Iranian Cyber Attacks on Enterprises Escalating from Bad to Worse

If you conduct a search on the keywords Iran, cyber, and attack, you will find many articles summarizing Iranian attacks. Look at those from the Wall Street Journal and Microsoft, reporting of 100’s of attacks on enterprises. Victims also include municipalities, such as the infamous ransomware attack on Atlanta.

Before Soleimani’s death, economic sanctions fueled Iranian desperation, evidenced by their many provocations in 2019. Since his death, they are enraged. But, they are not stupid. The diplomatic statement following their missile attack into Iraq strived to avoid an escalation to war. So, what do they want? 

US Enterprises Need to Know.

Iran wants the sanctions lifted as part of a deal similar to what they had with the Obama administration. The Trump administration seeks a deal that more aggressively curbs Iranian nuclear, terrorism, and geopolitical ambitions. The difference between the two deals is so significant that many speculate that Iran may hold-out for a successor to the Trump administration while trying to undermine Trump politically. Headline-making destructive cyberattacks on US enterprises unable to conduct business would do so. 

What do the 2018-19 Iranian Cyber Attacks indicate for 2020?

Mitre Att@ck has useful information regarding the tactics, techniques, and procedures (TTP) used by Iranian cyber-attack groups: APT33Charming KittenOilRigAPT39CleaverCopyKittensGroup5LeafminerMagic Hound, and MuddyWater. The attack groups use various techniques such as malware obfuscation, living-off-the-land, detection evasion, and lateral movement methods that defeat detection-centric enterprise cyber defense tools. 

Unfortunately, most enterprises operate cyber defenses that tolerate intrusion dwell times up to months. According to “Cost of a Data Breach Report 2019”, Ponemon/IBM, July 2019, the average durations across all industries from breach to detection to containment are 230 days and 84 days, respectively. These numbers include results from enterprises using the latest “next generation” machine learning behavior analytics and binary analysis tools (a.k.a., detection-centric defenses).

On top of this, expect aggressive business email compromise attacks to spread from one enterprise to others in the supply chain.

Preventative Countermeasures Against Iranian Destructive Cyber Attacks 

Gartner has increasingly noted that the high Sec-Ops costs of ‘detect & react’ cyber defense postures necessitate greater hardening of cyber defenses, which is also essential to deflecting destructive cyber attacks. Further, hardening includes attack surface reduction, which means blacklisting utilities/tools on workstations and servers that adversaries use to harm the enterprise. Be sure to conduct realistic exercises that confirm that IT/Sec-Ops personnel can do what they must do on endpoints despite hardening policies. 

Robust hardening is not done overnight with most endpoint protection platforms. The following countermeasures do not involve adding or replacing cyber tools:

  • Focus patching on apps known to have software vulnerabilities exploited 'in the wild', followed by those with CVSS scores of 9 or 10. Some threat intelligence providers have predictive models that can further narrow this focus to what apps to prioritize for patching.
  • Use existing tools to blacklist utilities on endpoints that are not needed and mentioned in the Mitre Att@ck profiles on the Iranian cyber groups.
  • Conduct realistic back-up recovery exercises to confirm what is expected would occur, as well as to determine if substantial performance gains can be attained via human improvement
  • Increase multi-factor authentication settings. Some systems allow cached credentials for authentication, requiring second factors periodically (e.g., Gmail, Office365). Reduce such periods to daily, possibly more.
  • Increase phish simulation email frequency to at least two per week, choose realistic exercises, and find ways to make end-users feel a sense of urgency
  • Reach out to your supply chain and revisit any previously agreed upon coordination. Iran’s shift to destructive attacks may warrant changes.