Mapping CISA's Akira Mitigations to RDI Controls

CISA released their advisory on Akira Ransomware (CISA Advisory AA24-109a) on April 18, 2024. The advisory identifies initial attack methods used by Akira, MITRE ATT&CK Techniques T1078, T1190, T1133, and T1566:

• Valid Accounts (T1078): Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
• Exploit Public-Facing Application (T1190): Akira affiliates have exploited ConnectWise vulnerability CVE-2020-3259 and CVE-2023-20269 to obtain initial access.
• External Remote Services (T1133): Akira threat actors have used remote access services, such as RDP/VPN connection to gain initial access.
• Phishing (T1566): Akira affiliates have used spearphishing emails to obtain initial access.

In the previous blog: Mapping CISA's Black Basta Mitigations to RDI Controls, we discussed MITRE ATT&CK Techniques T1190 and T1566. In this blog, we will focus on the other two techniques: T1078 and T1133. The CISA advisory provides the following mitigations to defend against Akira ransomware:

• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).
• Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security.
• Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement
• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host
• Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
• Install, regularly update, and enable real time detection for antivirus software on all hosts.
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
• Disable unused ports.
• Consider adding an email banner to emails received from outside of your organization.
• Disable hyperlinks in received emails.
• Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
• Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization helps ensure they will not be severely interrupted, and/or only have irretrievable data.
• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

We will analyze the MITRE ATT&CK techniques used by this ransomware family, starting with T1078, and show how RDI aligns with CISA's mitigation recommendations for proactive ransomware defense. This article will examine how RDI helps CISOS and cybersecurity leaders check their defenses against the Akira Ransomware threat. We'll show how RDI aligns with CISA's recommendations and improves overall cybersecurity by focusing on specific ways to stop the MITRE ATT&CK techniques used by Akira Ransomware.

Understanding T1078: Valid Accounts

With T1078, attackers can exploit compromised credentials to gain access, maintain persistence, escalate privileges, and evade detection. These credentials allow them to bypass network access controls and access remote systems and services like VPNs and Outlook Web Access. By using legitimate credentials, these attackers can avoid detection by not relying on malware or additional tools.

For this exercise, we will focus only on those CISA mitigation recommendations that apply to T1078:

• Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security.
• Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems
• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
• Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

Mapping CISA's mitigation recommendations for T1078 to RDI Controls

The following matrix shows the mapping between RDI's controls to CISA's advisory for Akira:

CISA Mitigation	RDI Control	RDI Family
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security.	Implement Security Policies	Foundational
	MFA	Advanced
	Biometric-Based Authentication	Elite
	Behavioral Biometrics	Elite
Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.	MFA	Advanced
	Zero-Trust Architecture	Elite
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.	Security Logging and Monitoring Controls	Foundational
	Implement Security Policies	Foundational
	SIEM	Advanced
	EDR	Advanced
	IAM	Advanced
	PAM	Advanced
	Network Traffic Analysis (NTA)	Advanced
	Continuous Monitoring	Elite
	User and Entity Behavior Analytics (UEBA)	Elite
	Artificial Intelligence and Machine Learning	Elite
	Behavioral Analysis	Elite
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege].	Implement Security Policies	Foundational
	Role Based Access Control	AdvanceFoundationald
	IAM	Advanced
	PAM	Advanced
Implement time-based access for accounts set at the admin level and higher,	IAM	Advanced
	PAM	Advanced
	Zero-Trust Architecture	Elite

The table below shows the controls identified by RDI to detect and mitigate attacks using MITRE technique T1078:

T1078
Family	RDI Control
Foundational	Security Logging and Monitoring Controls
Foundational	2FA
Foundational	Implement Security Policies
Foundational	Role Based Access Control
Advanced	Threat Intelligence Feeds
Advanced	SIEM
Advanced	Network Traffic Analysis (NTA)

Understanding T1133: External Remote Services

Let’s turn our attention now and apply the same approach to CISA’s mitigation recommendations specific to T1133:

Attackers use remote access services to break into networks or maintain their presence. These services let users connect to a company's internal systems from outside, typically managed by authentication systems that verify user identities. They typically use vectors such as exposed RDP, compromised VPN credentials, third-party remote access tools, SSH access, software vulnerabilities, misconfigured cloud services, social engineering, and credential dumping.

These are CISA mitigation recommendations that apply to T1133:

• Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
• Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
• Disable unused ports
• Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.

Mapping CISA's mitigation recommendations for T1133 to RDI Controls

The matrix below presents a mapping between CISA's mitigation recommendations for MITRE ATT&CK technique T1133 and RDI's controls designed to detect and mitigate attacks leveraging T1133 as an attack vector.

CISA Mitigation	RDI Control	RDI Family
Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.	2FA	Foundational
	MFA	Advanced
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems .	Apply Patches and Updates	Foundational
	Conduct Regular Security Assessments	Foundational
	EDR	Advanced
	SOAR	Advanced
	Threat Intelligence Feeds	Advanced
	Continuous Monitoring	Elite
	Artificial Intelligence and Machine Learning	Elite
	Zero-Trust Architecture	Elite
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement	Network Segmentation in the DMZ	Foundational
	Network Security Controls (Firewalls/VPNS/Proxy servers)	Foundational
	Network Segmentation	Advanced
	Network Traffic Analysis (NTA)	Advanced
	Deception Techniques	Advanced
	Continuous Monitoring	Elite
	Zero-Trust Architecture	Elite
	Software-Defined Perimeter (SDP)	Elite
Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence	Network Security Controls (Firewalls/VPNS/Proxy servers)	Foundational
	Implement Security Policies	Foundational
	IDS/IPS	Advanced
	Network Access Control (NAC)	Advanced
	Network Traffic Analysis (NTA)	Advanced
	Zero-Trust Architecture	Elite
	Software-Defined Perimeter (SDP)	Elite
	Artificial Intelligence and Machine Learning	Elite
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege	Role Based Access Control (RBAC)	Foundational
	Implement Security Policies	Foundational
	Conduct Regular Security Assessments	Foundational
	SIEM (Security Information and Event Management)	Advanced
	Network Access Control (NAC)	Advanced
	EDR	Advanced
	User and Entity Behavior Analytics (UEBA)	Elite
	Continuous Monitoring	Elite
	Zero-Trust Architecture	Elite
	Artificial Intelligence and Machine Learning	Elite
Disable unused ports	Implement Security Policies	Foundational
	Security Awareness	Foundational
	Network Access Control (NAC)	Advanced
	SIEM (Security Information and Event Management)	Advanced
	EDR	Advanced
	Continuous Monitoring	Elite
	Zero-Trust Architecture	Elite
	User and Entity Behavior Analytics (UEBA)	Elite
Implement time-based access for accounts set at the admin level and higher.	Role Based Access Control (RBAC)	Foundational
	Implement Security Policies	Foundational
	EDR	Advanced
	SIEM (Security Information and Event Management)	Advanced
	Network Access Control (NAC)	Advanced
	Zero-Trust Architecture	Elite
	User and Entity Behavior Analytics (UEBA)	Elite
	Artificial Intelligence and Machine Learning	Elite

As mentioned previously, RDI goes a step further by providing a broader range of controls beyond those mentioned in the CISA advisory, offering a more comprehensive view of detection and mitigation strategies against such attacks:

T1133
Family	RDI Control
Foundational	Use Web Application Firewall
Foundational	Security Logging and Monitoring Controls
Foundational	Vulnerability Scanning
Foundational	Software and Firmware Security Standards
Foundational	Anti-Virus and Anti-Malware Software
Foundational	Apply Patches and Updates
Foundational	Network Segmentation in the DMZ
Foundational	Security Awareness