In today’s hyper-connected world, it’s nearly impossible to avoid the current news cycle. Because of this, you’re probably well aware of the current situation between the United States and Iran. What you may not be aware of is that there often comes a heightened need for cyber threat diligence during times of international tension. Let’s take a look at why that is.
As humans continue to interact with technology at a growing rate, we continue to find ways to leverage technology as a tool to aid us in our motivations. Unfortunately, this also includes the motivations of those that have agendas against us.
As a result, dangerous cyber threats and intelligence gathering have also become more prominent and effective. Iranian actors are no exception. According to the Department of Homeland Security, Iranian cyber threat actors are constantly improving their offensive tactics. Because of this—and the recent tensions between the United States and Iranian governments—an increase in cyber-related activity aimed at U.S. citizens is expected.
Knowing all this, we want to help make you aware of the types of attacks that we’ll likely see more of and the steps you can take to reduce the chance of your company being impacted by one of these attacks.
What Cyber Threats to Expect
Website Defacement
As the name suggests, attackers attempt to gain unauthorized access to web properties in order to alter their design and copy. While these attacks don’t typically pose overt security risks, they’re often used to send a message—which makes them unsettling.
There have already been reports of government sites defaced by what appears to be Iranian attackers.
Distributed Denial of Service (DDoS) Attacks
DDoS attacks also impact websites, as well as online services. Effectively, these attacks bog down servers with extreme amounts of traffic and activity until they can no longer accommodate the level of traffic and become unusable. These attacks are frequently paired with threats or ransom requests and use the nonfunctioning site as leverage.
These types of cyber threats are typically very disruptive, and Iran has proven they are capable of executing them.
Personally Identifiable Information (PII) Theft
Any information that can be used to identify you is personally identifiable information (PII). Social Security numbers, bank account information, email addresses, and more are all examples of PII.
If attackers can string enough of your PII together, they can steal your identity with little friction. Imagine if someone had your driver’s license number, social security number, and address. That’s enough to open a line of credit under your name, or worse.
In order to facilitate travel, fund efforts, and more, attackers often use fake identification—which is fairly easy to forge as long as the information is available to them. So, stealing PII is a common tactic employed by nation-motivated attackers.
Wiper Malware
Slightly different from a DDoS attack or a typical ransomware attack, wiper malware isn’t intended to encrypt (lock up) information in exchange for something in return. It’s intended to completely wipe the information that exists within files or a hard drive on a computer—making it nearly impossible to recover.
Attackers are looking to do much more than just steal money or data with attacks like this. They typically very quickly escalate from account compromise to data loss to complete network loss.
Cyber-Enabled Kinetic Attacks
A cyber-kinetic attack relies on vulnerable information systems and/or processes to cause physical harm to others. All of this stems from connecting physical objects to the internet. Because these devices are remotely controlled, managed, and monitored, they’re just as vulnerable as any device.
Cyber-Physical Systems (CPSes) and Internet of Things (IoT) devices are woven into our everyday lives. Many of the vehicles we drive to work every day are now internet-connected. Utilities like water and power plants rely on CPSes. The risk is that, if the wrong hands gain access, they could cause severe physical harm or even death.
Cyber-kinetic attacks are the most threatening when you consider the damage an attacker with nation-loyal motivations could inflict.
What to Do About It
As information security consultants, we try our best not to use scare tactics. Instead, we focus on facts. Unfortunately, with tensions mounting between the two countries and proof that Iranian actors are more than capable of employing some of these attack vectors, the evidence says American businesses need to be ready for when these attempts are made.
Employee Awareness
As we mentioned before, many cyberattacks begin with phishing attempts, password spraying, credential stuffing, and social engineering. Send out a reminder to your employees about how to detect a phishing or social engineering attempt, and make clear that if they think they may have been the victim of a phishing attack, they should report it immediately.
Being secure as a company starts with ensuring all of your employees understand the importance of information security and work diligently to protect the information entrusted to them.
Patch Your Systems
Most systems vulnerable to cyberattacks are those that do not have the latest system and security patches applied. We’re used to updating things constantly now. Phones tell you when apps need updating. You likely have automatic updates turned on for your work laptop.
Developers constantly find bugs in systems and software and push updates to fix those vulnerabilities. It’s important to consistently—or, even better, automatically—update and patch your business systems and devices.
Monitor Logs
Logging and alerting are effective practices across numerous information security measures and are particularly important for incident detection and response. Logging allows us to understand what events are occurring in our environment, and alerting tells us about the potentially problematic events.
Review your system monitoring and logging capabilities and enhance monitoring if necessary. Where possible, monitor and log all network activity, administrative actions, abnormal system events, changes to user access permissions (especially elevating privileges), all successful and unsuccessful login attempts, and all user actions (e.g., creating a file, renaming a file, opening an application) that occur within your environment.
With that data in hand, you can quickly and efficiently investigate suspicious activity and decide whether action is needed to prevent damage or stop it from spreading.
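The login logging described above is only useful if someone looks at it. As an added example (not code from the original post), the script below parses constructed sshd-style auth log lines and flags a password-spraying pattern (one source IP failing against many different usernames in a short window) plus any successful login from that same source afterwards; the window and threshold values are assumptions you would tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth log sample (not taken from any real system).
SAMPLE_LOG = """\
Jan 10 03:14:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 10 03:14:02 web1 sshd[4023]: Failed password for alice from 203.0.113.7 port 51023 ssh2
Jan 10 03:14:03 web1 sshd[4025]: Failed password for bob from 203.0.113.7 port 51024 ssh2
Jan 10 03:14:04 web1 sshd[4027]: Failed password for carol from 203.0.113.7 port 51025 ssh2
Jan 10 03:14:05 web1 sshd[4029]: Failed password for dave from 203.0.113.7 port 51026 ssh2
Jan 10 03:14:09 web1 sshd[4031]: Accepted password for dave from 203.0.113.7 port 51027 ssh2
Jan 10 03:20:11 web1 sshd[4101]: Failed password for alice from 198.51.100.20 port 40100 ssh2
Jan 10 03:20:40 web1 sshd[4103]: Accepted publickey for alice from 198.51.100.20 port 40101 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse(log_text, year=2020):
    """Return (timestamp, source_ip, username, success) tuples; syslog lines carry no year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events

def detect(events, window_s=300, user_threshold=4):
    """Flag an IP once it has failed against >= user_threshold distinct users inside
    window_s seconds, and flag every successful login from a flagged IP (assumed thresholds)."""
    findings = []
    fails = defaultdict(list)   # ip -> [(timestamp, username)] of failures
    sprayers = set()
    for ts, ip, user, ok in sorted(events):
        if not ok:
            fails[ip].append((ts, user))
            recent = {u for t, u in fails[ip] if (ts - t).total_seconds() <= window_s}
            if len(recent) >= user_threshold and ip not in sprayers:
                sprayers.add(ip)
                findings.append(("password_spray", ip, len(recent)))
        elif ip in sprayers:
            findings.append(("success_after_spray", ip, user))
    return findings
```

A single failed login from an IP (the second source in the sample) produces no finding, so ordinary typos do not page anyone.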
Vulnerability Scans
Vulnerability scans allow your business to find and fix vulnerabilities before a potential attacker does.
Perform vulnerability scans on your internal and external (internet-facing) environments to identify systems that are vulnerable to cyber threats. If any are, remediate the vulnerabilities appropriately.
A Vetted Incident Response Plan
Incident response and disaster recovery plans are necessary in our industry. Knowing these threats are out there, we need to be prepared for them. The business needs to know who will be involved, what activities each person will be responsible for, what kinds of backups are needed (technology, physical locations), and which outside parties we might need to enlist for help to get back up and running as soon as possible.
The last thing we want to do is wait until something happens. Prepare the plan preemptively, and test it consistently to make sure it works the way it needs to.
Summary
According to the Department of Homeland Security, Iranian cyber threat actors are constantly improving their offensive tactics. Because of this, combined with the recent tensions between the United States and Iranian governments, an increase in cyber threats aimed at U.S. citizens is expected.
As a US-based organization, if we know what kinds of cyber threats are plausible to stem from the tension and understand some of the defense tactics we can employ, we’ll be better prepared to defend against the threats and protect our information and, ultimately, the people behind it.
For additional information on the current situation with Iran, US-CERT has released the following alert: AA20-006A: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad