As if security operations professionals don’t have enough on their plates, they can add a new geopolitical event — the U.S. killing of top Iranian Gen. Qasem Soleimani — to their list of potential sources of grief.
The strike prompted the U.S. Department of Homeland Security (DHS) to point to an advisory it issued last summer, when the agency warned that malicious actions via Iran are “often enabled through common tactics like spear phishing, password spraying and credential stuffing.”
Those threats are not uncommon for a security operations center to address, and they are obviously not unique to Iran as a purveyor. Where the country has earned an aggressive reputation in cyberspace, however, is through “wiper” attacks: a class of malware designed to destroy targeted files, unlike ransomware, which is typically profit-driven.
On Jan. 6, the DHS issued an in-depth National Cyber Awareness System alert to security teams. The notification listed previous attacks attributed to Iran, as well as recommended best practices. They include:
1) Minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.
2) Ensuring security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
3) Ensuring personnel know how and when to report an incident and that they are familiar with the key steps they need to take during an incident.
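Item 2 above asks analysts to recognize anomalous behavior and to flag known indicators for immediate response, and the DHS advisory quoted earlier names password spraying as a common tactic. The following script is an added example, not code from the article or from Siemplify; it runs two simple detectors over constructed authentication log lines. The log format (timestamp, source IP, username, result), the sample events and the single placeholder indicator are all made up for the example; a real SOC would substitute its own log source and the indicator feed it consumes.

```python
"""Added example: flag password-spraying sources and known-indicator hits in auth logs.

Password spraying tries a few passwords against many accounts, so it slips past
per-account lockout thresholds; the tell is one source failing against many
distinct accounts in a short window. A later success from that source is the
finding that needs an immediate response.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2020-01-06T10:00:01Z,198.51.100.7,alice,FAIL
2020-01-06T10:00:03Z,198.51.100.7,bob,FAIL
2020-01-06T10:00:05Z,198.51.100.7,carol,FAIL
2020-01-06T10:00:07Z,198.51.100.7,dave,FAIL
2020-01-06T10:00:09Z,198.51.100.7,erin,FAIL
2020-01-06T10:00:11Z,198.51.100.7,frank,SUCCESS
2020-01-06T10:05:00Z,192.0.2.44,alice,FAIL
2020-01-06T10:05:02Z,192.0.2.44,alice,FAIL
2020-01-06T10:05:04Z,192.0.2.44,alice,FAIL
2020-01-06T10:05:06Z,192.0.2.44,alice,SUCCESS
2020-01-06T10:10:00Z,203.0.113.9,grace,SUCCESS
"""

# Placeholder indicator list (documentation address, constructed for this example).
# Replace with the IoC feed your threat-intelligence process delivers.
KNOWN_BAD_SOURCES = {"203.0.113.9"}


def parse_log(text):
    """Turn the CSV-style sample lines into event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip,
            "user": user,
            "ok": result == "SUCCESS",
        })
    return events


def detect_password_spraying(events, window_minutes=10, min_accounts=5):
    """Return {source_ip: [accounts]} for sources whose failures touched at least
    min_accounts distinct accounts inside any window_minutes span.
    Repeated failures on a single account (brute force) are deliberately not
    counted here; that pattern is what per-account lockout already catches."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            by_ip[e["ip"]].append(e)
    window = timedelta(minutes=window_minutes)
    hits = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits in window_minutes.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits


def detect_success_after_spray(events, spray_sources):
    """Accounts that logged in successfully from a spraying source: the spray
    most likely worked, so these go to the top of the response queue."""
    return sorted({(e["ip"], e["user"]) for e in events
                   if e["ok"] and e["ip"] in spray_sources})


def match_indicators(events, iocs=KNOWN_BAD_SOURCES):
    """Flag any event whose source appears on the indicator list."""
    return sorted({(e["ip"], e["user"]) for e in events if e["ip"] in iocs})


def triage(text):
    """Run every detector over one log excerpt and return the findings."""
    events = parse_log(text)
    spray = detect_password_spraying(events)
    return {
        "spray_sources": spray,
        "likely_compromised": detect_success_after_spray(events, spray),
        "ioc_hits": match_indicators(events),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample data the script reports 198.51.100.7 as a spraying source (five accounts failed within ten seconds) and the subsequent success on the frank account as likely compromised, and it flags the login from the placeholder indicator; the three failures on alice from 192.0.2.44 are not reported, since one account under repeated attempts is a brute-force pattern, not a spray. The window and account thresholds are the knobs a playbook would document so that analysts tune them consistently.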
Whether any major attacks develop as a result of Soleimani’s killing remains to be seen, but businesses, especially those in target-rich environments like finance, health care and critical infrastructure, should use the event as a reminder of the importance of well-documented, well-rehearsed incident response processes and security operations procedures, including playbooks. Playbooks ensure that everyone in your organization is on the same page, executes processes the same way and knows their role in the event of an incident. As with attack simulations, playbooks can be created in a variety of ways, including the automated playbooks available within many security orchestration, automation and response (SOAR) platforms.
John Kitchen, senior sales engineer at Siemplify, said organizations should take the Iran threat seriously, but conceded the country is just one of multiple potential adversaries that organizations must square up against. He added:
- All U.S.-based industrial control systems and SCADA infrastructure are at risk from anyone with the means to penetrate them.
- Iran has likely waged disruptions in the past — and this year’s U.S. elections are a viable target — but it is questionable whether the country can inflict as much digital damage as other nation-states like China and Russia.
- Exercising precautionary measures is prudent for every organization.
Dan Kaplan is director of content at Siemplify.