Author of Ransomware Defense Initiative (RDI) Framework.
RDI & CISA's Mitigation Recommendations for Proactive Ransomware Defense
CISA released their advisory on Akira Ransomware (CISA Advisory AA24-109a) on April 18, 2024. The advisory identifies initial attack methods used by Akira, MITRE ATT&CK Techniques T1078, T1190, T1133, and T1566:
Valid Accounts (T1078): Akira threat actors obtain and abuse credentials of existing accounts as a means of gaining initial access.
Exploit Public-Facing Application (T1190): Akira affiliates have exploited ConnectWise vulnerability CVE-2020-3259 and CVE-2023-20269 to obtain initial access.
External Remote Services (T1133): Akira threat actors have used remote access services, such as RDP/VPN connections, to gain initial access.
The CISA advisory provides the following mitigations to defend against Akira ransomware:
Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud) [CPG 2.F, R, 2.S].
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [CPG 2.C].
Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement [CPG 2.F].
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host [CPG 3.A].
Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
Install, regularly update, and enable real time detection for antivirus software on all hosts.
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, O].
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
Consider adding an email banner to emails received from outside of your organization [CPG 2.M].
Disable hyperlinks in received emails.
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E, N].
Maintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By instituting this practice, the organization helps ensure they will not be severely interrupted, and/or only have irretrievable data.
Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure [CPG 2.K, L, 2.R].
We will analyze the MITRE ATT&CK techniques used by this ransomware family, starting with T1078, and show how RDI aligns with CISA’s mitigation recommendations for proactive ransomware defense. This article examines how RDI helps CISOs and cybersecurity leaders check their defenses against the Akira ransomware threat, and how RDI improves overall cybersecurity by focusing on specific ways to stop the MITRE ATT&CK techniques Akira uses.
Understanding T1078: Valid Accounts
With T1078, attackers can exploit compromised credentials to gain access, maintain persistence, escalate privileges, and evade detection. These credentials allow them to bypass network access controls and access remote systems and services like VPNs and Outlook Web Access. By using legitimate credentials, these attackers can avoid detection by not relying on malware or additional tools.
CISA Mitigations for T1078
Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [CPG 2.C].
Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, O].
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E, N].
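One way to operationalize the account-review and least-privilege items above (reviewing domain controllers and servers for new or unrecognized accounts, auditing administrative membership), as an added example that is not part of RDI or the CISA advisory: it reads account-creation and group-membership events and reports anything not in an approved-change register. Windows Security event IDs 4720, 4728 and 4732 are standard; the log lines, register and group list are constructed.

```python
import re

# Constructed sample of Windows Security events, one per line, as key=value
# pairs: 4720 = user account created, 4728 = member added to a global
# security group, 4732 = member added to a local security group, 4624 = logon.
SAMPLE_EVENTS = """\
EventID=4720 Target=svc_backup02 Subject=jdoe Host=DC01
EventID=4720 Target=helpdesk_tmp Subject=SYSTEM Host=DC01
EventID=4728 Target=helpdesk_tmp Group="Domain Admins" Subject=SYSTEM Host=DC01
EventID=4732 Target=msmith Group=Administrators Subject=msmith Host=WS042
EventID=4624 Target=msmith Subject=msmith Host=WS042
"""

# Constructed approved-change register: (event id, account, group).
# Anything that is not listed here is reported for review.
APPROVED_CHANGES = {("4720", "svc_backup02", "")}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn a key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def review_account_events(text):
    """Return findings as (event id, account, host, severity, reason)."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid not in {"4720", "4728", "4732"}:
            continue  # only creation and membership changes matter here
        group = ev.get("Group", "")
        if (eid, ev["Target"], group) in APPROVED_CHANGES:
            continue
        if eid == "4720":
            sev, reason = "medium", "account created without approved change"
        elif group in PRIVILEGED_GROUPS:
            sev, reason = "high", f"added to privileged group {group}"
        else:
            sev, reason = "low", f"added to group {group}"
        findings.append((eid, ev["Target"], ev["Host"], sev, reason))
    return findings


if __name__ == "__main__":
    for finding in review_account_events(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

Feeding it a real export means mapping your SIEM's field names onto the keys used here; the approval register is what turns a noisy list of changes into a short list of unrecognized accounts.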
Mapping RDI Controls to CISA Mitigations
The following matrix maps RDI’s controls to the mitigations in CISA’s advisory for Akira:
CISA Mitigation: Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring recurring password changes, as these can weaken security [CPG 2.C].
  RDI Controls (RDI Family):
    Implement Security Policies (Foundational)
    MFA (Advanced)
    Biometric-based Authentication (Elite)
    Behavioral Biometrics (Elite)

CISA Mitigation: Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems [CPG 2.H].
  RDI Controls (RDI Family):
    MFA (Advanced)
    Zero-Trust Architecture (Elite)

CISA Mitigation: Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 1.A, 2.O].
  RDI Controls (RDI Family):
    Security Logging and Monitoring Controls (Foundational)
    Implement Security Policies (Foundational)
    SIEM (Advanced)
    EDR (Advanced)
    IAM (Advanced)
    PAM (Advanced)
    Network Traffic Analysis (NTA) (Advanced)
    Continuous Monitoring of Systems (Elite)
    User and Entity Behavior Analytics (UEBA) (Elite)
    Artificial Intelligence and Machine Learning (Elite)
    Behavioral Analysis (Elite)

CISA Mitigation: Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege [CPG 2.E].
  RDI Controls (RDI Family):
    Implement Security Policies (Foundational)
    Role Based Access Control (Foundational)
    IAM (Advanced)
    PAM (Advanced)

CISA Mitigation: Implement time-based access for accounts set at the admin level and higher.
  RDI Controls (RDI Family):
    IAM (Advanced)
    PAM (Advanced)
    Zero-Trust Architecture (Elite)
Figure 1 – Mapping RDI Controls to CISA Mitigations – T1078
The table below shows the controls identified by RDI to detect and mitigate attacks using MITRE technique T1078:
T1078 – RDI controls by family
  Foundational:
    Security Logging and Monitoring Controls
    2FA
    Implement Security Policies
    Role Based Access Control
  Advanced:
    Threat Intelligence Feeds
    SIEM
    Network Traffic Analysis (NTA)
    MFA
    EDR Segmentation in the DMZ
    IDS/IPS
    Browser Isolation or Virtual Browser solutions
    SOAR
    Network Segmentation
    Deception Techniques
    IAM
    PAM
    DLP
  Elite:
    Continuous Monitoring of systems
    Artificial Intelligence and Machine Learning
    Behavioral Analysis
    Memory-based Analysis
    User and Entity Behavior Analytics (UEBA)
    Behavioral Biometrics
    Software-Defined Perimeter (SDP)
    Zero-Trust Architecture
    Threat Hunting
    Blockchain for security
    Biometric-based Authentication
Figure 2 – RDI Controls for T1078
Understanding T1133: External Remote Services
Attackers use remote access services to break into networks or maintain their presence. These services let users connect to a company’s internal systems from outside and are typically gated by authentication systems that verify user identities. Attackers typically reach them through vectors such as exposed RDP, compromised VPN credentials, third-party remote access tools, SSH access, software vulnerabilities, misconfigured cloud services, social engineering, and credential dumping.
CISA Mitigations for T1133
The following list contains only those CISA mitigation recommendations that apply to T1133:
Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems (CPG 2.H).
Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems (CPG 1.E).
Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement (CPG 2.F).
Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (CPG 2.E).
Disable unused ports (CPG 2.V).
Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
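The "filter network traffic" and least-privilege items above come down to two questions for every remote-service logon: did it originate from a trusted range, and is the account entitled to that service? The check below, as an added example that is not part of RDI or the CISA advisory, answers both over a constructed batch of RDP and VPN logon records. Logon type 10 (RemoteInteractive) is the standard Windows RDP logon type; the records, address ranges and entitlement lists are constructed.

```python
import ipaddress

# Constructed remote-access records: service, account, source IP, logon type
# (10 = Windows RemoteInteractive, i.e. RDP; 0 used here for VPN records).
SAMPLE_LOGONS = [
    {"service": "rdp", "account": "jdoe", "src": "10.20.5.17", "type": 10},
    {"service": "rdp", "account": "svc_backup02", "src": "203.0.113.44", "type": 10},
    {"service": "vpn", "account": "msmith", "src": "198.51.100.9", "type": 0},
    {"service": "vpn", "account": "contractor1", "src": "192.0.2.77", "type": 0},
]

# Constructed trusted origins per service: RDP only from the corporate LAN,
# VPN only from a partner range that the organization has explicitly allowed.
TRUSTED_ORIGINS = {
    "rdp": [ipaddress.ip_network("10.20.0.0/16")],
    "vpn": [ipaddress.ip_network("198.51.100.0/24")],
}
# Constructed entitlement list per service (output of the access review).
ENTITLED = {"rdp": {"jdoe"}, "vpn": {"msmith", "contractor1"}}


def origin_trusted(service, src):
    """True when src falls inside one of the trusted ranges for the service."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_ORIGINS.get(service, []))


def review_remote_logons(records):
    """Return (service, account, src, reasons) for each logon that breaks a
    trusted-origin or entitlement rule; compliant logons are not returned."""
    findings = []
    for rec in records:
        reasons = []
        if not origin_trusted(rec["service"], rec["src"]):
            reasons.append("untrusted origin")
        if rec["account"] not in ENTITLED.get(rec["service"], set()):
            reasons.append("account not entitled to this service")
        if rec["service"] == "rdp" and rec["type"] != 10:
            reasons.append("unexpected logon type for RDP")
        if reasons:
            findings.append((rec["service"], rec["account"], rec["src"], reasons))
    return findings


if __name__ == "__main__":
    for finding in review_remote_logons(SAMPLE_LOGONS):
        print(finding)
```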
Mapping RDI Controls to CISA Mitigations
The following matrix maps RDI’s controls to the mitigations in CISA’s advisory for Akira:
CISA Mitigation: Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems (CPG 2.H).
  RDI Controls (RDI Family):
    2FA (Foundational)
    MFA (Advanced)

CISA Mitigation: Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  RDI Controls (RDI Family):
    Apply Patches and Updates (Foundational)
    Conduct Regular Security Assessments (Foundational)
    EDR (Advanced)
    SOAR (Advanced)
    Threat Intelligence Feeds (Advanced)
    Continuous Monitoring of systems (Elite)
    Artificial Intelligence and Machine Learning (Elite)
    Zero-Trust Architecture (Elite)

CISA Mitigations:
  Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement (CPG 2.F).
  Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence.
  Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (CPG 2.E).
  RDI Controls (RDI Family):
    Role Based Access Control (RBAC) (Foundational)
    Implement Security Policies (Foundational)
    Conduct Regular Security Assessments (Foundational)
    SIEM (Security Information and Event Management) (Advanced)
    Network Access Control (NAC) (Advanced)
    EDR (Advanced)
    User and Entity Behavior Analytics (UEBA) (Elite)
    Continuous Monitoring of systems (Elite)
    Zero-Trust Architecture (Elite)
    Artificial Intelligence and Machine Learning (Elite)

CISA Mitigation: Disable unused ports (CPG 2.V).
  RDI Controls (RDI Family):
    Implement Security Policies (Foundational)
    Security Awareness (Foundational)
    Network Access Control (NAC) (Advanced)
    SIEM (Security Information and Event Management) (Advanced)
    EDR (Advanced)
    Continuous Monitoring of systems (Elite)
    Zero-Trust Architecture (Elite)
    User and Entity Behavior Analytics (UEBA) (Elite)

CISA Mitigation: Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model).
  RDI Controls (RDI Family):
    Role Based Access Control (RBAC) (Foundational)
    Implement Security Policies (Foundational)
    SIEM (Security Information and Event Management) (Advanced)
    EDR (Advanced)
    Network Access Control (NAC) (Advanced)
    Zero-Trust Architecture (Elite)
    User and Entity Behavior Analytics (UEBA) (Elite)
    Artificial Intelligence and Machine Learning (Elite)
The table below shows the controls identified by RDI to detect and mitigate attacks using MITRE technique T1133:
CISOs and cybersecurity teams can efficiently map mitigation recommendations to specific controls identified by RDI. Using RDI’s self-assessment tools (https://rdishield.com/rdi/), you can conduct quick assessments of these controls, identifying any gaps and areas for improvement.
The RDI framework is effective because it is comprehensive: it identifies the direct controls recommended by authorities like CISA and adds a range of complementary controls. This supports a defense-in-depth strategy, enabling organizations to improve their cybersecurity measures against various threats, including sophisticated ransomware attacks. By integrating both direct and complementary controls, RDI helps build a more resilient cybersecurity infrastructure.
By identifying a core set of controls that apply to CISA’s mitigation recommendations, and then layering additional complementary controls, RDI gives you the tools to define a more complete defense strategy. This approach puts multiple layers of security in place, mitigating risk from several angles and strengthening your organization’s security posture against diverse threats.