Iran Cyber-Response: 4 Recommendations for Defending Your Organization from Nation-State Attacks

Forceful revenge said to follow in response to a recent U.S. airstrike, resulting in the death of Iran’s top general Qassem Soleimani, is predicted to disrupt our lives in unprecedented ways. The cybersecurity threats facing the U.S. range from widespread economic and infrastructural disruption to individual and organizational disruption. Defending against APT groups and Iran’s powerful cyber warfare program will require both organizations and individuals to understand how they may be affected and what they can do to protect themselves.

Nation-state attacks threaten everyone. The motive behind government-backed threat groups is to target government agencies, critical infrastructure and any industry or business that contains sensitive data, property or information valuable to helping the attacker achieve their goal. And this is exactly what we expect to see from Iran. Iran’s robust cybersecurity program has proven that they can execute attacks, at a minimum, that disrupt U.S. infrastructure. It’s also important to remember that attacks may not come directly from Iran but APT hackers, hackers sponsored by Iran or hackers working for Iran’s allies.

Unlike a typical cyberattack, what’s at stake is far greater than data theft and espionage. Current conflicts have escalated the potential for Iranian cyber response, which may target banking systems, power grids, transportation and other assets vital to our economy. Interrupting everyday life by disrupting entire economies is the simplest way to insight fear and chaos without using physical force.

So who’s at risk of being targeted? As stated above, no one is safe from a nation-state attack. While these attackers aren’t looking to target your personal, at-home computers for personal data or monetary gain, small companies and municipalities that maintain low-level defense are often the first to be targeted. Leveraging information and entry to smaller organizations can serve as a gateway to accessing critical infrastructure and organizations, thus pursuing larger national interests. Iran has already targeted some state governments, including Texas, who received roughly 10,000 cyberattacks per minute from Iran in early January.

Withstanding a nation-state attack is beyond the capabilities of many companies. As such, taking proactive measures that prepare your company for a potential attack is a vital. To protect against high-level attacks, organizations should consider the following recommendations from the Department of Homeland Security:

1. Disable all unnecessary ports and protocols: Reviewing network security device logs will help you determine if any ports and protocols are exposed. Shut off unnecessary ports and protocols and monitor anything exposed for suspicious activity.

While we offer services to review and assess firewall rules for security, if you have the resources in-house, organizations can tackle this by configuring rules to log (audit mode) temporarily and reviewing the to see which are being used. If it hasn’t already been done (and documented) further research should be done to review the in-use rules, identify the resources in play, and make sure there’s a business case documented for each policy or rule set.

1. Enhance monitoring of network and email traffic: Phishing emails and unprotected devices on your network are the most common vectors for intruders. Follow best practices for restricting email attachments and reviewing network signatures. To comply with compliance regulations, most organizations should also layer security awareness training and phishing campaigns.
   
   We have a selection of solutions for security awareness and phishing, ranging from free and low-cost to fully integrated and customized platforms. Ask your account manager about free tools or contact us (see bottom of post).
   
   
2. Patch externally facing equipment: Attackers will actively scan for and exploit vulnerabilities, which is why it’s best to focus on patching vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.
   
   Skillfully implemented endpoint security tools and/or Network Access Control (NAC) technologies can offer validation and posture assessments against not only patching but organizational policies for endpoints. As always, you can’t manage what you can’t see, so our NAC solutions start with a full-environment discovery to fill that gap.
   
   
3. Log and limit the use of PowerShell: Limit PowerShell usage and accessibility to users and accounts who need it. For those who do, enable code signing of PowerShell scripts and logging of all PowerShell commands.
   
   If you’re unsure about best practices and your current posture related to domain security hygiene, ask about our security assessment services and penetration testing options. We have low-cost options and robust reporting that will direct your team to the most important priorities.
   
   
4. Ensure backups are up to date: Don’t let backup’s slips through the cracks. Ensure backups are constantly up to date and stored in an easily retrievable location that is separated from the organizational network.
   
   We have a breadth of backup and recovery solutions including file and server backup, email backup, and more – all available as on-prem, cloud, or hybrid or multi-location.

Carolina Advanced Digital offers a breadth of security solutions including products and services for security reviews and assessments, penetration testing, zero trust networking and network access control (NAC) as well as endpoint security, security awareness training and a variety of integrations with your existing infrastructure and applications. Contact us today to schedule a free call with a team member to discuss your needs.