Solutions
Go Back

Make Security Possible

Reduce Alert Noise and False Positives

Boost your team's productivity by cutting down alert noise and false positives.

Automate Security Operations

Boost efficiency, reduce burnout, and better manage risk through automation.

Dark Web Monitoring

Online protection tuned to the need of your business.

Maximize Existing Security Investments

Improve efficiencies from existing investments in security tools.

Beyond MDR

Move your security operations beyond the limitations of MDR.

Secure with Microsoft 365 E5

Boost the power of Microsoft 365 E5 security.

Secure Multi-Cloud Environments

Improve cloud security and overcome complexity across multi-cloud environments.

Secure Mergers and Acquisitions

Control cyber risk for business acquisitions and dispersed business units.

Force-Multiply Your Security Operations

Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Explore Our Solutions
Security Operations Platform
Go Back

The GreyMatter Platform

Detection Investigation Response

Modernize Detection, Investigation, Response with a Security Operations Platform.

Threat Hunting

Locate and eliminate lurking threats with ReliaQuest GreyMatter

Threat Intelligence

Find cyber threats that have evaded your defenses.

Model Index

Security metrics to manage and improve security operations.

Breach and Attack Simulation

GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.

Digital Risk Protection

Continuous monitoring of open, deep, and dark web sources to identify threats.

Phishing Analyzer

GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.

Unify and Optimize Your Security Operations

ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Explore the GreyMatter Platform
Resources
Go Back

Resources

Blog

Company Blog

Case Studies

Brands of the world trust ReliaQuest to achieve their security goals.

Data Sheets

Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.

eBooks

The latest security trends and perspectives to help inform your security operations.

Industry Guides and Reports

The latest security research and industry reports.

Podcasts

Catch to the latest cybersecurity perspectives, tutorials and industry discussions with various guest speakers.

Solution Briefs

A deep dive on how ReliaQuest GreyMatter addresses security challenges.

Threat Advisories

The latest threat research report from ReliaQuest Photons research team.

Upcoming & On-Demand Webinars

Upcoming and on-demand webinars addressing the latest challenges and solutions security analysts must know.

White Papers

The latest white papers focused on security operations strategy, technology & insight.

Videos

Current and future SOC trends presented by our security experts.

ReliaQuest Resource
Center

From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Resource Center
Company
Go Back

Company

About ReliaQuest

We bring our best attitude, energy and effort to everything we do, every day, to make security possible.

Executive Leadership

Security is a team sport.

Careers

Join our world-class team.

Press and Media Coverage

ReliaQuest newsroom covering the latest press release and media coverage.

Become a Channel Partner

When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.

Contact Us

How can we help you?

A Mindset Like No Other in the Industry

Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
Search
Go Back

Generic selectors

Exact matches only

Exact matches only

Search in title

Search in title

Search in content

Search in content

Search in excerpt

Post Type Selectors
Hidden

Hidden

Hidden

Hidden

Back to blog

Iran and the United States – start of the long war or return to normal?

admin 13 January 2020

Threat Intelligence

On 03 Jan 2020, the United States conducted a targeted killing of Major General Qasem Soleimani, commander of the elite Quds force of the Islamic Revolutionary Guard Corps of Iran. The massive outpouring of public grief for Soleimani in Iran was followed by a retaliatory rocket strike mounted by Iran on the Al-Asad airbase in Iraq. But as of the date of this publication, many analysts see the situation as de-escalating in intensity. The possibility of Iran and the US engaging in an all-out “hot conflict” is becoming increasingly unlikely.

So what’s the status of the cyber threat posed by Iran? Increased or decreased, along with the physical “bomb and bullet” threat? Ultimately, the precise future in such a highly volatile situation is anyone’s guess. Still, there are useful precedents that can assist when we consider how this will unfold in the near-term future.

Symmetric vs. asymmetric conflict and the role of cyber power

We could spend a lifetime studying the difference between symmetric and asymmetric warfare, but for this blog: Symmetric warfare is a style of conflict in which combatants are roughly equal in terms of raw military capability―think allies versus axis power in World War Two. In contrast, asymmetric warfare is characterized by the involvement of combatants who have drastically uneven capabilities in terms of military power, leading to the use of unconventional tactics characterized by terms such as guerrilla warfare, terrorism, and proxy war activity.

Cyber warfare, defined here as one opponent having some effect on another’s computer networks, is employed in both symmetric and asymmetric warfare. But it’s most commonly associated with the field of asymmetric warfare, principally because of the high level of deniability the cyber operations have.

Symmetric warfare seems to be off the table for both the US and Iran; neither seems to have the appetite for another hot war in the Middle East region. This now puts asymmetric warfare and all its cyber options firmly on the table as a mechanism to strike and influence the opponent. One of the critical objectives of almost any asymmetric warfare campaign is to influence the behavior of a state through methods that target the views and outlook of that state’s population. For example, the US public’s withdrawal of popular consent for the Vietnam war is widely acknowledged to have directly led to a withdrawal of US forces from the country.

Within a cyber context, this facet of asymmetric warfare is dangerous, as the industrial sector of a state’s economy often dwells within the civilian sector of the country’s population. Shown below is a graphical model of how symmetric and asymmetric warfare work and the role that the civilian sector can play within this dynamic.

Symmetric vs. asymmetric conflict

Of course, on the ground, the situation is somewhat different than the simplistic model shown above. Precisely, the US conforms to the State A model shown above (its industrial complex primarily nested within the civilian population and the democratic system dictating who is in power). Still, the Iranian state does not follow this model. Within Iran, the industry is under state control, with the autocratic political model not requiring popular consent to govern. This leads to an edge for Iran over the US in terms of asymmetric warfare, influence, and particularly in terms of the cyber warfare approach―owing to the high level of deniability attached to it.

In superficial terms at least, the current absence of overt conflict between the US and Iran implies an increased risk of Iranian cyber-attacks on the US private sector. A future threat narrative (albeit a simplistic one) could go something like Iran, not wishing to engage in a potentially devastating war with the US, participates in a protracted cyber campaign targeting the US economy.

Iranian cyber capability versus vulnerability

One important aspect to remember when considering the cyber threat posed by Iran is that cyber power differs in form and function for each state that wields it. For example, the People’s Republic of China (PRC) cyber power is more focused on achieving espionage-based objectives. In contrast, the Democratic People’s Republic of Korea (DPRK) appears to be more focused on raising funds to feed volumes’ black economy of North Korea.

Iran’s cyber power has evolved rapidly from an initial flurry of patriotic hacktivism directed at the US banking sector in the wake of the Stuxnet incident in 2010 to the destructive attacks by the Shamoon malware on Saudi Aramco 2012 to a shift to more clandestine intelligence-gathering operations heralded by the creative Newscaster campaigns. This has seen the capability move from enthusiastic but amateurish pro-Iranian civilian hackers to more formalized elements of the Iranian military driving the form of the capability. While Iran certainly has the appetite and capacity to conduct destructive cyber attacks against its opponents, it could be argued that it gains more tangible benefits from cyber espionage operations rather than the transient effects derived from the spectacular destructive cyber-attacks.

This separation of destructive attacks versus more conventional espionage operations is essential when considering the broader geostrategic context of the issue. Soleimani’s killing was very public, and Iran has to be seen to mount a continuing response to the assassination. If their response is destructive cyber attacks, this will stand in sharp contrast to Iran’s currently favored cyber capabilities, which seem at the moment to be more focused on espionage, a practice that, by default, aims to be unseen by all.

An additional point to consider when gauging a state’s overall cyber power capability is how vulnerable a state’s infrastructure is to retaliatory cyber attacks. Just as in the case of the PRC and DPRK, Iran’s cyber vulnerability probably outweighs its ability to conduct an offensive cyber warfare operation. Given that the US likely has one of the most advanced cyber warfare capabilities in the world, and that deniability is a factor of asymmetric warfare that cuts both ways, Iran faces a difficult choice when considering the option of destructive cyber attacks on the US.

This boils down to the assessment that warnings of an increased cyber threat from Iran should be caveated. If Iran engaged in offensive cyber operations against the US, this would be both a significant departure from the campaigns it has recently conducted and would open the country up to potentially devastating retaliation from the US.

Shown below is a SWOT (strengths, weakness, opportunities, and threats) analysis of the possibility of an Iranian cyber attack on US civilian infrastructure.

Iran Swot Analysis

The duality of conflict modes

So far, we’ve looked at two modes of conflict and sought to understand how cyber warfare activity sits within one of these modes. Of course, in reality, state policy is not so simplistic; there’s always the option of combining symmetric and asymmetric warfare (dubbed hybrid warfare) and opening multiple modes of conflict simultaneously.

A recent example is Russia’s activity in Ukraine that has combined multiple interlocking strands of symmetric and asymmetric warfare into one unified effort to control the region. Iran will most likely pursue this course of action, and Soleimani was a master of this style of warfare. Within this context, Iran’s cyber capability will probably receive a boost in terms of funding and human resources, but will likely remain within its traditional boundaries as another espionage capability within the broader portfolio of asymmetric capabilities fielded by Iran.

The event in context: That big a deal?

Returning briefly to the broader geopolitical context, let’s take a step back from the recent rhetoric that has surrounded the incident and attempts to place the events in the broader context of US/Iranian relationships.

Soleimani was a uniformed combatant deeply involved in clandestine warfare operations for decades, and the manner of his death can’t have come as a big surprise to his chain of command in Tehran. “Live by the sword, die by the sword” is a common sentiment for people involved in this kind of work. Conversely, US service personnel in Iraq have been killed in large numbers by explosives originating from Iran since the initial invasion in 2003. Notably, the rocket attack on the Al-Asad air base caused no casualties. From a soldier’s perspective, it’s just another day in Iraq.

Taking this view of the event, the Soleimani killing and Iran’s response may be nothing more than another comparatively small move in the long game the US and Iran have been playing for decades. For the cyber threat, this could imply various outcomes, one of which is―quite possibly―no change at all in the cyber risk. So then how do we evaluate the cyber threat from Iran?

Conclusion

An important point to note is that cyber operations have been perpetrated both towards and against Iran for several years, and even without the Soleimani incident, these operations would have continued regardless. The point that this piece intended to consider was, would the Soleimani incident change the form and objective of Iranian cyber power?

The key to assessing these questions is to understand what a winning state looks like for each side of the conflict. For Iran, the position would appear to be as it has been since 2003: Make the US’s position in the Middle East as weak as possible while amplifying Iranian regional power as much as possible.

The US position seems more opaque; a shadow conflict between the two countries has been running since at least 1979. However, this does mark a very public escalation of the conflict.

How does cyber power projection potentially play into each of these strategies?

The exact details remain to be seen; however, viewing developments in the situation through the lens of symmetric and asymmetric warfare theory, although abstract, has the potential to inform the dynamics that underpin the conflict.