Mapping CISA’s Akira Mitigations to RDI Controls


Edgar Rojas

Author of Ransomware Defense Initiative (RDI) Framework.


RDI & CISA's Mitigation Recommendations for Proactive Ransomware Defense

CISA released their advisory on Akira Ransomware (CISA Advisory AA24-109a) on April 18, 2024. The advisory identifies initial attack methods used by Akira, MITRE ATT&CK Techniques T1078, T1190, T1133, and T1566:

  • Valid Accounts (T1078): Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
  • Exploit Public-Facing Application (T1190): Akira affiliates have exploited ConnectWise vulnerabilities CVE-2020-3259 and CVE-2023-20269 to obtain initial access.
  • External Remote Services (T1133): Akira threat actors have used remote access services, such as RDP/VPN connections, to gain initial access.
  • Phishing (T1566): Akira affiliates have used spear phishing emails to obtain initial access.

In the previous blog: Mapping CISA’s Black Basta Mitigations to RDI Controls, we discussed MITRE ATT&CK Techniques T1190 and T1566. In this blog, we will focus on the other two techniques: T1078 and T1133.

The CISA advisory provides the following mitigations to defend against Akira ransomware

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.F, 2.R, 2.S].
  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [CPG 2.C].
  • Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  • Install, regularly update, and enable real time detection for antivirus software on all hosts.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O].
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
  • Disable unused ports [CPG 2.V].
  • Consider adding an email banner to emails received from outside of your organization [CPG 2.M].
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E, 2.N].
  • Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization helps ensure it will not be severely interrupted and will not be left with only irretrievable data.
  • Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, 2.L, 2.R].

We will analyze the MITRE ATT&CK techniques used by this ransomware family, starting with T1078, and show how RDI aligns with CISA’s mitigation recommendations for proactive ransomware defense. This article examines how RDI helps CISOs and cybersecurity leaders check their defenses against the Akira ransomware threat, and how RDI improves overall cybersecurity by focusing on specific ways to stop the MITRE ATT&CK techniques Akira uses.


Understanding T1078: Valid Accounts

With T1078, attackers can exploit compromised credentials to gain access, maintain persistence, escalate privileges, and evade detection. These credentials allow them to bypass network access controls and access remote systems and services like VPNs and Outlook Web Access. By using legitimate credentials, these attackers can avoid detection by not relying on malware or additional tools.

CISA Mitigations for T1078

  1. Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [CPG 2.C].
  2. Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
  3. Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.AO].
  4. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
  5. Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  6. Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.EN].
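Mitigations 3 and 4 above (review directories for new or unrecognized accounts; audit accounts with administrative privileges) are the ones a SIEM can check continuously. The script below is an added example, not code from the RDI framework or from CISA's advisory: it walks a batch of Windows Security events and flags account creations outside an approved baseline, additions to privileged groups, and the sequence that matters most for T1078, a freshly created account that is made privileged and then logs on remotely. The baseline, the group names and every event record are constructed for the demonstration; the event IDs (4720, 4728/4732, 4624) and logon type 10 follow the Windows Security log, but the values are made up.

```python
"""Review Active Directory security events for new or unrecognized accounts
and for additions to privileged groups.

Added example, not code from the RDI framework or CISA's advisory. The
baseline and the event records are constructed; event IDs follow the Windows
Security log (4720 = user account created, 4728/4732 = member added to a
security-enabled group, 4624 = successful logon, logon type 10 =
RemoteInteractive/RDP), but every value below is made up.
"""
from datetime import datetime, timedelta

# Constructed baseline: accounts the identity team has approved, and the
# groups whose membership changes must always be reviewed.
KNOWN_ACCOUNTS = {"alice", "bob", "jdoe", "svc-backup"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed, normalised events in the shape a SIEM hands to a detection rule.
EVENTS = [
    {"time": "2024-04-18T02:14:00", "id": 4720, "subject": "jdoe",
     "target": "svc-sync"},
    {"time": "2024-04-18T02:15:30", "id": 4728, "subject": "jdoe",
     "target": "svc-sync", "group": "Domain Admins"},
    {"time": "2024-04-18T02:20:05", "id": 4624, "subject": "svc-sync",
     "target": "svc-sync", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"time": "2024-04-18T09:00:00", "id": 4720, "subject": "alice",
     "target": "mnew"},
    {"time": "2024-04-18T09:05:00", "id": 4624, "subject": "bob",
     "target": "bob", "logon_type": 2, "src_ip": "10.0.0.7"},
]


def review_events(events, known_accounts=KNOWN_ACCOUNTS,
                  privileged_groups=PRIVILEGED_GROUPS,
                  window=timedelta(hours=1)):
    """Return a list of (severity, message) findings in time order.

    * 4720 for an account outside the baseline -> medium (mitigation 3).
    * 4728/4732 into a privileged group -> medium, or high when the member
      is an account that was itself created outside the baseline (mitigation 4).
    * 4624 by such an account within `window` of its creation, after it was
      made privileged -> critical: a freshly minted "valid account" is being
      used for privileged access.
    """
    findings = []
    created_at = {}        # unrecognised account -> creation time
    made_privileged = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720 and ev["target"] not in known_accounts:
            created_at[ev["target"]] = t
            findings.append(("medium",
                f"{ev['time']} account '{ev['target']}' created by "
                f"{ev['subject']} is not in the baseline"))
        elif ev["id"] in (4728, 4732) and ev.get("group") in privileged_groups:
            severity = "high" if ev["target"] in created_at else "medium"
            made_privileged.add(ev["target"])
            findings.append((severity,
                f"{ev['time']} '{ev['target']}' added to {ev['group']} by "
                f"{ev['subject']}"))
        elif ev["id"] == 4624 and ev["target"] in created_at:
            age = t - created_at[ev["target"]]
            if ev["target"] in made_privileged and age <= window:
                findings.append(("critical",
                    f"{ev['time']} new privileged account '{ev['target']}' "
                    f"logged on (type {ev.get('logon_type')}) from "
                    f"{ev.get('src_ip')} {int(age.total_seconds() // 60)} min "
                    f"after creation"))
    return findings


if __name__ == "__main__":
    for severity, message in review_events(EVENTS):
        print(f"[{severity.upper():8}] {message}")
```

Run against the constructed events, the script reports the unrecognized account svc-sync, its addition to Domain Admins, its RDP logon six minutes after creation, and the second unrecognized account mnew; bob's interactive logon from a known account produces nothing. In practice the baseline comes from the IAM system of record and the events from the SIEM, and the one-hour window is a tuning parameter, not a rule.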

Mapping RDI Controls to CISA Mitigations

The following matrix shows the mapping of RDI’s controls to CISA’s advisory for Akira:

Mapping RDI Controls to CISA Mitigations

| CISA Mitigation | RDI Control | RDI Family |
|---|---|---|
| Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [CPG 2.C]. | Implement Security Policies | Foundational |
| | MFA | Advanced |
| | Biometric-based Authentication | Elite |
| | Behavioral Biometrics | Elite |
| Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H]. | MFA | Advanced |
| | Zero-Trust Architecture | Elite |
| Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O]. | Security Logging and Monitoring Controls | Foundational |
| | Implement Security Policies | Foundational |
| | SIEM | Advanced |
| | EDR | Advanced |
| | IAM | Advanced |
| | PAM | Advanced |
| | Network Traffic Analysis (NTA) | Advanced |
| | Continuous Monitoring of Systems | Elite |
| | User and Entity Behavior Analytics (UEBA) | Elite |
| | Artificial Intelligence and Machine Learning | Elite |
| | Behavioral Analysis | Elite |
| Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E]. | Implement Security Policies | Foundational |
| | Role Based Access Control | Foundational |
| | IAM | Advanced |
| | PAM | Advanced |
| Implement time-based access for accounts set at the admin level and higher. | IAM | Advanced |
| | PAM | Advanced |
| | Zero-Trust Architecture | Elite |

Figure 1 – Mapping RDI Controls to CISA Mitigations – T1078

The table below shows the controls identified by RDI to detect and mitigate attacks using MITRE technique T1078:

T1078

| Family | Control |
|---|---|
| Foundational | Security Logging and Monitoring Controls |
| Foundational | 2FA |
| Foundational | Implement Security Policies |
| Foundational | Role Based Access Control |
| Advanced | Threat Intelligence Feeds |
| Advanced | SIEM |
| Advanced | Network Traffic Analysis (NTA) |
| Advanced | MFA |
| Advanced | EDR Segmentation in the DMZ |
| Advanced | IDS/IPS |
| Advanced | Browser Isolation or Virtual Browser solutions |
| Advanced | SOAR |
| Advanced | Network Segmentation |
| Advanced | Deception Techniques |
| Advanced | IAM |
| Advanced | PAM |
| Advanced | DLP |
| Elite | Continuous Monitoring of systems |
| Elite | Artificial Intelligence and Machine Learning |
| Elite | Behavioral Analysis |
| Elite | Memory-based Analysis |
| Elite | User and Entity Behavior Analytics (UEBA) |
| Elite | Behavioral Biometrics |
| Elite | Software-Defined Perimeter (SDP) |
| Elite | Zero-Trust Architecture |
| Elite | Threat Hunting |
| Elite | Blockchain for security |
| Elite | Biometric-based Authentication |

Figure 2 – RDI Controls for T1078

Understanding T1133: External Remote Services

Attackers use remote access services to break into networks or maintain their presence. These services let users connect to a company’s internal systems from outside and are typically fronted by authentication systems that verify user identities. Attackers typically reach them through vectors such as exposed RDP, compromised VPN credentials, third-party remote access tools, SSH access, software vulnerabilities, misconfigured cloud services, social engineering, and credential dumping.


CISA Mitigations for T1133

The following list includes only those CISA mitigation recommendations that apply to T1133:

  1. Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems (CPG 2.H).
  2. Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems (CPG 1.E).
  3. Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement (CPG 2.F).
  4. Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  5. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (CPG 2.E).
  6. Disable unused ports (CPG 2.V).
  7. Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
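Mitigations 1 and 4 above (MFA on remote services; refuse remote-service connections from unknown or untrusted origins) can be verified from the gateway's own logs rather than taken on trust. The script below is an added example, not code from the RDI framework or CISA's advisory: it audits a batch of VPN/RDP gateway session records against a trusted-origin list and an MFA requirement, and produces the list of untrusted source addresses for the deny-list review. The trusted networks and all session records are constructed for the demonstration; a real run would read both from the gateway's log export and the network inventory.

```python
"""Audit remote-access gateway records against a trusted-origin list and an
MFA requirement.

Added example, not code from the RDI framework or CISA's advisory. The
trusted networks and the session records below are constructed; real
deployments would read them from the VPN/RDP gateway's log export.
"""
import ipaddress

# Constructed: the only networks from which remote services may be reached
# (a corporate range and a partner's address block).
TRUSTED_ORIGINS = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "198.51.100.0/24")]

# Constructed, already-normalised gateway records (VPN and RDP gateway).
RECORDS = [
    {"time": "2024-04-18T08:01:00", "user": "alice", "service": "vpn",
     "src_ip": "198.51.100.23", "mfa": True, "result": "success"},
    {"time": "2024-04-18T08:07:12", "user": "svc-backup", "service": "rdp",
     "src_ip": "203.0.113.45", "mfa": False, "result": "success"},
    {"time": "2024-04-18T08:09:40", "user": "bob", "service": "vpn",
     "src_ip": "192.0.2.10", "mfa": True, "result": "success"},
    {"time": "2024-04-18T08:15:00", "user": "bob", "service": "vpn",
     "src_ip": "10.0.4.4", "mfa": False, "result": "success"},
    {"time": "2024-04-18T08:22:31", "user": "carol", "service": "rdp",
     "src_ip": "203.0.113.9", "mfa": False, "result": "failure"},
]


def is_trusted(src_ip, trusted=TRUSTED_ORIGINS):
    """True when src_ip falls inside one of the trusted origin networks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in trusted)


def audit_remote_access(records, trusted=TRUSTED_ORIGINS):
    """Return (severity, message) findings for a batch of gateway records.

    critical: a session from an untrusted origin was accepted, i.e. the
              gateway is not filtering as mitigation 4 requires;
    high:     a session was accepted without MFA (mitigation 1);
    low:      an untrusted origin was refused; worth counting, not paging.
    """
    findings = []
    for r in records:
        trusted_src = is_trusted(r["src_ip"], trusted)
        where = f"{r['user']}@{r['service']} from {r['src_ip']} at {r['time']}"
        if r["result"] == "success":
            if not trusted_src:
                findings.append(("critical", f"untrusted origin accepted: {where}"))
            if not r["mfa"]:
                findings.append(("high", f"session without MFA: {where}"))
        elif not trusted_src:
            findings.append(("low", f"untrusted origin refused: {where}"))
    return findings


def untrusted_sources(records, trusted=TRUSTED_ORIGINS):
    """Sorted, de-duplicated untrusted source addresses for the deny-list review."""
    seen = {r["src_ip"] for r in records if not is_trusted(r["src_ip"], trusted)}
    return sorted(seen, key=ipaddress.ip_address)


if __name__ == "__main__":
    for severity, message in audit_remote_access(RECORDS):
        print(f"[{severity.upper():8}] {message}")
    print("untrusted sources seen:", ", ".join(untrusted_sources(RECORDS)))
```

On the constructed records the audit flags two accepted sessions from outside the trusted ranges (one of them a service account over RDP with no MFA), one corporate-origin VPN session without MFA, and one refused RDP attempt; alice's MFA-backed session from the partner range is clean. Any "critical" finding means the filtering control itself has a gap, so the fix belongs on the gateway or firewall, not in the SIEM rule.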

Mapping RDI Controls to CISA Mitigations

The following matrix shows the mapping of RDI’s controls to CISA’s advisory for Akira:

CISA Mitigation – T1133

| CISA Mitigation | RDI Control | RDI Family |
|---|---|---|
| Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems (CPG 2.H) | 2FA | Foundational |
| | MFA | Advanced |
| Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems (CPG 1.E) | Apply Patches and Updates | Foundational |
| | Conduct Regular Security Assessments | Foundational |
| | EDR | Advanced |
| | SOAR | Advanced |
| | Threat Intelligence Feeds | Advanced |
| | Continuous Monitoring of systems | Elite |
| | Artificial Intelligence and Machine Learning | Elite |
| | Zero-Trust Architecture | Elite |
| Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement (CPG 2.F) | Network Segmentation in the DMZ | Foundational |
| | Network Security Controls (Firewalls/VPNs/Proxy servers) | Foundational |
| | Network Segmentation | Advanced |
| | Network Traffic Analysis (NTA) | Advanced |
| | Deception Techniques | Advanced |
| | Continuous Monitoring of systems | Elite |
| | Zero-Trust Architecture | Elite |
| | Software-Defined Perimeter (SDP) | Elite |
| Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence | Network Security Controls (Firewalls/VPNs/Proxy servers) | Foundational |
| | Implement Security Policies | Foundational |
| | IDS/IPS | Advanced |
| | Network Traffic Analysis (NTA) | Advanced |
| | Network Access Control (NAC) | Advanced |
| | Zero-Trust Architecture | Elite |
| | Software-Defined Perimeter (SDP) | Elite |
| | Artificial Intelligence and Machine Learning | Elite |
| Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (CPG 2.E) | Role Based Access Control (RBAC) | Foundational |
| | Implement Security Policies | Foundational |
| | Conduct Regular Security Assessments | Foundational |
| | SIEM (Security Information and Event Management) | Advanced |
| | Network Access Control (NAC) | Advanced |
| | EDR | Advanced |
| | User and Entity Behavior Analytics (UEBA) | Elite |
| | Continuous Monitoring of systems | Elite |
| | Zero-Trust Architecture | Elite |
| | Artificial Intelligence and Machine Learning | Elite |
| Disable unused ports (CPG 2.V) | Implement Security Policies | Foundational |
| | Security Awareness | Foundational |
| | Network Access Control (NAC) | Advanced |
| | SIEM (Security Information and Event Management) | Advanced |
| | EDR | Advanced |
| | Continuous Monitoring of systems | Elite |
| | Zero-Trust Architecture | Elite |
| | User and Entity Behavior Analytics (UEBA) | Elite |
| Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). | Role Based Access Control (RBAC) | Foundational |
| | Implement Security Policies | Foundational |
| | SIEM (Security Information and Event Management) | Advanced |
| | EDR | Advanced |
| | Network Access Control (NAC) | Advanced |
| | Zero-Trust Architecture | Elite |
| | User and Entity Behavior Analytics (UEBA) | Elite |
| | Artificial Intelligence and Machine Learning | Elite |

The table below shows the controls identified by RDI to detect and mitigate attacks using MITRE technique T1133:

T1133

| Family | Control |
|---|---|
| Foundational | Use Web Application Firewall |
| Foundational | Security Logging and Monitoring Controls |
| Foundational | Vulnerability Scanning |
| Foundational | Software and Firmware Security Standards |
| Foundational | Anti-virus and Anti-Malware Software |
| Foundational | Apply Patches and Updates |
| Foundational | Network Segmentation in the DMZ |
| Foundational | Security Awareness |
| Foundational | Use Security Software on Mobile Devices |
| Foundational | 2FA |
| Foundational | Network Security Controls (Firewalls/VPNs/Proxy servers) |
| Foundational | Implement Security Policies |
| Foundational | Conduct Regular Security Assessments |
| Foundational | Role Based Access Control |
| Advanced | Threat Intelligence Feeds |
| Advanced | SIEM |
| Advanced | Network Traffic Analysis (NTA) |
| Advanced | APT Detection and Response |
| Advanced | MFA |
| Advanced | EDR |
| Advanced | IDS/IPS |
| Advanced | Browser Isolation or Virtual Browser solutions |
| Advanced | Network Access Control (NAC) |
| Advanced | SOAR |
| Advanced | Network Segmentation |
| Advanced | Deception Techniques |
| Elite | Continuous Monitoring of systems |
| Elite | Artificial Intelligence and Machine Learning |
| Elite | Behavioral Analysis |
| Elite | Memory-based Analysis |
| Elite | Network Forensics |
| Elite | User and Entity Behavior Analytics (UEBA) |
| Elite | Software-Defined Perimeter (SDP) |
| Elite | Zero-Trust Architecture |
| Elite | Quantum-Resistant security |
| Elite | Threat Hunting |
| Elite | Blockchain for security |

Figure 4 – RDI Controls for T1133

Conclusion

CISOs and cybersecurity teams can efficiently map mitigation recommendations to specific controls identified by RDI. Using RDI’s self-assessment tools (https://rdishield.com/rdi/), you can conduct quick assessments of these controls, identifying any gaps and areas for improvement.

The RDI framework is effective due to its comprehensive nature. It identifies direct controls recommended by authorities like CISA and includes a range of complementary controls. This ensures a strong defense-in-depth strategy, enabling organizations to improve their cybersecurity measures against various threats, including sophisticated ransomware attacks. By integrating both direct and complementary controls, RDI helps build a more resilient cybersecurity infrastructure.

By identifying a core set of controls that apply to CISA’s mitigation recommendations, and then layering additional complementary controls, RDI offers you the tools to define a more complete defense strategy. This approach ensures multiple layers of security are in place, helping to mitigate risks from various angles and strengthening the security posture of your organization against diverse threats.