so that an organization can swiftly determine how to address a given threat before it becomes a full event.
A Guide to the HITRUST Threat Catalogue
The HITRUST Threat Catalogue, formally titled HITRUST Enumerated Threat List, is available for free download pending a service agreement. It’s one resource the institution provides as part of the HITRUST Approach, and it breaks down into three primary categories of threats:
- Logical Threats, which break down further into Intentional and Unintentional threats
- Organizational Threats, which comprise legal and regulatory compliance factors
- Physical Threats, which may be Force Majeure, Intentional, or Unintentional
Understanding each of these categories, along with the individual threats enumerated within them, facilitates HITRUST CSF control mapping to help mitigate all threats.
HITRUST Threat Catalogue Category #1: Logical Threats
Logical threats within the HITRUST Threat Catalogue are those that primarily target Information Technology (IT) assets, whether through direct or indirect means. These are the most critical for organizations building out cyberdefense systems, both because they bear most directly on IT systems and because this category houses the greatest number and variety of threats.
HITRUST’s Enumerated Intentional Logical Threats
The list of Intentional Logical threats covers:
- Conflict – These threats derive from the struggles around different parties’ conflicting needs or expectations, which lead one party to directly victimize the other, such as in:
  - LIC 1: Sabotage of IT assets
  - LIC 2: Terrorism directed at IT assets
  - LIC 3: Vandalism of IT assets
  - LIC 4: Warfare targeting IT assets
- Misappropriation – These threats all involve an individual (internal or external to the organization) knowingly taking or using resources that don’t belong to them, as in:
  - LIM 1: Embezzlement of IT assets
  - LIM 2: Extortion related to IT assets
  - LIM 3: Fraud using IT assets
  - LIM 4: Theft of IT assets
- Nefarious – These threats are outright attacks used by cybercriminals in clear breaches of both internal policies and, typically, various laws. The near-exhaustive list includes:
  - LIN 1: Authorization abuse
  - LIN 2: Address space hacking
  - LIN 3: Software alteration
  - LIN 4: Anonymous proxies
  - LIN 5: Autonomous hijacking
  - LIN 6: Brute force
  - LIN 7: Code injections
  - LIN 8: Command injection
  - LIN 9: Compromised credentials
  - LIN 10: Denial of service
  - LIN 11: Distributed denial of service (DDoS)
  - LIN 12: DNS spoofing
  - LIN 13: Drive-by download
  - LIN 14: Privilege elevation
  - LIN 15: Emission attacks
  - LIN 16: HTML script injection
  - LIN 17: Information Sharing
  - LIN 18: IP Spoofing
  - LIN 19: LDAP injection
  - LIN 20: MAC spoofing
  - LIN 21: Malicious code execution
  - LIN 22: Man in the middle
  - LIN 23: Encryption manipulation
  - LIN 24: Data manipulation
  - LIN 25: Pretext/masquerade
  - LIN 26: Message Replay
  - LIN 27: Audit tool misuse
  - LIN 28: Network intrusion
  - LIN 29: Network sniffing
  - LIN 30: Phishing
  - LIN 31: Quid pro quo
  - LIN 32: Ransomware
  - LIN 33: Remote access
  - LIN 34: Repudiation of actions
  - LIN 35: Reverse engineering
  - LIN 36: Rogue access points
  - LIN 37: Rogue certificates
  - LIN 38: Rogue software
  - LIN 39: Rootkits
  - LIN 40: Routing table manipulation
  - LIN 41: Search engine poisoning
  - LIN 42: Server-side includes (SSI) injection
  - LIN 43: SPAM
  - LIN 44: Spear phishing
  - LIN 45: Spyware
  - LIN 46: SQL Injection
  - LIN 47: Trojan
  - LIN 48: Unacceptable use
  - LIN 49: Unauthorized access
  - LIN 50: Unauthorized encryption
  - LIN 51: Unauthorized installation
  - LIN 52: Virus
  - LIN 53: Vishing
  - LIN 54: War Driving
  - LIN 55: Watering holes
  - LIN 56: Web spoofing
  - LIN 57: Whaling
  - LIN 58: Wiretapping
  - LIN 59: Worms
HITRUST’s Enumerated Unintentional Logical Threats
The list of Unintentional Logical threats covers:
- Failure – These threats arise from unexpected flaws or failures inherent to IT assets or other critical infrastructure. The most dangerous are failures of:
  - LUF 1: Third-party services
  - LUF 2: Database systems
  - LUF 3: Network bandwidth
  - LUF 4: Network routing
  - LUF 5: Software or code
  - LUF 6: Storage (media, etc.)
  - LUF 7: Virtual components
- Human – These threats have to do with good-faith errors made by humans, whether internal staff, integrated third parties, or clients with accounts connected to IT systems:
  - LUH 1: Data sharing or leakage
  - LUH 2: Improper modifications
  - LUH 3: Data misclassification
  - LUH 4: Password mishandling
- Misuse – These threats are similar to the human errors just above, but they involve uses of assets that would be acceptable in other circumstances. The near-misses HITRUST lists include:
  - LUM 1: Certificate integrity loss
  - LUM 2: Compromised credentials
  - LUM 3: Data remanence
  - LUM 4: Loss of storage media
  - LUM 5: Database integrity loss
  - LUM 6: Elevated privileges
  - LUM 7: Improper system design
  - LUM 8: Improper network design
  - LUM 9: Inappropriate key management
  - LUM 10: Insufficient release procedures
  - LUM 11: Insufficient or lacking logging
  - LUM 12: Unauthorized storage losses
  - LUM 13: Audit tool misuses
  - LUM 14: Mobile device app data leaks
  - LUM 15: System configuration errors
  - LUM 16: Unacceptable use cases
  - LUM 17: Unmanaged information
  - LUM 18: Web app data leaks
HITRUST Threat Catalogue Category #2: Organizational Threats
Organizational threats within the HITRUST Threat Catalogue relate to compliance with different contractual, regulatory, legal, and other requirements. This is the smallest category, with the fewest total threats, but they are extremely critical. These threats can lead to several immediate consequences through noncompliance. And, in the case of certain cybersecurity requirements, other vulnerabilities may arise in the absence of required controls or protocols.
HITRUST’s Enumerated Organizational Compliance Threats
The list of Organizational Compliance threats covers:
- Contractual – The first element of compliance relates to contractual agreements between organizations and their business or other partners, which can result in:
  - Civil disputes, regarding performances not delivered
- Regulatory – The second and most significant element of compliance in terms of cybersecurity threats comprises applicable regulatory requirements, which inform threats related to:
  - Administrative decisions, regarding operations, etc.
  - Civil disputes, related to regulatory expectations
  - Criminal cases, involving severe noncompliance
- Statutory – The third element of compliance threats covered by HITRUST involves requirements or expectations related to local laws or regulations, which may cause:
  - Civil disputes, related to local legal obligations
  - Criminal cases involving local regulations or laws
HITRUST Threat Catalogue Category #3: Physical Threats
The last category in the HITRUST Threat Catalogue pertains to physical threats. These are the farthest removed from cybersecurity, in that many involve natural phenomena that cannot be foreseen or prevented. Still, preparing for them means creating contingency plans that limit the spread of impacts to the physical and virtual assets exposed to an event’s lingering effects.
HITRUST’s Enumerated Force Majeure Physical Threats
The list of Force Majeure Physical threats covers:
- Climatological – The one kind of threat in this subcategory is HITRUST’s only example of a naturally occurring climate process that impacts a large area (and assets therein):
  - PFC 1: Drought
- Environmental – These threats are similar to climatological ones, but they typically impact a smaller geographical area and thus have more localized impacts. They are:
  - PFE 1: Contaminants
  - PFE 2: Corrosion
  - PFE 3: Humidity
- Geological – These threats involve natural processes of the earth itself (rather than the climate or weather conditions), but they can have similar adverse effects on assets:
  - PFG 1: Avalanche
  - PFG 2: Earthquake
  - PFG 3: Landslide
  - PFG 4: Sinkhole
  - PFG 5: Volcano
  - PFG 6: Wildfires
- Hydrological – These threats involve naturally occurring processes of bodies of water, such that they may impact physical or virtual assets. These kinds of threats include:
  - PFH 1: Erosion
  - PFH 2: Flood
  - PFH 3: Tsunami
- Meteorological – This last class of naturally occurring incidents involves those related to weather events, to the extent that they can affect physical and virtual assets:
  - PFM 1: Blizzards
  - PFM 2: Cyclonic storms
  - PFM 3: Hailstorms
  - PFM 4: Heatwaves
  - PFM 5: Ice storms
  - PFM 6: Lightning
HITRUST’s Enumerated Intentional Physical Threats
The list of Intentional Physical threats covers:
- Conflict – These threats mirror the impact of those above, but their causes differ, as they are intentionally set in motion by threat actors as a result of a dispute. They include:
  - PIC 1: Arson impacting physical assets
  - PIC 2: Large events impacting physical assets
  - PIC 3: Sabotage of physical assets
  - PIC 4: Terrorism impacting physical assets
  - PIC 5: Vandalism of physical assets
  - PIC 6: Warfare impacting physical assets
- Misappropriation – These threats mirror the misappropriation class within the Logical category, but they specifically involve physical assets rather than exclusively IT ones:
  - PIM 1: Embezzlement of physical assets
  - PIM 2: Extortion of physical assets
  - PIM 3: Fraud of physical assets
  - PIM 4: Theft of physical assets
- Nefarious – Similarly, these threats are a much smaller set of possible attacks than the Logical – Intentional nefarious set, as they target physical assets directly or indirectly:
  - PIN 1: Authority abuse
  - PIN 2: Dumpster diving
  - PIN 3: Information sharing
  - PIN 4: Hardware manipulation
  - PIN 5: Pretext/masquerade
  - PIN 6: Quid pro quo
  - PIN 7: Reverse engineering
  - PIN 8: Rogue hardware
  - PIN 9: Tailgating
  - PIN 10: Unacceptable use
  - PIN 11: Unauthorized access
HITRUST’s Enumerated Unintentional Physical Threats
The list of Unintentional Physical threats covers:
- Failure – These threats involve physical assets or the systems connected to them failing to operate as expected, which could compromise the assets:
  - PUF 1: Third-party services
  - PUF 2: Cables
  - PUF 3: Cross-talk
  - PUF 4: Electric power
  - PUF 5: Equipment fire
  - PUF 6: Heating, ventilation, and air conditioning
  - PUF 7: Information technology hardware
  - PUF 8: Plumbing (malfunctions)
  - PUF 9: Voltage (malfunctions)
  - PUF 10: Wireless (malfunctions)
- Human – These threats involve good-faith errors and omissions made by individuals handling physical assets or systems connected to them, which could impact the assets:
  - PUH 1: Personnel absence
  - PUH 2: Accidental damages
  - PUH 3: Accidental fires
  - PUH 4: Loss of assets
  - PUH 5: Password mishandling
  - PUH 6: Unintentional information sharing
- Misuse – These threats involve incorrect uses of assets that might be correct in different circumstances, similar to Logical – Unintentional misuses. The kinds of threats include:
  - PUM 1: Configuration errors
  - PUM 2: Improper system design
  - PUM 3: Improper network design
  - PUM 4: Hardware manipulation
  - PUM 5: Rogue hardware
  - PUM 6: Tailgating
  - PUM 7: Unacceptable use
Mapping HITRUST CSF Controls onto Threats
As noted above, the HITRUST Threat Catalogue is just one part of the broader HITRUST Approach. To mitigate all the threats it enumerates, companies should consider implementing some or all of the HITRUST CSF framework, depending on their specific threat environment.
The CSF comprises 14 Control Categories, which house its 49 Control Objectives. Objectives break down further into Control References, or specific implementation details. These include different Implementation Requirement Levels that depend on size and regulatory requirements.
As of the most recent version, HITRUST V9.5, the Control Categories break down as follows:
- 0.0: Security Management – One Control Objective and one Reference
- 0.1: Access Control – Seven Control Objectives and 25 References
- 0.2: Human Resources Security – Four Control Objectives and nine References
- 0.3: Risk Management Policy – One Control Objective and four References
- 0.4: Information Security Policy – One Control Objective and two References
- 0.5: Information Security Organization – Two Control Objectives and 11 References
- 0.6: Regulatory Compliance – Three Control Objectives and 10 References
- 0.7: Asset Management Security – Two Control Objectives and five References
- 0.8: Physical Environmental Security – Two Control Objectives and 13 References
- 0.9: Communications and Operations – 10 Control Objectives and 32 References
- 0.10: Information System Management – Six Control Objectives and 13 References
- 0.11: Incident Management – Two Control Objectives and five References
- 0.12: Continuity Management – One Control Objective and five References
- 0.13: Privacy Security Practices – Seven Control Objectives and 21 References
In terms of correspondence to the Threat Catalogue, Categories 0.0, 0.2, and 0.11 are the most applicable to the Intentional Logical threats above. Categories 0.0 and 0.4 should prevent most Unintentional Logical and Physical threats. Category 0.6 is directly related to Organizational threats, which include various compliance requirements, and Category 0.8 should cover most if not all Force Majeure and Intentional Physical threats (alongside Categories 0.7 and 0.11).
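As an added example (it is not part of this article and not HITRUST's own tooling or mapping), the Python below turns the correspondence just described into something a risk register can use. It decodes the catalogue identifiers listed throughout this page, where the prefix letters are inferred from the IDs themselves (first letter Logical or Physical, second Intentional, Unintentional or Force Majeure, third the class, so "LIN" is Logical / Intentional / Nefarious), and tags each threat with the CSF Control Categories this article names for its asset and cause. It accepts both spellings seen on the page ("LIC1" and "LIM 1"), rejects prefixes that do not exist in the catalogue, and aggregates a register's threats per Control Category. The `CSF_MAP` table is this article's stated correspondence, not an official HITRUST cross-reference, and Organizational threats are left out because the page gives them no identifiers.

```python
"""Decode HITRUST Threat Catalogue identifiers and map each threat to the CSF
Control Categories this article associates with its asset and cause.

Added example: the prefix decoding is inferred from the identifiers listed in
the article (e.g. "LIN" = Logical / Intentional / Nefarious) and CSF_MAP
reproduces only the correspondences the article states. Neither is an official
HITRUST mapping.
"""
import re
from dataclasses import dataclass

ASSET = {"L": "Logical", "P": "Physical"}
CAUSE = {"I": "Intentional", "U": "Unintentional", "F": "Force Majeure"}

# Third prefix letter; its meaning depends on the first two (no Logical /
# Force Majeure group exists on the page, so ("L", "F") is absent).
CLASS = {
    ("L", "I"): {"C": "Conflict", "M": "Misappropriation", "N": "Nefarious"},
    ("L", "U"): {"F": "Failure", "H": "Human", "M": "Misuse"},
    ("P", "F"): {"C": "Climatological", "E": "Environmental", "G": "Geological",
                 "H": "Hydrological", "M": "Meteorological"},
    ("P", "I"): {"C": "Conflict", "M": "Misappropriation", "N": "Nefarious"},
    ("P", "U"): {"F": "Failure", "H": "Human", "M": "Misuse"},
}

# CSF Control Categories the article names per (asset, cause) pair.
# Organizational threats (tied to Category 0.6 in the article) carry no
# identifiers on the page and therefore cannot be decoded here.
CSF_MAP = {
    ("L", "I"): ("0.0", "0.2", "0.11"),
    ("L", "U"): ("0.0", "0.4"),
    ("P", "U"): ("0.0", "0.4"),
    ("P", "F"): ("0.8", "0.7", "0.11"),
    ("P", "I"): ("0.8", "0.7", "0.11"),
}

# Accepts both spellings seen on the page: "LIC1" and "LIM 1".
ID_RE = re.compile(r"^([LP])([IUF])([A-Z])\s?(\d+)$")


@dataclass(frozen=True)
class Threat:
    ident: str             # normalised form, e.g. "LIC 1"
    asset: str             # Logical / Physical
    cause: str             # Intentional / Unintentional / Force Majeure
    threat_class: str      # Conflict, Misuse, Geological, ...
    number: int
    csf_categories: tuple  # CSF Control Categories from the article


def decode(ident: str) -> Threat:
    """Parse one identifier; raise ValueError for anything outside the scheme."""
    m = ID_RE.match(ident.strip().upper())
    if not m:
        raise ValueError(f"not a catalogue identifier: {ident!r}")
    asset, cause, klass, num = m.groups()
    classes = CLASS.get((asset, cause), {})
    if klass not in classes:
        raise ValueError(f"unknown threat class in {ident!r}")
    return Threat(
        ident=f"{asset}{cause}{klass} {int(num)}",
        asset=ASSET[asset],
        cause=CAUSE[cause],
        threat_class=classes[klass],
        number=int(num),
        csf_categories=CSF_MAP[(asset, cause)],
    )


def is_valid(ident: str) -> bool:
    """True when the identifier decodes under the catalogue's scheme."""
    try:
        decode(ident)
        return True
    except ValueError:
        return False


def coverage(idents):
    """Group a risk register's threat IDs by the CSF categories that address them."""
    by_category = {}
    for ident in idents:
        threat = decode(ident)
        for cat in threat.csf_categories:
            by_category.setdefault(cat, set()).add(threat.ident)
    return {cat: sorted(ids) for cat, ids in sorted(by_category.items())}


if __name__ == "__main__":
    # Constructed sample register: one ID from several of the classes on the page.
    register = ["LIN 30", "LIC1", "LUM 11", "PFG 2", "PIN 9", "PUM 1"]
    for rid in register:
        t = decode(rid)
        print(f"{t.ident:7} {t.asset}/{t.cause}/{t.threat_class} -> {', '.join(t.csf_categories)}")
    for cat, ids in coverage(register).items():
        print(f"Category {cat}: {', '.join(ids)}")
```

Run as a script it prints the decoded taxonomy path for each sample ID and then the per-category view; in practice the register would be read from the organization's own risk tracking rather than the constructed list above, and the coverage output shows which Control Categories carry the most threats and so deserve the earliest implementation effort.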
Protect Against All Threats to Your Organization
The best way to address all threats in the HITRUST threat catalogue is to implement the CSF in its entirety. The CSF is an extremely comprehensive framework that offers robust protection and streamlines many other compliance requirements. However, implementation can be challenging for many companies.
RSI Security’s HITRUST advisory services begin with thorough readiness assessment and advisory, then continue through complete implementation, leading to HITRUST CSF certification.
We’ll help your organization with rethinking your approach to compliance and overall cyberdefense. To get started protecting against all threats, contact RSI Security today!