Mapping CISA's Akira Mitigations to RDI Controls

RDI & CISA's Mitigation Recommendations for Proactive Ransomware Defense

CISA released its advisory on Akira ransomware (CISA Advisory AA24-109A) on April 18, 2024. The advisory identifies the initial access techniques used by Akira, MITRE ATT&CK techniques T1078, T1190, T1133, and T1566:

  • Valid Accounts (T1078): Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
  • Exploit Public-Facing Application (T1190): Akira affiliates have exploited Cisco ASA/FTD vulnerabilities CVE-2020-3259 and CVE-2023-20269, both in the remote access VPN feature of those appliances, to obtain initial access.
  • External Remote Services (T1133): Akira threat actors have used remote access services, such as RDP/VPN connection to gain initial access.
  • Phishing (T1566): Akira affiliates have used spearphishing emails to obtain initial access.

In the previous post, Mapping CISA's Black Basta Mitigations to RDI Controls, we covered MITRE ATT&CK techniques T1190 and T1566. This post focuses on the other two techniques, T1078 and T1133. The CISA advisory provides the following mitigations against Akira ransomware:

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security.
  • Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Disable unused ports.
  • Consider adding an email banner to emails received from outside of your organization.
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
  • Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization helps ensure they will not be severely interrupted, and/or only have irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.

We will analyze the MITRE ATT&CK techniques used by this ransomware family, starting with T1078, and show how RDI's controls align with CISA's mitigation recommendations for proactive ransomware defense. The aim is to give CISOs and security leaders a way to check their defenses against the Akira threat control by control, and to show how the controls RDI layers on top of CISA's recommendations address the specific techniques Akira uses.

Understanding T1078: Valid Accounts

With T1078, attackers use compromised credentials to gain initial access, maintain persistence, escalate privileges, and evade detection. Valid credentials let them pass network access controls and reach remote systems and services such as VPNs and Outlook Web Access. Because the activity rides on legitimate accounts rather than on malware or additional tooling, it rarely trips endpoint alerts; detection has to come from the identity layer, i.e. who logged in, from where, at what time, and with which privileges.

For this exercise, we will focus only on those CISA mitigation recommendations that apply to T1078:

  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security.
  • Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
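To make the account-review recommendations above concrete, here is a small added example, written for this article and not code from CISA or the RDI framework, that applies them to Windows Security log events: it flags newly created accounts that no approved joiner ticket explains, additions to privileged groups, and logons by admin accounts outside an approved JIT window. The event IDs and field names are those of the Windows Security log; the sample events, the approved-account list and the JIT windows are constructed for illustration.

```python
from datetime import datetime

# Windows Security log event IDs that matter for a T1078 account review.
ACCOUNT_CREATED = 4720    # a user account was created
GLOBAL_GROUP_ADD = 4728   # member added to a security-enabled global group (e.g. Domain Admins)
LOCAL_GROUP_ADD = 4732    # member added to a security-enabled local group (e.g. Administrators)
LOGON_SUCCESS = 4624      # an account was successfully logged on
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample events (a handful of fields from each record), not real log data.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2024-05-01T02:14:00Z", "host": "DC01", "subject": "CORP\\jsmith",
     "target": "svc_backup2"},
    {"id": 4728, "time": "2024-05-01T02:15:10Z", "host": "DC01", "subject": "CORP\\jsmith",
     "target": "svc_backup2", "group": "Domain Admins"},
    {"id": 4732, "time": "2024-05-01T02:16:00Z", "host": "FS01", "subject": "CORP\\svc_backup2",
     "target": "svc_backup2", "group": "Remote Desktop Users"},
    {"id": 4624, "time": "2024-05-01T02:20:00Z", "host": "FS01", "target": "svc_backup2",
     "logon_type": 10, "source_ip": "198.51.100.23"},
    {"id": 4624, "time": "2024-05-01T09:05:00Z", "host": "FS01", "target": "adm_alee",
     "logon_type": 10, "source_ip": "10.0.5.12"},
    {"id": 4720, "time": "2024-05-01T10:00:00Z", "host": "DC01", "subject": "CORP\\hr_onboard",
     "target": "mgarcia"},
    {"id": 4624, "time": "2024-05-01T13:30:00Z", "host": "WS042", "target": "adm_alee",
     "logon_type": 2, "source_ip": "-"},
]

# Accounts whose creation is explained by an approved joiner/change ticket (constructed).
APPROVED_NEW_ACCOUNTS = {"mgarcia"}

# JIT windows: admin account -> [(start, end)] in UTC during which privileged use was approved.
JIT_WINDOWS = {"adm_alee": [("2024-05-01T08:00:00Z", "2024-05-01T12:00:00Z")]}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def in_jit_window(account, when, jit_windows):
    """True if `when` falls inside one of the account's approved JIT windows."""
    return any(parse_ts(start) <= when <= parse_ts(end)
               for start, end in jit_windows.get(account, []))


def review_events(events, approved_new_accounts, jit_windows, privileged_groups=PRIVILEGED_GROUPS):
    """Walk the events in time order and return (kind, account, detail) findings.

    Accounts that have JIT windows are the known admin accounts. Any account that the
    stream shows being added to a privileged group is treated as privileged from that
    moment on, so a fresh account that is immediately made Domain Admin is caught even
    though no JIT policy knows about it yet.
    """
    findings = []
    privileged = set(jit_windows)
    for ev in sorted(events, key=lambda e: parse_ts(e["time"])):
        eid, acct, when = ev["id"], ev["target"], parse_ts(ev["time"])
        if eid == ACCOUNT_CREATED and acct not in approved_new_accounts:
            findings.append(("unrecognized_account", acct,
                             f"created on {ev['host']} by {ev['subject']} at {ev['time']}"))
        elif eid in (GLOBAL_GROUP_ADD, LOCAL_GROUP_ADD) and ev["group"] in privileged_groups:
            privileged.add(acct)
            findings.append(("privileged_group_add", acct,
                             f"added to {ev['group']} on {ev['host']} by {ev['subject']}"))
        elif eid == LOGON_SUCCESS and acct in privileged and not in_jit_window(acct, when, jit_windows):
            findings.append(("admin_logon_outside_jit", acct,
                             f"logon type {ev['logon_type']} on {ev['host']} "
                             f"from {ev['source_ip']} at {ev['time']}"))
    return findings


if __name__ == "__main__":
    for kind, account, detail in review_events(SAMPLE_EVENTS, APPROVED_NEW_ACCOUNTS, JIT_WINDOWS):
        print(f"{kind:26} {account:14} {detail}")
```

On the sample data the review produces four findings, all of which a SIEM correlation rule could raise the same way: the unexplained svc_backup2 account, its addition to Domain Admins a minute later, its RDP logon (logon type 10) from an address outside the organization, and a logon by adm_alee after the approved window closed. The 09:05 logon by adm_alee inside its window and the approved mgarcia account produce nothing, which is the point of pairing the review with an approval source rather than alerting on every creation event.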

Mapping CISA's mitigation recommendations for T1078 to RDI Controls

The following matrix maps CISA's mitigation recommendations for T1078 in the Akira advisory to RDI's controls:

CISA mitigation, followed by the RDI controls mapped to it (RDI family in parentheses):

Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security.
  • Implement Security Policies (Foundational)
  • MFA (Advanced)
  • Biometric-Based Authentication (Elite)
  • Behavioral Biometrics (Elite)

Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • MFA (Advanced)
  • Zero-Trust Architecture (Elite)

Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Security Logging and Monitoring Controls (Foundational)
  • Implement Security Policies (Foundational)
  • SIEM (Advanced)
  • EDR (Advanced)
  • IAM (Advanced)
  • PAM (Advanced)
  • Network Traffic Analysis (NTA) (Advanced)
  • Continuous Monitoring (Elite)
  • User and Entity Behavior Analytics (UEBA) (Elite)
  • Artificial Intelligence and Machine Learning (Elite)
  • Behavioral Analysis (Elite)

Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Implement Security Policies (Foundational)
  • Role Based Access Control (Foundational)
  • IAM (Advanced)
  • PAM (Advanced)

Implement time-based access for accounts set at the admin level and higher.
  • IAM (Advanced)
  • PAM (Advanced)
  • Zero-Trust Architecture (Elite)

The table below shows the controls identified by RDI to detect and mitigate attacks using MITRE technique T1078:

RDI controls for T1078, by family:

  Foundational:
  • Security Logging and Monitoring Controls
  • 2FA
  • Implement Security Policies
  • Role Based Access Control

  Advanced:
  • Threat Intelligence Feeds
  • SIEM
  • Network Traffic Analysis (NTA)
  • MFA
  • EDR
  • IDS/IPS
  • SOAR
  • Network Segmentation
  • Deception Techniques
  • IAM
  • PAM
  • DLP

  Elite:
  • Continuous Monitoring
  • Artificial Intelligence and Machine Learning
  • Behavioral Analysis
  • Memory-Based Analysis
  • User and Entity Behavior Analytics (UEBA)
  • Behavioral Biometrics
  • Software-Defined Perimeter (SDP)
  • Zero-Trust Architecture
  • Quantum-Resistant security
  • Threat Hunting
  • Blockchain for security
  • Biometric-Based Authentication

Understanding T1133: External Remote Services

Attackers use external remote services either to break into a network or to keep a foothold once inside. These services let users reach a company's internal systems from outside and are normally gated by an authentication system that verifies user identity, which is exactly why stolen or weak credentials make them attractive. Typical vectors are exposed RDP, compromised VPN credentials, third-party remote access tools, SSH access, unpatched vulnerabilities in the remote access gateway itself, misconfigured cloud services, and credentials obtained through social engineering or credential dumping.

Applying the same approach as for T1078, these are the CISA mitigation recommendations that apply to T1133:

  • Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Disable unused ports.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
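For the network-side recommendations above (filter traffic to remote services by origin, disable unused ports), here is an added example written for this article, not code from CISA, any firewall vendor or the RDI framework. It parses constructed firewall log lines in a generic key=value layout, flags connections the firewall allowed to RDP, SSH or the VPN port from a source outside the trusted ranges, counts the attempts that were correctly denied, and compares each host's listening ports with an approved list. The policy, host names, addresses and log lines are all constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Remote-access ports and the source ranges permitted to reach each one.
# Constructed policy for this example; in practice it comes from the firewall/NAC rule base.
ALLOWED_SOURCES = {
    3389: ["10.0.0.0/8"],                    # RDP: internal network only (reach it over the VPN)
    22:   ["10.0.0.0/8", "192.0.2.0/24"],    # SSH: internal plus the bastion/partner range
    443:  ["0.0.0.0/0", "::/0"],             # the VPN concentrator itself must be Internet-reachable
}

# Approved listening ports per host, for the "disable unused ports" check (constructed).
APPROVED_LISTENERS = {"FS01": {445, 3389}, "VPN01": {443}}

# What an inventory such as `ss -ltn` or `Get-NetTCPConnection -State Listen` reported (constructed).
OBSERVED_LISTENERS = {"FS01": {445, 3389, 5900}, "VPN01": {443, 22}}

# Constructed firewall log lines in a generic key=value layout (not any vendor's real format).
SAMPLE_LOG = """\
2024-05-01T02:18:44Z src=198.51.100.23 dst=10.0.5.40 dport=3389 proto=tcp action=allow
2024-05-01T02:19:01Z src=10.0.5.12 dst=10.0.5.40 dport=3389 proto=tcp action=allow
2024-05-01T02:19:30Z src=203.0.113.9 dst=10.0.0.2 dport=443 proto=tcp action=allow
2024-05-01T02:20:05Z src=203.0.113.9 dst=10.0.5.41 dport=22 proto=tcp action=deny
2024-05-01T02:21:17Z src=192.0.2.77 dst=10.0.5.41 dport=22 proto=tcp action=allow
2024-05-01T02:22:40Z src=172.16.3.3 dst=10.0.5.41 dport=22 proto=tcp action=allow
2024-05-01T02:23:02Z src=203.0.113.9 dst=10.0.5.40 dport=80 proto=tcp action=allow
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into its timestamp and key=value fields; dport becomes an int."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    fields["dport"] = int(fields["dport"])
    return fields


def origin_permitted(src, dport, policy=ALLOWED_SOURCES):
    """True if `src` is inside one of the ranges allowed to reach `dport`.
    An IPv4 address is never inside an IPv6 network (and vice versa), so mixed policies are safe."""
    addr = ip_address(src)
    return any(addr in ip_network(cidr) for cidr in policy.get(dport, []))


def check_connections(log_text, policy=ALLOWED_SOURCES):
    """Return (violations, denied_count).

    violations: connections the firewall ALLOWED to a remote-access port from an origin
    the policy does not trust, i.e. the filtering recommendation is not actually enforced.
    denied_count: untrusted attempts the firewall blocked; the control worked, but a burst
    of these against RDP/SSH still deserves a look.
    Ports not in the policy are not remote-access ports and are ignored here.
    """
    violations, denied = [], 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev["dport"] not in policy or origin_permitted(ev["src"], ev["dport"], policy):
            continue
        if ev["action"] == "allow":
            violations.append((ev["ts"], ev["src"], ev["dst"], ev["dport"]))
        else:
            denied += 1
    return violations, denied


def check_listeners(observed, approved=APPROVED_LISTENERS):
    """(host, port) pairs that are listening but not on the host's approved list."""
    return sorted((host, port)
                  for host, ports in observed.items()
                  for port in ports - approved.get(host, set()))


if __name__ == "__main__":
    violations, denied = check_connections(SAMPLE_LOG)
    for ts, src, dst, port in violations:
        print(f"ALLOWED FROM UNTRUSTED ORIGIN {ts} {src} -> {dst}:{port}")
    print(f"{denied} untrusted attempt(s) correctly denied")
    for host, port in check_listeners(OBSERVED_LISTENERS):
        print(f"UNAPPROVED LISTENER {host}:{port}")
```

Two of the sample connections are policy violations: RDP on FS01 reached directly from 198.51.100.23, which is the exposed-RDP vector Akira affiliates use, and SSH reached from 172.16.3.3, a range nobody added to the allowlist. The denied SSH attempt from 203.0.113.9 shows the filter working as intended. The listener check finds VNC (5900) on the file server and SSH on the VPN concentrator, neither of which is approved; the practitioner's follow-up is to close them or to add them to the policy with an explicit allowlist, never to leave them reachable by default.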

Mapping CISA's mitigation recommendations for T1133 to RDI Controls

The matrix below presents a mapping between CISA's mitigation recommendations for MITRE ATT&CK technique T1133 and RDI's controls designed to detect and mitigate attacks leveraging T1133 as an attack vector.

CISA mitigation, followed by the RDI controls mapped to it (RDI family in parentheses):

Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
  • 2FA (Foundational)
  • MFA (Advanced)

Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Apply Patches and Updates (Foundational)
  • Conduct Regular Security Assessments (Foundational)
  • EDR (Advanced)
  • SOAR (Advanced)
  • Threat Intelligence Feeds (Advanced)
  • Continuous Monitoring (Elite)
  • Artificial Intelligence and Machine Learning (Elite)
  • Zero-Trust Architecture (Elite)

Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Network Segmentation in the DMZ (Foundational)
  • Network Security Controls (Firewalls/VPNs/Proxy servers) (Foundational)
  • Network Segmentation (Advanced)
  • Network Traffic Analysis (NTA) (Advanced)
  • Deception Techniques (Advanced)
  • Continuous Monitoring (Elite)
  • Zero-Trust Architecture (Elite)
  • Software-Defined Perimeter (SDP) (Elite)

Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  • Network Security Controls (Firewalls/VPNs/Proxy servers) (Foundational)
  • Implement Security Policies (Foundational)
  • IDS/IPS (Advanced)
  • Network Access Control (NAC) (Advanced)
  • Network Traffic Analysis (NTA) (Advanced)
  • Zero-Trust Architecture (Elite)
  • Software-Defined Perimeter (SDP) (Elite)
  • Artificial Intelligence and Machine Learning (Elite)

Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Role Based Access Control (RBAC) (Foundational)
  • Implement Security Policies (Foundational)
  • Conduct Regular Security Assessments (Foundational)
  • SIEM (Security Information and Event Management) (Advanced)
  • Network Access Control (NAC) (Advanced)
  • EDR (Advanced)
  • User and Entity Behavior Analytics (UEBA) (Elite)
  • Continuous Monitoring (Elite)
  • Zero-Trust Architecture (Elite)
  • Artificial Intelligence and Machine Learning (Elite)

Disable unused ports.
  • Implement Security Policies (Foundational)
  • Security Awareness (Foundational)
  • Network Access Control (NAC) (Advanced)
  • SIEM (Security Information and Event Management) (Advanced)
  • EDR (Advanced)
  • Continuous Monitoring (Elite)
  • Zero-Trust Architecture (Elite)
  • User and Entity Behavior Analytics (UEBA) (Elite)

Implement time-based access for accounts set at the admin level and higher.
  • Role Based Access Control (RBAC) (Foundational)
  • Implement Security Policies (Foundational)
  • EDR (Advanced)
  • SIEM (Security Information and Event Management) (Advanced)
  • Network Access Control (NAC) (Advanced)
  • Zero-Trust Architecture (Elite)
  • User and Entity Behavior Analytics (UEBA) (Elite)
  • Artificial Intelligence and Machine Learning (Elite)

As with T1078, RDI goes a step further by providing a broader range of controls beyond those named in the CISA advisory, giving a more comprehensive view of detection and mitigation strategies against this technique:

RDI controls for T1133, by family:

  Foundational:
  • Use Web Application Firewall
  • Security Logging and Monitoring Controls
  • Vulnerability Scanning
  • Software and Firmware Security Standards
  • Anti-Virus and Anti-Malware Software
  • Apply Patches and Updates
  • Network Segmentation in the DMZ
  • Security Awareness
  • Use Security Software on Mobile Devices
  • 2FA
  • Network Security Controls (Firewalls/VPNs/Proxy servers)
  • Implement Security Policies
  • Conduct Regular Security Assessments
  • Role Based Access Control

  Advanced:
  • Use Threat Intelligence Feeds
  • SIEM
  • Use Network Traffic Analysis (NTA)
  • APT Detection and Response
  • MFA
  • EDR
  • IDS/IPS
  • Browser Isolation or Virtual Browser solutions
  • Network Access Control (NAC)
  • SOAR
  • Network Segmentation
  • Deception Techniques

  Elite:
  • Continuous Monitoring
  • Artificial Intelligence and Machine Learning
  • Behavioral Analysis
  • Memory-Based Analysis
  • Network Forensics
  • User and Entity Behavior Analytics (UEBA)
  • Software-Defined Perimeter (SDP)
  • Zero-Trust Architecture
  • Quantum-Resistant security
  • Threat Hunting
  • Blockchain for Security

Conclusion

CISOs and cybersecurity teams can efficiently map mitigation recommendations to specific controls identified by RDI. Using RDI's self-assessment tools (https://rdishield.com/rdi/), you can conduct quick assessments of these controls, identifying any gaps and areas for improvement.

The RDI framework is useful because it is comprehensive: it identifies the controls that map directly to recommendations from authorities such as CISA and surrounds them with a range of complementary controls. Starting from that core set and layering the complementary controls on top gives you a defense-in-depth strategy in which a failure of one control (a phished MFA prompt, a missed patch on a VPN appliance) is caught by another, which strengthens your organization's security posture against sophisticated ransomware and other diverse threats.