Mapping CISA's RansomHub Mitigations to RDI Controls

RDI & CISA's Mitigation Recommendations for Proactive Ransomware Defense

CISA's RansomHub Mitigation Recommendations

CISA released its latest advisory on RansomHub ransomware (CISA Advisory AA24-242a) on August 29, 2024. The advisory identifies MITRE ATT&CK techniques T1566 and T1190 as the initial access methods used by RansomHub:

  • Exploit Public-Facing Application (T1190): RansomHub affiliates have exploited vulnerabilities in public-facing applications to gain unauthorized access to networks.
  • Phishing (T1566): RansomHub affiliates have utilized spearphishing emails to deceive users into providing credentials or executing malicious code, facilitating initial access.

The CISA advisory provides the following mitigation recommendations to defend against RansomHub ransomware:

  • Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.
  • Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Require phishing-resistant multifactor authentication for administrator accounts and require standard MFA for all services to the extent possible (particularly for webmail, virtual private networks, and accounts that access critical systems).
  • Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Install, regularly update, and enable real-time detection for antivirus software on all hosts.
  • Implement Secure Logging Collection and Storage Practices. Learn more about logging best practices by referencing CISA’s Logging Made Easy resources.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Disable unused ports.
  • Implement and enforce email security policies.
  • Disable macros by default.
  • Disable hyperlinks in received emails.
  • Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.

Turning CISA's mitigation advice into action using MITRE ATT&CK and RDI

CISA offers solid advice for fighting ransomware, but what RDI brings to the table is different: it maps these recommendations to specific RDI controls based on the MITRE ATT&CK techniques that attackers use. By connecting these dots, organizations can see exactly which security controls they need in order to defend against the specific techniques that ransomware groups are using against them.

Mapping MITRE ATT&CK T1190 to RDI Controls

MITRE ATT&CK T1190 involves exploiting vulnerabilities in Internet-facing applications to gain unauthorized access leading to data breaches and system compromises. Common attack methods include exploiting outdated software, misconfigurations, and unpatched vulnerabilities.

The matrix below presents a mapping between CISA's mitigation recommendations for MITRE ATT&CK technique T1190 and RDI's controls designed to detect and mitigate attacks leveraging T1190 as an attack vector.

CISA Mitigation / RDI Control / RDI Family

Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Foundational: Apply Patches and Updates; Vulnerability Scanning; Security Logging and Monitoring Controls; Software and Firmware Security Standards
  • Advanced: Application Security Testing Tools; Network Detect and Respond (NDR); SOAR (Security Orchestration, Automation, and Response); Security Information and Event Management (SIEM); APT Detection and Response
  • Elite: Advanced Threat Intelligence; Continuous Monitoring; Network Forensics; Threat Hunting; Zero-Trust Architecture

Secure remote access software by applying mitigations from the joint Guide to Securing Remote Access Software.
  • Foundational: Secure Remote Access; Network Security Controls (Firewalls/VPNs/Proxy Servers); Apply Patches and Updates; Software and Firmware Security Standards; Security Logging and Monitoring Controls; Vulnerability Scanning; RBAC (Role-Based Access Control); Use Encryption
  • Advanced: Application Security Testing Tools; SIEM (Security Information and Event Management); EDR (Endpoint Detection and Response); NTA (Network Traffic Analysis); Threat Intelligence Feeds; IDS/IPS (Intrusion Detection/Prevention Systems); NAC (Network Access Control); RASP (Runtime Application Self-Protection); NDR (Network Detect and Respond); PAM (Privileged Access Management); Implementing DevSecOps
  • Elite: Advanced Threat Intelligence; Continuous Monitoring; AI/ML (Artificial Intelligence and Machine Learning); Behavioral Analysis; UEBA (User and Entity Behavior Analytics); SDP (Software-Defined Perimeter); Zero-Trust Architecture; Threat Hunting; Network Forensics

Vulnerability Management and Assessment
  • Foundational: Vulnerability Scanning; Apply Patches and Updates; Security Logging and Monitoring Controls; Software and Firmware Security Standards; Conduct Regular Security Assessments; WAF (Use Web Application Firewall); Network Security Controls (Firewalls/VPNs/Proxy Servers)
  • Advanced: Threat Intelligence Feeds; Security Testing and Red Teaming Exercises; Application Security Testing Tools; SIEM (Security Information and Event Management); NTA (Network Traffic Analysis); FIM (File Integrity Monitoring); IDS/IPS (Intrusion Detection/Prevention Systems); Implementing DevSecOps; NDR (Network Detect and Respond); SBOM (Software Bill of Materials); SOAR (Security Orchestration, Automation, and Response)
  • Elite: Advanced Threat Intelligence; Continuous Monitoring; AI/ML (Artificial Intelligence and Machine Learning); Behavioral Analysis; Network Forensics; Threat Hunting; UEBA (User and Entity Behavior Analytics)

Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.
  • Foundational: Network Segmentation in the DMZ; Network Security Controls (Firewalls/VPNs/Proxy Servers); Secure Remote Access; RBAC (Role-Based Access Control)
  • Advanced: Network Segmentation; NAC (Network Access Control); IDS/IPS (Intrusion Detection and Prevention Systems); SOAR; Network Detect and Respond (NDR)
  • Elite: Software-Defined Perimeter (SDP); Zero-Trust Architecture; Network Forensics; Continuous Monitoring

Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Foundational: Security Logging and Monitoring Controls; Use Web Application Firewall (WAF); Network Security Controls (Firewalls/VPNs/Proxy Servers); Network Segmentation in the DMZ; Enabling Host-Based Firewalls; Secure Remote Access
  • Advanced: SIEM (Security Information and Event Management); Network Traffic Analysis (NTA); APT Detection and Response; EDR (Endpoint Detection and Response); IDS/IPS (Intrusion Detection and Prevention Systems); Network Detect and Respond (NDR); SOAR; Network Segmentation; NAC (Network Access Control)
  • Elite: Continuous Monitoring; Network Forensics; UEBA (User and Entity Behavior Analytics); Threat Hunting; Advanced Threat Intelligence; Zero-Trust Architecture

Implement Secure Logging Collection and Storage Practices. Learn more about logging best practices by referencing CISA’s Logging Made Easy resources.
  • Foundational: Security Logging and Monitoring Controls; Network Security Controls (Firewalls/VPNs/Proxy Servers); Implement Security Policies; Conduct Regular Security Assessments; Role-Based Access Control
  • Advanced: SIEM (Security Information and Event Management); Network Traffic Analysis (NTA); APT Detection and Response; File Integrity Monitoring; IDS/IPS (Intrusion Detection/Prevention Systems); SOAR; Network Detect and Respond (NDR)
  • Elite: Continuous Monitoring; Network Forensics; UEBA (User and Entity Behavior Analytics); Threat Hunting

Disable unused ports.
  • Foundational: Network Security Controls (Firewalls/VPNs/Proxy Servers); Enabling Host-Based Firewalls; Secure Remote Access
  • Advanced: IDS/IPS (Intrusion Detection and Prevention Systems); NAC (Network Access Control); Network Detect and Respond (NDR)
  • Elite: Continuous Monitoring; Network Forensics; Software-Defined Perimeter (SDP); Zero-Trust Architecture

Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Foundational: 2FA (Two-Factor Authentication); Secure Remote Access; Implement Security Policies; RBAC (Role-Based Access Control); Email Authentication Protocols; Anti-Phishing Software
  • Advanced: MFA (Multifactor Authentication); IAM (Identity and Access Management); PAM (Privileged Access Management); NAC (Network Access Control); SOAR (Security Orchestration, Automation, and Response)
  • Elite: Biometric-Based Authentication; UEBA (User and Entity Behavior Analytics); Advanced Phishing-Aware Web Browsers; Zero-Trust Architecture

CISOs and cybersecurity teams can efficiently map CISA's mitigation recommendations to the specific controls identified by RDI, and then assess those controls to identify gaps and areas for improvement.

By identifying a core set of controls that apply to CISA’s mitigation recommendations, and then layering the complementary controls identified by RDI (see table below), organizations can define a more complete defense strategy. This approach ensures multiple layers of security are in place, helping to mitigate risks from various angles and strengthening the security posture of your organization against diverse threats.

MITRE ATT&CK T1190 (complementary RDI controls, by RDI Family)
  • Foundational: Use Web Application Firewall; Security Logging and Monitoring Controls; Vulnerability Scanning; Software and Firmware Security Standards; Web Filtering; Browser Extensions; Anti-Virus and Anti-Malware Software; Apply Patches and Updates; Network Segmentation in the DMZ; Security Awareness; Use Security Software on Mobile Devices; Enabling Host-Based Firewalls; Implementing DNS Security; 2FA (Two-Factor Authentication); Network Security Controls (Firewalls/VPNs/Proxy Servers); Secure Communications/Secure Protocols/Secure File Transfer Protocols; Implement Security Policies
  • Advanced: Threat Intelligence Feeds; SIEM; Network Traffic Analysis (NTA); APT Detection and Response; Application Security Testing Tools; MFA; EDR; Application Whitelisting; Network Sandboxing; IDS/IPS; Browser Isolation or Virtual Browser Solutions; NAC (Network Access Control); SOAR; Network Segmentation; Runtime Application Self-Protection (RASP); Implementing DevSecOps; Deception Techniques
  • Elite: Advanced Threat Intelligence; Continuous Monitoring; AI/ML; Behavioral Analysis; Memory-Based Analysis; UEBA (User and Entity Behavior Analytics); Software-Defined Perimeter (SDP); Zero-Trust Architecture; Quantum-Resistant Security; Threat Hunting; Blockchain for Security; Biometric-Based Authentication

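
As an added example (not part of the original article or the RDI framework itself), the following Python script applies the approach described above to a subset of the T1190 mapping table: it finds the core controls shared across several CISA mitigations, lists the gaps for a given set of implemented controls, and ranks the missing controls by how many mitigations each one closes. The mitigation labels are abbreviated, the set of implemented controls is a constructed sample, and treating the Foundational tier as the first layer to fill is this example's own assumption; the same functions work unchanged on the T1566 table.

```python
from collections import Counter

F, A, E = "Foundational", "Advanced", "Elite"
FAMILY_RANK = {F: 0, A: 1, E: 2}   # assumption: fill the Foundational tier first

# Subset of the article's T1190 mapping table (mitigation labels abbreviated,
# control names as printed in the table, one spelling per control).
T1190 = {
    "Keep all operating systems, software, and firmware up to date": {
        "Apply Patches and Updates": F, "Vulnerability Scanning": F,
        "Security Logging and Monitoring Controls": F,
        "Software and Firmware Security Standards": F,
        "Application Security Testing Tools": A, "Network Detect and Respond (NDR)": A,
        "SOAR": A, "SIEM": A, "APT Detection and Response": A,
        "Advanced Threat Intelligence": E, "Continuous Monitoring": E,
        "Network Forensics": E, "Threat Hunting": E, "Zero-Trust Architecture": E,
    },
    "Segment networks to prevent the spread of ransomware": {
        "Network Segmentation in the DMZ": F,
        "Network Security Controls (Firewalls/VPNs/Proxy Servers)": F,
        "Secure Remote Access": F, "RBAC (Role-Based Access Control)": F,
        "Network Segmentation": A, "NAC (Network Access Control)": A, "IDS/IPS": A,
        "SOAR": A, "Network Detect and Respond (NDR)": A,
        "Software-Defined Perimeter (SDP)": E, "Zero-Trust Architecture": E,
        "Network Forensics": E, "Continuous Monitoring": E,
    },
    "Disable unused ports": {
        "Network Security Controls (Firewalls/VPNs/Proxy Servers)": F,
        "Enabling Host-Based Firewalls": F, "Secure Remote Access": F,
        "IDS/IPS": A, "NAC (Network Access Control)": A,
        "Network Detect and Respond (NDR)": A,
        "Continuous Monitoring": E, "Network Forensics": E,
        "Software-Defined Perimeter (SDP)": E, "Zero-Trust Architecture": E,
    },
}


def core_controls(mapping, min_hits=2):
    """Controls listed under at least `min_hits` mitigations: the shared core set
    the article says to identify before layering complementary controls."""
    hits = Counter(c for ctrls in mapping.values() for c in ctrls)
    return sorted((c for c, n in hits.items() if n >= min_hits),
                  key=lambda c: (-hits[c], c))


def gap_report(mapping, implemented):
    """For each mitigation, the controls not yet in place, lowest tier first."""
    return {m: sorted((c for c in ctrls if c not in implemented),
                      key=lambda c: (FAMILY_RANK[ctrls[c]], c))
            for m, ctrls in mapping.items()}


def prioritized_gaps(mapping, implemented):
    """Missing controls ranked by how many mitigations each one serves (ties broken
    by tier, then name), so one deployment closes several gaps at once."""
    hits, family = Counter(), {}
    for ctrls in mapping.values():
        for c, f in ctrls.items():
            if c not in implemented:
                hits[c] += 1
                family[c] = f
    return sorted(hits, key=lambda c: (-hits[c], FAMILY_RANK[family[c]], c))


if __name__ == "__main__":
    # Constructed sample of what an organization already has in place.
    in_place = {"Apply Patches and Updates", "SIEM", "IDS/IPS", "Secure Remote Access",
                "Network Security Controls (Firewalls/VPNs/Proxy Servers)"}
    print("Core controls (all 3 mitigations):", core_controls(T1190, 3))
    for mitigation, missing in gap_report(T1190, in_place).items():
        print(f"{mitigation}: {len(missing)} missing, first: {missing[0]}")
    print("Deploy next:", prioritized_gaps(T1190, in_place)[:3])
```
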
Mapping MITRE ATT&CK T1566 to RDI Controls

Phishing (T1566) involves sending emails with malicious attachments or links to execute code on victim systems; it can also occur via third-party services such as social media. Social engineering techniques, such as posing as a trusted source, are commonly employed. Adversaries use phishing to gain access to victim systems through electronically delivered social engineering, which can be targeted (spearphishing) or non-targeted (mass malware spam campaigns).

The matrix below presents a mapping between CISA's mitigation recommendations for MITRE ATT&CK technique T1566 and RDI's controls designed to detect and mitigate attacks leveraging T1566 as an attack vector.

CISA Mitigation / RDI Control / RDI Family

Require phishing-resistant multifactor authentication for administrator accounts and require standard MFA for all services to the extent possible (particularly for webmail, virtual private networks, and accounts that access critical systems).
  • Foundational: 2FA (Two-Factor Authentication); Secure Remote Access; Implement Security Policies; RBAC (Role-Based Access Control)
  • Advanced: MFA (Multi-Factor Authentication); IAM (Identity and Access Management); PAM (Privileged Access Management); NAC (Network Access Control); SOAR (Security Orchestration, Automation, and Response)
  • Elite: Biometric-Based Authentication; Zero-Trust Architecture; Advanced Phishing-Aware Web Browsers

Implement and enforce email security policies.
  • Foundational: Email Authentication Protocols; Anti-Phishing Software; Spam Filters/Email Content Filtering; Phishing Incident Response Plan
  • Advanced: URL Reputation; Email Encryption; Browser Isolation or Virtual Browser Solutions
  • Elite: Advanced Phishing-Aware Web Browsers; Behavioral Biometrics; UEBA (User and Entity Behavior Analytics)

Disable macros by default.
  • Foundational: Anti-Phishing Software; Spam Filters/Email Content Filtering; Security Awareness
  • Advanced: Application Whitelisting; Browser Isolation or Virtual Browser Solutions

Disable hyperlinks in received emails.
  • Foundational: Spam Filters/Email Content Filtering; Anti-Phishing Software; Email Authentication Protocols
  • Advanced: URL Reputation; Browser Isolation or Virtual Browser Solutions; Deception Techniques
  • Elite: Advanced Phishing-Aware Web Browsers; UEBA (User and Entity Behavior Analytics); Threat Hunting

Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Foundational: RBAC (Role-Based Access Control); Security Logging and Monitoring Controls; Implement Security Policies; Conduct Regular Security Assessments
  • Advanced: IAM (Identity and Access Management); PAM (Privileged Access Management); SIEM (Security Information and Event Management); NAC (Network Access Control); SOAR (Security Orchestration, Automation, and Response)
  • Elite: UEBA (User and Entity Behavior Analytics); Zero-Trust Architecture; Continuous Monitoring

Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.
  • Foundational: Implement Security Policies; RBAC (Role-Based Access Control); Security Awareness; 2FA (Two-Factor Authentication)
  • Advanced: IAM (Identity and Access Management); PAM (Privileged Access Management); MFA (Multi-Factor Authentication); SIEM (Security Information and Event Management)
  • Elite: Biometric-Based Authentication; Zero-Trust Architecture; UEBA (User and Entity Behavior Analytics)

Install, regularly update, and enable real-time detection for antivirus software on all hosts.
  • Foundational: Anti-Virus and Anti-Malware Software; Security Logging and Monitoring Controls; Apply Patches and Updates
  • Advanced: EDR (Endpoint Detection and Response); SIEM (Security Information and Event Management); File Integrity Monitoring; Network Detect and Respond (NDR)
  • Elite: Continuous Monitoring; Network Forensics; Threat Hunting

Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.
  • Foundational: 2FA (Two-Factor Authentication); Secure Remote Access; Implement Security Policies; RBAC (Role-Based Access Control); Email Authentication Protocols; Anti-Phishing Software
  • Advanced: MFA (Multifactor Authentication); IAM (Identity and Access Management); PAM (Privileged Access Management); NAC (Network Access Control); SOAR (Security Orchestration, Automation, and Response)
  • Elite: Biometric-Based Authentication; UEBA (User and Entity Behavior Analytics); Advanced Phishing-Aware Web Browsers; Zero-Trust Architecture

As mentioned previously, RDI goes a step further by providing a broader range of controls beyond those mentioned in the CISA advisory, offering a more comprehensive view of detection and mitigation strategies against such attacks:

MITRE ATT&CK T1566 (complementary RDI controls, by RDI Family)
  • Foundational: Security Logging and Monitoring Controls; Vulnerability Scanning; Email Authentication Protocols; Monitoring of Social Media and Other Platforms; Software and Firmware Security Standards; Browser Extensions; Anti-Virus and Anti-Malware Software; Security Awareness; Use Security Software on Mobile Devices; 2FA (Two-Factor Authentication); Secure Remote Access; Network Security Controls (Firewalls/VPNs/Proxy Servers); Anti-Phishing Software; Spam Filters/Email Content Filtering; Implement Security Policies; Phishing Incident Response Plan
  • Advanced: Use Threat Intelligence Feeds; SIEM; Use Network Traffic Analysis (NTA); URL Reputation; MFA; EDR; Use Network Sandboxing; Use IDS/IPS; Browser Isolation or Virtual Browser Solutions; SOAR; Deception Techniques; Email Encryption; PAM; DLP
  • Elite: Advanced Threat Intelligence; Continuous Monitoring; AI/ML; Behavioral Analysis; Memory-Based Analysis; Network Forensics; UEBA (User and Entity Behavior Analytics); Behavioral Biometrics; Software-Defined Perimeter (SDP); Zero-Trust Architecture; Quantum-Resistant Security; Threat Hunting; Blockchain for Security; Advanced Phishing-Aware Web Browsers

Conclusion

By using both RDI and CISA's advisory together, you can design a cybersecurity strategy for protecting against ransomware threats that leverage MITRE ATT&CK techniques such as T1190 and T1566. By adopting these best practices, organizations can improve their detection and mitigation capabilities against ransomware attacks.

The RDI framework is effective due to its comprehensive nature. It identifies direct controls recommended by authorities like CISA and includes a range of complementary controls. This ensures a strong defense-in-depth strategy, enabling organizations to improve their cybersecurity measures against various threats, including sophisticated ransomware attacks. By integrating both direct and complementary controls, RDI helps build a more resilient cybersecurity infrastructure.