Undoubtedly, you’ve heard and been concerned about recent tensions between the United States and the Islamic Republic of Iran. This tension can hit close to home in a multitude of ways. Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA), a division of Homeland Security, issued an alert regarding cybersecurity tied to Iran’s historic use of offensive cyber activity as retaliation.
Patterns of known Iranian threat techniques include credential dumping, obfuscated files or information, data compressed, PowerShell, user execution, scripting, registry run keys/startup folder, remote file copy, spearphishing link, and spearphishing attachment.
Sandwire Managed IT wants to make you aware of the information shared so you can protect yourself, your company, and your customers. The CISA recommends taking the following actions:
- Adopt a state of heightened awareness: This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.
- Increase organizational vigilance: Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
- Confirm reporting processes: Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see Contact Information section below).
- Exercise organizational incident response plans: Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the access they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.
The following is a composite of actionable technical recommendations for IT professionals and providers to reduce their overall vulnerability. These recommendations are not exhaustive; rather they focus on the actions that will likely have the highest return on investment. In general, CISA recommends two courses of action in the face of the potential threats from Iranian actors: 1) vulnerability mitigation and 2) incident preparation.
Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
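As an added example (not part of the CISA alert or Sandwire’s own tooling), the following PowerShell session inventories every listening TCP port on a Windows host together with the process that owns it, blocks one port that the review finds unnecessary, and lists established outbound connections to unexpected ports for command-and-control review. It assumes an elevated session on Windows 8 / Server 2012 or later (the NetTCPIP and NetSecurity modules); the blocked port (445) and the firewall rule name are illustrative choices, not a recommendation for every host.

```powershell
# Added example: review listening ports and outbound connections on a Windows host.
# Assumes an elevated PowerShell session; cmdlets are from the built-in NetTCPIP / NetSecurity modules.

# 1. Enumerate listening TCP endpoints with the owning process, so each one can be
#    matched against the services the host is actually supposed to provide.
function Get-ListeningPortInventory {
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                Path         = $proc.Path
            }
        } | Sort-Object LocalPort
}

Get-ListeningPortInventory | Format-Table -AutoSize

# 2. A listener with no business justification is a candidate for disabling.
#    Illustrative assumption: this host is not a file server, so inbound SMB (TCP 445)
#    is blocked. The rule name is a constructed placeholder.
$unneededPort = 445
New-NetFirewallRule -DisplayName "Block inbound TCP $unneededPort (port review)" `
    -Direction Inbound -Protocol TCP -LocalPort $unneededPort `
    -Action Block -Profile Any -Enabled True | Out-Null

# 3. Monitoring: established connections to external addresses on ports outside the
#    expected set, especially from unusual processes, deserve a closer look for C2 traffic.
function Get-OutboundConnectionReview {
    param([int[]]$ExpectedPorts = @(80, 443, 53))
    $privateRanges = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemotePort -notin $ExpectedPorts -and $_.RemoteAddress -notmatch $privateRanges } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Remote      = "$($_.RemoteAddress):$($_.RemotePort)"
                ProcessName = $proc.ProcessName
                Path        = $proc.Path
            }
        }
}

Get-OutboundConnectionReview | Format-Table -AutoSize
```

The inventory is the part to keep running on a schedule: a port that appears between two runs with no change-ticket behind it is exactly the kind of anomaly the alert asks you to flag.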
Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms.
Patch externally facing equipment. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.
Log and limit the usage of PowerShell. Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
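As an added example (not from the CISA alert or Sandwire), the following PowerShell snippet sets the same registry values that Group Policy uses to turn on script block logging, module logging and transcription, requires signed scripts machine-wide, and then reads back recent script block events to flag the encoded-command and download patterns listed in the alert’s threat techniques. It assumes an elevated Windows PowerShell 5.1 session; the transcript directory `C:\PSTranscripts` and the list of suspicious patterns are assumptions you should adapt to your environment.

```powershell
# Added example: enable PowerShell logging, require signed scripts, and review script block events.
# Assumes an elevated Windows PowerShell 5.1 session. Registry paths mirror the Group Policy
# settings under "Administrative Templates > Windows Components > Windows PowerShell".

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: writes event ID 4104 to Microsoft-Windows-PowerShell/Operational.
New-Item -Path "$policyRoot\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging for every module: writes event ID 4103 with pipeline details.
New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Transcription: full session transcripts. The output directory is an assumption; in practice
# point it at a share users can write to but not read or delete from.
New-Item -Path "$policyRoot\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$policyRoot\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$policyRoot\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Require signed scripts. Execution policy is a guardrail for operators, not a security boundary,
# which is why the logging above matters: it records what ran regardless of policy.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# Review: pull recent 4104 events and flag script blocks containing patterns associated with
# obfuscated or downloaded payloads (the pattern list is an assumption; extend it from your own intel).
function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $patterns = 'FromBase64String', '-EncodedCommand', '-enc', 'DownloadString', 'Invoke-Expression', 'Net.WebClient'
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value   # property index 2 is ScriptBlockText for 4104
        $hits = $patterns | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                UserSid = $_.UserId
                Matched = ($hits -join ', ')
                Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

Forward the Operational log and the transcript share to your central log collector as well; a script block that deletes its own local events is one of the things the review above cannot see once it has run.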
Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.