The dramatic escalation of events in recent days, between the U.S. and Iran, has prompted the U.S. Department of Homeland Security to release an official warning to organizations.

In its first official guidance since the U.S.-authorized drone strike against Iran, the Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations to “consider and assess the possible impacts and threat of cyberattack on their businesses.” This includes the risk of an Iranian cyber attack.

The brief goes on to say that Iran and its allies could launch “disruptive and destructive cyber operations” against strategic targets including financial, utility, and energy companies, as well as transit systems.

CISA also warned of potential disinformation campaigns and kinetic attacks, including bombings, and advised companies to take necessary precautions, including offline backups of critical data and systems. To be clear, Iran has been carrying out state-sponsored attacks on the U.S. for a while.

2012 and 2013 saw a series of denial-of-service attacks against Bank of America, the New York Stock Exchange, and NASDAQ that were attributed to Iran. Additionally, Iran was identified as the source of an attack on the Sands Casino in Las Vegas, which shut down all of its operations.

In short, Iran has been and will continue to be a cyber threat to the U.S. While that won’t change, what changes constantly is the level of risk. It’s dynamic. In fact, this illustrates a great point with respect to cyber threats in general.

Cyber-attacks are highly dynamic in terms of the level of risk, identity of the attackers, attack targets, and the infrastructure being used to launch attacks.

This makes it critical for organizations to incorporate a broad-based view of threat intelligence from multiple sources in order to increase visibility into threats, improve cyber defenses, and reduce risk.

Now more than ever, threat intelligence-driven cybersecurity is critical to protecting our economy, our infrastructure, and our institutions. Specific to the current threat from Iran, here are three major ways you can leverage threat intelligence to reduce the risk.

1. Batten Down Your GEO-IP Hatches & Increase Your Sights on Where Your Network Traffic is Coming from and Going To

Now’s a great time to revisit GEO-IP policies for network access and increase monitoring efforts. One easy way you can reduce risk is to block, or become more restrictive on, network traffic originating from or going to Iran (and other hostile countries that represent an Iranian proxy risk). Now, we know that GEO-IP controls are not a panacea, and they have challenges on two main fronts:

  • The first is that a smart Iranian attacker will most likely utilize geo-spoofing techniques to hide their point of origin, or look to leverage non-Iranian attack infrastructure. While this may lead one to conclude that GEO-IP blocking adds limited value, this is far from the truth.
      • Global threat actors may seize on this as an opportunity to launch their own spoofed attacks, using Iran as the origination point. Our friends at Recorded Future illustrate this in their recently published threat intelligence report, which highlighted documented instances of Russian state-sponsored groups hijacking and using Iranian infrastructure for their own cyber operations.
  • The second challenge with GEO-IP is that, given the global nature of many businesses, it may not be feasible to block traffic from/to specific countries in their entirety.
      • In this case, at a minimum, you should increase your monitoring efforts around the volumes and behavior of network traffic from risky countries.

2. Broaden Your Threat Intelligence Use

Today’s elite cybersecurity organizations utilize a broad mix of threat intelligence in order to keep up with today’s highly dynamic threat landscape.

These organizations have realized that the single-source threat intelligence that is powering their existing network security controls (like next-generation firewalls and intrusion detection & prevention systems) is not enough to keep up with today’s threats.

A broader view of threat intelligence that spans commercial, open source, industry, and government sources is required. This broader view will complement your GEO-IP efforts and help protect you against malware, phishing, and ransomware attacks, and against communications with the malicious command and control infrastructure associated with these attacks.

We recommend expanding your threat intelligence sources, specifically:

  • Take a look at commercial sources of external threat intelligence from high-fidelity providers like DomainTools, Intel 471, IntSights, Proofpoint Emerging Threats, Recorded Future, and Webroot, to name a few. Specific to the threat from Iran, our friends at Recorded Future provide valuable information in this threat report.
  • Take a fresh look at open source threat intelligence (OSINT) options.
  • Join or become more active in your industry threat sharing community via ISACs and ISAOs.
  • Participate in government sharing efforts such as the Department of Homeland Security’s Automated Indicator Sharing (AIS) and Collaborative Information Sharing and Collaboration Program (CISCP) programs.  

Finally, it is important to keep in mind that consuming threat intelligence is only the first step in greatly reducing risk; sharing threat intelligence is equally important. “If you see something, say something,” as information sharing will be critical to ensuring a holistic and concerted defense against Iran.

3. Up Your Threat Intel Game by Making it Actionable

Expanding your use of threat intelligence is important, but only by acting on threat intelligence will you achieve its full value: reducing the risk of attack and protecting your business.

For example, knowing that certain IP and domain indicators of compromise (IoCs) are malicious is great, but if you aren’t proactively blocking these malicious indicators, or at least gaining visibility into whether these IoCs are hitting your network, then what’s the point?

An excellent example of taking action with threat intelligence is to implement broad-based, real-time threat intelligence filtering of network traffic. Adding this as a critical component of your security practice can help you improve the security of your network and your visibility into threats.
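To show what the GEO-IP monitoring from section 1 and the IoC filtering from section 3 look like together in practice, here is an added example (not Bandura Cyber’s code or product logic). It assumes a constructed firewall log format of `<src> <dst> <bytes>`, a constructed prefix-to-country table built from RFC 5737 documentation ranges (not real Iranian address space), and a constructed IoC feed; a real deployment would substitute a GeoIP database and an aggregated threat intelligence feed.

```python
import ipaddress
from collections import Counter

# Constructed country table using documentation prefixes (RFC 5737).
# These are NOT real Iranian ranges; a GeoIP database supplies this in practice.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
]
# Constructed IoC feed, standing in for aggregated multi-source threat intel.
IOC_FEED = {"198.51.100.77"}
# Countries under the tighter GEO-IP policy the post recommends.
RISKY_COUNTRIES = {"IR"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed firewall log lines: "<src> <dst> <bytes>", both directions.
SAMPLE_LOG = """\
10.1.2.3 203.0.113.10 1200
203.0.113.45 10.1.2.9 540
10.1.2.3 198.51.100.77 88
10.1.2.4 8.8.8.8 300
"""

def country_of(ip):
    """Longest-match is unnecessary here: the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return "UNKNOWN"

def external_ip(src, dst):
    """Return the non-internal end of the flow, whichever direction it runs."""
    return dst if ipaddress.ip_address(src) in INTERNAL_NET else src

def analyze(log_text):
    """Return (alerts, bytes_by_country).

    An IoC hit outranks a country hit, so a known-bad address is flagged as
    such even when it sits in a country you only monitor rather than block.
    """
    alerts, volume = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, nbytes = line.split()
        ext = external_ip(src, dst)
        cc = country_of(ext)
        volume[cc] += int(nbytes)          # per-country volume for monitoring
        if ext in IOC_FEED:
            alerts.append((line, f"ioc-match:{ext}"))
        elif cc in RISKY_COUNTRIES:
            alerts.append((line, f"geo-risk:{cc}"))
    return alerts, volume
```

The per-country byte counts are the baseline you would watch for the volume changes section 1 calls for, while the alert list is what a blocking or monitoring policy would act on.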

How Bandura Cyber is Enabling Threat Intelligence-Driven Security

Bandura Cyber helps organizations protect their networks by making threat intelligence actionable. Our cloud-based Threat Intelligence Protection platform aggregates threat intelligence from multiple sources, integrates threat intelligence from any source in real time, and takes action on threat intelligence in an easy, open, automated, and scalable way.

As a critical component of our Threat Intelligence Protection platform, the Bandura Cyber Threat Intelligence Gateway provides scalable and automated threat intelligence-filtering of network traffic as well as easy-to-use GEO-IP filtering capabilities.

Organizations are using Bandura Cyber’s solution to strengthen network protection, reduce manual staff workload and increase ROI on existing security investments including multi-source threat intelligence and next-generation firewalls.

Interested in learning more? Sign up for a free 30-day trial or a demo.

For More Information: 

Threat Intelligence Challenges with Next-Generation Firewalls

The Bandura Cyber Threat Intelligence Firewall Platform Datasheet

Links

Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad – U.S. Cybersecurity and Infrastructure Security Agency (CISA)

Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access – Recorded Future