With heightened tensions and vowed threats of “revenge” from Iran, the CISA released insights into the potential for cyber and physical attacks against the United States. In a previous blog, Director of Cyber Operations, Dr. Wesley McGrew, discussed the potential for Iranian retaliation in the form of denial and disruption cyberattacks. However, the purpose of this post is to summarize the CISA’s insights around potential targets, best practices, and protective actions.
Iranian Threat Profile and Activity
Recent tensions between Iran and the U.S. have prompted Iran to vow retaliation against the U.S. and its global interests. The CISA notes that “Iran has exercised increasingly sophisticated capabilities to suppress social and political perspectives deemed dangerous to its regime and to target regional and international adversaries.” It is known that Iran has a history of using cyber tactics to advance its national interests. These tactics include, but are not limited to:
- Disruptive and destructive cyber operations (see McGrew’s blog, here) against strategic targets including finance, energy, and telecommunications organizations, as well as an increased interest in industrial control systems and operational technology.
- Cyber-enabled espionage and intellectual property theft targeting a variety of industries and organizations to enable a better understanding of our strategic direction and policy-making.
- Disinformation campaigns promoting pro-Iranian narratives while pushing anti-U.S. sentiments.
With the increased likelihood of cyberattacks, we concur with the CISA that all organizations should, at a minimum, assess and strengthen basic cyber defenses.
Eleven Questions to Ask About Your Organization’s Cyber Protection
- Backups - Do we backup all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
- Incident Response – Do we have an incident response plan and have we exercised it?
- Business Continuity – Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
- Risk Analysis – Have we conducted a cybersecurity risk analysis of the organization?
- Staff Training – Have we trained staff on cybersecurity best practices?
- Account Protections – Have we implemented multi-factor authentication and are we minimizing account privileges?
- Vulnerability Scanning and Patching – Have we implemented regular scans of our networks and systems? Do we have an automated patch management program?
- Penetration Testing – Have we conducted a penetration test in the last two years? Have the findings been remediated and verified to ensure effectiveness?
- Network Traffic Monitoring – Are we monitoring the network traffic? Including the traffic crossing the boundary of critical networks, including industrial control systems?
- Application Whitelisting – Do we allow only approved programs to run on our networks?
- Ransomware – Have we conducted a ransomware preparedness exercise on our networks, such as ransomware simulation? Do we know which users pose the greatest risk to our organization if attacked by ransomware?
Things to do Today
- Implement the CISA’s Cyber Essentials - An essential actions guide for building a culture of Cyber Readiness related to yourself, your staff, your systems, your surroundings, your data, and your actions under stress.
- Prepare your organization for rapid response by adopting a state of heightened awareness - This ranges from reviewing your security and emergency preparedness plans, consuming relevant threat intelligence, minimizing coverage gaps in personnel availability, and making sure your emergency call tree is up to date.
- Increase organizational vigilance - Ensure your security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Assess your access control protocols. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures for immediate response. If you do not have internal security personnel or a way to monitor and identify anomalous behavior, consider contracting a cybersecurity operations center.
- Confirm reporting processes - Ensure your personnel know how and when to report an incident. The well-being of your workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting your cyber incidents to CISA as part of an early warning system.
- Exercise your incident response plan - Ensure your personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are your various data sources logging as expected? Make sure personnel are positioned to act in a measured, calm, and unified manner.
- Confirm offline backup - Ensure you have an offline backup of information critical to operations.
HORNE Cyber will continue to monitor the threat landscape as it relates to current geopolitical tensions and threats and update accordingly. To stay up to date, follow us on Twitter and LinkedIn and signup for our blog posts.