Trustwave Blog

Will Iran Retaliate in the Cyber Realm?: 5 Questions with an Incident Response Expert

By now, you’re well aware of the tensions currently in place between the United States and Iran. 

Following a U.S. strike that took down one of the top government officials in Iran, the country quickly retaliated by firing back at U.S. bases located in Iraq. While the battleground may be in the air and potentially on the ground in the future, there’s one arena that can create as much havoc and disruption: the cyber realm.

But before you jump to any conclusions, we decided to touch base with Trustwave’s own incident response expert, Brian Hussey, vice president of cyber threat detection and response, who provided us with a breakdown of what’s occurring and, most importantly, what may occur in the coming days or months.

Can you provide us with a breakdown of what’s going on at the moment?

Brian Hussey: Last week the U.S. launched strikes killing Iran’s top military leader, General Soleimani, and Iran vowed revenge. That's kind of the state we’ve been in for the last couple of days, wondering if their revenge will include cyber attacks. Earlier this week Iran did launch retaliatory strikes against U.S. bases in Iraq. That’s obviously one element of their retaliation, but will there be others or not? That’s the question right now. Geopolitical factors do influence the cyber threat landscape, and oftentimes the cyber approach is a faster and less attributable way, with easier access, for a small nation-state or one that has a hard time being able to launch an attack on the U.S. homeland.

For example, for a nation-state to launch an attack against the U.S., it’s not easy to get within our borders, thankfully so. But one of the easiest ways to directly impact US infrastructure and economy would be via a cyber-attack. So, when a geopolitical event like this occurs, we need to have heightened awareness when it comes to cyber attacks that may or may not come out of Iranian nation-state actors, or even patriotic actors within the country.

Why should security leaders that aren’t necessarily protecting government infrastructure care? How would it impact them?

BH: When you look at the modern-day security professional, they’re always overwhelmed by their day-to-day job, but when a major attack occurs, their job is going to get much more difficult, very, very quickly. It’s best, at minimum, to maintain situational awareness about the constantly changing threat landscape impacting their industry and geography. There are a few types of attacks that Iran is famous for, the most prevalent being wiper malware.

If you look at the Shamoon malware (more recently updated to StoneDrill), it was executed against Saudi Aramco and RasGas a number of years ago. That’s the known Iran modus operandi – or at least one of them. It’s to destroy your systems. In the case of Saudi Aramco, it destroyed 30,000 computers in one shot. That is a major, high-impact event for any corporation. IT security professionals have incredibly busy days and stacked responsibilities, but when high-impact geopolitical events like this take place it raises the threat level, and it’s something they should have some concern over.

Are there any specific industries that should be more cautious than others?

BH: As a retaliation, Iran is going to want to make headlines, they’re going to want to be noticed, and make a major impact with their cyber attacks. The most impact is going to come across areas that have the ability to affect human life, US confidence in their Government, or impact of major monetary value. The U.S. government will certainly want to be on high alert, as well as the finance and healthcare sectors. In addition, any SCADA environments that have access to or the ability to impact human life, such as water treatment plants and power plants. They are the ones that should be the most concerned in a cyber war-type scenario with Iran.

What types of attacks could we possibly see out of Iran?

BH: What they’re well-known for is the wiper malware, which is distributed in a way that is similar to ransomware, but it operates differently, as there’s no way to recover data. It completely wipes the boot sector away, as well as sections across the hard drive making recovery impossible, except possibly from offline backups.

While that’s what they’re most known for, since 2007 the Stuxnet attack was a very targeted SCADA attack on an air-gapped Step 7 Siemens processor that should not have been able to be targeted, but it clearly was. That was inspirational for Iran in the development of their attacks on targeted, off-line SCADA networks. This kind of attack generally takes a much higher level of sophistication, so I don’t know if they’re capable of doing that right now; whether they are currently lying dormant in US SCADA environments, ready to launch an attack, is also unknown.

I’d also be concerned about botnets. Every nation-state that has an offensive capability has gathered a very large botnet to use for offensive purposes in the event of a cyber war. That’s just the nature of the game. Does Iran have this, and are they interested in using it now? Even today, with modern security technology and professionals, it is difficult to protect against massive botnet-driven DDoS.
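Hussey’s description of wiper malware above (it destroys the boot sector and other regions of the disk, leaving offline backups as the only recovery path) suggests one cheap detective control: baseline the first sector of each boot disk at a known-good time and re-check it on a schedule. The following script is an added illustration of that check, not code from Trustwave or from the interview; the boot sector it inspects is a constructed in-memory sample rather than a real disk, and the function names (`build_sample_mbr`, `check_boot_sector`, `zeroed_sector`) are assumptions made for the example.

```python
import hashlib

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # classic MBR layout: 446 bytes of boot code, then 4 x 16-byte entries
PARTITION_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"    # last two bytes of a valid MBR


def build_sample_mbr() -> bytes:
    """Constructed sample boot sector (not captured from any real system):
    446 bytes of stand-in boot code, one Linux partition entry, three empty
    entries, and the 0x55AA signature."""
    bootstrap = bytes((i * 7 + 3) & 0xFF for i in range(PARTITION_TABLE_OFFSET))
    # status 0x80 (bootable), CHS start, type 0x83 (Linux), CHS end,
    # LBA start 2048, sector count 1048576 (both little-endian)
    entry = (b"\x80" + b"\x20\x21\x00" + b"\x83" + b"\xfe\xff\xff"
             + (2048).to_bytes(4, "little") + (1048576).to_bytes(4, "little"))
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    sector = bootstrap + table + MBR_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def sector_hash(sector: bytes) -> str:
    """SHA-256 of the sector; store this as the baseline when the host is known-good."""
    return hashlib.sha256(sector).hexdigest()


def count_partition_entries(sector: bytes) -> int:
    """Number of partition table slots in use (non-zero partition type byte)."""
    count = 0
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        if sector[off + 4] != 0:
            count += 1
    return count


def check_boot_sector(sector: bytes, baseline_hash: str) -> dict:
    """Compare a freshly read boot sector with the stored baseline.

    Any of: missing 0x55AA signature, hash drift from the baseline, or an empty
    partition table is flagged as suspicious. A hash mismatch alone can also be a
    legitimate bootloader update, so the report keeps the individual signals."""
    report = {
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
        "hash_match": sector_hash(sector) == baseline_hash,
        "partition_entries": count_partition_entries(sector),
        "all_zero": not any(sector),
    }
    report["suspicious"] = (
        not report["signature_ok"]
        or not report["hash_match"]
        or report["partition_entries"] == 0
    )
    return report


def zeroed_sector(sector: bytes) -> bytes:
    """Model the observable end state after a destructive overwrite, for the demo only."""
    return b"\x00" * len(sector)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = sector_hash(healthy)
    print("healthy :", check_boot_sector(healthy, baseline))
    # A modified boot code region keeps the signature but breaks the baseline hash.
    tampered = healthy[:100] + b"\xff" + healthy[101:]
    print("tampered:", check_boot_sector(tampered, baseline))
    print("zeroed  :", check_boot_sector(zeroed_sector(healthy), baseline))
```

On a live system the 512 bytes would come from the raw boot device (for example a privileged read of `/dev/sda` on Linux or `\\.\PhysicalDrive0` on Windows), and the baseline hash would be kept off the host, since a wiper that reaches the boot sector can also reach a baseline stored beside it. A hash mismatch after a planned bootloader update is expected and should be re-baselined; a mismatch with a missing signature or an empty partition table is the case worth paging someone about.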

Are there any particular incidents from the past that we can compare this to?

BH: There have been global incidents in the past that have caused security professionals to be on high alert. Really, any time a nation-state is in potential conflict with another nation-state, then those residing within the borders of the combatants should be aware of the cyber implications at hand. It’s not just about bombs and planes and tanks. The concern that immediately needs to be on the top of the list is cyber threats.

Given the high alert many security professionals are currently on, Hussey advises security leaders to focus on the following areas:

  • Defense-in-Depth: The old maxim, harden your perimeter with layers of protection that can cover when one fails.

  • It’s all about the endpoints: Invest in quality EDR technology that gives you access for rapid hunting, investigation, and containment across your global enterprise (not to mention advanced preventative capabilities).

  • Get Proactive: Invest in pen testing and threat hunting. You should know how attackers can get into your network and if you’ve already been compromised.