RDI & CISA's Mitigation Recommendations for Proactive Ransomware Defense
CISA released its advisory on Akira ransomware (CISA Advisory AA24-109a) on April 18, 2024. The advisory identifies the initial access methods used by Akira, mapped to MITRE ATT&CK techniques T1078, T1190, T1133, and T1566:
Valid Accounts (T1078): Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
Exploit Public-Facing Application (T1190): Akira affiliates have exploited ConnectWise vulnerabilities CVE-2020-3259 and CVE-2023-20269 to obtain initial access.
External Remote Services (T1133): Akira threat actors have used remote access services, such as RDP and VPN connections, to gain initial access.
Phishing (T1566): Akira affiliates have used spearphishing emails to obtain initial access.
In the previous blog, Mapping CISA's Black Basta Mitigations to RDI Controls, we discussed MITRE ATT&CK techniques T1190 and T1566. In this blog we focus on the other two techniques, T1078 and T1133. The CISA advisory provides the following mitigations to defend against Akira ransomware:
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security.
Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
Disable unused ports.
Consider adding an email banner to emails received from outside of your organization.
Disable hyperlinks in received emails.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
Maintain offline backups of data, and regularly maintain backup and restoration procedures. By instituting this practice, the organization helps ensure it will not be severely interrupted and/or left only with irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
We will analyze the MITRE ATT&CK techniques used by this ransomware family, starting with T1078, and show how RDI aligns with CISA's mitigation recommendations for proactive ransomware defense. The aim is to help CISOs and cybersecurity leaders check their defenses against the Akira ransomware threat: for each technique, we map CISA's recommendations to the specific RDI controls that counter it.
Understanding T1078: Valid Accounts
With T1078, attackers can exploit compromised credentials to gain access, maintain persistence, escalate privileges, and evade detection. These credentials allow them to bypass network access controls and access remote systems and services like VPNs and Outlook Web Access. By using legitimate credentials, these attackers can avoid detection by not relying on malware or additional tools.
For this exercise, we will focus only on those CISA mitigation recommendations that apply to T1078:
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security.
Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.
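Two of the T1078 mitigations above ("review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts" and "audit user accounts with administrative privileges") are routine reviews that are easiest to run as code against the security-event feed. The script below is an added example, not code from RDI, CISA or the advisory. It assumes the SIEM exports one JSON object per line with the fields shown, and that the Windows event IDs carry their documented meanings (4720 = user account created; 4728/4732/4756 = member added to a global/local/universal security group). The inventories of approved accounts and approved account creators, and the sample events, are constructed for the demo.

```python
"""Review a constructed export of Windows Security events for new or
unrecognized accounts and for additions to privileged groups.

Added example; not code from RDI, CISA or the advisory. The export format,
the approved-account inventory and the sample events are assumptions
constructed for this demo.
"""
import json
from collections import Counter

# Constructed sample export (one JSON object per line, as a SIEM might emit).
SAMPLE_EVENTS = r"""
{"ts": "2024-04-20T01:12:03Z", "event_id": 4720, "host": "DC01", "subject": "CORP\\svc-backup", "target": "CORP\\helpdesk3"}
{"ts": "2024-04-20T01:12:40Z", "event_id": 4728, "host": "DC01", "subject": "CORP\\svc-backup", "target": "CORP\\helpdesk3", "group": "Domain Admins"}
{"ts": "2024-04-20T09:30:11Z", "event_id": 4720, "host": "DC01", "subject": "CORP\\it-admin1", "target": "CORP\\jdoe"}
{"ts": "2024-04-20T09:31:00Z", "event_id": 4732, "host": "FS02", "subject": "CORP\\it-admin1", "target": "CORP\\jdoe", "group": "Administrators"}
{"ts": "2024-04-20T10:05:00Z", "event_id": 4624, "host": "WS17", "subject": "CORP\\jdoe", "target": "CORP\\jdoe"}
"""

# Constructed inventories: accounts with an approved provisioning ticket, and
# identities permitted to create accounts. A service account creating users is
# exactly the kind of thing a periodic review should surface.
APPROVED_ACCOUNTS = {"CORP\\jdoe": "CHG-1042"}
APPROVED_CREATORS = {"CORP\\it-admin1"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global/local/universal security group


def parse_events(text):
    """Parse the line-delimited JSON export into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_accounts(events):
    """Return findings for account creation and privileged group membership changes."""
    findings = []
    created = {}  # target account -> timestamp of its 4720 within this review window
    for ev in events:
        eid = ev["event_id"]
        if eid == 4720:
            created[ev["target"]] = ev["ts"]
            if ev["target"] not in APPROVED_ACCOUNTS:
                findings.append({"rule": "unrecognized_account", "account": ev["target"],
                                 "by": ev["subject"], "host": ev["host"], "ts": ev["ts"]})
            if ev["subject"] not in APPROVED_CREATORS:
                findings.append({"rule": "unapproved_creator", "account": ev["target"],
                                 "by": ev["subject"], "host": ev["host"], "ts": ev["ts"]})
        elif eid in GROUP_ADD_EVENTS and ev.get("group") in PRIVILEGED_GROUPS:
            finding = {"rule": "privileged_group_add", "account": ev["target"],
                       "group": ev["group"], "by": ev["subject"],
                       "host": ev["host"], "ts": ev["ts"]}
            # An account created and made privileged inside the same review
            # window deserves the first look during triage.
            finding["new_account"] = ev["target"] in created
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per rule for a quick triage view."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    results = review_accounts(parse_events(SAMPLE_EVENTS))
    for finding in results:
        print(finding)
    print(summarize(results))
```

Run against the constructed feed, the review flags the helpdesk3 account (not in the inventory, created by a service account, then added to Domain Admins within a minute) and the addition of jdoe to a local Administrators group; the interactive logon event is ignored. Wiring the same rules to a SIEM query instead of a file export is the only change needed for production use.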
Mapping CISA's mitigation recommendations for T1078 to RDI Controls
The following matrix maps CISA's mitigation recommendations for T1078 to RDI's controls and the RDI family each control belongs to:
CISA Mitigation: Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security.
RDI Control (RDI Family): Implement Security Policies (Foundational); MFA (Advanced); Biometric-Based Authentication (Elite); Behavioral Biometrics (Elite)

CISA Mitigation: Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
RDI Control (RDI Family): MFA (Advanced); Zero-Trust Architecture (Elite)

CISA Mitigation: Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
RDI Control (RDI Family): Security Logging and Monitoring Controls (Foundational); Implement Security Policies (Foundational); SIEM (Advanced); EDR (Advanced); IAM (Advanced); PAM (Advanced); Network Traffic Analysis (NTA) (Advanced); Continuous Monitoring (Elite); User and Entity Behavior Analytics (UEBA) (Elite); Artificial Intelligence and Machine Learning (Elite); Behavioral Analysis (Elite)

CISA Mitigation: Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
RDI Control (RDI Family): Implement Security Policies (Foundational); Role Based Access Control (Foundational); IAM (Advanced); PAM (Advanced)

CISA Mitigation: Implement time-based access for accounts set at the admin level and higher.
RDI Control (RDI Family): IAM (Advanced); PAM (Advanced); Zero-Trust Architecture (Elite)
The table below shows the controls identified by RDI to detect and mitigate attacks using MITRE technique T1078:
T1078: RDI controls by RDI family

Foundational: Security Logging and Monitoring Controls; 2FA; Implement Security Policies; Role Based Access Control

Advanced: Threat Intelligence Feeds; SIEM; Network Traffic Analysis (NTA); MFA; EDR; IDS/IPS; SOAR; Network Segmentation; Deception Techniques; IAM; PAM; DLP

Elite: Continuous Monitoring; Artificial Intelligence and Machine Learning; Behavioral Analysis; Memory-Based Analysis; User and Entity Behavior Analytics (UEBA); Behavioral Biometrics; Software-Defined Perimeter (SDP); Zero-Trust Architecture; Quantum-Resistant security; Threat Hunting; Blockchain for security; Biometric-Based Authentication
Understanding T1133: External Remote Services
Let’s turn our attention now to T1133 and apply the same approach to CISA’s mitigation recommendations specific to it.
Attackers use external remote services to gain initial access to networks or to maintain their presence. These services let users connect to a company's internal systems from outside and are typically gated by authentication systems that verify user identities. Common vectors include exposed RDP, compromised VPN credentials, third-party remote access tools, SSH access, software vulnerabilities, misconfigured cloud services, social engineering, and credential dumping.
These are CISA mitigation recommendations that apply to T1133:
Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
Disable unused ports.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
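The time-based (just-in-time) access mitigation above, which applies to both T1078 and T1133, describes a mechanism rather than a product: admin rights are off by default, a user requests access for a specified system and a set timeframe, and the right lapses automatically afterwards. The model below is an added example, not code from RDI, CISA or any PAM product. The broker API (JitBroker, request_access, is_privileged, sweep_expired, revoke), the policy ceiling MAX_WINDOW and the eligibility list are hypothetical; in a real deployment the grant and expiry decisions would drive Active Directory group membership or account enablement.

```python
"""Model of time-based (just-in-time) privileged access: admin rights exist
only inside a bounded, ticketed window and lapse on their own afterwards.

Added example; not code from RDI, CISA or any PAM product. The broker API and
the policy values below are hypothetical and constructed for this demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_WINDOW = timedelta(hours=4)  # constructed policy ceiling for a single grant


@dataclass
class Grant:
    principal: str
    role: str
    system: str
    ticket: str
    start: datetime
    end: datetime
    closed: bool = False  # set once the window lapses or the grant is revoked

    def active(self, now):
        return not self.closed and self.start <= now < self.end


class JitBroker:
    def __init__(self, eligible):
        # eligible: principal -> set of roles that person may request at all
        self.eligible = eligible
        self.grants = []
        self.audit = []  # (time, action, principal, role, system, detail)

    def _log(self, now, action, principal, role, system, detail):
        self.audit.append((now.isoformat(), action, principal, role, system, detail))

    def request_access(self, principal, role, system, ticket, now, duration):
        """Open a bounded window, or return None with the refusal logged."""
        if role not in self.eligible.get(principal, set()):
            self._log(now, "denied", principal, role, system, "not eligible for role")
            return None
        if not ticket:
            self._log(now, "denied", principal, role, system, "no change ticket")
            return None
        if duration > MAX_WINDOW:
            self._log(now, "denied", principal, role, system, f"duration exceeds {MAX_WINDOW}")
            return None
        if self.is_privileged(principal, role, system, now):
            self._log(now, "denied", principal, role, system, "grant already active")
            return None
        grant = Grant(principal, role, system, ticket, now, now + duration)
        self.grants.append(grant)
        self._log(now, "granted", principal, role, system, f"{ticket} until {grant.end.isoformat()}")
        return grant

    def is_privileged(self, principal, role, system, now):
        """Authorization-time check: privilege exists only inside an open window."""
        return any(g.active(now) and (g.principal, g.role, g.system) == (principal, role, system)
                   for g in self.grants)

    def sweep_expired(self, now):
        """Close lapsed grants (the hook that disables the admin right); return the count."""
        closed = 0
        for g in self.grants:
            if not g.closed and g.end <= now:
                g.closed = True
                closed += 1
                self._log(now, "expired", g.principal, g.role, g.system, g.ticket)
        return closed

    def revoke(self, principal, role, system, now, reason):
        """Close an open grant early, e.g. when the task finishes or during an incident."""
        for g in self.grants:
            if g.active(now) and (g.principal, g.role, g.system) == (principal, role, system):
                g.closed = True
                self._log(now, "revoked", principal, role, system, reason)
                return True
        return False


def demo():
    """Walk one request through its lifecycle and return the observed decisions."""
    t0 = datetime(2024, 4, 20, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker({"alice": {"server-admin"}, "bob": set()})  # constructed eligibility
    grant = broker.request_access("alice", "server-admin", "FS02", "CHG-1042", t0, timedelta(hours=2))
    return {
        "granted": grant is not None,
        "privileged_in_window": broker.is_privileged("alice", "server-admin", "FS02", t0 + timedelta(hours=1)),
        "privileged_after_window": broker.is_privileged("alice", "server-admin", "FS02", t0 + timedelta(hours=3)),
        "duplicate_denied": broker.request_access("alice", "server-admin", "FS02", "CHG-1043",
                                                  t0 + timedelta(minutes=30), timedelta(hours=1)) is None,
        "ineligible_denied": broker.request_access("bob", "server-admin", "FS02", "CHG-1044",
                                                   t0, timedelta(hours=1)) is None,
        "no_ticket_denied": broker.request_access("alice", "server-admin", "FS02", "",
                                                  t0 + timedelta(hours=5), timedelta(hours=1)) is None,
        "too_long_denied": broker.request_access("alice", "server-admin", "FS02", "CHG-1045",
                                                 t0 + timedelta(hours=5), timedelta(hours=8)) is None,
        "expired_by_sweep": broker.sweep_expired(t0 + timedelta(hours=3)),
        "audit_entries": len(broker.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design points matter for least privilege: is_privileged is evaluated at authorization time against the clock, so the right disappears when the window ends even if the sweep that disables the account runs late, and every refusal is written to the audit trail so that repeated or out-of-policy requests are visible to the same review that looks for unrecognized accounts.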
Mapping CISA's mitigation recommendations for T1133 to RDI Controls
The matrix below presents a mapping between CISA's mitigation recommendations for MITRE ATT&CK technique T1133 and RDI's controls designed to detect and mitigate attacks leveraging T1133 as an attack vector.
CISA Mitigation: Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
RDI Control (RDI Family): 2FA (Foundational); MFA (Advanced)

CISA Mitigation: Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
RDI Control (RDI Family): Apply Patches and Updates (Foundational); Conduct Regular Security Assessments (Foundational); EDR (Advanced); SOAR (Advanced); Threat Intelligence Feeds (Advanced); Continuous Monitoring (Elite); Artificial Intelligence and Machine Learning (Elite); Zero-Trust Architecture (Elite)

CISA Mitigation: Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
RDI Control (RDI Family): Role Based Access Control (RBAC) (Foundational); Implement Security Policies (Foundational); Conduct Regular Security Assessments (Foundational); SIEM (Security Information and Event Management) (Advanced); Network Access Control (NAC) (Advanced); EDR (Advanced); User and Entity Behavior Analytics (UEBA) (Elite); Continuous Monitoring (Elite); Zero-Trust Architecture (Elite); Artificial Intelligence and Machine Learning (Elite)

CISA Mitigation: Disable unused ports.
RDI Control (RDI Family): Implement Security Policies (Foundational); Security Awareness (Foundational); Network Access Control (NAC) (Advanced); SIEM (Security Information and Event Management) (Advanced); EDR (Advanced); Continuous Monitoring (Elite); Zero-Trust Architecture (Elite); User and Entity Behavior Analytics (UEBA) (Elite)

CISA Mitigation: Implement time-based access for accounts set at the admin level and higher.
RDI Control (RDI Family): Role Based Access Control (RBAC) (Foundational); Implement Security Policies (Foundational); EDR (Advanced); SIEM (Security Information and Event Management) (Advanced); Network Access Control (NAC) (Advanced); Zero-Trust Architecture (Elite); User and Entity Behavior Analytics (UEBA) (Elite); Artificial Intelligence and Machine Learning (Elite)
As mentioned previously, RDI goes a step further by providing a broader range of controls than those named in the CISA advisory, giving a more comprehensive view of detection and mitigation strategies against such attacks.
CISOs and cybersecurity teams can efficiently map mitigation recommendations to specific controls identified by RDI. Using RDI's self-assessment tools (https://rdishield.com/rdi/), you can conduct quick assessments of these controls, identifying any gaps and areas for improvement.
The RDI framework is effective because of its comprehensive nature: it identifies the direct controls recommended by authorities like CISA and adds a range of complementary controls. Integrating both gives a defense-in-depth strategy and helps organizations build a more resilient cybersecurity infrastructure against a variety of threats, including sophisticated ransomware attacks.
By identifying a core set of controls that apply to CISA’s mitigation recommendations and then layering complementary controls on top, RDI gives you the tools to define a more complete defense strategy, with multiple layers of security that mitigate risk from several angles and strengthen your organization's security posture.