    Iran Cyber Threat CISO Action Items

    January 7, 2020 | Joe Sullivan

    Iran Cyber Threat

    President Trump ordered an airstrike that killed the Iranian General Soleimani in Baghdad. Soleimani was suspected of “plotting attacks” against Americans in the region.

    The Department of Homeland Security issued a bulletin stating that Iranian leadership and several affiliated violent extremist organizations publicly stated they intend to retaliate against the United States. This is a concern because Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.

    According to Wikipedia: Cyberwarfare is a part of Iran’s “soft war” military strategy. Being both a victim and wager of cyberwarfare, Iran is considered an emerging military power in the field. Since November 2010, an organization called “The Cyber Defense Command” has been operating in Iran under the supervision of the country’s “Passive Civil Defense Organization”.

    There is an alleged history of Iranian operations that justifies raising concern now:

    • In August 2014, an Israeli Defense Forces official told the press that Iran had launched numerous significant attacks against Israel’s Internet infrastructure.
    • In March 2015, Iranian hackers, possibly the Iranian Cyber Army, caused a massive 12-hour power outage in 44 of Turkey’s 81 provinces, affecting 40 million people.
    • In June 2017, The Daily Telegraph reported that intelligence officials had concluded Iran was responsible for a 12-hour cyber attack on the British Parliament that compromised around 90 email accounts.
    • In February 2014, Iran attacked the network of a Las Vegas casino and hotel chain.
    • Shamoon data-wiping malware, believed to be the work of Iranian hackers, was used against national oil companies including Saudi Arabia’s Saudi Aramco and Qatar’s RasGas.

    CISO Action Items

    CISOs should be paying attention to Iranian tactics, techniques and procedures (TTPs) and to third-party access. At the perimeter I advise enforcing geolocation blocking to deny access to and from that region.
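    One way to check what such a perimeter rule would do, as an added example that is not code from the original post: the script below evaluates constructed firewall log lines against a set of CIDR ranges standing in for the blocked region, denying inbound connections whose source falls in the region and outbound connections whose destination does. The ranges are placeholders from documentation (TEST-NET) space, not real geo-IP data, and the four-field log format is assumed; a real deployment would load the ranges from a geo-IP feed.

```python
"""Geolocation deny check over constructed firewall log lines.

Added example, not from the original post. The CIDR ranges are placeholders
drawn from IANA documentation space; swap in your geo-IP provider's ranges.
"""
import ipaddress
from collections import Counter

# Constructed placeholder ranges for "the blocked region" (TEST-NET-2,
# TEST-NET-3 and an IPv6 documentation prefix). Not real geo-IP data.
BLOCKED_REGION_CIDRS = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:1::/48",
]


def build_blocklist(cidrs):
    """Parse CIDR strings once into network objects (IPv4 and IPv6)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_blocked_region(ip, networks):
    """True if the address falls inside any blocked network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def decide(src, dst, networks):
    """Deny in both directions: inbound from the region, outbound to it."""
    if in_blocked_region(src, networks):
        return "deny-inbound"
    if in_blocked_region(dst, networks):
        return "deny-outbound"
    return "allow"


# Constructed log lines, assumed format: "<timestamp> <src_ip> <dst_ip> <dst_port>".
# 192.0.2.0/24 (TEST-NET-1) plays the role of the internal network.
SAMPLE_LOG = """\
2020-01-07T09:00:01Z 203.0.113.45 192.0.2.10 443
2020-01-07T09:00:02Z 192.0.2.11 198.51.100.7 22
2020-01-07T09:00:03Z 192.0.2.12 192.0.2.13 445
2020-01-07T09:00:04Z 2001:db8:1::beef 2001:db8:2::1 443
2020-01-07T09:00:05Z 192.0.2.14 192.0.2.99 53
"""


def evaluate_log(log_text, cidrs=BLOCKED_REGION_CIDRS):
    """Return (timestamp, src, dst, port, decision) for every log line."""
    networks = build_blocklist(cidrs)
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        results.append((ts, src, dst, int(port), decide(src, dst, networks)))
    return results


def summarize(results):
    """Count decisions so the blast radius of the rule is visible before rollout."""
    return Counter(r[4] for r in results)


if __name__ == "__main__":
    res = evaluate_log(SAMPLE_LOG)
    for r in res:
        print(*r)
    print(dict(summarize(res)))
```

    Running the decision over historical logs before enabling the rule shows which existing flows, including any third-party connections, would be cut off, which is the check worth doing before a geo-block goes live.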

    User awareness training should include the latest DHS bulletin so that users understand they need to be more diligent. This is a good time to ensure you have strong email filter controls, that your public-facing asset vulnerabilities are remediated, and that your threat intelligence feeds include good action items.

    CISOs should be taking a good look at the Pyramid of Pain to understand how to effectively use threat intelligence. Other good resources are the MITRE ATT&CK Framework and MITRE Pre-ATT&CK. Finally, CISOs should look into utilizing the MITRE ATT&CK Navigator that allows you to navigate, visualize, and annotate attacker techniques.
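    As an added example of putting the Pyramid of Pain and the ATT&CK Navigator to work on a feed, and not code from the original post, from David Bianco, or from MITRE: the script below classifies a constructed threat-intelligence feed by pyramid tier (hash, IP, domain, artifact, tool, TTP), orders the tiers so the items that hurt the adversary most are handled first, and emits a Navigator layer from the TTP-level entries. The feed, the `tool:`/`artifact:` prefix convention and the Navigator version strings are assumptions; the technique IDs are real ATT&CK identifiers chosen to match the action items above (phishing, public-facing application exploitation, third-party trust, data destruction).

```python
"""Triage a threat-intel feed by Pyramid of Pain tier and build an ATT&CK
Navigator layer from the TTP-level indicators.

Added example; not from the original post, David Bianco or MITRE. The feed is
constructed. Navigator layer keys follow the public layer format; the version
strings are assumptions and should match the Navigator/ATT&CK build you use.
"""
import json
import re

# Pyramid of Pain tiers, cheapest for the adversary to change first.
# The index is how much pain blocking that tier inflicts.
TIERS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
TTP_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def classify(indicator):
    """Map one raw indicator string to its pyramid tier.

    Tools and host/network artifacts cannot be recognised by shape alone, so
    the feed tags them with a 'tool:' or 'artifact:' prefix (assumed feed
    convention). Anything unrecognised falls back to 'artifact'.
    """
    value = indicator.strip()
    low = value.lower()
    if low.startswith("tool:"):
        return "tool"
    if low.startswith("artifact:"):
        return "artifact"
    if HASH_RE.match(value):
        return "hash"
    if IPV4_RE.match(value):
        return "ip"
    if TTP_RE.match(value):
        return "ttp"
    if DOMAIN_RE.match(value):
        return "domain"
    return "artifact"


def pain(indicator):
    """Numeric pain score: higher means harder for the adversary to replace."""
    return TIERS.index(classify(indicator))


def triage(feed):
    """Group the feed by tier, highest-pain tier first, so TTP and tool
    coverage is worked before the cheap-to-rotate hashes and IPs."""
    grouped = {tier: [] for tier in TIERS}
    for ind in feed:
        grouped[classify(ind)].append(ind.strip())
    return {tier: grouped[tier] for tier in reversed(TIERS) if grouped[tier]}


def navigator_layer(name, technique_ids, comment):
    """Build an ATT&CK Navigator layer dict highlighting the given techniques."""
    return {
        "name": name,
        # Version strings are assumptions; set them to your Navigator build.
        "versions": {"attack": "8", "navigator": "4.3", "layer": "4.2"},
        "domain": "enterprise-attack",
        "description": comment,
        "techniques": [
            {"techniqueID": tid, "score": 100, "color": "#ff6666",
             "comment": comment, "enabled": True}
            for tid in sorted(set(technique_ids))
        ],
    }


# Constructed feed mixing every tier. The TTP IDs are real ATT&CK technique
# IDs matching the post's action items.
SAMPLE_FEED = [
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of the empty string, as a sample hash
    "198.51.100.23",                     # TEST-NET-2 address
    "update-check.example.net",          # reserved example domain
    "artifact:User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)",
    "tool:custom-wiper-loader",          # constructed tool name
    "T1566.001",  # Spearphishing Attachment (email filter controls)
    "T1190",      # Exploit Public-Facing Application (patch public assets)
    "T1199",      # Trusted Relationship (third-party access)
    "T1485",      # Data Destruction (Shamoon-style wiping)
]

if __name__ == "__main__":
    groups = triage(SAMPLE_FEED)
    for tier, items in groups.items():
        print(f"{tier:>8} (pain {TIERS.index(tier)}): {items}")
    layer = navigator_layer("Regional threat TTPs", groups["ttp"],
                            "Prioritised from intel feed")
    print(json.dumps(layer, indent=2))
```

    The JSON printed at the end can be loaded into the Navigator with "Open Existing Layer" to visualize which techniques the feed is telling you to cover; the ordering from `triage` is the reading of the Pyramid of Pain the post recommends, with hashes and IPs last because the adversary replaces them at no cost.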