Post From The President: Takeaways from Iranian Threat Briefing
Global Resilience Federation held a threat briefing last week on Iran featuring intelligence professionals from CSIS, FireEye, CrowdStrike, iDefense/Accenture and GRF. A lot of interesting points were made, along with some great commentary on TTPs and risk mitigation. To see a recording of the entire webinar, register here.
There are a number of physical and cybersecurity takeaways listed below that may have been lost in the 24-hour news cycle - not in priority order. Please add your thoughts and I'll add them to the list!
First, the obvious: the U.S. and Iran seem to have avoided a broader conventional conflict.
However, Iran has been committing asymmetric attacks against the U.S. and other regional powers for years and will likely continue to do so.
Despite their hyperbolic rhetoric, major Iranian cyberattacks often coincide with what the regime sees as outside provocation - meaning there is calculus there that we can use to predict attacks on the private sector, including in the near future.
Iran does not hesitate to attack commercial entities for things said by company executives or actions taken by an organization’s national government. There is not a public/private distinction. See the Las Vegas Sands Corp. attack and the banking DDoS attacks.
Iranian proxies felt the launch of ballistic missiles by Tehran was not an adequate response to the death of Quds Force commander Soleimani.
Iranian proxies do not have significant cyber capabilities but do represent a physical security risk to U.S. and allied-nation military, government and civilian personnel. Business travelers should be extremely cautious.
Proxies and the IRGC have a history of local and international activity, including extra-regional bombings and attempted bombings (Argentina, London, Washington, D.C., France), demonstrating both intention and capability. However, physical attacks will likely be in Iran’s regional sphere of influence.
A significant cyberattack from Iran may come, but not necessarily in a window most might think of as “timely.” In the past, Iran has waited months to react to real and perceived slights. Cybersecurity professionals should maintain vigilance. The banking DDoS attacks of 2011-2013 were in reaction to Stuxnet, which occurred in 2010. Disruptive operations take time to plan and execute.
Cyberattacks are useful to Iran because muddled attribution may allow Iran to claim credit at home while denying its role to the US and the international community.
Iranian cyber threat actors use some custom tools but often leverage commodity malware and publicly available tools used by the pentesting industry.
Password spraying is a common practice. Ensure you’re using MFA. This applies to all web-facing tools.
Implement least privilege for VPN and public facing application user accounts.
Review recent advisories on vendor patches and notices from government, e.g., software updates, CVE notices, etc.
Enforce recommended registry configurations via group policy.
Limit the use of PowerShell and log PowerShell commands.
Enhance monitoring of network and email traffic. Review network signatures and indicators for focused-operations activity, monitor for new phishing themes and adjust email rules accordingly. Follow best practices for restricting attachments via email or other mechanisms.
Review network security device logs and disable all unnecessary ports and protocols. Monitor for command and control activity.
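As an added illustration of the password-spraying and monitoring points above (example code, not from the briefing or GRF), the following Python detector groups authentication failures by source: many distinct accounts with few failures each is the spray pattern, as opposed to many failures against one account, and a success from the same source is the event to escalate. The log format, thresholds and sample lines are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (assumed format): "<ISO timestamp> <source ip> <account> <result>"
SAMPLE_LOG = """\
2020-01-10T09:00:01 203.0.113.5 alice FAIL
2020-01-10T09:00:03 203.0.113.5 bob FAIL
2020-01-10T09:00:05 203.0.113.5 carol FAIL
2020-01-10T09:00:07 203.0.113.5 dave FAIL
2020-01-10T09:00:09 203.0.113.5 erin FAIL
2020-01-10T09:00:11 203.0.113.5 frank OK
2020-01-10T09:01:00 198.51.100.9 alice FAIL
2020-01-10T09:01:02 198.51.100.9 alice FAIL
2020-01-10T09:01:04 198.51.100.9 alice FAIL
"""
def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect_password_spray(log_text, min_accounts=5, max_per_account=2, window_min=10):
    """{source_ip: [accounts]} for sources whose failures within window_min minutes hit
    >= min_accounts distinct accounts with <= max_per_account failures on any one of them
    (many accounts, few guesses each); a brute force against one account is not flagged."""
    failures = defaultdict(list)  # source ip -> [(timestamp, account), ...]
    for line in filter(None, log_text.splitlines()):
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))
    alerts, window = {}, timedelta(minutes=window_min)
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # try a window starting at each failure
            per_account = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_account[user] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                alerts[ip] = sorted(per_account)
                break
    return alerts

def successful_logins_after_spray(log_text, **kwargs):
    """Accounts that logged in successfully from a flagged sprayer: escalate these first."""
    sprayers = detect_password_spray(log_text, **kwargs)
    hits = defaultdict(set)
    for line in filter(None, log_text.splitlines()):
        _, ip, user, result = parse_line(line)
        if ip in sprayers and result == "OK":
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}
```

In the sample, 203.0.113.5 is flagged (five accounts, one failure each, then a success for frank) while 198.51.100.9 is not, since its three failures all target one account.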
Originally published on LinkedIn.