How could Iran potentially launch cyberattacks vs. the United States and related infrastructure? The Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security (DHS), offered new insights about the situation on January 6.
Moreover, a CISA document describes the nine risk mitigation questions that MSSPs (managed security services providers) and MSPs should ask themselves and their customers.
First, a little background: The United States has been bracing for potential cyberattacks from Iran after the U.S. launched a lethal strike that killed Iranian IRGC-Quds Force commander Qassem Soleimani.
In response, Iran is considering 13 response scenarios against the United States, Bloomberg reported on January 7. The weakest of those options would be "an historic nightmare" for the U.S., the report said. Still, it's important to note that no credible threat against U.S. infrastructure has been discovered.
CISA Insights Document: Iran's Alleged Cyberattack History
Still, the DHS and CISA have issued multiple warnings to help organizations and U.S. citizens protect physical and digital assets. A new CISA Insights document describes the Iran threat profile and activity -- including previous alleged attacks that involved:
- Disruptive and destructive cyber operations against strategic targets, including finance, energy, and telecommunications organizations, and an increased interest in industrial control systems and operational technology.
- Cyber-enabled espionage and intellectual property theft targeting a variety of industries and organizations to enable a better understanding of our strategic direction and policy-making.
- Disinformation campaigns promoting pro-Iranian narratives while pushing anti-U.S. sentiments.
- Improvised explosive devices (IEDs), which are a staple tactic of the Islamic Revolutionary Guard Corps (IRGC), its Quds Force (focused on external, global operations), and proxy entities such as Hizbollah.
- Attacks against U.S. citizens and interests abroad and similar attacks in the Homeland.
- Unmanned aircraft system (UAS) attacks against hardened and soft targets.
Of course, cyber wars are not one-sided battles. It's important to note that the United States has been known to launch cyberattacks against Iran and other targets.
CISA Insights Document: Nine Cybersecurity Questions to Ask
In addition to describing physical security measures, the CISA Insights document outlines a nine-step cyber protection plan. MSSPs and MSPs that follow the plan should ask these nine questions of themselves and their customers, CISA says:
- Backups: Do we back up all critical information? Are the backups stored offline? Have we tested our ability to revert to backups during an incident?
- Incident Response: Do we have an incident response plan and have we exercised it?
- Business Continuity: Are we able to sustain business operations without access to certain systems? For how long? Have we tested this?
- Risk Analysis: Have we conducted a cybersecurity risk analysis of the organization?
- Staff Training: Have we trained staff on cybersecurity best practices?
- Account Protections: Have we implemented multi-factor authentication and are we minimizing account privileges?
- Vulnerability Scanning and Patching: Have we implemented regular scans of our networks and systems? Do we have an automated patch management program?
- Network Traffic Monitoring: Are we monitoring the network traffic crossing the boundary of critical networks, including industrial control systems?
- Application Whitelisting: Do we allow only approved programs to run on our networks?
MSPs Fighting Cyberattacks: Basic First Steps
To get ahead of cyber threats, MSSP Alert and ChannelE2E have recommended that readers:
- Sign up immediately for U.S. Department of Homeland Security Alerts, which are issued by the Cybersecurity and Infrastructure Security Agency. Some of the alerts specifically mention MSPs, CSPs, telcos and other types of service providers.
- Study the NIST Cybersecurity Framework to understand how to mitigate risk within your own business before moving on to mitigate risk across your customer base.
- Explore cybersecurity awareness training for your business and your end-customers to drive down cyberattack hit rates.
- Connect the dots between your cybersecurity and data protection vendors. Understand how their offerings can be integrated and aligned to (A) prevent attacks, (B) mitigate attacks and (C) recover data if an attack circumvents your cyber defenses.
- Continue to attend channel-related conferences, but extend to attend major cybersecurity events — particularly RSA Conference, Black Hat and Amazon AWS re:Inforce, and MSP-centric cyber events like PerchyCon 2020.