In the wake of the U.S. airstrike that killed Iranian Maj. Gen. Qassem Soleimani, both the United States and Iran have taken steps to de-escalate the conflict and prevent further direct military confrontation. Nevertheless, many cybersecurity experts are warning that the threat of Iranian cyber attacks remains as high as ever, and U.S. companies should remain vigilant in guarding against potential cyber attacks that could be initiated as a form of retaliation.
Iran’s History of Cyberwarfare
Ever since the Stuxnet attack on Iranian nuclear facilities in 2009, Iran has steadily expanded its cyberwarfare capabilities and activities. For example, in 2012 and 2013, Iranian hackers launched multiple attacks on U.S. banks, casinos, and even the control system of a New York river dam. More recently, nine Iranian hackers were indicted in 2018 on charges of stealing valuable intellectual property from over 320 universities, government agencies and companies. Therefore, when tensions between Iran and the United States escalated in early January, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing Iran’s history of offensive cyber operations, issued an alert detailing the potential for an Iranian cyber response.
Cyber Incident Response Plans Need The Right Platform, People, and Processes
According to the CISA alert, the threat of an Iranian cyber attack is particularly high for sectors that have previously been targeted by Iranian operations, such as financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base. However, all organizations should take steps to increase their readiness for a potential attack. According to CISA, organizations can do so by taking the following actions:
- Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.
- Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
- Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity.
- Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the access they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.
These recommendations provide a useful reminder that cyber resilience is not only about having the right technology, it’s also about having the right people and processes in place to execute your cyber incident response plan as quickly as possible.
CISA Technical Recommendations To Increase Cyber Resilience
The CISA alert also provides a list of technical recommendations that IT professionals can use to increase incident preparedness and mitigate potential vulnerabilities. When making these types of preparations, CyFIR digital security and forensic analysis solutions can add important capabilities that assist with implementing the CISA recommendations. Here’s how CyFIR solutions can help organizations implement some of the key CISA recommendations:
- Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
The CyFIR Enterprise Platform gives IT professionals complete visibility of a network environment and allows them to see if something malicious is trying to communicate with a port.
- Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms.
As a cloud-hosted managed service, CyFIR Instant Response can monitor running applications to detect potential threats that may have evaded an antivirus. When unknown processes are detected, CyFIR automatically pulls a copy for analysis within a Security Sandbox to conduct detailed testing and evaluation. When a threat is identified, CyFIR can then search throughout a network to find other instances of the malicious processes (e.g. searching email servers to find all recipients of an email phishing attack).
- Patch externally facing equipment. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.
Patching devices throughout a network environment can be made easier with tools like HCL BigFix, which integrates the capabilities of CyFIR Enterprise
- Log and limit usage of PowerShell. Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
When CyFIR is running within a network environment, it can log and alert security personnel whenever PowerShell is launched, helping identify potentially unauthorized activity.
With state-sponsored cyber attacks growing in frequency and sophistication, it is critical for organizations to keep up-to-date with the latest security practices. Moreover, the potential for nation-state attacks is another reason to invest in tools that can catch things that get past perimeter defenses.
CyFIR Cyber Risk Solutions can help organizations become cyber resilient with tools to detect and mitigate known advanced persistent threat techniques, such as credential dumping, data compression, PowerShell, scripting, user execution, registry run keys, and other threats. For spot checking critical machines, CyFIR Investigator provides organizations with by-the-hour licensing through the Amazon Web Marketplace, while CyFIR Instant Response provides three tiers of managed service for continuous monitoring and threat hunting.
With flexible and scalable pricing models, CyFIR makes sophisticated incident response and digital forensics capabilities accessible to companies of any size. Contact CyFIR today to learn more or schedule a demo.