That comment appeared to be in response to a statement by Iran’s President Hassan Rouhani that his country would not be intimidated by U.S. sanctions.
Cipher Brief expert and former National Intelligence Manager for Iran, Norm Roule, told us this week that his regional contacts “…have seen a spike in Iranian cyberattacks over recent months. I expect this to continue until Iran’s Supreme Leader believes that the regime will be punished for such operations.”
Christopher Krebs, director of DHS’ Cybersecurity and Infrastructure Security Agency issued a warning over the weekend that “malicious cyberactivity” was on the rise. “Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to so much more than just steal data and money,” said Krebs in a statement posted to Twitter. “These efforts are often enabled through common tactics like spear phishing, password spraying and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
Back in 2011 and running through 2013, Iran conducted distributed denial of service attacks, or DDoS attacks (Distributed Denial of Service) against a large number of U.S. banks, including some of the largest banks in New York City.
In 2016, The Justice Department handed down an indictment on seven Iranian hackers who they believed were acting on behalf of the Iranian government.
“I know that the perception is that Iran attacked U.S. banks because of the sanctions that Treasury had implemented as part of a broader U.S. international policy to address Iran's nuclear weapons programs,” says Leslie Ireland, a Cipher Brief expert and former Assistant Secretary of the Treasury for Intelligence and Analysis. “I wouldn't be surprised if U.S. banks were again subject to cyberattack, but I'd also point out that when the U.S. has sanctioned Iran, the sanctions were against a range of industries. It wasn't just against the financial sector, but the airline sector, the Iranian shipping line, IRISL, was targeted. I think if you think this through from an Iranian perspective of trying to understand what they would consider to be a proportionate attack, I would encourage other industries, parts of our critical infrastructure, to consider the possibility that Iranian cyber actors could come after them as well.”
When it comes to how U.S. businesses should be thinking about the threat in light of the latest warnings, FBI Deputy Assistant Director Tonya Ugoretz told The Cipher Brief that “Cyber is a means for nation-states to achieve their strategic objectives, so it’s important to consider the geopolitical environment when assessing risk and network defenses. As Department of Justice indictments have shown, Iran has a history of both cyber espionage and disruptive and destructive cyberattacks. In addition to employing cyber hygiene best practices, we are all safer when we are forward-leaning in sharing information about suspicious activity – both across and between the government and private sector.”
The Cipher Brief tapped a number of other cyber experts with government and private sector backgrounds, to get a well-rounded take on today’s increased threat to U.S. businesses. We asked them what the latest provocations mean for business and which sectors are most likely to be targeted, as well as their advice on the top three things businesses should be doing right now to harden their defenses.
Rick Ledgett, former Deputy Director, National Security Agency
“Historically, Iran has been measured and proportionate in its responses in cyberspace - at least in their view,” says Ledgett. “So, any response is likely to follow suit.”
Rick Ledgett, Former Deputy Director, National Security Agency
“I would say that (in order of decreasing likelihood) military, other governmental, and commercial businesses associated with the U.S. are potential targets. But it’s possible that a destructive attack could spread beyond its intended target, much as NotPetya did in 2017. And so, all businesses should take precautions.”
“The top three things to do now are patch any vulnerable systems, install multi-factor authentication, and ensure there is a good backup of the corporate system. The first two are things that should be done anyway to make the network more resistant to compromise; the third is in case malware does get on the system,” says Ledgett. “I believe that in the long run, this new posture will provide additional deterrent value, but in the near term, the risk of breaches and destructive or denial of service attacks has increased.”
Admiral James ‘Sandy’ Winnefeld (Ret.), former Vice Chairman, Joint Chiefs of Staff
“Iran will try to target any attacks in a manner that speaks to their anger over increased sanctions, particularly those aimed at Iranian energy exports,” says Winnefeld. “Thus, U.S. companies in the energy sector are of prime interest. Iran may also conduct some kind of limited attack on a target, such as the electric grid, that might stoke fear among Americans and resentment over the possibility that the administration’s actions could backfire at home. That said, they can only attack that which they are capable of attacking, and any other enterprises that are particularly symbolic of the U.S. could be victims.”
Admiral James 'Sandy' Winnefeld (Ret.), former Vice Chairman, Joint Chiefs of Staff
“It’s an excellent time for U.S. businesses to double check that all patches and software updates are current, even at the risk of temporarily interrupting operations in order to get this done. Warnings should also be given to network users to be especially vigilant for spear-phishing attacks, as that is a primary method used by Iran to penetrate networks.”
Saxby Chambliss, former Senator and former Vice Chairman of the Senate Select Committee on Intelligence
“Iran is looking to make a “cyber splash” in response to recent actions by the U.S.,” says Chambliss. “That means that they want some action in the cyber space to be 1) noticed and 2) inflict damage. The most likely sectors will be the financial community, but that sector has done a good job of hardening their systems, so I expect the attempts to be focused on other areas of infrastructure, i.e. water systems, transportation, emergency units, etc.”
Saxby Chambliss, former Senator and former Vice Chairman of the Senate Select Committee on Intelligence
“Remember, they are not interested in stealing money or secrets, but rather destroying systems. That is the good news for us from a defensive standpoint because it is more difficult to do, but these are very sophisticated adversaries and should never be underestimated. Iranians are very good at disguising email activity so businesses should ramp up their education programs with employees, do their own independent targeting from a testing standpoint and, most importantly, use the provisions of the Cybersecurity Information Sharing Act to share information with competitors and the USG while having liability protection.”
“We are seeing a ramp up in attempts of this nature,” adds Chambliss. “I am finding clients like the aggressive nature the USG has taken in the cyber space. It sends the right message, but it has also forced the bad guys to get more creative and Main Street is having a difficult time keeping pace.”
Leslie Ireland, former Assistant Secretary of the Treasury for Intelligence and Analysis
“The first thing businesses should be doing is looking at how they are positioned to defend against phishing or spear phishing attacks,” says Ireland. “They need to be looking at their training programs for their employees and asking what they could be doing to heighten awareness and let employees know that they need to be careful about what they put on social media, because that they can make them more prone to spear phishing attacks with the more an actor knows about them. One thing companies can do is set up their own spear phishing attack so they can see how often people click, and they can then go back and do some remedial training. They also need to be asking whether there are technologies out there that can help anticipate and specifically defend against a phishing attack? Is your IT department plugged in with those kinds of companies? Companies also need to consider whether they could have an insider threat? Are your employees or is your company vulnerable because you have disgruntled employees, or you have employees who aren't being careful enough?”
Leslie Ireland, former Assistant Secretary of the Treasury for Intelligence and Analysis
Former Assistant Secretary of the Treasury for Intelligence and Analysis
“Does the company see cybersecurity as an enterprise-wide risk, or do they just see it as an IT problem? Do they understand that there are reputational issues and legal issues, and depending upon the industry, sometimes there are regulatory issues as well, so how are they covering that? Are they thinking holistically about the challenge? Are they budgeting what they need to budget? Is the money that goes into cybersecurity seen as a burden, or is it seen as a critical part of business? Is their board of directors providing necessary oversight of the cyber program? Are they prepared for an attack? It's not if, it's when, so are they exercising? Are they conducting tabletop exercises to understand who needs to do what during a cyber crisis?”
“Businesses also need to look at how well the company is positioned with peer networks or with the government in terms of cyber capabilities,” says Ireland. “One of the things that has been established particularly with critical infrastructure are Information Sharing and Analysis Centers (ISACs). If the company's industry has one, it's an excellent opportunity to join it to better understand what the trends are in the attack surface, and what people are doing to help prevent the threat. They can also share information about attacks that have occurred. If your company doesn't have that kind of an industry, I'd say to make sure you are plugged in with your local law enforcement or DHS.”
Lieutenant General Vincent Stewart (Ret.), former Deputy Commander, U.S. Cyber Command
“I would not assume that my firewall has not been penetrated, or that my antivirus and malware tools are fully deployed and protecting my networks,” says Stewart, who retired earlier this year after serving as Deputy Commander of U.S. Cyber Command and Director of the Defense Intelligence Agency before that. Stewart said businesses have to do more to make sure they’re protected. “Those are key initial steps, but insufficient on their own. I would ensure that I have an integrated threat intelligence picture that provides global insights before it reaches my moat; I would be focused on the countering phishing or whaling attempts; and I would deploy my red teams to hunt for persistent threats inside the networks.”
Lieutenant Genera Vincent Stewart (Ret.), former Deputy Commander, U.S. Cyber Command
“The private sector must continue their defensive diligence built around high-quality threat intelligence, and a well-established sharing construct - at minimum within their sector. They have to continue to defend inside their networks, not forgetting the insider threat. And make sure anti-virus and malware defenses are up to date. Sharing insights on known malware and reporting incidents of compromise at network speed, in the first ten minutes, is critical.”
“Dust off the crisis management plan,” says Stewart. “Assume compromise, what actions will you take in the first minute, 10 minutes, 60 minutes? Do you have a playbook ready to go at the time of compromise; who executes the playbook? Who are the key members of the team and what decisions are they authorized to make? What’s the strategic communication plan?” asks Stewart.
Jamil Jaffer, V.P. for Strategy & Partnerships, IronNet Cybersecurity
“The basics are always key,” says Jamil Jaffer, who is also the Founder and Executive Director of the National Security Institute at the Antonin Scalia Law School at George Mason University. “Taking appropriate steps like fully patching and updating systems and having in place core security measures like using two-factor authentication and putting in place network firewalls and antivirus software is critical for businesses of all sizes.”
Jamil Jaffer, VP for Strategy and Partnerships, Ironnet Cybersecurity
“Beyond that, for medium-to-large enterprises, it is important that they have a suite of key tools deployed, including network traffic analytics, endpoint detection and response, and malware isolation, to name a few, and that they have a quality managed service provider or a strong security operations team to monitor address ongoing threats.”
“Writ large, businesses of all sizes need to leverage collective defense capabilities, using data and analysis from across their industry or ecosystem and using it to better defend themselves in real-time,” says Jaffer.
Kelly Bissell, Managing Director of Accenture Security
“We agree with Mr. Krebs’ comments and see a steady rise in cyberattacks from around the world and believe there is a great deal of precedence for an attack against the U.S. private sector. Companies, particularly in the critical infrastructure sectors, should expect retaliation,” says Bissell, who identifies the entities most at risk as operating in the oil and natural gas, transportation, defense and national security, and financial services sectors.
Bissell says other businesses at risk include any organizations in North America or Europe that have dealings with businesses which have organizations in the Middle East region and that companies with operations or personnel operating in the UAE, Saudi Arabia, Kuwait, Iraq, or Oman should operate at a heightened alert level.
Kelly Bissell, Senior Managing Director of Accenture Security
“The global cyber environment is increasingly growing more complex and challenging for the private sector. It should surprise no one that as geopolitical tensions rise, so do cyber-risks. Cyber has increasingly become a primary tool in the toolbox for political, ideological, and financially motivated government and non-government entities. To defend against this increasing threat, every company should plan for the worst and put programs and procedures in place to minimize risks to critical assets and operations that may be most affected by a cyberattack.”
“DHS highlighted these functions in their recent release of the National Critical Functions which are a significant step forward in the U.S. government’s approach to critical infrastructure protection,” says Bissell.
Be sure to read The Cipher Brief over the next few days for analysis of the cyber threat by more experts in national security.
You can find more information on CISA’s cyber resources for business here and if you think you’ve been breached, you can reach CISA at: NCCICCUSTOMERSERVICE@hq.dhs.gov
LAUNCHING IN JULY: The Cyber Initiatives Group, powered by The Cipher Brief. The CIG is a public-private sector group of cyber professionals who share observations, high-level thought and expert perspective on cyber issues impacting all of today’s businesses.
With a team of principals including Former CIA and NSA Director, General Mike Hayden (Ret.), former NSA Director, General Keith Alexander (Ret.), former Deputy NSA Director Rick Ledgett, former NCTC Director Matt Olsen, former Vice Chairman of the Joint Chiefs of Staff, Adm. Sandy Winnefeld and former DHS Deputy Undersecretary for Cybersecurity, Mark Weatherford, the new Cyber Initiatives Group will focus on connecting experts in ways that share best practices on cybersecurity.
If you’re interested in becoming an inaugural member or sponsor of this thought leadership group, please send an email to CIG@thecipherbrief.com and we will send you an invitation to join the conversation.
‘I’m excited to facilitate this critical cyber conversation and to be working with leaders from across the private sector as they tackle the very difficult cyber issues that impact every company doing business today.’ - Michael V. Hayden
