Introduction to Ransomware Defense Initiative (RDI) Foundational Controls

Edgar Rojas

Author of Ransomware Defense Initiative (RDI) Framework.


The Ransomware Defense Initiative (RDI) (https://rdishield.com) introduces the Foundational layer to help organizations of any size identify the controls they need to better protect themselves against ransomware threats. These controls are important for any organization, regardless of size, to strengthen and mature its defenses.

RDI’s Foundational controls include Web Application Firewalls, Security Logging and Monitoring, Email Authentication protocols, 2FA, RBAC, and others. Together they help detect and mitigate vulnerabilities and threats, establishing a mature baseline of defense.

This series of articles will detail each of the RDI-defined controls, showing how they protect against ransomware threats and improve the overall security posture.

Let’s consider LockBit 3.0 ransomware, also known as LockBit Black. Emerging in June 2022, it operates under a Ransomware-as-a-Service (RaaS) model and is known for its triple extortion technique: encrypting data and demanding a ransom for decryption, while also threatening to sell or leak the stolen sensitive information. (https://www.hhs.gov/sites/default/files/lockbit-3-analyst-note.pdf)

LockBit 3.0 employs multiple attack vectors including:

  • Phishing: deceiving users through malicious emails to gain initial access.
  • Brute forcing Remote Desktop Protocol (RDP) accounts: attempting many password guesses to gain unauthorized access.
  • Exploiting known vulnerabilities: specifically targeting known weaknesses such as CVE-2018-13379 and CVE-2021-22986.

To mitigate the risks associated with these initial attack vectors, specific RDI Foundational controls are important:


1) Role-Based Access Control (RBAC):

a) RBAC helps by limiting access to information and resources to only those people who need it to perform their job functions. This minimizes the potential damage from a ransomware attack because even if an attacker gains access to a user’s credentials, they are limited to accessing only the information and resources that are necessary for that user’s role.

b) By enforcing strict role-based access policies, RBAC can also prevent the spread of ransomware within the network. If ransomware does manage to infect one part of the network, it will be harder for it to move laterally to other parts because each segment or role will have distinct access privileges.

2) Two-Factor Authentication (2FA):


a) 2FA adds another layer of security by requiring users to provide two forms of identification before they are granted access. This is useful against phishing and brute-force attacks, where attackers may obtain a user’s password but still need a second factor to gain access.

b) Since LockBit 3.0 and similar ransomware often rely on stolen credentials, 2FA significantly reduces the risk of unauthorized access, even if passwords are compromised. The additional authentication step (like a code sent to a user’s phone or a biometric verification) helps ensure that only authorized users can access their accounts.

3) Anti-Phishing Software and Email Authentication Protocols:

a) These controls are designed to identify and block phishing attempts. By verifying the authenticity of incoming emails and filtering out suspicious content, they reduce the likelihood of phishing attacks succeeding.

b) Email authentication protocols such as SPF, DKIM, and DMARC help ensure that received emails come from legitimate sources, mitigating the risk of social engineering attacks that rely on deception.

4) Security Logging and Monitoring Controls:

a) These controls continuously monitor network activity and record security-relevant events. They can flag unusual access patterns or authentication attempts that may indicate brute-force attacks, unauthorized access, or other suspicious activity; this is particularly useful for monitoring RDP.

b) Organizations can analyze these logs to identify breach attempts, improve their security measures, and prepare response strategies for similar incidents in the future.
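As an added example (not code from the article or the RDI framework), the detection below runs over constructed Windows Security event lines: Event ID 4625 with LogonType 10 (RemoteInteractive) is a failed RDP sign-in, and a burst of them from one source followed by a 4624 success is the brute-force pattern worth alerting on. The five-failures-in-five-minutes threshold and the simplified line format are assumptions.

```python
"""Flag RDP brute-force bursts, and any success that follows, in event lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp, EventID, LogonType, account, source IP.
SAMPLE_EVENTS = """\
2024-05-01T02:00:01 4625 10 administrator 198.51.100.23
2024-05-01T02:00:03 4625 10 administrator 198.51.100.23
2024-05-01T02:00:04 4625 10 admin 198.51.100.23
2024-05-01T02:00:06 4625 10 backup 198.51.100.23
2024-05-01T02:00:08 4625 10 sqlsvc 198.51.100.23
2024-05-01T02:00:09 4625 10 administrator 198.51.100.23
2024-05-01T02:00:12 4624 10 administrator 198.51.100.23
2024-05-01T09:15:00 4625 10 jsmith 203.0.113.7
2024-05-01T09:15:40 4624 10 jsmith 203.0.113.7
2024-05-01T10:30:00 4625 2 jsmith 10.0.0.5
"""


def parse_events(text: str) -> list:
    """Parse one whitespace-separated event per line into a dict."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "type": int(logon_type), "account": account, "src": src})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)) -> list:
    """One alert per source IP with >= threshold failed RDP logons inside window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["type"] != 10:  # LogonType 10 = RemoteInteractive (RDP) only
            continue
        if e["id"] == 4625:
            failures[e["src"]].append(e)
        elif e["id"] == 4624:
            successes[e["src"]].append(e)
    alerts = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        for i in range(len(fails) - threshold + 1):  # sliding window over failures
            end = fails[i + threshold - 1]["ts"]
            if end - fails[i]["ts"] <= window:
                alerts.append({"src": src, "failures": len(fails),
                               "accounts": sorted({e["account"] for e in fails}),
                               "success_after": [s["account"] for s in successes[src]
                                                 if s["ts"] > end]})
                break  # one alert per source is enough
    return alerts
```

A single failed logon from a workstation (203.0.113.7) and a local console failure (LogonType 2) are ignored, so the only alert is the spray from 198.51.100.23, which also shows that the administrator account logged in successfully right after the burst.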


5) Vulnerability Scanning and Web Application Firewalls (WAF):

a) Vulnerability scanning helps organizations identify and patch vulnerabilities before they can be exploited by attackers. This proactive approach helps prevent ransomware from exploiting known security gaps.

b) A Web Application Firewall serves as a protective barrier for web applications by filtering and monitoring traffic between a web application and the Internet. It specifically helps block attempts to exploit web vulnerabilities.

6) Implementation of Security Policies and Regular Security Assessments:

a) Implementing and regularly updating security policies ensures that all systems operate under the latest security standards. This includes enforcing strong password policies, regular software updates, and the principle of least privilege.

b) Regular security assessments allow organizations to continually check the effectiveness of their security posture. By continuously testing and assessing their infrastructure, businesses can identify new vulnerabilities or areas for improvement and mitigate potential breaches before they occur.

Implementing these foundational controls enhances an organization’s defensive posture against the initial vectors used by LockBit 3.0, preventing the malware from gaining a foothold within the network. This approach reduces the likelihood of successful attacks and minimizes the potential impact of any breach.

Join us as we review the Advanced and Elite families in future articles, offering practical advice on how to implement these important measures effectively and improve your defensive posture.