mobile logo
09
January

Threat Of Iranian Cyberattacks: What Are The Risks?

January 9, 2020
In Industry, News, Partners
By Secure Sense

The US Department of Homeland Security is warning organizations of potential Iranian cyberattacks. While this is no strong indication that Canada would be targeted for cyberattacks by Iran, the overall risk is heightened, especially for Canadian companies operating in or with assets in the US.

Learn more from Dark Reading below, as well as, get recommendations from our partner SentinelOne on what you can do to protect your organization.

DHS Warns of Potential Iranian Cyberattacks

Recent US military action in Baghdad could prompt retaliatory attacks against US organizations, it says.

Concerns about an Iranian cyber response to the recent American military strike in Baghdad grew this week with the US Department of Homeland Security urging organizations to be on heightened alert for denial-of-service and other more destructive attacks.

In an alert Monday, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warned US organizations about Iran’s historic use of cyberattacks to retaliate against perceived foes. “Iran has a history of leveraging asymmetric tactics to pursue national interests beyond its conventional capabilities,” the CISA alert noted.

In recent years, cyber groups operating on behalf of the Iranian government have improved their offensive capabilities in carrying out denial of service, website defacement attacks, and data theft. “They have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks,” CISA said.

The CISA alert is the first public acknowledgement from the US government about potential Iranian cyberattacks in response to the US drone strike last week that killed Gen. Qassem Soleimani. Several security vendors, including Crowdstrike and Recorded Future, have noted the possibility of such attacks in recent days, citing past precedent.

According to Crowdstrike, while there is no evidence of a specific threat emanating from Iranian nation-state actors at this time, US organizations should assume a defensive posture all the same. Current intelligence suggests that organizations in the government, defense, financial, and oil and gas sectors will be the most likely targets for attacks, the security vendor said.

Recorded Future said it believes that Iranian cyber groups will try to use networks they already have compromised in previous espionage activities to carry out new attacks. Other likely tactics include the use of web shells, password spraying, and commodity and custom malware to break into target networks. In addition to US-based targets, Iranian cyber operatives likely will target organizations in the Persian Gulf as well as US allies and partners in the region, Recorded Future said.

Multiple Iran-based cyber groups with suspected ties to the government and the country’s Islamic Revolutionary Guard Corps are believed to have the capability to disrupt and damage operations at US organizations. Top among them are APT33, one of the most active threat groups operating out of the Middle East; APT34 (aka OilRig/MUDDYWATER); and APT39, a relatively newly surfaced group that targets companies in the technology, travel services, and telecommunications sectors.

“APTs 33 and 34 are primarily focused on financial, energy, telecom, and SCADA/ICS,” says Rosa Smothers, a former CIA technical intelligence officer and senior VP of cyber operations at KnowBe4. Private sector companies responsible for critical infrastructure are often unaware these threat actors already might have a presence on their network. That poses a threat because the Iranian government and its hacker proxies are likely to first consider targets where they currently maintain persistence.

“If organizations are fully defending against APTs — utilizing defense-in-depth methods, educating users about how to spot phishing and rejecting known breached and common passwords — then your technical bases should be covered,” Smothers says.

SOURCE

Recommendations from our partner, SentinelOne

  1. Disable unnecessary ports and protocols. A review of your network security device logs should help you determine which ports and protocols are exposed but not needed. For those that are, monitor these for suspicious, ‘command & control’-like activity.
  2. Log and limit the use of PowerShell. If a user or account does not need PowerShell, disable it via the Group Policy Editor. For those that do, enable code signing of PowerShell scripts, log all PowerShell commands and turn on ‘Script Block Logging’. Learn more from Microsoft.
  3. Set policies to alert on new hosts joining the network. To reduce the possibility of ‘rogue’ devices on your network, increase visibility and have key security personnel notified when new hosts attempt to join the network.
  4. Backup now, and test your recovery process for business continuity. It is easy to let backup policies slide, or fail to prove that you can restore in practice. Also, ensure you have redundant backups, ideally using a combination of hot, warm and/or cold sites.
  5. Step up monitoring of network and email traffic. The most common vectors for intruders are unprotected devices on your network and targeted phishing emails. Follow best practices for restricting attachments via email and other mechanisms and review network signatures.
  6. Patch externally facing equipment. Attackers actively scan for and will exploit vulnerabilities, particularly those that allow for remote code execution or denial of service attacks.

What is Secure Sense Doing for Our Clients?

Secure Sense has been following events as they unfold and has established heightened alert severities for relevant IoCs and related activity monitoring. In addition to our own threat research, Secure Sense receives threat intelligence and IoC information from a variety of sources including government funded threat list sharing and sources from our partners. Our SOC has been providing relevant updates/briefing information to customers, along with proactive threat reports available via our customer portal. Our team of dedicated CSMs has been engaged to brief customers and to field any requests/concerns regarding the measures we have implemented to ensure customers remain up-to-date and have their concerns addressed.

Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout. If you’re looking to guest blog, please send an email here.

You can also find us on TwitterFacebook,  LinkedIn.

Post Tags:

Related Posts

Effective Patch Management Tools for Your Organization

Welcome back to the...

The Evolution from Password Managers to Privileged Access Management. Which is right for you?

Welcome back to the...

A Secure Sense Competitive Advantage

Welcome back to the Cyber Security Month blog! In last week’s blog, we talked about the importance and value of an MSSP, what sets Secure Sense apart from other MSSP’s and how Secure Sense can help your business. Today, we want to continue the conversation around the competitive advantage of working with Secure Sense and what sets us apart in the world of managed security.

In addition to our dedicated customer success teams and our 24×7 SOC (read more in the previous blog here) Secure Sense’s white glove service stands out in many other ways. Continue reading to find out the secret keyphrase, and our competitive advantage.

Expert engineers/analysts

Our experienced technical team comes from diverse technical backgrounds, representing a wealth of security knowledge. They play an integral role in everything we do at Secure Sense; from evaluating partners to developing services, allowing us to focus entirely on the best products and the highest training certificates.

Our engineers, architects, and analysts are required to ensure they are up-to-date on technical training. In addition to solution technical training, our technical team has focused on training in the following areas:

  • Communication for clearer and more accurate ticket updates​
  • Troubleshooting skillsets have led to fewer escalations internally, and ultimately shorter times to remediate​
  • Critical analysis skills which have measurably improved our ticket responses in providing higher quality responses to tickets.

This training has had a measurable increase in the quality of our services, as well as time to remediate and reduce escalations.

Our SOC has many teams that work with our expert analysts to ensure you receive the most from your service. In addition to our security analyst team, Secure Sense has four other technical teams: the reporting team, the threat intel team, the automation team, and the purple team.​

Automation team:

The Secure Sense automation team reviews customer requests, as well as potential customer controls, and ties those controls in with our managed services for automated systems mitigation, stopping threats in their tracks.​

The team is also responsible for:

  • Automated SIEM log analysis, tied into our Threat intelligence team to streamline the ingestion of IOCs into our managed services.
  • Implementing our vendor vulnerability review and remediation systems allows us to reduce our critical vulnerability remediation windows and provide improved visibility into coverage and reporting.
  • Delivering smart-responses from our SIEM solution, and implementation of Reporting team recommendations and improvements.​
  • Automating reporting and alerting directly into our ServiceNOW portal, providing short response times to customer alerts

Reporting team:

Secure Sense has created a dedicated reporting team to streamline and bring more meaningful data to our customers on a regular basis. This team not only builds custom reports, but also analyzes how our customers are using our services, identifying any particular improvements that we could be making to the services, and providing recommendations to the rest of the managed service teams.​

Our reporting team also builds datasets and analyses based on our customer tickets, as well as managed service systems, to identify new use cases and patterns that we can leverage to improve services internally.​

Threat intel team:

Our internal Threat Intel team reviews various events that have occurred and identifies the relevant TTPs. They provide this intelligence to our purple team which will operationalize it.​

The Secure Sense threat intel team focuses on both systematic collection of IOCs and analysis thereof, as well as individual TTPs that are used to identify new and emerging threats. ​The team looks at those tools, Techniques and procedures that threats are using in the market, and identifies how they could be leveraged against our existing customer base, along with better enhancing our services to detect those TTPs when in use.​​

Purple team:​

Secure Sense’s Purple team reflects the blend of both defensive or blue team skillsets, along with offensive or red team skillsets. The team takes tools, techniques and procedures identified by the threat intel team, analyses our customer’s environments and identifies if we can detect them. ​ With customer collaboration, the Purple team can provide execution packages where we can simulate specific components of a threat, and then validate that we have visibility into that TTP being run in a customer environment.

Professional services

Secure Sense’s implementation and support experts are experienced in a wide variety of Professional Services engagements with specialized tactical teams within our extended technical bench, focused on specific technologies and or products.

In most cases, Professional Services are project-based services that require a skilled engineer or architect for a one-time project or short-term change in your organization; or a senior consultant to provide a wide range of risk advisory services. Project teams will also typically address any ongoing support or maintenance after the initial project is complete.

Our cybersecurity consultant team and senior architects hold a broad range of top industry certifications and credentials, along with many years of experience in the industry. Our methodologies for common engagement types have been developed and refined to reflect the most up-to-date best practices and to scale to projects of any size, including global enterprise enablement.

A few of the engagements we commonly offer include:

  • Cybersecurity Architecture Assessment and Design
  • Solution Implementation Services
  • Health Checks
  • Penetration Testing
  • Vulnerability Assessments
  • Threat and Risk Assessment
  • Enablement & Training
  • Ongoing Support

Secure Sense focuses on continual training and certification among our technical ranks in order to provide the most knowledgeable technical support.

Security training

Secure Sense offers security training and can assist in helping your organization to create its cyber security training program. From general employee awareness training to specific security training for your IT and security staff, Secure Sense can help your organization combat the threats they face on a daily basis. Our team is able to offer:

  • Engaging user awareness training for end-users
  • Technology training for security solutions and products
  • Security Analyst training
  • Threat hunting training
  • Threat simulations to give your internal security teams practice in using internal tools
  • Tabletop exercise development and execution to simulate incidents and incident response

Your Key word is “Purple Team”

Don’t forget! Take this keyword and head to our LinkedIn page here to comment on it for your chance to win one of many prizes this month!

As always, if you’re interested in learning more about Secure Sense’s competitive advantage or any of our services, don’t hesitate to reach out to us at 866-999-7506 or sales@securesense.ca!

Continue reading