Unless you went very dark for an extended holiday break, you are no doubt very well aware of the United States’ targeted killing of Iranian General Qasem Soleimani on January 3rd. This blog is based on a tweetstorm I wrote on Friday afternoon in response to the killing. A follow-up blog provides me the flexibility to dig further into some of my comments and suggestions. You can read the original thread here.
In October 2012, roughly two months after the Saudi Aramco Shamoon wiper attack, then-Secretary of Defense, Leon Panetta, gave a now-famous speech where he warned about the potential for a “cyber Pearl Harbor.” Secretary Panetta said:
“The collective result of these kinds of attacks could be a cyber Pearl Harbor, an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”
I don’t know if the Iranian response will turn into a “cyber Pearl Harbor,” but I think the likelihood is low at this time. You may have observed many talking heads and thought leaders describing potential Iranian reprisals in hyperbolic ways. “Cyberwarfare! Cyberattack!” My goal for the blog is to provide practical, measured suggestions on how you should respond in both the short term and critically in the long run.
In case you prefer video, check out the recording I did with Harrison on this blog here:
Iranian Threat Landscape: Practical Advice
I’m not a self-proclaimed Iran expert or thought leader, but I do have some intelligence experience working for the United States Central Command. I have been tracking both General Soleimani and the Iranian regime for many years. The good news is that much of what I’m going to discuss isn’t hyper-focused on Iran, because I’m not a proponent of threat du jour thinking. Here are a few thoughts.
- Now isn’t the time to “ZOMG CYBER IRAN.” Threat du jour thinking isn’t an adequate defense model. Let’s not repeat our historical affinity for ZOMG China and then ZOMG Russia thinking. If a nation-state is going to target you, detection and response will be your fallback. We need to build cybersecurity programs that are resilient against our most relevant threat actors; think 80/20 rule here. Threat modeling should be a key discipline in your security program.
- Understand the threat. How do Iranian threat actors fit into your model? How do Iranian interests intersect your business? How has historic Iranian targeting related to your business? Looking at victims through the lens of “The Diamond Model of Intrusion Analysis” could be helpful in understanding threat actor targeting. How does the Iranian threat stack up against your supply chain? Third parties should be a key component of your threat modeling exercise. When did you last update your threat model? Do you have a threat model?
- But what about being “collateral damage?” One excellent point around collateral damage was brought up by Dr. Anton Chuvakin (@anton_chuvakin) and a few others later in the day.
A painful example of the reality of collateral damage is Maersk and NotPetya. Maersk lost $870 million as a result of being NotPetya’s collateral damage. You can read an excellent WIRED story from Andy Greenberg (@a_greenberg) here: “The Untold Story of NotPetya, the Most Devastating Cyberattack in History.” You should add “collateral damage” to your threat model, but make sure that you clearly understand impact and likelihood. The impact could be high, but the likelihood is much lower. You should prioritize more likely scenarios/actors above “collateral damage from a nation-state actor” in your threat models. One other item to note: it would be a good time to check your cyber insurance policy’s contract for legalese around “act of war” exclusions. Don’t assume that your insurance funds will be available to you.
- You must be able to communicate up the chain of command effectively. The ongoing Iranian situation presents you with an opportunity to effectively communicate up the chain of command and help them understand the actual cyber risks Iran presents to your business. The New York Times, Wall Street Journal, and CyberScoop will produce “Leadership RFIs” and that is ok. Don’t minimize what could happen, but you need to control the message and not let Infosec Twitter and primetime T.V. pundits manage it for you. If your executives aren’t asking the “right questions,” don’t scoff; educate them, and help them learn how to ask the right questions in the future. If you haven’t seen this blog, “Trump and Intelligence: 6 Ways To Deal With Challenging Intelligence Consumers,” check it out. It provides some tips on presenting to leadership. Also look for opportunities to get a regular presentation cadence with them outside of the threat du jour activities like Iran, WannaCry, NotPetya, and Equifax. It is always easier to have conversations when you aren’t in crisis mode, so suggest quarterly threat briefs that are aligned to key business initiatives.
- “Just do the basics.” Just do the boring. Iran is known to use account takeover (ATO) techniques, spearphishing, and destructive wiper malware (Shamoon). The good news for cyber defenders… they aren’t the only ones that use these techniques. Who doesn’t use ATO and spearphishing? Amirite? Hopefully you already have controls in place to mitigate these cyberattacks. Check out this blog from my colleague and Director of Security Engineering Richard Gold: “Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework.” These controls aren’t sexy: They’re boring, but they work. Stay tuned for more from us on this topic. Boring controls are much more useful than magic artificial intelligence pixie dust controls that poop rainbows anyway.
- Swiper no wiping, Swiper no wiping! Iran has a history of leveraging wiper malware. In August of 2012, three-quarters of Saudi Aramco’s corporate PCs were erased by the Shamoon malware, which shut down corporate operations for ten days. You can read more about Iran’s cyberattack here: “In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back.” Fortunately, destructive/wiper malware isn’t widely deployed, and the ASD’s Essential 8 will help mitigate its risks. If you are already working on extortion threat models and tabletop exercises, then hopefully your ransomware recovery planning can assist you in wiper response planning. Ransomware and destructive wiper malware are only one decryption key away from each other. If you haven’t done anything in this area, then add a destructive malware tabletop exercise to your to-do list for Q1.
- Plan for Denial of Service attacks. Speaking of tabletop exercises, if you haven’t done a DDoS scenario, it would be good to work that into your plan. Iran has used denial of service attacks in the past. In 2012, the Al-Qassam Cyber Fighters used DDoS attacks to target the financial industry in Operation Ababil. They were able to take many large U.S. banking sites offline successfully. Seven Iranians working for Islamic Revolutionary Guard Corps (IRGC) affiliated entities were indicted in March of 2016 for these attacks. Hacktivists not affiliated with the Iranian government could also launch these attacks. There are many flavors of DDoS protection: On-prem hardware and upstream filtering via a service provider are common. It would be good to reach out now and get details on how much and how long it would take to swing the protection of your website over to a 3rd party. If you do become a victim of Iranian DDoS attacks, you want to have a plan in place and execute it.
- Let’s go hunting. If Iranian actors are a high priority on your threat model, then there’s work to be done. Industrial Control System (ICS) operators, ICS suppliers, financial services firms, and shipping companies that transit the Persian Gulf (think Strait of Hormuz) could be targets. Heightened monitoring is essential, and I fully acknowledge the generic nature of this statement, but whatever the equivalent of your DEFCON levels are should be raised (or lowered, if you want to be technically correct). In addition to any internal hunting activities you undertake, you can also reconcile your security controls against the techniques used by Iranian threat actors in the MITRE ATT&CK Framework.
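One way to do that reconciliation, as an added example that is not code from the post or its author: it takes a threat model expressed as weighted ATT&CK technique IDs and a control inventory, and ranks the techniques that no implemented control addresses. The technique list, priority weights and the control-to-technique mapping are constructed assumptions; the control names are loosely modelled on ASD Essential 8 items and the mapping is not the official ASD or MITRE one.

```python
# Added example, not from the original post: reconcile the techniques in your
# threat model against implemented controls to find coverage gaps.
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    mitigates: frozenset   # ATT&CK technique IDs this control addresses
    implemented: bool      # only implemented controls count as coverage

# Constructed threat profile: technique ID -> (name, priority weight from the threat model).
THREAT_PROFILE = {
    "T1566": ("Phishing", 3),
    "T1110": ("Brute Force", 3),
    "T1078": ("Valid Accounts", 2),
    "T1485": ("Data Destruction", 3),
    "T1498": ("Network Denial of Service", 2),
}

# Constructed control inventory loosely modelled on ASD Essential 8 items; the
# technique mapping here is an assumption, not the official ASD or MITRE mapping.
CONTROLS = [
    Control("Multi-factor authentication", frozenset({"T1110", "T1078"}), True),
    Control("User application hardening", frozenset({"T1566"}), True),
    Control("Daily backups", frozenset({"T1485"}), False),
    Control("Upstream DDoS scrubbing", frozenset({"T1498"}), False),
]

def coverage_gaps(profile, controls):
    """Techniques with no implemented control, as (id, name, weight, planned controls),
    highest priority first so the to-do list is already ranked."""
    implemented, planned = set(), {}
    for c in controls:
        for tid in c.mitigates:
            if c.implemented:
                implemented.add(tid)
            else:
                planned.setdefault(tid, []).append(c.name)
    gaps = [(tid, name, weight, planned.get(tid, []))
            for tid, (name, weight) in profile.items() if tid not in implemented]
    return sorted(gaps, key=lambda g: (-g[2], g[0]))

def coverage_ratio(profile, controls):
    """Weighted share of threat-model techniques mitigated by an implemented control."""
    total = sum(w for _, w in profile.values())
    uncovered = sum(g[2] for g in coverage_gaps(profile, controls))
    return (total - uncovered) / total if total else 1.0
```

Re-running `coverage_gaps` after marking a control as implemented shows which gap closes, which is a quick way to sanity-check a remediation plan against the threat model before the next leadership brief.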
- Remember, revenge is a dish best served cold. Don’t take lack of overt Iranian action as a sign that reprisals aren’t coming. There could be several reasons for this. First, Iran will seek to respond at a time of their choosing that achieves maximum political and military impact. For example, cyberattacks aligned with key U.S. Presidential election dates could benefit Iran. A second reason for a delayed response could be that cyber operations take time. If Iran hasn’t already gained access to a target environment, then they must plan and execute an operation to gain access so they can accomplish their objectives. These activities don’t occur overnight, so don’t become complacent.
Just like we often chase shiny new security controls (remember magic artificial intelligence pixie dust controls that poop rainbows), we pursue threats du jour. We need to balance current cyber threat activity with building long term resiliency in our security programs that raises the bar and protects against more than a single threat actor. In a world where we have a limited budget for security investment, this approach results in more value.
I also hopped on a quick video recording with Richard Gold and an episode of ShadowTalk with Harrison to chat through these points above. If you’re interested, check them out below.