On 03 Jan 2020, the United States conducted a targeted killing of Major General Qasem Soleimani, commander of the elite Quds force of the Islamic Revolutionary Guard Corps of Iran. The massive outpouring of public grief for Soleimani in Iran was followed by a retaliatory rocket strike mounted by Iran on the Al-Asad airbase in Iraq. But as of the date of this publication, many analysts see the situation as de-escalating in intensity. The possibility of Iran and the US engaging in an all-out “hot conflict” is becoming increasingly unlikely.
So what’s the status of the cyber threat posed by Iran? Increased or decreased, along with the physical “bomb and bullet” threat? Ultimately, the precise future in such a highly volatile situation is anyone’s guess. Still, there are useful precedents that can assist when we consider how this will unfold in the near-term future.
We could spend a lifetime studying the difference between symmetric and asymmetric warfare, but for this blog: Symmetric warfare is a style of conflict in which combatants are roughly equal in terms of raw military capability―think the Allies versus the Axis powers in World War Two. In contrast, asymmetric warfare is characterized by the involvement of combatants who have drastically uneven capabilities in terms of military power, leading to the use of unconventional tactics described by terms such as guerrilla warfare, terrorism, and proxy war activity.
Cyber warfare, defined here as one opponent having some effect on another’s computer networks, is employed in both symmetric and asymmetric warfare. But it’s most commonly associated with the field of asymmetric warfare, principally because of the high level of deniability the cyber operations have.
Symmetric warfare seems to be off the table for both the US and Iran; neither seems to have the appetite for another hot war in the Middle East region. This now puts asymmetric warfare and all its cyber options firmly on the table as a mechanism to strike and influence the opponent. One of the critical objectives of almost any asymmetric warfare campaign is to influence the behavior of a state through methods that target the views and outlook of that state’s population. For example, the US public’s withdrawal of popular consent for the Vietnam war is widely acknowledged to have directly led to a withdrawal of US forces from the country.
Within a cyber context, this facet of asymmetric warfare is dangerous, as the industrial sector of a state’s economy often dwells within the civilian sector of the country’s population. Shown below is a graphical model of how symmetric and asymmetric warfare work and the role that the civilian sector can play within this dynamic.
Of course, on the ground, the situation is somewhat different from the simplistic model shown above. More precisely, the US conforms to the State A model shown above (its industrial complex primarily nested within the civilian population and the democratic system dictating who is in power). The Iranian state, however, does not follow this model. Within Iran, industry is under state control, and the autocratic political model does not require popular consent to govern. This gives Iran an edge over the US in terms of asymmetric warfare and influence, and particularly in terms of the cyber warfare approach―owing to the high level of deniability attached to it.
In superficial terms at least, the current absence of overt conflict between the US and Iran implies an increased risk of Iranian cyber-attacks on the US private sector. A future threat narrative (albeit a simplistic one) could go something like this: Iran, not wishing to engage in a potentially devastating war with the US, engages in a protracted cyber campaign targeting the US economy.
One important aspect to remember when considering the cyber threat posed by Iran is that cyber power differs in form and function for each state that wields it. For example, the cyber power of the People’s Republic of China (PRC) is more focused on achieving espionage-based objectives. In contrast, the Democratic People’s Republic of Korea (DPRK) appears to be more focused on raising funds to feed the black economy of North Korea.
Iran’s cyber power has evolved rapidly: from an initial flurry of patriotic hacktivism directed at the US banking sector in the wake of the Stuxnet incident in 2010, to the destructive attacks by the Shamoon malware on Saudi Aramco in 2012, to a shift to more clandestine intelligence-gathering operations heralded by the creative Newscaster campaigns. Over this period the capability has moved from enthusiastic but amateurish pro-Iranian civilian hackers to more formalized elements of the Iranian military driving its form. While Iran certainly has the appetite and capacity to conduct destructive cyber attacks against its opponents, it could be argued that it gains more tangible benefits from cyber espionage operations than from the transient effects of spectacular destructive cyber-attacks.
This separation of destructive attacks versus more conventional espionage operations is essential when considering the broader geostrategic context of the issue. Soleimani’s killing was very public, and Iran has to be seen to mount a continuing response to the assassination. If their response is destructive cyber attacks, this will stand in sharp contrast to Iran’s currently favored cyber capabilities, which seem at the moment to be more focused on espionage, a practice that, by default, aims to be unseen by all.
An additional point to consider when gauging a state’s overall cyber power capability is how vulnerable a state’s infrastructure is to retaliatory cyber attacks. Just as in the case of the PRC and DPRK, Iran’s cyber vulnerability probably outweighs its ability to conduct an offensive cyber warfare operation. Given that the US likely has one of the most advanced cyber warfare capabilities in the world, and that deniability is a factor of asymmetric warfare that cuts both ways, Iran faces a difficult choice when considering the option of destructive cyber attacks on the US.
This boils down to the assessment that warnings of an increased cyber threat from Iran should be caveated. If Iran engaged in offensive cyber operations against the US, this would be both a significant departure from the campaigns it has recently conducted and would open the country up to potentially devastating retaliation from the US.
Shown below is a SWOT (strengths, weaknesses, opportunities, and threats) analysis of the possibility of an Iranian cyber attack on US civilian infrastructure.
So far, we’ve looked at two modes of conflict and sought to understand how cyber warfare activity sits within one of these modes. Of course, in reality, state policy is not so simplistic; there’s always the option of combining symmetric and asymmetric warfare (dubbed hybrid warfare) and opening multiple modes of conflict simultaneously.
A recent example is Russia’s activity in Ukraine that has combined multiple interlocking strands of symmetric and asymmetric warfare into one unified effort to control the region. Iran will most likely pursue this course of action, and Soleimani was a master of this style of warfare. Within this context, Iran’s cyber capability will probably receive a boost in terms of funding and human resources, but will likely remain within its traditional boundaries as another espionage capability within the broader portfolio of asymmetric capabilities fielded by Iran.
Returning briefly to the broader geopolitical context, let’s take a step back from the recent rhetoric that has surrounded the incident and attempt to place the events in the broader context of US/Iranian relationships.
Soleimani was a uniformed combatant deeply involved in clandestine warfare operations for decades, and the manner of his death can’t have come as a big surprise to his chain of command in Tehran. “Live by the sword, die by the sword” is a common sentiment for people involved in this kind of work. Conversely, US service personnel in Iraq have been killed in large numbers by explosives originating from Iran since the initial invasion in 2003. Notably, the rocket attack on the Al-Asad air base caused no casualties. From a soldier’s perspective, it’s just another day in Iraq.
Taking this view of the event, the Soleimani killing and Iran’s response may be nothing more than another comparatively small move in the long game the US and Iran have been playing for decades. For the cyber threat, this could imply various outcomes, one of which is―quite possibly―no change at all in the cyber risk. So then how do we evaluate the cyber threat from Iran?
An important point to note is that cyber operations have been perpetrated both by and against Iran for several years, and even without the Soleimani incident, these operations would have continued regardless. The question this piece set out to consider is whether the Soleimani incident will change the form and objective of Iranian cyber power.
The key to assessing these questions is to understand what a winning state looks like for each side of the conflict. For Iran, the position would appear to be as it has been since 2003: Make the US’s position in the Middle East as weak as possible while amplifying Iranian regional power as much as possible.
The US position seems more opaque; a shadow conflict between the two countries has been running since at least 1979. However, this does mark a very public escalation of the conflict.
How does cyber power projection potentially play into each of these strategies?
The exact details remain to be seen; however, viewing developments in the situation through the lens of symmetric and asymmetric warfare theory, although abstract, has the potential to inform the dynamics that underpin the conflict.
Practical Advice around Iranian Cyber Threats: https://www.reliaquest.com/blog/iranian-cyber-threats-practical-advice-for-security-professionals/
Iranian APT Groups’ Tradecraft Styles: https://www.reliaquest.com/blog/iranian-apt-groups-tradecraft-styles-using-mitre-attck-and-the-asd-essential-8/
Iran and Soleimani: Monitoring the Situation: https://www.reliaquest.com/blog/iran-and-soleimani-monitoring-the-situation/