The CISA advisory provides the following mitigations to defend against Black Basta ransomware:
CISA offers solid advice for fighting ransomware, but what RDI brings to the table is different - it maps these recommendations to specific RDI controls based on the MITRE ATT&CK techniques that attackers use. By connecting these dots, organizations can see exactly which security controls they need to defend against the specific techniques that ransomware groups are using against them.
MITRE ATT&CK T1190 (Exploit Public-Facing Application) covers exploiting vulnerabilities in Internet-facing applications to gain unauthorized access, which can lead to data breaches and system compromise. Common attack methods include exploiting outdated software, misconfigurations, and unpatched vulnerabilities.
The matrix below presents a mapping between CISA's mitigation recommendations for MITRE ATT&CK technique T1190 and RDI's controls designed to detect and mitigate attacks leveraging T1190 as an attack vector.
| CISA Mitigation | RDI Control | RDI Family |
|---|---|---|
| Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems. | Apply Patches and Updates | Foundational |
| | Vulnerability Scanning | Foundational |
| | Security Logging and Monitoring Controls | Foundational |
| | Software and Firmware Security Standards | Foundational |
| | Application Security Testing Tools | Advanced |
| | Network Detect and Respond (NDR) | Advanced |
| | SOAR (Security Orchestration, Automation, and Response) | Advanced |
| | Security Information and Event Management (SIEM) | Advanced |
| | APT Detection and Response | Advanced |
| | Advanced Threat Intelligence | Elite |
| | Continuous Monitoring | Elite |
| | Network Forensics | Elite |
| | Threat Hunting | Elite |
| | Zero-Trust Architecture | Elite |
| Secure remote access software by applying mitigations from the joint Guide to Securing Remote Access Software. | Secure Remote Access | Foundational |
| | Network Security Controls (Firewalls/VPNs/Proxy Servers) | Foundational |
| | Apply Patches and Updates | Foundational |
| | Software and Firmware Security Standards | Foundational |
| | Security Logging and Monitoring Controls | Foundational |
| | Vulnerability Scanning | Foundational |
| | RBAC (Role-Based Access Control) | Foundational |
| | Use Encryption | Foundational |
| | Application Security Testing Tools | Advanced |
| | SIEM (Security Information and Event Management) | Advanced |
| | EDR (Endpoint Detection and Response) | Advanced |
| | NTA (Network Traffic Analysis) | Advanced |
| | Threat Intelligence Feeds | Advanced |
| | IDS/IPS (Intrusion Detection/Prevention Systems) | Advanced |
| | NAC (Network Access Control) | Advanced |
| | RASP (Runtime Application Self-Protection) | Advanced |
| | NDR (Network Detect and Respond) | Advanced |
| | PAM (Privileged Access Management) | Advanced |
| | Implementing DevSecOps | Advanced |
| | Advanced Threat Intelligence | Elite |
| | Continuous Monitoring | Elite |
| | AI/ML (Artificial Intelligence and Machine Learning) | Elite |
| | Behavioral Analysis | Elite |
| | UEBA (User and Entity Behavior Analytics) | Elite |
| | SDP (Software-Defined Perimeter) | Elite |
| | Zero-Trust Architecture | Elite |
| | Threat Hunting | Elite |
| | Network Forensics | Elite |
| Vulnerability Management and Assessment | Vulnerability Scanning | Foundational |
| | Apply Patches and Updates | Foundational |
| | Security Logging and Monitoring Controls | Foundational |
| | Software and Firmware Security Standards | Foundational |
| | Conduct Regular Security Assessments | Foundational |
| | WAF (Use Web Application Firewall) | Foundational |
| | Network Security Controls (Firewalls/VPNs/Proxy Servers) | Foundational |
| | Threat Intelligence Feeds | Advanced |
| | Security Testing and Red Teaming Exercises | Advanced |
| | Application Security Testing Tools | Advanced |
| | SIEM (Security Information and Event Management) | Advanced |
| | NTA (Network Traffic Analysis) | Advanced |
| | FIM (File Integrity Monitoring) | Advanced |
| | IDS/IPS (Intrusion Detection/Prevention Systems) | Advanced |
| | Implementing DevSecOps | Advanced |
| | NDR (Network Detect and Respond) | Advanced |
| | SBOM (Software Bill of Materials) | Advanced |
| | SOAR (Security Orchestration, Automation, and Response) | Advanced |
| | Advanced Threat Intelligence | Elite |
| | Continuous Monitoring | Elite |
| | AI/ML (Artificial Intelligence and Machine Learning) | Elite |
| | Behavioral Analysis | Elite |
| | Network Forensics | Elite |
| | Threat Hunting | Elite |
| | UEBA (User and Entity Behavior Analytics) | Elite |
| Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement. | Network Segmentation in the DMZ | Foundational |
| | Network Security Controls (Firewalls/VPNs/Proxy Servers) | Foundational |
| | Secure Remote Access | Foundational |
| | RBAC (Role-Based Access Control) | Foundational |
| | Network Segmentation | Advanced |
| | NAC (Network Access Control) | Advanced |
| | IDS/IPS (Intrusion Detection and Prevention Systems) | Advanced |
| | SOAR | Advanced |
| | Network Detect and Respond (NDR) | Advanced |
| | Software-Defined Perimeter (SDP) | Elite |
| | Zero-Trust Architecture | Elite |
| | Network Forensics | Elite |
| | Continuous Monitoring | Elite |
| Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host. | Security Logging and Monitoring Controls | Foundational |
| | Use Web Application Firewall (WAF) | Foundational |
| | Network Security Controls (Firewalls/VPNs/Proxy Servers) | Foundational |
| | Network Segmentation in the DMZ | Foundational |
| | Enabling Host-Based Firewalls | Foundational |
| | Secure Remote Access | Foundational |
| | SIEM (Security Information and Event Management) | Advanced |
| | Network Traffic Analysis (NTA) | Advanced |
| | APT Detection and Response | Advanced |
| | EDR (Endpoint Detection and Response) | Advanced |
| | IDS/IPS (Intrusion Detection and Prevention Systems) | Advanced |
| | Network Detect and Respond (NDR) | Advanced |
| | SOAR | Advanced |
| | Network Segmentation | Advanced |
| | NAC (Network Access Control) | Advanced |
| | Continuous Monitoring | Elite |
| | Network Forensics | Elite |
| | UEBA (User and Entity Behavior Analytics) | Elite |
| | Threat Hunting | Elite |
| | Advanced Threat Intelligence | Elite |
| | Zero-Trust Architecture | Elite |
| Implement secure logging collection and storage practices. Learn more about logging best practices by referencing CISA's Logging Made Easy resources. | Security Logging and Monitoring Controls | Foundational |
| | Network Security Controls (Firewalls/VPNs/Proxy Servers) | Foundational |
| | Implement Security Policies | Foundational |
| | Conduct Regular Security Assessments | Foundational |
| | Role-Based Access Control | Foundational |
| | SIEM (Security Information and Event Management) | Advanced |
| | Network Traffic Analysis (NTA) | Advanced |
| | APT Detection and Response | Advanced |
| | File Integrity Monitoring | Advanced |
| | IDS/IPS (Intrusion Detection/Prevention Systems) | Advanced |
| | SOAR | Advanced |
| | Network Detect and Respond (NDR) | Advanced |
| | Continuous Monitoring | Elite |
| | Network Forensics | Elite |
| | UEBA (User and Entity Behavior Analytics) | Elite |
| | Threat Hunting | Elite |
| Disable unused ports. | Network Security Controls (Firewalls/VPNs/Proxy Servers) | Foundational |
| | Enabling Host-Based Firewalls | Foundational |
| | Secure Remote Access | Foundational |
| | IDS/IPS (Intrusion Detection and Prevention Systems) | Advanced |
| | NAC (Network Access Control) | Advanced |
| | Network Detect and Respond (NDR) | Advanced |
| | Continuous Monitoring | Elite |
| | Network Forensics | Elite |
| | Software-Defined Perimeter (SDP) | Elite |
| | Zero-Trust Architecture | Elite |
| Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task. | 2FA (Two-Factor Authentication) | Foundational |
| | Secure Remote Access | Foundational |
| | Implement Security Policies | Foundational |
| | RBAC (Role-Based Access Control) | Foundational |
| | Email Authentication Protocols | Foundational |
| | Anti-Phishing Software | Foundational |
| | MFA (Multifactor Authentication) | Advanced |
| | IAM (Identity and Access Management) | Advanced |
| | PAM (Privileged Access Management) | Advanced |
| | NAC (Network Access Control) | Advanced |
| | SOAR (Security Orchestration, Automation, and Response) | Advanced |
| | Biometric-Based Authentication | Elite |
| | UEBA (User and Entity Behavior Analytics) | Elite |
| | Advanced Phishing-Aware Web Browsers | Elite |
| | Zero-Trust Architecture | Elite |
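The network-monitoring row above rests on one idea: a tool that knows each host's usual connections can flag the unusual ones, which is how EDR and NTA surface lateral movement. The following added example, which is not part of the CISA advisory or of RDI's tooling, shows that logic over a constructed flow log. It learns a per-host baseline of (destination, port) pairs from a quiet window, then alerts on connections outside that baseline to administrative ports and on a host that fans out to several new peers at once. The log format, the port list and the fan-out threshold are assumptions chosen for the illustration.

```python
"""Baseline-driven detection of unusual host-to-host connections.

Added example; not code from the CISA advisory or from RDI. The flow-log
format, ADMIN_PORTS and FAN_OUT_THRESHOLD are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed baseline window: "<timestamp> <src_host> <dst_host> <dst_port>".
BASELINE_LOG = """\
2024-05-01T09:00:00 ws-101 fileserver 445
2024-05-01T09:05:00 ws-101 mail 443
2024-05-01T09:10:00 ws-102 fileserver 445
2024-05-01T09:12:00 ws-102 intranet 443
2024-05-01T09:20:00 admin-jump ws-101 3389
"""

# Constructed observation window with a workstation reaching out to peers
# over SMB, RDP and WinRM, which it never did during the baseline.
NEW_LOG = """\
2024-05-02T02:10:00 ws-101 fileserver 445
2024-05-02T02:11:00 ws-101 ws-102 445
2024-05-02T02:11:30 ws-101 ws-103 445
2024-05-02T02:12:00 ws-101 ws-104 3389
2024-05-02T02:13:00 ws-101 ws-105 5985
2024-05-02T02:30:00 ws-102 intranet 443
"""

# Assumption: ports used for remote administration between hosts. New
# connections on other ports are ignored here to keep the alert volume low.
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985, 5986}
FAN_OUT_THRESHOLD = 3  # assumption: new admin-port peers per host before alerting

Event = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    port: int
    reason: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed flow-log format into (ts, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((ts, src, dst, int(port)))
    return events


def build_baseline(events: List[Event]) -> Dict[str, Set[Tuple[str, int]]]:
    """Record, per source host, every (destination, port) pair seen in the quiet window."""
    baseline: Dict[str, Set[Tuple[str, int]]] = defaultdict(set)
    for _, src, dst, port in events:
        baseline[src].add((dst, port))
    return baseline


def detect(events: List[Event], baseline: Dict[str, Set[Tuple[str, int]]]) -> List[Alert]:
    """Alert on admin-port connections a host has not made before, plus fan-out."""
    alerts: List[Alert] = []
    new_admin_peers: Dict[str, Set[str]] = defaultdict(set)
    for _, src, dst, port in events:
        if (dst, port) in baseline.get(src, set()):
            continue  # known connection for this host: nothing to report
        if port in ADMIN_PORTS:
            alerts.append(Alert(src, dst, port, "admin-port connection outside host baseline"))
            new_admin_peers[src].add(dst)
    # A single host opening admin sessions to many new peers is the pattern
    # the mitigation text calls "traversal"; report it once per host.
    for src, peers in new_admin_peers.items():
        if len(peers) >= FAN_OUT_THRESHOLD:
            alerts.append(Alert(src, "*", 0, f"fan-out to {len(peers)} new admin-port peers"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for alert in detect(parse_log(NEW_LOG), base):
        print(f"{alert.src} -> {alert.dst}:{alert.port}  {alert.reason}")
```

On the constructed data the workstation's repeat connection to the file server is silent, its four first-time SMB/RDP/WinRM connections each raise an alert, and the fan-out rule adds a fifth summarising the burst. In a real deployment the baseline would be rebuilt on a rolling window and the admin-jump host would sit on an allow-list so that legitimate administration does not trip the same rule.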
CISOs and cybersecurity teams can efficiently map CISA's mitigation recommendations to the specific controls identified by RDI, then assess those controls to identify gaps and areas for improvement.
By identifying a core set of controls that apply to CISA's mitigation recommendations, and then layering the complementary controls identified by RDI (see table below), you can define a more complete defense strategy. This approach ensures multiple layers of security are in place, helping to mitigate risk from several angles and strengthening your organization's security posture against diverse threats.
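The time-based access mitigation in the table above describes a process rather than a product: privileged access is granted on request, for a set window, with the account falling back to unprivileged once the window closes. The added example below, which is neither CISA's nor RDI's code, models that just-in-time workflow so the pieces are concrete: a justified request, an approver who is not the requester, a policy cap on the grant length, effective membership that is only true while a grant is live, and an audit trail. The group name, the cap and the in-memory store are assumptions; a real broker would apply and remove the membership in the directory.

```python
"""Minimal just-in-time (JIT) privileged access broker.

Added example illustrating time-bounded admin access; not code from CISA or
RDI. MAX_TTL, the group name and the in-memory store are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

MAX_TTL = timedelta(hours=4)  # assumption: policy cap on any single grant


@dataclass
class Grant:
    user: str
    group: str
    justification: str
    approved_by: str
    starts: datetime
    expires: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        """True only inside the window and before any early revocation."""
        if self.revoked_at is not None and now >= self.revoked_at:
            return False
        return self.starts <= now < self.expires


@dataclass
class JitBroker:
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def request(self, user: str, group: str, justification: str,
                ttl: timedelta, approver: str, now: datetime) -> Grant:
        """Create a time-bounded grant after the policy checks pass."""
        if not justification.strip():
            raise ValueError("a justification is required")
        if approver == user:
            raise ValueError("requester cannot approve their own grant")
        if ttl <= timedelta(0):
            raise ValueError("ttl must be positive")
        ttl = min(ttl, MAX_TTL)  # clamp to the policy cap rather than reject
        grant = Grant(user, group, justification, approver, now, now + ttl)
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {user} -> {group} "
                          f"until {grant.expires.isoformat()} by={approver} "
                          f"reason={justification!r}")
        return grant

    def revoke(self, grant: Grant, now: datetime, by: str) -> None:
        """End a grant early (incident response, task finished, etc.)."""
        grant.revoked_at = now
        self.audit.append(f"{now.isoformat()} REVOKE {grant.user} -> {grant.group} by={by}")

    def is_member(self, user: str, group: str, now: datetime) -> bool:
        """Effective membership: only while some grant for this pair is active."""
        return any(g.user == user and g.group == group and g.active(now)
                   for g in self.grants)

    def expired(self, now: datetime) -> List[Grant]:
        """Grants whose window has closed; what a directory sync would remove."""
        return [g for g in self.grants if not g.active(now) and g.starts <= now]


if __name__ == "__main__":
    t0 = datetime(2024, 5, 1, 8, 0, tzinfo=timezone.utc)
    broker = JitBroker()
    g = broker.request("alice", "Domain Admins", "patch DC01", timedelta(hours=2), "bob", t0)
    print("member at +1h:", broker.is_member("alice", "Domain Admins", t0 + timedelta(hours=1)))
    print("member at +3h:", broker.is_member("alice", "Domain Admins", t0 + timedelta(hours=3)))
    print("\n".join(broker.audit))
```

The check that matters for least privilege is `is_member`: nothing about the account itself changes, so the moment the window closes (or the grant is revoked) the account is no longer privileged, and every grant leaves a record naming who asked, who approved and why.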
T1190

| Family | RDI Control |
|---|---|
| Foundational | Use Web Application Firewall |
| Foundational | Security Logging and Monitoring Controls |
| Foundational | Vulnerability Scanning |
| Foundational | Software and Firmware Security Standards |
| Foundational | Web Filtering |
| Foundational | Browser Extensions |
| Foundational | Anti-Virus and Anti-Malware Software |
| Foundational | Apply Patches and Updates |
| Foundational | Network Segmentation in the DMZ |
| Foundational | Security Awareness |
| Foundational | Use Security Software on Mobile Devices |
| Foundational | Enabling Host-Based Firewalls |
| Foundational | Implementing DNS Security |
| Foundational | 2FA |
| Foundational | Network Security Controls (Firewalls/VPNs/Proxy Servers) |
| Foundational | Secure Communications/Secure Protocols/Secure File Transfer Protocols |
| Foundational | Implement Security Policies |
| Advanced | Threat Intelligence Feeds |
| Advanced | SIEM |
| Advanced | Network Traffic Analysis (NTA) |
| Advanced | APT Detection and Response |
| Advanced | Application Security Testing Tools |
| Advanced | MFA |
| Advanced | EDR |
| Advanced | Application Whitelisting |
| Advanced | Network Sandboxing |
| Advanced | IDS/IPS |
| Advanced | Browser Isolation or Virtual Browser Solutions |
| Advanced | Network Access Control (NAC) |
| Advanced | SOAR |
| Advanced | Network Segmentation |
| Advanced | Runtime Application Self-Protection (RASP) |
| Advanced | Implementing DevSecOps |
| Advanced | Deception Techniques |
| Elite | Advanced Threat Intelligence |
| Elite | Continuous Monitoring |
| Elite | AI/ML |
| Elite | Behavioral Analysis |
| Elite | Memory-Based Analysis |
| Elite | User and Entity Behavior Analytics (UEBA) |
| Elite | Software-Defined Perimeter (SDP) |
| Elite | Zero-Trust Architecture |
| Elite | Quantum-Resistant Security |
| Elite | Threat Hunting |
| Elite | Blockchain for Security |
| Elite | Biometric-Based Authentication |