In the days since Iranian major general Qasem Soleimani was taken out by a Reaper drone on January 3, 2020, the likelihood of a cyber-attack by Iran or one of its partners has increased markedly, a number of security experts say. While Iran has already been actively participating in attacks against the United States and other western nations, those attacks are expected to increase in intensity. In addition, the attacks will be focused on creating chaos as much as on trying to gather information.
The threat level has increased enough that the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security, has issued a series of warnings. They include discussions of the Iranian threat profile and activity, the potential for Iranian cyber response and warnings about increased focus on industrial control systems.
“We have been tracking nation state threat for a long time and it’s continued to increase,” said Drew Lydecker, president and co-founder of AVANT Communications. “Prior to this event we were predicting double digit increase. We think 2019 will be 40 percent. 2020 will be dramatically higher.”
“With the current conflicts that are happening today, the big punches could be in cyber. An easier target is the American industrial companies, which we think are the biggest risks,” he said.
First of all, understand that withstanding a full-on cyber-attack from a nation-state’s attackers is likely beyond the capabilities of most companies. The best you can do is make it inconvenient enough that they try another company, and that you protect yourself so that you can recover after it’s over.
The government’s cybersecurity experts have provided some specific recommendations to deal with today’s enhanced threat environment. They include:
· Disable all unnecessary ports and protocols. Check your logs to determine which open ports aren’t being used and close them. Then monitor all open ports for command and control activity. Turn off any protocol that’s not absolutely required.
· Enhance monitoring of network and email activity. This includes monitoring for phishing activity and restricting attachments where possible.
· Patch externally facing equipment. Don’t fall into the trap of waiting for several patch cycles because you’ll miss some zero-day vulnerability patches that attackers will use.
· Log and limit the usage of PowerShell. Turn off access for any user who doesn’t specifically require it, then log everything else.
· Ensure backups are up to date. Make sure your backups are stored in a location that’s easily reached when needed, but which is air-gapped from the production network.
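The first recommendation above, closing open ports that your logs show are not being used, can be turned into a repeatable audit. The following script is an added example, not part of the CISA guidance or the original article; it assumes a constructed `ss -tlnp`-style socket listing, a constructed inbound-connection log and an approved-service baseline, and flags listeners that saw no traffic (candidates to close) or that are not in the baseline (to investigate).

```python
import re
from collections import defaultdict

# Constructed sample: listening TCP sockets in the format printed by `ss -tlnp`.
LISTENING = """
LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:443  0.0.0.0:* users:(("nginx",pid=950,fd=6))
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:* users:(("java",pid=1201,fd=9))
LISTEN 0 5   0.0.0.0:23   0.0.0.0:* users:(("inetd",pid=400,fd=4))
"""

# Constructed sample: inbound connections (timestamp, source, destination port)
# as a firewall or flow collector might export them for the review window.
CONN_LOG = """
2020-01-06T08:01:02 203.0.113.7 22
2020-01-06T08:02:10 198.51.100.4 443
2020-01-06T08:02:11 198.51.100.4 443
2020-01-06T08:40:27 192.0.2.55 8080
2020-01-06T09:15:44 203.0.113.9 22
"""

# Hypothetical baseline: port -> process that is allowed to listen on it.
APPROVED = {22: "sshd", 443: "nginx"}

def parse_listening(text):
    """Map each listening port to the process name that owns the socket."""
    ports = {}
    for line in text.strip().splitlines():
        m = re.search(r':(\d+)\s+\S+\s+users:\(\("([^"]+)"', line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports

def parse_conn_log(text):
    """Map each destination port to the set of sources that connected to it."""
    hits = defaultdict(set)
    for line in text.strip().splitlines():
        _ts, src, port = line.split()
        hits[int(port)].add(src)
    return hits

def audit(listening, hits, approved):
    """Return ports to close (no traffic seen) and ports to investigate (off-baseline)."""
    findings = {"close": [], "investigate": []}
    for port, proc in sorted(listening.items()):
        if port not in hits:                      # open, but nobody used it
            findings["close"].append((port, proc))
        if approved.get(port) != proc:            # not in the approved baseline
            findings["investigate"].append((port, proc))
    return findings

if __name__ == "__main__":
    print(audit(parse_listening(LISTENING), parse_conn_log(CONN_LOG), APPROVED))
```

Ports that are both unused and off-baseline (here, telnet on 23) show up in both lists; a listener that is used but unapproved (here, 8080) is the one to trace back to an owner before deciding.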
The Next Steps
Once you’ve taken the steps above, then it’s time to make sure you know how to use them. This includes confirming that you can recover your data that’s been backed up, and making sure you know how to manage a cyber-attack response. In addition, you need to scan your backup to make sure it doesn’t contain malware that will simply continue the attack you’re trying to stop.
“This is a perfect time to start practicing using simulation on a cyber range in a protected environment,” said Debbie Gordon, CEO of Cloud Range Cyber. “Test all of the processes that go along with it in a simulation, you can’t just wait for an actual attack.”
Because of the limited size of security staffs, constant training is required to keep their skills current. “Product training doesn’t prepare you for a real attack,” Gordon explained. “You need constant training of all the different attack scenarios. Going back to the threat landscape, there are so many ways that an attack can happen. Training is necessary on all sorts of attack vectors.”
Chris Kennedy, CISO of AttackIQ, advises that it’s important to know exactly where your organization stands with regard to its overall security profile. “There’s a way to benchmark your business: MITRE ATT&CK.” Kennedy said that you can use the MITRE ATT&CK framework to test your own defenses.
What to Expect
A cyber-attack by Iran or one of its allies will be aimed more at destruction and chaos than the usual attack that tries to extort money or collect information. This means that you’ll see ramped up attacks against industrial control systems, for example. These systems are already seeing brute-force attacks such as password spraying, using passwords found on the dark web.
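Password spraying differs from classic brute force in a way that is visible in authentication logs: one source tries a few common passwords against many accounts, rather than many passwords against one account. The detector below is an added example, not from the article or any vendor quoted in it; it runs over constructed syslog-style failed-login lines and separates the two patterns by counting distinct usernames per source within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system): one spraying source,
# one single-account brute-force source, and one isolated failure.
AUTH_LOG = """\
2020-01-06T10:00:01 auth failed user=operator src=203.0.113.5
2020-01-06T10:00:02 auth failed user=engineer src=203.0.113.5
2020-01-06T10:00:03 auth failed user=admin src=203.0.113.5
2020-01-06T10:00:04 auth failed user=hmi src=203.0.113.5
2020-01-06T10:00:05 auth failed user=maint src=203.0.113.5
2020-01-06T10:05:00 auth failed user=alice src=198.51.100.9
2020-01-06T10:05:02 auth failed user=alice src=198.51.100.9
2020-01-06T10:05:04 auth failed user=alice src=198.51.100.9
2020-01-06T10:05:06 auth failed user=alice src=198.51.100.9
2020-01-06T10:05:08 auth failed user=alice src=198.51.100.9
2020-01-06T12:30:00 auth failed user=bob src=192.0.2.20
"""

LINE = re.compile(r"(\S+) auth failed user=(\S+) src=(\S+)")

def parse(log):
    """Yield (timestamp, user, source) for every failed-login line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def detect(log, window=timedelta(minutes=10), min_events=5, max_per_user=2.0):
    """Classify each source as password_spray, brute_force, or nothing."""
    per_src = defaultdict(list)
    for ts, user, src in parse(log):
        per_src[src].append((ts, user))
    alerts = []
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            win = [u for t, u in events[i:] if t - t0 <= window]
            if len(win) < min_events:
                continue
            users = set(win)
            if len(users) > 1 and len(win) / len(users) <= max_per_user:
                kind = "password_spray"      # many accounts, few tries each
            elif len(users) == 1:
                kind = "brute_force"         # one account, many tries
            else:
                continue
            alerts.append({"src": src, "kind": kind, "users": len(users), "attempts": len(win)})
            break                            # one alert per source is enough
    return alerts
```

Thresholds are assumptions to tune per environment; slow sprays that spread attempts over hours need a longer window, at the cost of more noise.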
Ransomware attacks will arrive with a twist. You’ll still have your data encrypted, and you may be asked for money to decrypt it, but there will be no decryption key. Your files will be permanently beyond your reach (unless you have good backups).
Social engineering will be a big part of any retaliation, if only because it’s already so effective. You can expect a new round of effective phishing emails to start appearing, along with other attacks arriving via text message and social media. The attackers have been collecting this information for a long time, and now they’ll use it in any way they can.
The CISA report also includes a series of actions to consider about your company’s physical security. Those actions include preparing for an active shooter or a bomb threat, staff training, community relationships, physical control of the workplace and inventory control of security items.
But another item of physical security that’s often overlooked is the protection of your staff, especially when they travel. We’ll cover that in detail in a companion article.
It’s important to remember that these anticipated attacks won’t necessarily come directly from Iran. Instead they’re likely to come from hackers sponsored by Iran, or from hackers working for Iran’s allies. What’s important is that you be prepared, knowing that the level of attacks is sure to increase, and that it won’t be limited just to government entities or defense contractors. The idea is to cause disruption and chaos, and that means attacking everyone they can.
“Focus on anticipation,” suggests Ghonche Alavi, senior consultant for information security for Garda. “Understand what the main threats are. It’s not possible to prepare if you don’t know what you’re preparing for.”