But given the recent tension between the U.S. and Iran over an American drone strike that killed a top Iranian military general, DHS’s Cybersecurity and Infrastructure Security Agency appears to have found an opportunity to test those cyber threat intelligence-sharing capabilities in the new year.
A memo from CISA on Monday warned that Iran and its proxies “have a history of leveraging cyber and physical tactics to pursue national interests, both regionally and here in the United States,” including cyber-attacks against the financial, energy and telecommunications sectors.
“Recent Iran-U.S. tensions have the potential for retaliatory aggression against the U.S. and its global interests. Iran has exercised increasingly sophisticated capabilities to suppress social and political perspectives deemed dangerous to its regime and to target regional and international adversaries,” CISA wrote in its memo.
Threats of retaliation for the death of Revolutionary Guard Gen. Qassem Soleimani became reality Tuesday evening when, as the Associated Press has reported, Iran fired a series of ballistic missiles at two Iraqi bases housing U.S. troops.
As for the threat of a disruptive or destructive cyber-attack, CISA “strongly urges” organizations to take steps to assess and strengthen their cyber defenses in the event of a nation-state cyber-attack through routine actions like backing up critical information and reviewing incident response plans.
“This is heightened vigilance, but people should not think of this the way you would act in a situation where there was a direct, known threat,” said Ari Schwartz, a former member of the White House National Security Council, special assistant to the president and senior director for cybersecurity, now the managing director of cybersecurity services at Venable.
As part of that heightened sense of cyber awareness, Schwartz said front-line employees should minimize their exposure to cyber risks by enabling multi-factor authentication on work and personal accounts, as well as avoid accessing sensitive government accounts on personal devices.
Tom Kellermann, the head of cybersecurity strategy for VMWare and former the chairman of a congressionally-appointed commission on cybersecurity for the Obama administration, said CISA’s advisory on Iran-specific cyber threats demonstrates “increased respect” for the severity of the threat.
“Agencies have been briefed that Iran’s cyber capabilities are no longer second-tier — that they have first-tier attack capabilities and they’re likely to use things like destructive malware within systems and they’re likely to island-hop between connected systems,” Kellermann said. “Some of the more proactive projects for cybersecurity that have sat on the shelf are being brushed off and dusted off.”
Amid rising tensions with Iran, Army insists no plans for draft
Schwartz said agency leaders have probably already been briefed on the scope of potential cyber threats, but Kellermann warned that no agency should let its guard down.
“Specific agencies who have long maintained security through obscurity can no longer do so. I do think there’s a heightened sense of awareness and anticipation for a significant attack by Iran against federal government agencies,” Kellermann said. “I do think that they have taken a more proactive stance, not just by the information sharing that has been ratcheted up, but by an all-hands-on-deck approach that agencies have taken since the holidays.”
In the past, Schwartz said Iran’s means of intrusion have included obtaining credentials to gain entry to networks, and added that identity management should be a key focus of any organization’s cyber strategy.
“My biggest concern, frankly, is the commandeering of the digital transformation efforts of government agencies to then use those agencies’ websites and networks to distribute destructive malware,” Kellermann said.
Iran maintains a robust cyber program and can execute cyber attacks against the United
States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive
effects against critical infrastructure in the United States.
In a National Terrorism Advisory System (NTAS) bulletin released Saturday, acting DHS Secretary Chad Wolfe said there was “no specific, credible threat against the homeland,” but said the agency is “actively monitoring and preparing for any specific, credible threat, should one arise.”
“Iran maintains a robust cyber program and can execute cyber attacks against the United
States,” the NTAS bulletin states.” Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
Destructive cyber attacks rising
According to VMWare data, destructive cyber-attacks have gone up 11% since last fall, while “island-hopping,” or the misuse of trusted infrastructure against its users, has occurred in 40% of recent incidents.
“It’s becoming mainstream and there’s no doubt the Iranians will attempt to commandeer trusted infrastructure to leverage destructive attacks,” Kellermann said. “It’s a question of where and when, and I’m hoping that the U.S. government is ready to suppress this threat, is ready to deploy a more proactive security posture [and] and intrinsic security posture where the infrastructure will defend itself against these behavioral anomalies.”
While Kellermann noted that agencies have made progress in sharing cyber threat intelligence with each other, as well as with private-sector industries deemed national critical infrastructure, the sheer size of the government’s infrastructure still makes it difficult to protect all networks all the time nation-state cyber-attacks.
“I do think there’s an enhanced level of coordination that I haven’t before between all the agencies, and that all agencies leaders … are now paying very close attention to their cybersecurity posture, whereas not all of them were doing so six months ago,” he said.
Outside of the federal government, Schwartz said Iran has been known to target oil and gas companies, as well as banks — especially those that have spoken out about the Iranian regime.
“I think companies that fit those categories should be particularly aware and if DHS is not already in contact with them, they should get in contact with DHS and probably with their local FBI office,” Schwartz said.