Mapping CISA’s Black Basta Mitigations to RDI Controls

RANSOMWARE DEFENSE INITIATIVE

Edgar Rojas

Author of Ransomware Defense Initiative (RDI) Framework.

RDI & CISA's Mitigation Recommendations for Proactive Ransomware Defense

CISA released their latest advisory on Black Basta Ransomware (CISA Advisory AA24-131a) on May 10, 2024. The advisory identifies initial attack methods used by Black Basta, primarily MITRE ATT&CK Techniques T1566 and T1190:

  • Exploit Public-Facing Application (T1190): Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access.
  • Phishing (T1566): Black Basta affiliates have used spearphishing emails to obtain initial access.

The CISA advisory provides a set of mitigations to defend against Black Basta ransomware; those that apply to T1190 and T1566 are reproduced in the sections below. The document also provides additional mitigation recommendations:

  • Asset Management and Security: Identify and understand asset relationships, functionalities, exposures, and running software to protect critical data and systems. Ensure electronic PHI (ePHI) is protected and HIPAA-compliant. Use active scans, passive processes, or a combination of both for asset inventories.
  • Email Security and Phishing Prevention: Install modern anti-malware software and update signatures automatically. Check for embedded or spoofed hyperlinks by validating that the URL matches the text. For more details, refer to CISA’s Enhance Email and Web Security Guide.
  • Access Management: Implement phishing-resistant MFA to thwart social engineering and targeted phishing attacks. Use FIDO/WebAuthn or PKI-based authentication, prioritizing high-risk accounts such as privileged administrative accounts. For more details, refer to CISA’s Implementing Phishing-Resistant MFA Guide.
  • Vulnerability Management and Assessment: Identify vulnerabilities, then evaluate and prioritize based on organizational risk strategy. Map assets to business-critical functions and prioritize those critical to operations, security, and reputation. Use threat intelligence to focus on actively exploited vulnerabilities, leveraging CISA’s KEV Catalog and other feeds. Apply prioritization methodologies like CVSS for severity, EPSS for exploitation likelihood, and SSVC for impact and status.
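As an added example that is not part of the CISA advisory or the RDI framework, the prioritization logic this bullet describes, written in Python: KEV membership first, then business criticality of the asset, then EPSS exploitation likelihood, then CVSS severity. The KEV subset, the scores and the CVE-PLACEHOLDER identifiers are constructed, and the tiering function is a hypothetical simplification, not SSVC.

```python
from dataclasses import dataclass

# Constructed KEV subset for this example. CVE-2024-1709 is the ConnectWise CVE the
# advisory names; a real implementation would load CISA's published KEV catalog.
KEV_CATALOG = {"CVE-2024-1709"}

@dataclass(frozen=True)
class Finding:
    """One scanner finding enriched with the inputs the advisory asks us to weigh."""
    cve: str
    asset: str
    business_critical: bool  # asset mapped to a business-critical function
    cvss: float              # severity score, 0.0 to 10.0
    epss: float              # EPSS probability of exploitation, 0.0 to 1.0

def priority_key(f):
    """Higher tuple sorts as more urgent: KEV membership first, then critical
    assets, then exploitation likelihood (EPSS), then raw severity (CVSS)."""
    return (f.cve in KEV_CATALOG, f.business_critical, f.epss, f.cvss)

def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_key, reverse=True)

def remediation_tier(f):
    """Hypothetical tiering (a simplification, not SSVC itself): KEV entries are
    always P1; critical assets that are likely or severely exploitable are P2."""
    if f.cve in KEV_CATALOG:
        return "P1-KEV"
    if f.business_critical and (f.epss >= 0.10 or f.cvss >= 9.0):
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"

# Constructed findings; scores and CVE-PLACEHOLDER ids are illustrative only.
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-C", "dev-test-03", False, 5.3, 0.01),
    Finding("CVE-PLACEHOLDER-A", "billing-db-01", True, 9.8, 0.02),
    Finding("CVE-2024-1709", "screenconnect-01", True, 10.0, 0.96),
    Finding("CVE-PLACEHOLDER-B", "kiosk-07", False, 7.5, 0.30),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{remediation_tier(f):7} {f.cve:20} {f.asset}")
```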

We will first examine MITRE ATT&CK technique T1190 and show how RDI complements CISA’s mitigation recommendations for proactive ransomware defense. We’ll explore how RDI aids CISOs and cybersecurity leaders in assessing their readiness against Black Basta ransomware and in developing strategies to strengthen their security posture. By focusing first on the mitigations specific to T1190, and later on those for T1566, we’ll demonstrate how RDI supports CISA’s recommendations and strengthens overall cybersecurity measures.

Understanding T1190: Exploit Public-Facing Application

T1190 covers the exploitation of vulnerabilities in Internet-facing applications to gain unauthorized access, which can lead to data breaches and system compromise. Common attack methods include exploiting outdated software, misconfigurations, and unpatched vulnerabilities.

CISA Mitigations for T1190

We previously highlighted CISA’s mitigation recommendations for Black Basta. For this exercise, we will focus only on those CISA mitigation recommendations that apply to T1190:

  1. Install updates for operating systems, software, and firmware [CPG 1.E]: Prioritize updating Known Exploited Vulnerabilities (KEV).
  2. Secure remote access software by applying mitigations from the joint Guide to Securing Remote Access Software.
  3. Apply mitigations from the joint #StopRansomware Guide.
  4. Vulnerability Management and Assessment: Evaluate and prioritize vulnerabilities.
  5. Implement security awareness training.
  6. Use threat intelligence information to prioritize remediation efforts.

Mapping RDI Controls to CISA Mitigations

To effectively implement CISA’s recommendations, you can leverage RDI controls as shown on this mapping visualization:

Figure 1 – Mapping RDI Controls to CISA Mitigations – T1190

This diagram presents a mapping between CISA’s mitigation recommendations for MITRE ATT&CK technique T1190 and RDI’s controls designed to detect and mitigate attacks leveraging T1190 as an attack vector.

The following matrix shows how RDI's controls complement CISA's advisory for Black Basta:

CISA Mitigation – RDI Control (RDI Family)

  1. Install updates for operating systems, software, and firmware as soon as they are released.
     • Apply Patches and Updates (Foundational)
     • Implement Security Policies (Foundational)
     • Vulnerability Scanning (Foundational)
  2. Secure remote access software by applying mitigations from the joint Guide to Securing Remote Access Software.
     • Network Security Controls (Firewalls/VPNS/Proxy servers) (Foundational)
     • Secure Communications/Secure Protocols/Secure File Transfer Protocols (Foundational)
     • Browser Isolation or Virtual Browser solutions (Advanced)
     • Network Access Control (NAC) (Advanced)
     • Network Segmentation (Advanced)
  3. Apply mitigations from the joint #StopRansomware Guide.
     • APT Detection and Response (Advanced)
     • EDR (Advanced)
     • Network Traffic Analysis (NTA) (Advanced)
     • IDS/IPS (Advanced)
     • SOAR (Advanced)
  4. Vulnerability Management and Assessment: Once vulnerabilities are identified across your environment, evaluate and prioritize them to deal appropriately with the risks posed, according to your organization’s risk strategy.
     • Vulnerability Scanning (Foundational)
     • Application Security Testing Tools (Advanced)
  5. Implement recommendations, including training users to recognize and report phishing attempts.
     • Security Awareness (Foundational)
  6. Use threat intelligence information. For remediation, prioritize vulnerabilities actively exploited by threat actors.
     • Threat Intelligence Feeds (Advanced)
     • Advanced Threat Intelligence (Elite)

CISOs and cybersecurity teams can efficiently map mitigation recommendations to specific controls identified by RDI. Using RDI’s self-assessment tools (https://rdishield.com/rdi/), you can conduct quick assessments of these controls, identifying any gaps and areas for improvement.

By identifying a core set of controls that apply to CISA’s mitigation recommendations, and then layering additional complementary controls (see table below), RDI offers you the tools to define a more complete defense strategy. This approach ensures multiple layers of security are in place, helping to mitigate risks from various angles and strengthening the security posture of your organization against diverse threats.

T1190 – complementary RDI controls by family

Foundational
  • Use Web Application Firewall
  • Security Logging and Monitoring Controls
  • Vulnerability Scanning
  • Software and Firmware Security Standards
  • Web Filtering
  • Browser Extensions
  • Anti-virus and Anti-Malware Software
  • Apply Patches and Updates
  • Network Segmentation in the DMZ
  • Security Awareness
  • Use Security Software on Mobile Devices
  • Enabling Host-Based Firewalls
  • Implementing DNS security
  • 2FA
  • Network Security Controls (Firewalls/VPNS/Proxy servers)
  • Secure Communications/Secure Protocols/Secure File Transfer Protocols
  • Implement Security Policies

Advanced
  • Threat Intelligence Feeds
  • SIEM
  • Network Traffic Analysis (NTA)
  • APT Detection and Response
  • Application Security Testing Tools
  • MFA
  • EDR
  • Application Whitelisting
  • Network Sandboxing
  • IDS/IPS
  • Browser Isolation or Virtual Browser solutions
  • Network Access Control (NAC)
  • SOAR
  • Network Segmentation
  • Runtime Application Self-Protection (RASP)
  • Implementing DevSecOps
  • Deception Techniques

Elite
  • Advanced Threat Intelligence
  • Continuous Monitoring of systems
  • Artificial Intelligence and Machine Learning
  • Behavioral Analysis
  • Memory-based Analysis
  • User and Entity Behavior Analytics (UEBA)
  • Software-Defined Perimeter (SDP)
  • Zero-Trust Architecture
  • Quantum-Resistant security
  • Threat Hunting
  • Blockchain for security
  • Biometric-based Authentication

Let’s now apply the same approach to CISA’s mitigation recommendations specific to T1566.

Understanding T1566: Phishing

Phishing involves sending emails with malicious attachments or links to execute code on victim systems and can also occur via third-party services like social media. Social engineering techniques, such as posing as a trusted source, are often employed in phishing attacks.

Adversaries use phishing to gain access to victim systems through electronically delivered social engineering. This can be targeted (spearphishing) or non-targeted (mass malware spam campaigns).

CISA Mitigations for T1566

  • Require phishing-resistant multi-factor authentication (MFA) [CPG 2.H] for as many services as possible.
  • Implement recommendations, including training users to recognize and report phishing attempts [CPG 2.I], from joint Phishing Guidance: Stopping the Attack Cycle at Phase One.
  • Email Security and Phishing Prevention: Install modern anti-malware software and update signatures automatically. Check for embedded or spoofed hyperlinks by validating that the URL matches the text. For more details, refer to CISA’s Enhance Email and Web Security Guide.
  • Implement security awareness training to help users recognize and report phishing attempts.
  • Use threat intelligence information to stay updated on phishing campaigns associated with Black Basta.
  • Use advanced threat intelligence to gain deeper insights into the sophisticated phishing tactics used by threat actors.

Mapping RDI Controls to CISA Mitigations

This diagram presents a comprehensive mapping between CISA’s mitigation recommendations for MITRE ATT&CK technique T1566 and RDI’s controls designed to detect and mitigate attacks leveraging T1566 as an attack vector.

Figure 2 – Mapping RDI Controls to CISA Mitigations – T1566

In matrix form, it shows how RDI’s controls complement CISA’s advisory for Black Basta:

CISA Mitigation – RDI Control (RDI Family)

  1. Require phishing-resistant multi-factor authentication (MFA) for as many services as possible.
     • 2FA (Foundational)
     • Anti-Phishing Software (Foundational)
     • Phishing Incident Response Plan (Foundational)
     • MFA (Foundational)
     • Advanced Phishing-Aware Web Browsers (Foundational)
  2. Implement recommendations, including training users to recognize and report phishing attempts, from the joint Phishing Guidance: Stopping the Attack Cycle at Phase One.
     • Security Awareness (Foundational)
  3. Email Security and Phishing Prevention: Install modern anti-malware software and update signatures automatically. Check for embedded or spoofed hyperlinks by validating that the URL matches the text. For more details, refer to CISA’s Enhance Email and Web Security Guide.
     • Email Authentication Protocols (Foundational)
     • Anti-virus and Anti-Malware Software (Foundational)
     • Spam Filters/Email Content Filtering (Foundational)
     • Email Encryption (Advanced)
     • Phishing Incident Response Plan (Foundational)
  4. Use threat intelligence information to stay updated on phishing campaigns associated with Black Basta.
     • Threat Intelligence Feeds (Advanced)
     • Advanced Threat Intelligence (Elite)

As mentioned previously, RDI goes a step further by providing a broader range of controls beyond those mentioned in the CISA advisory, offering a more comprehensive view of detection and mitigation strategies against such attacks:

T1566 – complementary RDI controls by family

Foundational
  • Security Logging and Monitoring Controls
  • Vulnerability Scanning
  • Email Authentication Protocols
  • Monitoring of Social Media and Other Platforms
  • Software and Firmware Security Standards
  • Browser Extensions
  • Anti-virus and Anti-Malware Software
  • Security Awareness
  • Use Security Software on Mobile Devices
  • 2FA
  • Enabling Host-Based Firewalls
  • Implementing DNS security
  • Secure Remote Access
  • Network Security Controls (Firewalls/VPNS/Proxy servers)
  • Anti-Phishing Software
  • Spam Filters/Email Content Filtering
  • Implement Security Policies
  • Phishing Incident Response Plan

Advanced
  • Use Threat Intelligence Feeds
  • Use Security Information and Event Management (SIEM) systems
  • Use Network Traffic Analysis (NTA)
  • URL Reputation
  • MFA
  • Use EDR
  • Use Network Sandboxing
  • Use IDS/IPS
  • Implementing Browser Isolation or Virtual Browser Solutions
  • Use SOAR
  • Use Deception Techniques
  • Email Encryption
  • PAM
  • DLP

Elite
  • Use Advanced Threat Intelligence
  • Implement Continuous Monitoring of Systems
  • Use AI/ML
  • Use Behavioral Analysis
  • Use Memory-Based Analysis
  • Network Forensics
  • User and Entity Behavior Analytics (UEBA)
  • Behavioral Biometrics
  • Use Software-Defined Perimeter (SDP)
  • Use Zero-Trust Architecture
  • Implementing Quantum-Resistant Security
  • Use Threat Hunting
  • Use Blockchain for Security
  • Advanced Phishing-Aware Web Browsers

Conclusion

By utilizing both RDI and CISA’s advisory, you can design a cybersecurity strategy for protecting against ransomware threats that leverage MITRE ATT&CK Techniques such as T1190 and T1566. By adopting these best practices, organizations can improve their detection and mitigation capabilities against ransomware attacks.

The RDI framework is effective due to its comprehensive nature. It identifies direct controls recommended by authorities like CISA and includes a range of complementary controls. This ensures a strong defense-in-depth strategy, enabling organizations to improve their cybersecurity measures against various threats, including sophisticated ransomware attacks. By integrating both direct and complementary controls, RDI helps build a more resilient cybersecurity infrastructure.