Cadre’s manager of Knowledge Services, Tim O’Connor, was invited to an FBI Cyber Security briefing on the official Threat Profile for Iran. He gave us a download on everything he learned about what to look for and how to protect your company.
Read on to learn more!
1. Did you walk away from the briefing feeling as though there was information that was particularly relevant to our readers’ security situation?
Yes, indeed there was. The FBI Cyber Security briefings cover a range of issues relevant to organizations of all sizes and types. Many of these things I will address later in this interview. Overall the FBI Threat Profile is an excellent guide for understanding the scope of the situation and while the military situation seems to be de-escalating, cyber security threats are expected to continue. In addition to the Threat Profile, the FBI gave additional guidance, including recommended actions--but more on that later.
2. After attending the briefing, what is the #1 thing you think every company should do?
The number one thing is to adopt a state of heightened security awareness and to be able to contact the appropriate people or agencies in the event of a suspected incident.
Ideally, organizations should already have a plan in place on what actions might constitute threat activity and how to respond.
3. In 2012, Iran is believed to have launched cyberattacks on US banks and other US and international entities that fell into disfavor. What have we learned from the past attacks?
We have learned a great deal some of which I will address in later questions. We know that Iran has formed an organization called “The Cyber Defense Command” and they rank 4th in the world as a “cyber army.” One piece of good news, if you can call it that, is that much of the cyber army resources are used internally to monitor the country’s own citizens and information flowing in and out of Iran.
We also know that Iran's activities qualify as a Persistent Threat. In simple terms, this means that they are very patient. Because they are not after a monetary payoff, they can take their time using slow and methodical types of attacks that are much more difficult to detect than the kind of traffic generated by evil hackers motivated by financial gain.
4. Who is believed to be directing these attacks? Are they independent hackers or is it the Iranian gov’t?
Both and more.
Iran has been directly involved in a number of serious attacks and also has been caught probing and profiling US systems. The Iranian cyber army was caught probing the US power grid and other infrastructure systems over a span of several years and we saw this again in 2018.
As mentioned previously, the Iranian cyber army has a lot on their hands with their own affairs so they very commonly work with other nation-state or political groups (hacktivists) against the US and other western nations. Many of the most successful attacks so far have been through these proxy groups.
Another related and interesting issue is ‘copy cat’ hackers. Because of the political spotlight on these current events, all kinds of hackers are likely trying to cause disruption and mayhem in hopes that it will feed into the current political climate. Russian hackers, for instance, were observed impersonating Iranian hackers.
5. What is the goal? Pure disruption or is there an end goal beyond that?
We don’t really directly know what their goals are either in the short- or long-term but we can make some educated guesses based on what we have discovered so far and what the government of Iran has done.
We know that they are both patient and also willing to go after short-term opportunities. They appear to be open to any kind of harm that they can cause and also have an interest in small plays that might give them political recognition.
6. What businesses/infrastructures, etc., were considered most at risk?
As mentioned above, we don’t know their motives exactly as they have attacked both businesses and large infrastructures. We in the US are behind in much of our risk mediation and this is a significant problem, especially when we are actively pursuing actions in the Middle East and with Russia.
I am reminded of the old saying that those that live in glass houses shouldn't throw stones. Cyber terrorism is a “level playing field” for small or less armed nations and they will take advantage of this. In October of 2019, researchers identified twenty-six thousand industrial control systems in the US that are easy targets for hackers.
7. Why should independent businesses be worried, especially if they aren’t related to industries like politics or infrastructure?
Iran has targeted the US Financial Sector, intellectual property data and has even attacked the Las Vegas Sands Corporation.
8. What types of attacks are considered most likely by the FBI?
I have not seen a structured list of attacks, at least so far. They have called out limiting the use of PowerShell a Microsoft scripting system related to Unix shell scripting but based on .Net (DotNet). Most of the advice is less system specific.
9. What are “gaps” companies should examine?
The FBI Iranian Cyber Response alert specifically recommends looking at traffic logs and protocols, monitoring of email traffic, patching externally facing equipment, securing use of PowerShell, and verifying backups are safe, offline, and up to date.
The most significant gaps many organizations have are a poor Security Awareness program, low scores on maturity models and poor security culture and buy-in. Security Awareness is one of the most powerful and flexible defenses in this kind of threat environment. Security Awareness should go well beyond just practicing for phishing attacks.
10. How can targets protect themselves? Does it vary by industry or are the practices largely the same across the board?
Every organization will have specific risks. Every organization of every size, however, needs to have a plan.
Organizations should have a call tree that every employee knows how to use for reporting suspicious activity.
Before an incident occurs, organizations should have a plan outlining who to call if the issue goes beyond an employee’s capabilities or if the incident needs to be reported to an outside agency.
If your organization has a security team, have one or more of the senior members join the FBI InfraGard program. A few weeks after a background check, this employee will be able to have direct contacts and resources in the FBI CISA program. Alternatively (or if you don’t have a full security team), you can call me at Cadre Information Security as we bridge that gap for you.
11. How can targets mitigate risks from an attack?
Mitigation is primarily the same as what you should already be doing to protect yourself from all of the other kinds of evil hackers. Increase your security maturity and work out a good information security risk management plan.
Remember that there are many ways to deal with risk, including transferring risk, avoiding risk, mitigating risk, and accepting risk. Having an outside party verify these mitigations is essential even for small organizations.
12. Is there any estimate of the costs to businesses?
Not that I am aware of that are specific to Iran.
If you’d like to get more information about the FBI briefing on Iran--or just discuss ways to generally protect your business--please contact us.
Another great (and fast!) way to see where your company could be better-protected is to take our five-minute scorecard!