Credit to Author: Chester Wisniewski | Date: Wed, 15 Jan 2020 10:00:38 +0000
Lately, it seems everyone is talking about Iran and whether we are likely to see an increase in cyberattacks against US targets as retribution for the assassination of Qasem Soleimani. It is impossible to know, but as a thought exercise, let’s walk through what being better prepared might look like if you believed you were a likely target.
When facing a human adversary, especially one with the backing of a nation-state, you must be prepared for anything. That said, you would be well served by studying previous attacks conducted on behalf of that nation-state, in this case looking for the patterns that emerge from attacks appearing to originate from the Islamic Revolutionary Guard Corps (IRGC), the group responsible for Iran’s foreign cyber operations.
One of the earliest and most famous attacks attributed to the IRGC is Shamoon. It was used to disrupt operations at Saudi Aramco and established the “wiper” as a signature move of Iranian operations, used to cover their tracks and disable systems at their chosen targets.
Analysis of later attacks shows they usually begin with a malicious penetration test, seeking insecure remote access systems or vulnerable applications exposed to the open internet. If that fails to identify a hole to exploit for access, they proceed to phishing staff members for valid credentials that will give them a foothold in the targeted entity’s systems.
After obtaining initial access, the game plan usually moves to the lateral movement phase. During this phase, attackers often transition to a “living off the land” strategy: using tools already present on the system, or commonly used legitimate tools, to penetrate further toward their objectives. Historically this has involved malicious PowerShell scripts, deployment of malicious payloads using PsExec, and harvesting additional credentials with Mimikatz or by brute-forcing poorly secured accounts.
In the discovery phase of the attack, they again use both existing information, often obtained from Active Directory, and open source tools like Nmap to find the systems likely to contain the information they want. They then steal that information, exfiltrate it to systems under their control, and move into the final phase of the mission: disruption.
The disruption phase usually involves a wiper, a dual-purpose tool that both covers their tracks and disables the target’s ability to operate. These wipers, so named for their ability to wipe out all the information on a system, have taken several forms over the years with varying degrees of success.
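The lateral-movement tradecraft above (encoded PowerShell, PsExec service deployment, Mimikatz-style credential dumping from LSASS, and brute-force logon attempts) leaves recognisable traces in ordinary endpoint telemetry. The following is an added example, not code from the original post or from Sophos, of a small hunt over a batch of constructed Windows-style event records; the record field names, the sample events and the LSASS allowlist are assumptions for illustration, not any product’s schema.

```python
import base64
import ntpath
import re
from collections import Counter

# Constructed sample telemetry (not from any real incident). Field names are
# assumptions for this example. Event ids follow Windows conventions:
# 4688 = process creation, 7045 = service installed, 10 = Sysmon process
# access, 4625 = failed logon.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4688,
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "WS01", "event_id": 4688,
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"host": "FS02", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "FS02", "event_id": 7045, "service_name": "BackupAgent",
     "image_path": "C:\\Program Files\\Backup\\agent.exe"},
    {"host": "DC01", "event_id": 10, "source_image": "C:\\Users\\Public\\m.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "DC01", "event_id": 10, "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
] + [
    {"host": "DC01", "event_id": 4625, "source_ip": "10.0.0.5", "account": f"user{i}"}
    for i in range(6)
] + [
    {"host": "DC01", "event_id": 4625, "source_ip": "10.0.0.9", "account": "jdoe"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the
# short forms seen in practice and capture the base64 argument.
ENCODED_PS = re.compile(
    r"(?i)\bpowershell(?:\.exe)?\b.*?\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)"
)

# Processes that legitimately open lsass.exe on a typical host. This is an
# assumed starting allowlist; tune it to what your own baseline shows.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def decode_encoded_command(b64):
    """Decode an -EncodedCommand argument (base64 of UTF-16LE) for analyst review."""
    try:
        return base64.b64decode(b64).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def check_encoded_powershell(ev):
    if ev.get("event_id") != 4688:
        return None
    m = ENCODED_PS.search(ev.get("command_line", ""))
    if not m:
        return None
    return {"rule": "encoded_powershell", "host": ev["host"],
            "detail": decode_encoded_command(m.group(1))[:60]}


def check_psexec_service(ev):
    if ev.get("event_id") != 7045:
        return None
    name = ev.get("service_name", "").upper()
    image = ntpath.basename(ev.get("image_path", "")).lower()
    if name == "PSEXESVC" or image == "psexesvc.exe":
        return {"rule": "psexec_service", "host": ev["host"], "detail": ev.get("image_path")}
    return None


def check_lsass_access(ev):
    if ev.get("event_id") != 10:
        return None
    target = ntpath.basename(ev.get("target_image", "")).lower()
    source = ntpath.basename(ev.get("source_image", "")).lower()
    if target == "lsass.exe" and source not in LSASS_ALLOWLIST:
        return {"rule": "lsass_access", "host": ev["host"], "detail": ev.get("source_image")}
    return None


def brute_force_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed logons (4625) in the batch."""
    counts = Counter(ev["source_ip"] for ev in events
                     if ev.get("event_id") == 4625 and ev.get("source_ip"))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def hunt(events, threshold=5):
    """Run every check over the batch and return a list of findings."""
    findings = []
    for ev in events:
        for check in (check_encoded_powershell, check_psexec_service, check_lsass_access):
            hit = check(ev)
            if hit:
                findings.append(hit)
    for ip in brute_force_sources(events, threshold):
        findings.append({"rule": "brute_force", "host": "*", "detail": ip})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:<20} {f['host']:<6} {f['detail']}")
```

Each rule is deliberately narrow and keyed to one behaviour from the post, so a hit is easy to explain to whoever triages it; the brute-force threshold and the LSASS allowlist are the two knobs that need tuning against your own baseline before the logic is useful in an EDR or SIEM search.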
To protect against this type of sophisticated attack, we recommend the following:
- Patching – Eliminate known vulnerabilities and keep an inventory of software assets and their versions
- Phishing awareness training – Educate users to trust their instincts and about the increasing sophistication of malicious email
- Credential hardening – Test your user database against known breached passwords and provide tools for secure password management
- Multi-factor authentication (MFA) – Require MFA for remote access and other frequently abused services
- Application control – Watch for unauthorized use of legitimate tools
- Advanced anti-malware tools – Defend against unknown variations of known malware and against exploits of zero-day and unpatched vulnerabilities
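The credential-hardening item is the one most often skipped because people assume checking passwords against breach data means sending them somewhere. The scheme below, added here as an example rather than code from the post, models the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords service: the client sends only the first five hex characters of the SHA-1 of the candidate password and compares the returned suffixes locally. The breach corpus, counts and usernames here are constructed; a real deployment would query the live range endpoint or a downloaded copy of the corpus.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> number of times seen.
# Real corpora are hundreds of millions of entries; these three exist only
# so the example runs offline.
CONSTRUCTED_BREACH_COUNTS = {
    "Password1": 2413945,
    "Summer2019!": 1882,
    "Welcome123": 101231,
}


def sha1_upper(password):
    """Uppercase hex SHA-1 of the UTF-8 password, the form the range scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex):
    """5-character prefix (what leaves the host) and 35-character suffix (kept local)."""
    return sha1_hex[:5], sha1_hex[5:]


def build_range_index(breach_counts):
    """Index the corpus the way a range server stores it: prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for pw, count in breach_counts.items():
        prefix, suffix = split_hash(sha1_upper(pw))
        index[prefix][suffix] = count
    return index


def range_lookup(index, prefix):
    """Server side of the exchange: sees only the prefix, returns every suffix under it."""
    assert len(prefix) == 5, "only the 5-char prefix is ever sent"
    return dict(index.get(prefix, {}))


def breach_count(password, index):
    """Client side: hash locally, fetch the range, match the suffix at home."""
    prefix, suffix = split_hash(sha1_upper(password))
    return range_lookup(index, prefix).get(suffix, 0)


def check_new_password(username, password, index):
    """Policy hook for a password-set or password-change flow.

    Returns (accepted, reason). Rejecting breached passwords at the moment the
    user chooses them is the practical way to 'test your user database', since
    stored hashes should not be reversible.
    """
    count = breach_count(password, index)
    if count:
        return False, f"{username}: password appears {count} times in breach data"
    return True, f"{username}: password not found in breach data"


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_COUNTS)
    for user, pw in [("alice", "Welcome123"), ("bob", "tr0ub4dor-horse-staple-2020")]:
        print(check_new_password(user, pw, idx))
```

The same `breach_count` call fits at login time as well as at password-change time, which is how you gradually retire weak passwords that predate the policy; the prefix-only lookup is what makes it acceptable to run against a third-party corpus.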
Layer on the ability to monitor and hunt for threats using Endpoint Detection and Response (EDR), and you begin to look incredibly well prepared to defend yourself against the latest tactics used by advanced criminal attackers.
Now, take a step back. You will notice this checklist resembles security recommendations needed to protect your organization from both nation-state and financially motivated cybercriminals.
Whether you believe you are a realistic target for a nation-state attacker or not, the truth of the matter is that the tools, tactics and procedures used by the IRGC are remarkably similar to those used by conventional cybercrooks. Their goals might differ (million-dollar ransoms and your customers’ credit card data instead of international drama and revenge), but the methods barely vary.
Using high-profile events like this to conduct exercises to determine your readiness is a great opportunity for hardening your defenses. Common cybercriminals aren’t stupid. They take pages from nation-state attackers’ playbooks. They might not have the resources to develop new attack methods to bypass advanced protective defenses, but they aren’t too proud to steal those ideas and use them to hold you hostage.