Following the U.S. drone strike that killed Iranian Quds Force commander Qassem Soleimani outside the Baghdad airport on January 3, the government in Tehran vowed revenge.
On Tuesday evening Iran launched a series of missiles at two military bases in Iraq that housed U.S. forces. While the Pentagon has said those attacks were designed to kill Americans, the Iranian efforts were thwarted by the U.S. military’s Early Warning System. No U.S. personnel were harmed in the attacks and reports noted the damage at the bases was largely contained to taxiways, the parking lot and a damaged helicopter. U.S. officials said it was not the sort of damage that could be described as “major.”
Soon after the attacks, Iranian Foreign Minister Javad Zarif took to Twitter and announced, “Iran took & concluded proportionate measures in self-defense under Article 51 of UN Charter targeting base from which cowardly armed attack against our citizens & senior officials were launched. We do not seek escalation or war, but will defend ourselves against any aggression.”
It seems the threat of an actual war between the United States and Iran is now unlikely, but there are great fears that Iran and its proxies could conduct other attacks, notably cyberattacks, including on critical infrastructure.
“With the escalation of tensions in the Middle East, many are asking how far reaching the impacts could be for the U.S. private sector,” warned Warren Poschman, senior solutions architect at Comforte AG.
“While the impacts to the petroleum industry, defense contractors – and service members – supporting U.S. FOBs (forward operating bases) and travel providers are very direct, we cannot forget about the real potential for state-sponsored cyberattacks on both international and domestic U.S. interests,” Poschman told ClearanceJobs.
Cyber Levels the Playing Field
Cyber has long been seen as a force multiplier and is a tool that can allow the proverbial David to strike back at the world’s Goliaths. Iran has already been known to utilize cyber as a way to make systematic strikes against western interests.
“In 2018 the Department of Justice indicted several Iranian nationals in a scheme that penetrated universities, businesses and governmental organizations and stole more than 31TB of data primarily by using credential hacks,” added Poschman. “While much of the fear has been focused on utilities, communications, and other infrastructure, the track record indicates the focus will likely be on softer targets that are rich with identity data, financial data, and intellectual property data.”
Most military experts agree that Iran couldn’t go blow-to-blow with the United States in a conventional war, even one that would be a regional war limited to the Middle East. However, cyber enables it to respond indirectly.
The question is less whether cyber will play a role in Iran’s response than the scale at which such an attack occurs.
“Given that Iran already has a history of launching cyberattacks it seems almost inevitable in today’s climate that we’ll see new threats,” said Ray DeMeo, co-founder and COO of cybersecurity firm Virsec.
“Cyberattacks are an extremely cost-effective form of asymmetrical warfare, with even small attacks getting lots of publicity and causing general anxiety and fear,” DeMeo told ClearanceJobs.
How Should Business Prepare and Respond?
Since it is impossible for the private sector to stop such attacks from happening, the issue is then how to prepare and more importantly, how to respond.
“The only solution for businesses is to be extremely vigilant, upgrade aging security systems, and understand new hacking techniques that target applications during runtime and leave few clues behind,” suggested DeMeo. “Just like we accept higher levels of security and vigilance around air travel, heightened cyber security will be a fact of life, and businesses that are complacent will quickly get in the crosshairs.”
How to prepare might even depend on the type of business involved.
“Some organizations face a greater threat than others,” Paul Bischoff, privacy advocate with Comparitech, told ClearanceJobs. “Financial services, energy, oil and gas, health care, infrastructure, and any business that contracts with the federal government are a more likely target.”
Different Threat Vectors
Businesses may also have to prepare for several types of threats, such as malware, ransomware, network disruptions (DDoS attacks), data theft and phishing.
“Because Iran is a nation-state actor, it has a broad range of tactics at its disposal as well as the resources to conduct large-scale cyberattacks,” warned Bischoff. “Because Iran is unlikely to retaliate economically or militarily, cyberattacks should be expected instead.”
He suggested that defensive tactics include keeping software and firmware up to date, using firewalls and antivirus, encrypting data, access control with least privilege, using strong and unique passwords, intrusion detection, and educating all staff on how to detect phishing messages as well as a policy for dealing with these threats.
“High-risk organizations might want to hire white hat hackers to test their systems for security holes and oversights,” added Bischoff. “Businesses should also have a plan for when things go wrong. Create a disaster recovery plan that addresses each of these threats.”
Preparing for an attack by simply having a plan in place is the best first step, added Poschman. “The best way for organizations to protect data is by using a data-centric security approach that ensures data is kept secure and private, especially since traditional security measures such as strong authentication, firewalls and data-at-rest encryption are unlikely to deter access or theft going forward.”
Still, a plan of action should include some key fundamentals, explained Wayne Lloyd, federal CTO for RedSeal, a cyber terrain modeling company. These include: identifying critical data and where it is housed; knowing what assets – physical and virtual – are on your network; hardening your network devices and making sure they are securely configured; reviewing endpoint data sources to make sure you have full coverage of all endpoints on your network; and ensuring that your vulnerability scanner is scanning every subnet.
Moreover, Lloyd said the fundamentals, which should be understood at all levels of the company from IT to the C-suite, should also include factoring in accessibility to prioritize your highest-risk vulnerabilities and hosts; making sure only approved or authorized access is allowed; validating that all network traffic goes through your security stack(s); identifying unnecessary ports and protocols; and reviewing the rules on your network gear to determine whether they are valid and applied appropriately.
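As an added illustration of the inventory and rule reviews described above (example code written for this page, not code from the article or from RedSeal), the following Python script reconciles a constructed asset inventory against endpoint-agent and vulnerability-scanner coverage, then checks firewall allow rules against an approved-service list and ranks first the rules that are both unapproved and reachable from any source address. Every hostname, IP address, subnet and rule ID below is constructed sample data, not taken from the article.

```python
"""Reconcile asset inventory, coverage and firewall rules (constructed data).

Implements the checklist in prose: every asset has an endpoint agent, every
asset sits in a subnet the vulnerability scanner covers, and every firewall
allow rule exposes only an approved service, with "accessibility" (any-source
reachability) used to prioritize findings.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed asset inventory: hostname -> IP address (hypothetical values)
ASSETS: Dict[str, str] = {
    "web-01": "10.0.1.10",
    "db-01": "10.0.2.20",
    "hr-laptop-7": "10.0.3.45",
    "ot-hmi-2": "192.168.50.5",
}

# Constructed: hostnames currently reporting to the endpoint agent console
ENDPOINT_AGENTS: Set[str] = {"web-01", "db-01"}

# Constructed: subnets configured as vulnerability scanner targets
SCANNER_SCOPES: List[str] = ["10.0.1.0/24", "10.0.2.0/24"]

# Constructed: (protocol, port) pairs the business has approved for exposure
APPROVED_SERVICES: Set[Tuple[str, int]] = {("tcp", 443), ("tcp", 22)}

# Constructed firewall rules: (rule_id, action, protocol, port, source_cidr)
FIREWALL_RULES: List[Tuple[str, str, str, int, str]] = [
    ("fw-1", "allow", "tcp", 443, "0.0.0.0/0"),
    ("fw-2", "allow", "tcp", 22, "10.0.0.0/8"),
    ("fw-3", "allow", "tcp", 23, "0.0.0.0/0"),    # telnet, not approved
    ("fw-4", "allow", "tcp", 3389, "0.0.0.0/0"),  # RDP, not approved
    ("fw-5", "allow", "udp", 161, "10.0.0.0/8"),  # SNMP, not approved
    ("fw-6", "deny", "tcp", 445, "0.0.0.0/0"),    # deny rules are not exposure
]


def endpoints_without_agent(assets: Dict[str, str], agents: Set[str]) -> List[str]:
    """Assets in inventory that no endpoint data source reports on."""
    return sorted(host for host in assets if host not in agents)


def assets_outside_scanner_scope(assets: Dict[str, str], scopes: Iterable[str]) -> List[str]:
    """Assets whose address falls in no subnet the scanner is configured for."""
    nets = [ipaddress.ip_network(s) for s in scopes]
    missing = []
    for host, ip in assets.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            missing.append(host)
    return sorted(missing)


def unapproved_allow_rules(rules, approved: Set[Tuple[str, int]]) -> List[str]:
    """Allow rules whose (protocol, port) is not on the approved-service list."""
    return [rid for rid, action, proto, port, _src in rules
            if action == "allow" and (proto, port) not in approved]


def any_source_allow_rules(rules) -> List[str]:
    """Allow rules reachable from any source (a /0 source prefix)."""
    return [rid for rid, action, _proto, _port, src in rules
            if action == "allow" and ipaddress.ip_network(src).prefixlen == 0]


def prioritized_rule_findings(rules, approved: Set[Tuple[str, int]]) -> List[str]:
    """Unapproved rules, highest risk first: any-source rules precede internal-only ones."""
    unapproved = unapproved_allow_rules(rules, approved)
    exposed = set(any_source_allow_rules(rules))
    return sorted(unapproved, key=lambda rid: (rid not in exposed, rid))


def coverage_report(assets=ASSETS, agents=ENDPOINT_AGENTS, scopes=SCANNER_SCOPES,
                    rules=FIREWALL_RULES, approved=APPROVED_SERVICES) -> Dict[str, List[str]]:
    """Bundle every gap into one dict a practitioner can feed into a ticketing queue."""
    return {
        "no_endpoint_agent": endpoints_without_agent(assets, agents),
        "outside_scanner_scope": assets_outside_scanner_scope(assets, scopes),
        "unapproved_rules_by_priority": prioritized_rule_findings(rules, approved),
    }


if __name__ == "__main__":
    for finding, items in coverage_report().items():
        print(f"{finding}: {', '.join(items) if items else 'none'}")
```

Run stand-alone it prints the three gap lists for the constructed data. Inventory and rule feeds in a real environment come from the CMDB, endpoint console and firewall exports, which is why the functions take those as parameters rather than reading the constants directly.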
“Similar to how washing our hands remains the most efficient way to stop the spread of illness and infections, the Department of Homeland Security recommends all public and private sectors focus on ‘cyber hygiene practices,’” Lloyd told ClearanceJobs. “Simple failures of basic security practices are our weakest link, and Iran-associated threat actors are on the hunt for this low-hanging fruit.”