lolloj - Fotolia
The Department of Homeland Security warned of potential of Iranian cyberattacks against the U.S., and security experts weighed in on the risks facing enterprises.
In the bulletin, released Saturday as part of the National Terrorism Advisory System, DHS said there was no indication that attacks from Iran were imminent, but noted the country and its allies "have demonstrated the intent and capability to conduct operations in the United States." The bulletin was issued in the wake of escalating military conflict with Iran.
"Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States," DHS wrote in the bulletin. "Be prepared for cyber disruptions, suspicious emails, and network delays. Implement basic cyber hygiene practices such as effecting data backups and employing multi-factor authentication [MFA]."
In general, experts agreed there is a legitimate threat of Iranian cyberattacks against U.S. entities and many added that while Iran has offensive cyber capabilities, they are not known to have capabilities on the level of the U.S., China or Russia.
Rick Holland, CISO and vice president of strategy at Digital Shadows in San Francisco, said Iran has proven the ability to cause damage with cyberattacks.
"Iranian offensive cyber capabilities have grown significantly since the days of Stuxnet, which was a catalyst for the Iranian regime to mature their capabilities," Holland told SearchSecurity. "While Iran isn't as mature as the United States, Russia or China, they are capable of causing damage. Destructive or wiper malware like Iran used against Saudi Aramco could cause significant damage to their targets."
Robert M. Lee, CEO and founder of Dragos, said Iran has "consistently been growing their capabilities and are aggressive and willing to be as destructive as they can be."
"We're unlikely to see widespread issues or scenarios such as disrupting electric power but it's entirely possible we will see opportunistic responses to whatever damage they think they can inflict," Lee told SearchSecurity. "Iran has shown previously to be opportunistic in its targeting of infrastructure with denial of service attacks against banks as well as trying to get access to industrial control systems in electric and water companies. While it is important to think where strategic targets would be for them, it's just as relevant that they might search for those who are more insecure to be able to have an effect instead of a larger effect on a harder target."
High disruption value
While DHS was unclear what organizations Iran might target with cyberoperations, some experts tended to agree with Lee that infrastructure and financial targets would be most likely.
Jake Williams, founder and president of Rendition Infosec in Augusta, Ga., classified Iran as having "moderately sophisticated capabilities."
"They aren't on par with Russia or China, but they aren't script kiddies either. Iran will most likely target defense industrial base and financial institutions -- basically, targets that have a high disruption value," Williams told SearchSecurity. "For an enterprise, the things to keep in mind are DDoS and early indicators of compromise for defense industrial base organizations. Of course, Iran could target other verticals, but we assess these to be the most likely initial targets."
Levi Gundert, vice president of intelligence and risk at Recorded Future, noted that "Iranian sponsored groups are constantly probing potential targets for weaknesses toward intelligence gathering."
"When provoked, these groups have also successfully demonstrated retaliatory cyberattacks. Based on historical precedent, Iran retaliates with destructive attacks against perceived threatening organizations (e.g. Sands Corporation), or they attack businesses toward achieving economic impact -- large American financial service companies (Operation Ababil) and Saudi Aramco are two good examples," Gundert told SearchSecurity via email. "We believe the most likely targets of cyberattacks remain the United States government, contractors, and partner businesses involved in U.S. regional interests."
However, Chris Morales, head of security analytics at threat detection vendor Vectra in San Jose, Calif., said "everyone could be at risk" of an Iranian cyberattack.
"While certain industries were targeted in the past for disruption or for data theft, there is no limitation to who could be targeted in an asymmetric attack that involves disruption, misdirection and confusion," Morales told SearchSecurity. "Earlier state-sponsored Iranian actors stole only basic information, but over the past few years they have been building long-term espionage campaigns. The risk here being in many cases Iranian actors already persist inside networks and it becomes a case of identifying their presence and removing them."
Holland said the risk of being targeted by Iran would be low for most organizations, but enterprises should perform threat modeling by asking:
- How do Iranian interests intersect your business?
- How has historic Iranian targeting/victimology related to your company?
- How does the Iranian threat stack up against your supply chain?
Protecting your organization
Experts agreed that taking care of the basics is probably the best approach to defend against possible Iranian cyberattacks.
Dr. Chase Cunningham, principal analyst serving security and risk professionals for Forrester Research, suggested enterprises "fix the easy stuff: deploy MFA everywhere; bolster DDoS defense and make sure email security is in place. Other than that, brace for impact and maintain situational awareness."
Holland said enterprises "shouldn't have to take any extraordinary measures."
"Patch operating systems and applications. Disable Microsoft Office macros. Implement application whitelisting. Restrict admin privileges. Disable external-facing Remote Desktop Protocol," Holland said. "Enable multi-factor authentication for external-facing applications and privileged users. Monitor for malicious domains registrations related to your organization."
Gundert suggested organizations "take the time to understand Iranian sponsored groups' historical tools, tactics, and techniques."
"These groups typically achieve initial unauthorized access through password re-use, phishing, and/or web shells," Gundert said. "Now is a great time to review and improve security controls for each threat category, as well as visibility into post-compromise activity like the usage of native Windows tools."
Lee said the best approach is for cybersecurity professionals to "be in a heightened sense of awareness and put the investments they've made into people, process, and technology to use."
"For companies that have yet to make proper investments into the cybersecurity of their business, there is not much that can be done quickly in situations like this," Lee said. "Companies need to prepare ahead of these moments and these moments and any angst felt should serve as an opportunity to look internally to determine what your plans would be especially for incident response and disaster recovery."