Iranian Cyberattacks: 10 Must-Have DefensesAct Quickly and Prioritize the Basics, Experts Recommend
Battling fraudsters, ransomware rings, bored teenagers or nation-state hackers inevitably boils down to the same thing: Unless organizations get the basics right, they're sitting ducks.
See Also: Stopping BEC and EAC
That's one top takeaway from the U.S. government warning that Iran will likely retaliate with cyberattacks for the Thursday killing - ordered by President Donald Trump - of one of its military leaders, Major General Qasem Soleimani. Experts expect American private and public sector organizations to be targeted as a result (see: Analysis: Threat Posed by Pro-Iranian Hackers). On Tuesday, Iran waged missile strikes against bases in Iraq housing American troops.
"The single most important factor here is to set up all of this now."
As tensions escalate, the director of the U.S. Cybersecurity and Infrastructure Security Agency - a unit of the Department of Homeland Security that oversees security threats to critical infrastructure - reissued summer 2019 guidance on countering Iranian advanced persistent threat attacks.
"In times like these, it's important to make sure you've shored up your basic defenses, like using multifactor authentication, and if you suspect an incident - take it seriously and act quickly," CISA's alert says.
What is notable, in part, about this advice, is how basic it is. Organizations should long ago have put in place multifactor authentication and a breach response plan and continued to actively shore up any defenses that are lagging. But here's the U.S. government once again warning organizations that support critical infrastructure to do the basics.
Make the Basics Sexy
Well before this era of artificial intelligence and machine learning, among other prevailing buzzwords, security experts have been warning that the basics too often get overlooked. Back at Black Hat Europe 2015, keynote speaker Haroon Meer told me that cybersecurity remained partially a story of organizations continually tackling "new, shiny problems," only to leave them half-finished and move to a new one. "We are hyper-obsessed with the latest [technology], and so, as an industry, we get pretty caught up in just about whatever the industry is selling," said Meer, who heads Johannesburg-based security firm Thinkst Applied Research.
At last month's Black Hat Europe 2019, Daniel Cuthbert, global head of security research for Banco Santander, warned in a closing panel discussion that organizations are still failing to get the basics right (see: 8 Takeaways: Black Hat Europe's Closing 'Locknote' Panel).
"Basic isn't sexy. Go to RSA. You're going to see something that fixes cancer. Really, it's phenomenal. And the problem is, that sells," Cuthbert told the audience.
Top 4: Australian Signals Directorate
What basics should organizations be focusing on? The Australian Signals Directorate's top 4 information security mitigation strategies, first published in 2011, is cited by many experts as the best place to start:
- Whitelist applications;
- Patch applications and operating systems;
- Update to the latest versions of applications and operating systems;
- Minimize administrative privileges.
But any organization that might get targeted by Iranian APT attackers should be doing much more.
On Monday, for example, CISA issued additional guidance, warning organizations should beware of ransomware attacks and domain name system tampering. They also should ensure they have applied all critical patches, sufficiently locked down email and web security and prioritized their defense of high-value assets, the guidance stresses.
Who's Most at Risk?
Given the escalated threat of online retaliation by Iran, who's most at risk? "Our current assessment is that organizations in the financial, defense, government, and oil and gas sectors are the most likely targets for retaliation activity," cybersecurity firm CrowdStrike tells me, emphasizing that it has yet to see any such attacks.
Given Iran's past targeting of banks via distributed denial-of-service attacks, and its ties to ransomware such as SamSam, both of those types of attacks remain a possibility, CrowdStrike says (see: Two Iranians Charged in SamSam Ransomware Attacks).
Of course even the best prevention in the world is no guarantee that an organization won't get breached. To identify exactly what all organizations should be doing to survive a data breach, three months ago, I spoke to a number of experts about how to build a data breach response playbook, including incident response essentials.
Attorney Chris Pierson, CEO of cybersecurity firm Blackcloak, told me: "The single most important factor here is to set up all of this now, ahead of time, get buy-in from all levels of the company, including the board, and to practice."
10-Point Response Playbook
Pierson says that advice continues to apply for any organization at risk from retaliatory Iranian cyberattacks. He says CISOs - especially in government agencies and the aerospace and defense sectors - should now be conducting a four-week review "to shore up defenses - resiliency - and make sure they can get back up and running after the successful attack, aka via recovery."
Here's Pierson's list of the top 10 items they should focus on via a four-week "cyber sprint":
- Board: Communicate with the board and executive leadership team on the need for dedicated resources to ensure the company is prepared and able to do a four-week cyber-sprint - secure people, extra funding and support.
- Endpoints: Ensure every endpoint has active, working and up-to-date protection and terminate all nodes that do not.
- Patching: Patch every critical vulnerability at the company and apply the latest patches to all workstation computers.
- Keys: Rotate encryption keys and privileged administrative passwords.
- Passwords: Mandate a password reset for all users and especially external login access.
- Multifactor: Ensure every system is using dual-factor authentication.
- Disaster recovery: Confirm the availability of all necessary backups and the ability to work with warm or hot replications sites.
- Phishing: Push out a message and 60-second educational piece on phishing to every user.
- Hygiene: Close all accounts for those who are no longer employed by the company.
- Monitoring: Turn up controls for email monitoring, web traffic monitoring and IDS, IPS, firewall and web application firewall protection to a heightened level.
"These are the low-hanging-fruit items that can try to prevent a hack and not introduce too much friction," Pierson tells me. "In addition, most companies can achieve them in four weeks, and thus better balance protection and recovery."
But that four-week target doesn't begin counting down until organizations put a plan in place. Don't wait; start now.
"It's all hands on deck," says Tom Kellermann, head of cybersecurity at VMware, who notes that Iran's period of mourning for Soleimani ended on Monday.
Kellermann, who was a cybersecurity adviser to the Obama administration, says cyberattacks may be imminent. "The Iranian government has stated that this was an act of war," he says. "Now they're going to potentially unleash the hounds."