The current conflict between the United States and Iran has created obvious reasons for concern. News outlets and social media have been using phrases such as “escalating,” “de-escalating,” “conflict,” “war,” and so on interchangeably. However, one term appears in most reports: “Cyberwar.” While I am not a fan of this term, it is applicable here. Whether or not the media outlets understand what “Cyberwar” means, the term lends legitimacy to the importance of the internet, networks, and computers to countries, businesses, and critical infrastructure. Let’s be honest – a disruption to these technologies and infrastructures impacts all of us. This concern has grown to the level that the Department of Homeland Security (DHS) has issued Alert AA20-006A.

All information security programs should perform some level of threat modeling to understand and defend against their most pressing threats. If you store, process, or transmit credit card data, your concerns should focus on attackers from Eastern Europe (Russia), as this is where the majority of card-related financial fraud is reported to originate. If your organization is a cleared contractor, designs technology, or is part of the supply chain for advanced technologies, your concern would be nation states such as China that look to obtain intellectual property for a competitive advantage against the United States. However, Iran does not fall into either of these categories.

Iran likely has little to no interest in payment information or intellectual property in relation to “Cyberwar” in this current conflict. My opinion is that their objectives are actually a bit more concerning. Iran likely does not have a favorable opinion of the United States after our “alleged” involvement in Stuxnet, which significantly impacted their ability to enrich uranium. As the missile attacks demonstrated, they want their attacks to be obvious and noticed. They have also demonstrated their desire and capability for large, public disruptions in the past with attacks such as the one on Saudi Aramco in 2012, which was reported to have disabled 30,000 computers at one of the largest oil companies in the world.

Most companies need to be concerned about the current conflict with Iran from a “Cyberwar” perspective. However, there are certain attacks that I feel are more likely from Iran or others on their behalf. They include, but are not limited to:

  • DDoS attacks
  • Website defacements
  • Espionage for political gain
  • Disrupting industrial control systems (ICS) that are part of the critical infrastructure (power, water, propane, etc.)

6 Steps to a More Secure Environment

Whether or not your threat modeling exercises include Iran as a direct adversary, use this concern to prepare. Here are six steps you can take today to provide your organization with a more secure environment:

  1. Ensure that you either have or can quickly provision protections against DDoS attacks. Most organizations do not keep these protections on premise and choose to rely on external parties for this protection (ISPs, upstream providers, Cloudflare, Akamai, etc.). If you are unaware of whether these protections are available to you, now is the time to consider your capabilities and plan accordingly.
  2. From a propaganda perspective, the United States will be targeted for website defacements. There have already been reports of this activity. Ensure that your web applications, and their associated platforms, are fully patched against known security issues. In addition, web application assessments are strongly suggested to identify any other security issues.
  3. Ensure that security patching is consistent for internal workstations and servers.
  4. Ensure proper segmentation between your production and business networks exists to segregate any networks that contain industrial control systems (ICS).
  5. Perform external penetration tests to understand your security risks from attackers on the internet.
  6. Conduct social engineering tests with a focus on phishing emails that are designed to capture user credentials. Also, ensure that multi-factor authentication (MFA) is deployed on all external entry points (cloud, Office 365, VPN, etc.).


Creating a Strong Line of Defense

The most effective way to prepare for a cyberattack is through tabletop exercises. If any of the above concerns were to occur, how would you respond? While many feel their policies and procedures are adequate, they will not know until they test them. This type of exercise could even be elevated to an actual adversary simulation that demonstrates the methods used by Iranian hacker groups. The MITRE ATT&CK framework has playbooks that are specific to the methods used by Iranian hacker groups. In addition, the Department of Homeland Security (DHS) has issued Alert AA20-006A, which outlines their methods in detail.

The current conflict between the United States and Iran presents an opportunity to make sure you have the appropriate controls in place to protect your organization from cyber threats. Whether we are in a cyberwar or not, now is the time to ensure you have a strong line of defense from a cybersecurity perspective.

Bill Dean is a Shareholder and service line leader in LBMC’s Information Security’s incident response, digital forensics, electronic discovery and litigation support service lines. He can be reached at bdean@lbmc.com.
