Defending Against State-Sponsored Hackers

Within days of the U.S. military strike on Iran, U.S. government websites were defaced in a retaliatory effort.

While defacing websites for political gain is an outdated hacktivism tactic, security professionals should still be aware of additional activities of concern given the U.S. Department of Homeland Security’s (DHS) advisory published on January 4th.

Additionally, DHS’ Cybersecurity and Infrastructure Agency (CISA) has issued several other warnings about the tactics commonly used by Iran, its proxies and sympathizers as well as the potential for Iran-backed hacking groups’ response to the U.S. attack.

Who is at risk?

As stated by The Chertoff Group, retaliation is a question of when, not if - attacks from Iran could have major implications for U.S. private sector organizations and civilians. It’s safe to assume that security and threat intelligence professionals who work in any line of critical infrastructure should be on guard; however, security teams at organizations in other industries may be wondering if they are a target for Iranian-backed threat actors. The truth is that there has been a noticeable increase in the frequency of overall state-sponsored attacks directed towards commercial organizations over the past five years.

For example, the U.S. Department of Justice (DoJ) charged nine hackers with ties to Iran’s Islamic Revolutionary Guard Corps for cyber attacks that resulted in the loss of scientific data and intellectual property from 144 U.S. universities, 176 universities across 21 foreign countries, 36 U.S.-based private companies, 11 foreign private companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission and the U.S. states of Hawaii and Indiana.

Point being, no one is safe, which means that security professionals need to think about their risk management strategy through the lens of both impact and likelihood of attacks.

Attribution can be difficult

The reality is that Iran has well-funded and state-supported offensive cyber capabilities, and cyber attacks have become an integral component of modern warfare. However, security professionals’ concerns should not be solely focused on Iran’s capabilities - the truth is that this situation presents a great opportunity for other hackers or even state-sponsored groups to attack.

This is due to the fact that attributing cyber attacks is a difficult task - another threat actor could easily choose to emulate the tactics, techniques and procedures (TTPs) used by Iran and even spoof Iranian IP space in order to trick the victim and fly under the radar.

For example, the Turla group, a Russian cyber espionage unit, hijacked the tools of OilRig, a hacking collective with ties to the Iranian government. The Turla group used these stolen tools to emulate OilRig’s TTPs and targeted military establishments, government departments, scientific institutions and universities around the world before their activities were uncovered by a joint U.S. and U.K. investigation.

How can my business defend itself?

A great security strategy begins with understanding what you are up against. There are several resources security professionals can turn to in order to have a rich understanding of state-sponsored attackers’ methods. MITRE is one such resource, as it boasts a vast inventory of Iranian-, Russian- and North Korean-backed hacking groups’ TTPs, organized under the ATT&CK framework. Security professionals can also learn more from industry threat observation sources such as CrowdStrike’s blogs, which dive deeper into these groups’ technical methods.

The next step in your defense strategy should be taking advantage of your newfound knowledge of state-sponsored hackers’ TTPs. By leveraging emerging platforms that automate breach and attack simulations, companies can “safely hack themselves” with known Iranian, Russian and North Korean attacks as a way to determine their cyber readiness and recoverability against similar attacks.

The results from these proactive evaluations will help organizations learn which attacker techniques they are most vulnerable to, so they can focus on defending against them.

Companies can also map the security technologies they have in place to thwart these attacker methods to ensure they have the right defense against an Iranian offense. This approach is like a better security audit, which tests the security configuration continuously, and more cheaply, using automation of real attacker behaviors.

Endpoint security solutions, defensive logical boundaries, data governance protections and hardened incident response plans are typical cybersecurity investments that should be in-place and exercised regularly to defend against these types of techniques.

As a result, security professionals can find major gaps in attacker kill chains (which are prime for investment), areas with overlapping security investment (which are prime for savings), and lots of things to fix (security tools that are not configured correctly). This level of continuous information is gold when trying to decide whether gaps are survivable or should be dealt with through compensating capability.
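As an added illustration (not from the original article or from any vendor's product), the sketch below sorts the results of a simulation run into the three buckets described above: gaps, overlapping coverage and controls to fix. The technique IDs are real ATT&CK identifiers; the control names and simulation outcomes are constructed sample data.

```python
# Constructed sample data. Technique IDs are real ATT&CK identifiers; the
# control names and simulation outcomes are invented for illustration.
# CONTROL_MAP: which controls are *expected* to stop each technique.
CONTROL_MAP = {
    "T1566": ["email_gateway", "endpoint_agent"],  # Phishing
    "T1078": ["mfa"],                              # Valid Accounts
    "T1003": ["endpoint_agent"],                   # OS Credential Dumping
    "T1110": ["mfa", "siem_rule"],                 # Brute Force
    "T1041": [],                                   # Exfiltration Over C2 Channel
}
# OBSERVED: which controls actually blocked or detected the simulated technique.
OBSERVED = {
    "T1566": {"email_gateway", "endpoint_agent"},
    "T1003": {"endpoint_agent"},
    "T1110": {"siem_rule"},
}


def assess(control_map, observed):
    """Classify each simulated technique as a gap, an overlap, or a fix item."""
    gaps, overlaps, to_fix = {}, {}, []
    for technique in sorted(control_map):
        expected = control_map[technique]
        stopped_by = observed.get(technique, set())
        worked = [c for c in expected if c in stopped_by]
        failed = [c for c in expected if c not in stopped_by]
        # A deployed control that did not fire points at configuration, not budget.
        to_fix.extend((technique, c) for c in failed)
        if not worked:
            # Nothing stopped the technique: candidate for investment.
            gaps[technique] = ("all mapped controls failed" if expected
                               else "no control mapped")
        elif len(worked) > 1:
            # More than one control stopped it: candidate for savings.
            overlaps[technique] = worked
    total = len(control_map)
    coverage = (total - len(gaps)) / total if total else 0.0
    return {"gaps": gaps, "overlaps": overlaps,
            "to_fix": to_fix, "coverage": coverage}


if __name__ == "__main__":
    report = assess(CONTROL_MAP, OBSERVED)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Re-running the same assessment after each simulation cycle gives the continuous view the article describes, since a technique moving into or out of a bucket shows where posture has changed.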

This continuous, automated, attacker emulation based strategy will enable the company to improve the allocation of its cybersecurity budget, make sure it is prepared to withstand any of the TTPs it has been evaluated against and even give the C-Suite an accurate view of security posture.

U.S. organizations should expect to be attacked by state-sponsored hacking collectives; it is only a matter of time. However, with the aforementioned strategy, companies can ensure that they are as prepared as possible.
