As tensions rise in the Middle East, it's increasingly likely that some American businesses and agencies will face cyberattacks from the Islamic Republic of Iran.
The Islamic Republic of Iran (or just plain Iran from this point forward) has a history of perpetrating cyberattacks, both against the U.S. and around the world. One example, the 2016 indictment of seven Iranians for DDoS attacks against U.S. banks, is covered here: https://www.bankinfosecurity.com/7-iranians-indicted-for-ddos-attacks-against-us-banks-a-8989.
Who's Most Likely to be Attacked?
At the top of the list are federal agencies like the State Department, the Department of Defense, the Department of the Treasury, and so on. Any federal institution that could plausibly affect Iran in some way is a likely target.
Local government agencies (from municipalities up to state government) might also be targeted, as they're often low-hanging fruit in the eyes of an attacker. That's something we've covered multiple times, ad nauseam even, in earlier posts.
There are more stories if you search for them, but I think you get the point.
What about businesses?
Most businesses are less likely to be attacked directly by a nation-state. The people who go after private and public corporations are typically independent criminals who rarely, if ever, have a government behind them.
Now that's not to say corporations won't be targeted. The 2016 indictment I linked above covers an Iranian DDoS campaign against the U.S. financial sector, so the precedent is there.
What kind of attacks can you expect?
Oh, the usual:
- Distributed Denial of Service (DDoS)
- Sleeper agent attacks (a foothold established quietly now and activated later)
Nothing too out of the ordinary.
How you can protect yourself, just in case of attack:
There are a few things you can do if you're worried about being attacked. But heck, these are things you should be doing anyway.
1. Conduct a Risk Assessment
There's an old saying, "you can't manage what you don't measure," and it applies here. How could you begin to patch holes and vulnerabilities if you don't have a good understanding of your current security posture and the gaps in it?
We know how easy it is to miss something when your plate's already full. A good risk assessment, performed by an outside party, can be an eye-opening experience and can save your business a lot of worry and strife down the road.
If you haven't already checked it out please look at our 7 Steps of a Successful Risk Assessment article.
2. Implement Security Awareness Training
The weakest element in any cybersecurity defense plan is the human one. We're imperfect creatures; we make mistakes. A good Security Awareness Training program helps people avoid them by offering:
- Malware Awareness Training
- Password Security Training
- Social Engineering Training
- Email Security Training
- Physical Security Training
- Mobile Device Security Training
- Phishing Awareness Training
- Travel Security Training
- Information Privacy Awareness Training
3. Filter Your Web Traffic
Properly setting up web filtering on your firewall can save you hours of headaches. Most firewalls either have a filtering service built in or offer a subscription that does most of the heavy lifting for you. Occasionally you'll bump into an oddly misclassified website, but overall it does a pretty darn good job of keeping people safe on the internet.
We personally use FortiGuard and recommend it to anyone using a FortiGate device. Of course, Fortinet isn't alone in offering a web filtering product. Others like Cisco and Barracuda (to name a few) do as well.
4. Block and alert on Botnet and C&C traffic
Botnets are nasty, nasty things. They can be difficult to detect, too, since they're designed to operate without the end user's knowledge. But you're in luck: there are a few common things you can look for.
- IRC traffic (older botnets and bot masters used IRC for command and control; most modern ones blend into HTTP(S) or DNS, so don't rely on this indicator alone)
- Connection attempts to known C&C servers (your firewall vendor's botnet feed or a threat-intel source is the usual list)
- Multiple machines on a network making identical DNS requests for a name none of them should need
- High outgoing SMTP traffic from hosts that aren't your mail servers (a sign of spam sending)
- Unexpected pop-ups (a result of click-fraud activity)
- Slow computing and high CPU usage
- Spikes in traffic, especially on port 6667 (IRC), port 25 (outbound SMTP, used in spamming), and port 1080 (SOCKS proxies)
- Outbound messages (email, social media, instant messages, etc.) that weren't sent by the user
- Problems with internet access
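Several of the indicators above are things you can check mechanically against your firewall and DNS logs rather than by eyeballing them. The script below is an added example written for this post, not code from the original article or from any firewall vendor. It runs over a constructed log in a hypothetical `timestamp key=value ...` format (real exports will need a different parser), with placeholder C&C addresses, a DNS allowlist, and a mail-relay exclusion standing in for the feeds you would plug in. It flags connections to known C&C hosts, outbound IRC, spam-like SMTP volume from non-mail hosts, and a DNS name that several internal machines look up in lockstep.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall/DNS log in a hypothetical key=value format.
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z type=conn src=10.0.0.11 dst=203.0.113.7 dport=443 proto=tcp
2024-03-01T09:00:02Z type=dns src=10.0.0.11 query=cdn.example.org
2024-03-01T09:00:03Z type=conn src=10.0.0.12 dst=198.51.100.9 dport=6667 proto=tcp
2024-03-01T09:00:04Z type=dns src=10.0.0.12 query=updates-check.example.net
2024-03-01T09:00:05Z type=dns src=10.0.0.13 query=updates-check.example.net
2024-03-01T09:00:06Z type=dns src=10.0.0.14 query=updates-check.example.net
2024-03-01T09:00:07Z type=dns src=10.0.0.13 query=cdn.example.org
2024-03-01T09:00:08Z type=dns src=10.0.0.14 query=cdn.example.org
2024-03-01T09:00:09Z type=conn src=10.0.0.15 dst=192.0.2.20 dport=25 proto=tcp
2024-03-01T09:00:10Z type=conn src=10.0.0.15 dst=192.0.2.21 dport=25 proto=tcp
2024-03-01T09:00:11Z type=conn src=10.0.0.15 dst=192.0.2.22 dport=25 proto=tcp
2024-03-01T09:00:12Z type=conn src=10.0.0.15 dst=192.0.2.23 dport=25 proto=tcp
2024-03-01T09:00:13Z type=conn src=10.0.0.15 dst=192.0.2.24 dport=25 proto=tcp
2024-03-01T09:00:14Z type=conn src=10.0.0.15 dst=192.0.2.25 dport=25 proto=tcp
2024-03-01T09:00:15Z type=conn src=10.0.0.2 dst=192.0.2.30 dport=25 proto=tcp
2024-03-01T09:00:16Z type=conn src=10.0.0.2 dst=192.0.2.31 dport=25 proto=tcp
2024-03-01T09:00:17Z type=conn src=10.0.0.2 dst=192.0.2.32 dport=25 proto=tcp
2024-03-01T09:00:18Z type=conn src=10.0.0.2 dst=192.0.2.33 dport=25 proto=tcp
2024-03-01T09:00:19Z type=conn src=10.0.0.2 dst=192.0.2.34 dport=25 proto=tcp
"""

# Placeholder indicator data (assumptions for this example). In practice these
# come from your firewall vendor's botnet/C&C feed and your own inventory.
KNOWN_C2 = {"203.0.113.7"}
DNS_ALLOWLIST = {"cdn.example.org"}   # names many hosts are expected to resolve
MAIL_RELAYS = {"10.0.0.2"}            # hosts that legitimately send SMTP outbound

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one 'ts key=value key=value' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if not sep:
            return None
        fields[key] = value
    fields["ts"] = m.group("ts")
    return fields


def detect_botnet_indicators(log_text, known_c2=KNOWN_C2, dns_allowlist=DNS_ALLOWLIST,
                             mail_relays=MAIL_RELAYS, smtp_threshold=5, dns_host_threshold=3):
    """Return a sorted list of (indicator, subject, detail) alerts found in the log."""
    alerts = []
    smtp_counts = Counter()        # outbound SMTP connections per non-relay source host
    dns_hosts = defaultdict(set)   # query name -> set of internal hosts that asked for it
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        if ev.get("type") == "conn":
            if ev["dst"] in known_c2:
                alerts.append(("known_c2", ev["src"], ev["dst"]))
            if ev["dport"] == "6667":
                alerts.append(("irc_port", ev["src"], ev["dst"]))
            if ev["dport"] == "25" and ev["src"] not in mail_relays:
                smtp_counts[ev["src"]] += 1
        elif ev.get("type") == "dns" and ev["query"] not in dns_allowlist:
            dns_hosts[ev["query"]].add(ev["src"])
    for src, n in smtp_counts.items():
        if n >= smtp_threshold:
            alerts.append(("smtp_volume", src, str(n)))
    for name, hosts in dns_hosts.items():
        if len(hosts) >= dns_host_threshold:
            alerts.append(("shared_dns_query", name, str(len(hosts))))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_botnet_indicators(SAMPLE_LOG):
        print(*alert)
```

The mail-relay exclusion and the DNS allowlist are what keep this from paging you every morning: a mail server talking SMTP and a whole office resolving the same CDN name are normal, and without those two lists the "spam" and "identical DNS" rules are pure noise. Tune the thresholds to your own baseline before you alert on them.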
5. Enforce Application Control
Today's world is all about apps! I don't mean appetizers (but if that's where your first thought went, I like where your head's at). I mean applications. You can't do anything without 'em! They enable us.
But there are a lot of bad or questionable apps out there, and it's real easy to install them. By enforcing application control you limit what runs on your endpoints to what is known and sanctioned by you. The easy first step is the principle of least privilege when assigning user rights: if everyday users aren't local administrators, they can't run installers in the first place. Keep in mind that this alone doesn't stop portable executables that run straight out of a user's profile folder; a real allowlisting policy (AppLocker or WDAC on Windows, for example) is what closes that gap.
Keep in mind that the average user doesn't usually need to install any sort of application on their endpoint to do their job. They should already have all the tools they need. Limiting their ability to install software from the get-go is a solution worth considering.
6. Install Next-Gen Anti-Virus Software
There are a lot of products out there to consider when it comes to protecting your end-points. We'd never shy away from our love of Cylance but we'll be the first to admit they're not the only game in town and there are a lot of solutions out there that would probably work for you. What matters is you pick something and install it.
7. Implement Deep Packet Inspection (DPI)
Deep packet inspection looks past the packet headers at the payload itself, which lets your firewall block, re-route, or log traffic based on what it carries rather than just where it's going. DPI can also check that a protocol is formed correctly and look for malicious content. One important caveat: DPI on its own can't read encrypted traffic. It can still see the unencrypted parts of a TLS handshake (the server name, for instance), but to inspect the contents you need SSL/TLS inspection, where the firewall terminates and re-establishes the session using a certificate your endpoints trust. That comes with its own trade-offs (apps that pin certificates break, there are privacy obligations, and it costs CPU), so decide deliberately which traffic categories you decrypt and which you leave alone.
DPI benefits include:
- Filter and analyze messages by content, not just by port
- Open and close ports dynamically for protocols that negotiate them
- Perform in-line spam screening
- Proxy your IM traffic
- Perform SSL session inspections
- Stop known-malicious payloads before they reach an endpoint
We're big believers in "you can't manage what you don't measure." By analyzing your network traffic you get a much better idea of what's going on day to day, and DPI helps you accomplish that.
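To make the "DPI can't read encrypted traffic, but it isn't blind either" point concrete, here is an added example, written for this post and not taken from the original article or any vendor's product. It parses the one part of a TLS session that travels in the clear, the ClientHello, pulls out the Server Name Indication, and makes a block/allow decision from it without decrypting anything. The `build_client_hello` helper only exists to construct sample input; the blocklist is a placeholder for whatever feed your filtering product uses.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None if absent or malformed."""
    # Record header: content type (1), protocol version (2), length (2)
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: message type (1), length (3)
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        return None
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # session_id (length-prefixed)
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                          # compression_methods
    if len(hello) < pos + 2:
        return None                                # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(hello)):
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SERVER_NAME and len(data) >= 5:
            # ServerNameList: list_len (2), then name_type (1), name_len (2), name bytes
            name_type, name_len = data[2], struct.unpack("!H", data[3:5])[0]
            if name_type == 0 and len(data) >= 5 + name_len:
                return data[5:5 + name_len].decode("ascii", errors="replace")
    return None


def classify_flow(record, blocklist):
    """Policy decision a DPI engine can make from the cleartext ClientHello alone."""
    sni = extract_sni(record)
    if sni is None:
        return "inspect"   # not TLS, no SNI (e.g. Encrypted Client Hello), or malformed
    return "block" if sni in blocklist else "allow"


def build_client_hello(hostname):
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x11" * 32            # version plus a fixed, fake random
             + b"\x00"                             # empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"  # a single cipher suite
             + b"\x01\x00"                         # null compression only
             + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    blocked = {"c2.example.net"}   # placeholder blocklist for the example
    for host in ("www.example.com", "c2.example.net"):
        rec = build_client_hello(host)
        print(host, "->", extract_sni(rec), classify_flow(rec, blocked))
```

Note the third outcome, `inspect`: a flow with no readable SNI is exactly the case where header-only DPI runs out of road and you have to decide whether that traffic gets decrypted, blocked outright, or allowed on reputation alone. Encrypted Client Hello in newer TLS stacks will push more traffic into that bucket over time.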