Author of Ransomware Defense Initiative (RDI) Framework.
RDI & CISA's Mitigation Recommendations for Proactive Ransomware Defense
CISA released their latest advisory on Black Basta Ransomware (CISA Advisory AA24-131a) on May 10, 2024. The advisory identifies initial attack methods used by Black Basta, primarily MITRE ATT&CK Techniques T1566 and T1190:
Exploit Public-Facing Application (T1190): Black Basta affiliates have exploited ConnectWise vulnerability CVE-2024-1709 to obtain initial access.
Phishing (T1566): Black Basta affiliates have used spearphishing emails to obtain initial access.
The CISA advisory provides a set of mitigations to defend against Black Basta ransomware (the ones relevant to each technique are repeated in the sections below), and it also provides these additional mitigation recommendations:
Asset Management and Security: Identify and understand asset relationships, functionalities, exposures, and running software to protect critical data and systems. Ensure electronic PHI (ePHI) is protected and HIPAA-compliant. Use active scans, passive processes, or a combination of both for asset inventories.
Email Security and Phishing Prevention: Install modern anti-malware software and update signatures automatically. Check for embedded or spoofed hyperlinks by validating that the URL matches the text. For more details, refer to CISA’s Enhance Email and Web Security Guide.
Access Management: Implement phishing-resistant MFA to thwart social engineering and targeted phishing attacks. Use FIDO/WebAuthn or PKI-based authentication, prioritizing high-risk accounts such as privileged administrative accounts. For more details, refer to CISA’s Implementing Phishing-Resistant MFA Guide.
Vulnerability Management and Assessment: Identify vulnerabilities, then evaluate and prioritize based on organizational risk strategy. Map assets to business-critical functions and prioritize those critical to operations, security, and reputation. Use threat intelligence to focus on actively exploited vulnerabilities, leveraging CISA’s KEV Catalog and other feeds. Apply prioritization methodologies like CVSS for severity, EPSS for exploitation likelihood, and SSVC for impact and status.
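The prioritization the advisory describes (KEV first, then exploitation likelihood and severity, weighted by what the asset does and whether it is exposed) is easy to state and easy to get wrong if a team sorts by CVSS alone. The script below is an added example, not part of the advisory or the RDI framework: it ranks constructed scanner findings with that logic. CVE-2024-1709 is the ConnectWise CVE named in the advisory; the `CVE-EXAMPLE-*` identifiers, the `Finding` fields, the 0.10 EPSS threshold and the Act/Attend/Track mapping are all assumptions (the mapping borrows SSVC's labels but is a simplification, not CISA's published SSVC decision tree).

```python
"""Added example: rank vulnerability findings using KEV membership, EPSS
likelihood, CVSS severity and asset context. Thresholds and the
Act/Attend/Track mapping are assumptions, simplified from SSVC's labels."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float              # CVSS base score, 0-10 (severity)
    epss: float              # EPSS probability, 0-1 (exploitation likelihood)
    internet_facing: bool    # exposure, from the asset inventory
    business_critical: bool  # asset mapped to a business-critical function


# Constructed KEV subset. CVE-2024-1709 is the ConnectWise CVE named in the
# advisory; every "CVE-EXAMPLE-*" identifier below is a placeholder, not a real CVE.
KEV = frozenset({"CVE-2024-1709"})
EPSS_THRESHOLD = 0.10   # assumed: >= 10% 30-day probability counts as "likely exploited"
CVSS_HIGH = 7.0         # CVSS v3 "High" lower bound


def priority(f: Finding, kev=KEV) -> str:
    """Return 'Act', 'Attend' or 'Track' (SSVC-style labels, simplified logic)."""
    exploited = f.cve in kev
    exposed = f.internet_facing or f.business_critical
    likely_and_severe = f.epss >= EPSS_THRESHOLD and f.cvss >= CVSS_HIGH
    if exploited and exposed:
        return "Act"       # known exploited on an exposed or critical asset: patch now
    if exploited or (likely_and_severe and exposed):
        return "Attend"    # KEV elsewhere, or likelihood x severity on an asset that matters
    return "Track"         # handle within the normal patch cycle


def rank(findings):
    """Order findings for remediation: by tier, then EPSS, then CVSS (all descending)."""
    order = {"Act": 0, "Attend": 1, "Track": 2}
    return sorted(findings, key=lambda f: (order[priority(f)], -f.epss, -f.cvss))


def sample_findings():
    """Constructed scanner output for the demo (asset names are made up)."""
    return [
        Finding("CVE-EXAMPLE-0001", "hr-db-01", cvss=9.8, epss=0.02,
                internet_facing=False, business_critical=True),
        Finding("CVE-2024-1709", "screenconnect-01", cvss=10.0, epss=0.95,
                internet_facing=True, business_critical=True),
        Finding("CVE-EXAMPLE-0002", "intranet-wiki", cvss=8.1, epss=0.40,
                internet_facing=True, business_critical=False),
        Finding("CVE-EXAMPLE-0003", "test-vm-07", cvss=5.3, epss=0.01,
                internet_facing=False, business_critical=False),
    ]


if __name__ == "__main__":
    for f in rank(sample_findings()):
        print(f"{priority(f):7} {f.cve:18} {f.asset:18} cvss={f.cvss:<4} epss={f.epss:.2f}")
```

Note what the ordering does with the constructed data: the CVSS 9.8 finding on `hr-db-01` lands in Track because nothing indicates it is being exploited, while the CVSS 8.1 finding on the internet-facing wiki moves up to Attend. That is the point of combining KEV, EPSS and exposure rather than sorting by severity alone.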
We will first examine MITRE ATT&CK technique T1190 and show how RDI complements CISA’s mitigation recommendations for proactive ransomware defense. We’ll explore how RDI aids CISOs and cybersecurity leaders in assessing their readiness against Black Basta Ransomware and in developing strategies to strengthen their security posture. By focusing first on the mitigations specific to T1190, and later on those for T1566, we’ll demonstrate how RDI supports CISA’s recommendations and strengthens overall cybersecurity measures.
T1190 involves exploiting vulnerabilities in Internet-facing applications to gain unauthorized access leading to data breaches and system compromises. Common attack methods include exploiting outdated software, misconfigurations, and unpatched vulnerabilities.
CISA Mitigations for T1190
We previously highlighted CISA’s mitigation recommendations for Black Basta. For this exercise, we will focus only on those CISA mitigation recommendations that apply to T1190:
Install updates for operating systems, software, and firmware [CPG 1.E]: Prioritize updating Known Exploited Vulnerabilities (KEV).
Secure remote access software by applying mitigations from the joint Guide to Securing Remote Access Software.
Apply mitigations from the joint #StopRansomware Guide.
Vulnerability Management and Assessment: Evaluate and prioritize vulnerabilities.
Implement security awareness training.
Use threat intelligence information to prioritize remediation efforts.
Mapping RDI Controls to CISA Mitigations
To effectively implement CISA’s recommendations, you can leverage RDI controls as shown on this mapping visualization:
Figure 1- Mapping RDI Controls to CISA Mitigations – T1190
This diagram presents a mapping between CISA’s mitigation recommendations for MITRE ATT&CK technique T1190 and RDI’s controls designed to detect and mitigate attacks leveraging T1190 as an attack vector.
The following matrix shows how RDI's controls complement CISA's advisory for Black Basta:
| CISA Mitigation | RDI Control | RDI Family |
| --- | --- | --- |
| Install updates for operating systems, software, and firmware as soon as they are released. | Apply Patches and Updates | Foundational |
| | Implement Security Policies | Foundational |
| | Vulnerability Scanning | Foundational |
| Secure remote access software by applying mitigations from joint Guide to Securing Remote Access Software. | Secure Communications/Secure Protocols/Secure File Transfer Protocols; Browser Isolation or Virtual Browser solutions; Network Access Control (NAC); Network Segmentation | Foundational; Foundational; Advanced; Advanced; Advanced |
| Apply mitigations from the joint #StopRansomware Guide. | APT Detection and Response | Advanced |
| | EDR | Advanced |
| | Network Traffic Analysis (NTA) | Advanced |
| | IDS/IPS | Advanced |
| | SOAR | Advanced |
| Vulnerability Management and Assessment: Once vulnerabilities are identified across your environment, evaluate and prioritize to appropriately deal with the posed risks according to your organization’s risk strategy. | Vulnerability Scanning | Foundational |
| | Application Security Testing Tools | Advanced |
| Implement recommendations, including training users to recognize and report phishing attempts. | Security Awareness | Foundational |
| Use threat intelligence information. For remediation, prioritize vulnerabilities actively exploited by threat actors. | Threat Intelligence Feeds | Advanced |
| | Advanced Threat Intelligence | Elite |
CISOs and cybersecurity teams can efficiently map mitigation recommendations to specific controls identified by RDI. Using RDI’s self-assessment tools (https://rdishield.com/rdi/), you can conduct quick assessments of these controls, identifying any gaps and areas for improvement.
By identifying a core set of controls that apply to CISA’s mitigation recommendations, and then layering additional complementary controls (see table below), RDI offers you the tools to define a more complete defense strategy. This approach ensures multiple layers of security are in place, helping to mitigate risks from various angles and strengthening the security posture of your organization against diverse threats.
| RDI Control | RDI Family |
| --- | --- |
| Secure Communications/Secure Protocols/Secure File Transfer Protocols | Foundational |
| Implement Security Policies | Advanced |
| Threat Intelligence Feeds | Advanced |
| SIEM | Advanced |
| Network Traffic Analysis (NTA) | Advanced |
| APT Detection and Response | Advanced |
| Application Security Testing Tools | Advanced |
| MFA | Advanced |
| EDR | Advanced |
| Application Whitelisting | Advanced |
| Network Sandboxing | Advanced |
| IDS/IPS | Advanced |
| Browser Isolation or Virtual Browser solutions | Advanced |
| Network Access Control (NAC) | Advanced |
| SOAR | Advanced |
| Network Segmentation | Advanced |
| Runtime Application Self-Protection (RASP) | Advanced |
| Implementing DevSecOps | Advanced |
| Deception Techniques | Elite |
| Advanced Threat Intelligence | Elite |
| Continuous Monitoring of systems | Elite |
| Artificial Intelligence and Machine Learning | Elite |
| Behavioral Analysis | Elite |
| Memory-based Analysis | Elite |
| User and Entity Behavior Analytics (UEBA) | Elite |
| Software-Defined Perimeter (SDP) | Elite |
| Zero-Trust Architecture | Elite |
| Quantum-Resistant security | Elite |
| Threat Hunting | Elite |
| Blockchain for security | Elite |
| Biometric-based Authentication | |
Let’s turn our attention now and apply the same approach to CISA’s mitigation recommendations specific to T1566:
Understanding T1566: Phishing
Phishing involves sending emails with malicious attachments or links to execute code on victim systems and can also occur via third-party services like social media. Social engineering techniques, such as posing as a trusted source, are often employed in phishing attacks.
Adversaries use phishing to gain access to victim systems through electronically delivered social engineering. This can be targeted (spearphishing) or non-targeted (mass malware spam campaigns).
CISA Mitigations for T1566
Require phishing-resistant multi-factor authentication (MFA) [CPG 2.H] for as many services as possible.
Implement recommendations, including training users to recognize and report phishing attempts [CPG 2.I], from joint Phishing Guidance: Stopping the Attack Cycle at Phase One.
Email Security and Phishing Prevention: Install modern anti-malware software and update signatures automatically. Check for embedded or spoofed hyperlinks by validating that the URL matches the text. For more details, refer to CISA’s Enhance Email and Web Security Guide.
Implement security awareness training to help users recognize and report phishing attempts.
Use threat intelligence information to stay updated on phishing campaigns associated with Black Basta.
Advanced Threat Intelligence to gain deeper insights into sophisticated phishing tactics used by threat actors.
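The "validate that the URL matches the text" check from the email-security mitigation above is mechanical enough to automate at the mail gateway or in a triage script. The code below is an added example, not CISA's or RDI's: it parses an HTML message, collects every anchor's visible text and `href`, and flags anchors whose displayed host differs from the host the link really resolves to, including the userinfo trick (`user@real-host`) that browsers honor but people misread. The sample message, the `evil-example.test` host and the helper names are constructed for the demo.

```python
"""Added example: flag anchors in an HTML e-mail whose visible text looks like
a URL or host name but whose href points at a different host.
Sample message and host names are constructed for this demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None means "not inside an <a>"
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # text inside the anchor, nested tags included
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())   # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


# Visible text that a reader would take for a URL or host name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


def host_of(url: str) -> str:
    """Host a URL really points to, ignoring scheme, userinfo, port, path and a leading www."""
    if "://" not in url:
        url = "http://" + url               # bare host names parse as paths otherwise
    host = (urlparse(url).hostname or "").lower()   # hostname drops any user@ prefix
    return host.removeprefix("www.")


def spoofed_links(html: str):
    """Return (visible text, href) for links whose displayed host != real host."""
    parser = LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if href and URL_LIKE.match(text) and host_of(text) != host_of(href)]


# Constructed phishing-style message: one honest link, one spoofed via userinfo,
# one legitimate www variant, and one "click here" link that this check cannot judge.
SAMPLE_EMAIL = """<html><body>
<p>Your password expires today. Sign in at
<a href="https://portal.example.com/account"><b>https://portal.example.com</b></a>.</p>
<p>Or use the new portal:
<a href="http://portal.example.com@login.evil-example.test/verify">https://portal.example.com</a></p>
<p>Questions? Visit <a href="http://www.example.com/help">example.com</a> or
<a href="http://login.evil-example.test/x">click here</a>.</p>
</body></html>"""


if __name__ == "__main__":
    for text, href in spoofed_links(SAMPLE_EMAIL):
        print(f"MISMATCH shown={text!r} actual={href!r}")
```

The check is deliberately narrow: it only fires when the visible text itself claims to be a URL. A link labelled "click here" that points at an unrelated host passes this test, which is why the advisory pairs the URL check with anti-malware, content filtering and, in RDI's complementary list, URL reputation and network sandboxing.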
Mapping RDI Controls to CISA Mitigations
This diagram presents a comprehensive mapping between CISA’s mitigation recommendations for MITRE ATT&CK technique T1566 and RDI’s controls designed to detect and mitigate attacks leveraging T1566 as an attack vector.
Using the matrix format, it shows how RDI’s controls complement CISA’s advisory for Black Basta:
| CISA Mitigation | RDI Control | RDI Family |
| --- | --- | --- |
| Require phishing-resistant multi-factor authentication (MFA) for as many services as possible. | 2FA | Foundational |
| | Anti-Phishing Software | Foundational |
| | Phishing Incident Response Plan | Foundational |
| | MFA | Foundational |
| | Advanced Phishing-Aware Web Browsers | Foundational |
| Implement recommendations, including training users to recognize and report phishing attempts from joint Phishing Guidance: Stopping the Attack Cycle at Phase One. | Security Awareness | Foundational |
| Email Security and Phishing Prevention: Install modern anti-malware software and update signatures automatically. Check for embedded or spoofed hyperlinks by validating that the URL matches the text. For more details, refer to CISA’s Enhance Email and Web Security Guide. | Email Authentication Protocols | Foundational |
| | Anti-virus and Anti-Malware Software | Foundational |
| | Spam Filters/Email Content Filtering | Foundational |
| | Email Encryption | Advanced |
| | Phishing Incident Response Plan | Foundational |
| Use threat intelligence information to stay updated on phishing campaigns associated with Black Basta. | Threat Intelligence Feeds | Advanced |
| | Advanced Threat Intelligence | Elite |
As mentioned previously, RDI goes a step further by providing a broader range of controls beyond those mentioned in the CISA advisory, offering a more comprehensive view of detection and mitigation strategies against such attacks:
| RDI Control | RDI Family |
| --- | --- |
| Use Security Information and Event Management (SIEM) systems | Advanced |
| Use Network Traffic Analysis (NTA) | Advanced |
| URL Reputation | Advanced |
| MFA | Advanced |
| Use EDR | Advanced |
| Use Network Sandboxing | Advanced |
| Use IDS/IPS | Advanced |
| Implementing Browser Isolation or Virtual Browser Solutions | Advanced |
| Use SOAR | Advanced |
| Use Deception Techniques | Advanced |
| Email Encryption | Advanced |
| PAM | Advanced |
| DLP | Elite |
| Use Advanced Threat Intelligence | Elite |
| Implement Continuous Monitoring of Systems | Elite |
| Use AI/ML | Elite |
| Use Behavioral Analysis | Elite |
| Use Memory-Based Analysis | Elite |
| Network Forensics | Elite |
| User and Entity Behavior Analytics (UEBA) | Elite |
| Behavioral Biometrics | Elite |
| Use Software-Defined Perimeter (SDP) | Elite |
| Use Zero-Trust Architecture | Elite |
| Implementing Quantum-Resistant Security | Elite |
| Use Threat Hunting | Elite |
| Use Blockchain for Security | Elite |
| Advanced Phishing-Aware Web Browsers | |
Conclusion
By utilizing both RDI and CISA’s advisory, you can design a cybersecurity strategy for protecting against ransomware threats that leverage MITRE ATT&CK Techniques such as T1190 and T1566. By adopting these best practices, organizations can improve their detection and mitigation capabilities against ransomware attacks.
The RDI framework is effective due to its comprehensive nature. It identifies direct controls recommended by authorities like CISA and includes a range of complementary controls. This ensures a strong defense-in-depth strategy, enabling organizations to improve their cybersecurity measures against various threats, including sophisticated ransomware attacks. By integrating both direct and complementary controls, RDI helps build a more resilient cybersecurity infrastructure.