I recently had the opportunity to sit in on a conference call with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and got a chance to hear how they’re thinking about protecting against cyber threats after escalating tensions between the US and Iran.
I’d like to summarize what I heard and reference a few useful supporting cybersecurity guidelines.
On the call CISA made it clear that although they’ve prepared a National Cyber Awareness System Alert and a CISA Insights document specific to the increased geopolitical tensions and threats, they have not yet seen an increase in attacks from Iran.
During the call CISA talked about Iran’s history of leveraging asymmetric attacks when threatened. More recently, Iran has used offensive cyber attacks in addition to its conventional capabilities. I wrote about how we are developing all the ingredients for a cyberwar in my October ReThink article (We Are in the Midst of a Cyber Cold War).
Most of CISA’s recommendations are pragmatic defensive guidelines. They have not changed threat levels, but are recommending things like double-checking emergency call trees, enabling 2FA, confirming reporting processes and exercising organizational incident response plans.
Iranian History of Cyber Activity
Besides the guidelines, I found the open-source (publicly reported) history of Iranian offensive cyber operations really interesting. CISA notes four high-profile attacks:
- Late 2011 to Mid-2013 – DDoS Targeting U.S. Financial Sector: Seven Iranian actors over the course of two years conducted DDoS attacks against publicly facing websites of US banks.
- August/September 2013 – Unauthorized Access to Dam in New York State: IRGC gained unauthorized access to a SCADA system controlling a dam in New York State.
- February 2014 – Sands Las Vegas Corporation Hacked: In 2014 the Sands was breached and customer data was stolen including credit cards and social security numbers. In addition there was believed to be a destructive portion to the attack in which Sands systems were wiped.
- 2013 to 2017 – Cyber Theft Campaign on Behalf of IRGC: over the course of these four years IRGC was connected with breaches of 144 US universities, 176 foreign universities, and 47 different private sector companies, as well as multiple government agencies including the Department of Labor, the UN and the United Nations Children’s Fund.
In the alert CISA recommends that companies take five actions to set up better defenses. A lot of these recommendations repeat what we’ve talked about at ReThink Security, and what you’ve heard before, but I cannot stress enough that these are great recommendations for starting your cybersecurity preparedness journey.
- Disable all unnecessary ports and protocols.
- Enhance monitoring of network and email traffic.
- Patch externally facing equipment.
- Log and limit usage of PowerShell.
- Ensure backups are up to date.
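The fourth recommendation, logging PowerShell, is the one most readers will have to configure by hand. As an added example (not from the article or from CISA), this PowerShell script enables script block logging, module logging and transcription through the same registry keys that the corresponding Group Policy settings write, reports which of the three are on, and pulls recent script block events for review; the transcript directory is an assumed path.

```powershell
# Added example, not from the article or from CISA: turn on the three PowerShell
# logging sources Windows offers, verify they are on, and review recent script
# block events. Run in an elevated session. $TranscriptDir is an assumed path.
$TranscriptDir = 'C:\PSTranscripts'
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSLogging {
    # Script block logging: the de-obfuscated code of every script block
    # is written to event 4104 in Microsoft-Windows-PowerShell/Operational.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
    # Module logging for all modules ('*'): pipeline execution details, event 4103.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    New-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    # Transcription: full session text to a directory you can forward and protect.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'OutputDirectory' -Value $TranscriptDir -Type String
}

function Get-PSLoggingStatus {
    # Audit helper: is each setting currently enabled?
    $get = { param($Key, $Name) (Get-ItemProperty "$PolicyRoot\$Key" -ErrorAction SilentlyContinue).$Name -eq 1 }
    [PSCustomObject]@{
        ScriptBlockLogging = & $get 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        ModuleLogging      = & $get 'ModuleLogging'      'EnableModuleLogging'
        Transcription      = & $get 'Transcription'      'EnableTranscripting'
    }
}

function Find-SuspiciousScriptBlocks {
    # Review the last $Hours of 4104 events for download-and-execute style
    # keywords. A triage starting point to tune, not a finished detection.
    param([int]$Hours = 24)
    $pattern = (@('DownloadString', 'FromBase64String', 'Invoke-Expression', 'EncodedCommand') |
        ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(160, $_.Message.Length)) } }
}

Enable-PSLogging
Get-PSLoggingStatus
Find-SuspiciousScriptBlocks -Hours 24
```

Forward the Operational log and the transcript directory to your SIEM; logs that only live on the endpoint are the first thing an intruder clears.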
Attackers establish persistence long before they are discovered, especially nation states. Detection is a major component of a good cyber security defense. If you’re concerned that you may be a target, a good first step is to go through your systems with a fine-toothed comb. The MITRE ATT&CK framework has a list of the different ways in which adversaries may gain persistence (Persistence - MITRE ATT&CK™). Use this list to look for signs of a persistent attack. To minimize business impact, it’s important to discover and mitigate your attackers before you receive a ransomware message or detect a data breach.
- CISA INSIGHTS - Increased Geopolitical Tensions and Threats (PDF)
- Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad | CISA
- General Cybersecurity Guidelines from CISA