- An Iranian cyberattack is a viable possibility in retaliation for Gen. Qassem Suleimani’s assassination, says Phil Quade, chief information security officer at Fortinet.
- National, commercial and local targets would be consistent with Iranian attack history and tactics.
- To protect yourself, techniques such as storing backup copies offline and evaluating your firewall architecture should be put in place now.
There's much speculation on Iran's plans in response to heightened world tensions and what it might mean in the cyberspace domain. We've already witnessed an Iranian kinetic response on U.S. assets in Iraq, so it's worth assessing whether we're experiencing cyber fear-mongering or if companies and governments should take steps to help protect themselves if needed.
The key is to ascertain whether it is a viable threat. "Threat" is a combination of motivation, willingness and capability. In this case, seemingly, Iran wants to strike back at U.S. interests (motivation); believes it has little to lose, with maximum sanctions already in place, and much to gain (willingness); and is known to have attack tools at its disposal (capability).
Recall the Iranian hacker groups, allegedly working on behalf of the Iranian government, that beginning in 2012 conducted distributed denial-of-service attacks against dozens of American banks and, in 2013, gained access to the control system of the Bowman Avenue Dam in Rye Brook, New York, north of New York City.
Those who raise the threat of an Iranian cyberattack as a possible or likely response in 2020 are not recklessly beating the drum.
Who might the Iranians aim their potential attacks at, and why? National, commercial and local targets would be consistent with Iranian attack history to demonstrate Iran's ability to "slap back."
At the national level, targets include U.S. government systems, ranging from departmental public-facing web pages to the systems actually used to communicate or organize the U.S.'s plans to address Iran. This includes the perceived instruments of U.S. government pressure against Iran, for example defense, finance, commerce and diplomatic systems.
Commercially, although private firms are more often targeted by criminals than by nation-states, the U.S. financial sector, banks in particular, has been attacked by agents of Iran in the past, so it would certainly seem possible for it to be on their target list again. Other commercial entities perceived as instruments of government power, such as defense contractors or energy providers, may also be targeted for the same reason.
Local governments might be targeted as an attempt to directly affect the U.S. population, as it is the easiest way to potentially impact the populations in cities or towns.
Additionally, certain critical infrastructures in such industries as oil and gas and chemicals might be targeted, since Iran has technical expertise in those sectors.
Contrary to popular belief, it's hard to implement an impactful, sustained and scalable cyberattack. While an attacker might be able to achieve one of those goals, accomplishing all three is complex. The most likely techniques that could be executed quickly include:
- Distributed Denial of Service (DDoS) attacks, in which systems or communication links are flooded with bogus traffic until legitimate users can no longer get through.
- Ransomware attacks, in which data within systems is rendered unusable unless an attacker demand is met.
- Sleeper agent attacks, in which malicious cyber implants are placed in key systems during "peacetime" and activated through remote control during a crisis to enable access for malicious activities.
So if the threat is realistic, what should be done? While it's never a fair fight to expect a private company or local government to defend against a nation-state attack — we need to depend on the Federal government's diplomatic and national defense capabilities to defend the nation — there are commercial techniques that can be employed immediately to become more resilient.
- Separate your critical assets. Evaluate your firewall architecture to ensure that critical assets are separated into well-protected domains, with traffic between domains denied by default and allowed only as needed, so that the compromise of one domain does not become catastrophic.
- Create multiple communication options. Give yourself multiple paths to communicate in the face of denied or congested communications, using SD-WAN capabilities. SD-WAN lets you steer traffic across several underlying links (for example, MPLS, broadband and cellular) and change the path you use depending on a variety of factors, including availability; choose an implementation that encrypts the traffic between sites. Ensure that the commercial service agreements with your network service provider include the ability to add optional communication bandwidth and cloud capacity on short notice.
- Follow procedural safeguards. Make backup copies of critical data and store them offline, disconnected from the network, to counter ransomware attacks, and test that they can actually be restored.
- Use automated and integrated cybersecurity techniques. Implement a platform approach to integrating security devices. Arm yourself with commercial security tools, such as Endpoint Detection & Response (EDR) and Security Orchestration Automation & Response (SOAR), which provide the ability to quickly detect and automatically respond to a potential attack.
- Inspect suspicious cyber communications. Look at suspicious content using advanced cybersecurity techniques, such as detonating suspected malicious email attachments in a safe, isolated environment to test for potential threats, and inspecting encrypted traffic (decrypting it at a trusted gateway where policy allows) to find the periodic "beaconing" that pre-placed command-and-control implants rely on.
- Leverage up-to-date threat intelligence. Ingest and put into place threat indicators: the IP addresses, domain names, URLs, file hashes and other observable patterns that are known "signatures" of malicious software and the infrastructure behind it. These are available commercially and through the government and can be used to block known attacks and their derivations; keep them current, since attackers rotate infrastructure and stale indicators generate noise rather than protection.
It's often said, correctly, that cybersecurity is a team effort. In the face of a motivated and capable nation-state attacker, that's as true as ever. In the face of heightened international tension, we need to depend on the important and unique national defense capabilities of the U.S. Government, such as CYBERCOM, NSA and the CIA. At the same time, companies and local governments should make the prudent self-defense preparations noted above, be prepared to share indicators of attack with information-sharing brokers, and know how to enlist the support of the local FBI office if under duress from a suspected Iranian attack.
— By Phil Quade. Mr. Quade is chief information security officer at Fortinet and a member of the CNBC Technology Executive Council