In light of the recently developing conflict with Iran, we are bringing back into view this blog post and podcast, originally published in July, 2019.
High-level tensions between the US and Iran are again on the rise. In June, the Department of Homeland Security’s cybersecurity chief Christopher C. Krebs recently issued a dire warning to American businesses:
“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money.
“These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing.
“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
Sophisticated, government-sponsored hackers going after your network — what could you possibly do to stop them?
More than you might think at first glance, says RiskLens Risk Science Director Dr. Jack Freund. In this 4-minute podcast, Jack presents cybersecurity defenders with a rational, risk-based response to a potential threat coming from Iran. Jack is the co-author of Measuring and Managing Information Risk, the book about FAIR, the model that powers the RiskLens platform – and FAIR is first of all a way to apply critical thinking to threats to gain an accurate picture of risk.
Listen now or read the transcript below.
Q: So, Jack, the Department of Homeland Security recently warned American businesses to be on guard for cyber attacks from Iran – and they mentioned spear phishing, password spraying, data wipers and other techniques.
What’s your recommendation to American businesses on how to prepare for this threat in, let’s say a rational, risk based way?
A: Well, thank you for having me, Jeff, and I’m happy to help these organizations think about how to rationalize these attacks in the scope of this increase that we may be seeing from Iran.
I think one of the things that’s really important to remember is that these attacks should not be new to you. Defending against them is not necessarily the thing that you should be unprepared for.
Password spraying, phishing, these are run-of-the-mill attacks that your organization should be looking for anyway.
So, in thinking about this enhanced attack from Iran, really you need to be thinking about ‘What are the IOCs that we need to be looking for anyway that are going to be targeting our organization.
And that gives us the opportunity to really focus on what’s the meat and potatoes of the kind of organizational threats that we’re looking for every day.
Rationalizing them in the scope of Iran means we may see more of them, they may be better, but they’re not necessarily going to be significantly more sophisticated than the ones that we are already looking at.
Q: IOCs – that’s indicators of compromise, right?
A: That’s correct.
Q: And how do you think the FAIR model can guide businesses, in terms of conceptualizing their response?
Jack: One of the really interesting things about FAIR is that it treats threat agents like Iran as a continuum of possible attacks.
So, we use a range of attack percentiles, from one percent to 99 percent, to represent the threat capability that these groups may bring to bear.
So, for Iran, as an example, we typically call that a nation-state attacker and these tend to be the most highly weaponized, highly resourced groups that we may face so they can operate as high as 99 percentile.
But one of the interesting things about this is, like all attackers, they’re lazy like everybody else. They want to do the minimum amount of work necessary to accomplish what they need to.
So, when you are analyzing this threat in the scope of your organization, while it may be possible they could bring to bear something in that highest percentile, they may not need to.
So that’s why the Department of Homeland Security is talking about weaponizing phishing and password spraying and data wipers. Those are pretty run-of-the-mill tactics. If I can use those to break in and they’re easy and they’re going to be effective, I’m going to do that. I’m not necessarily going to bring out of the closet that secretive new zero day vulnerability. I’m going to wait for some other organization that is a more highly valued target.
If you are one of those highly valued targets, like the energy sector or something like that, then you need to be on the lookout for those.
But if you are an average American business, I think most of those are attacks you have already seen and those threat agents could operate at a lower level just to create chaos and havoc in your organization and across the American business sector.
Jeff: Well, that is indeed some practical advice…. Thanks very much, Jack!
Jack: Thank you, Jeff.