Iranian cyber attacks on the US are no longer a threat - they are our reality. How can we better prepare ourselves and make sure our SIEM is equipped to deal with this very serious threat?
On January 6th the US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on a potential Iranian cyber response to the drone killing of Iran’s powerful top general Qassim Suleimani last week. In the short time since, it has become clear that the potential is now a reality - Texas Gov. Greg Abbott said that the Texas Department of Information Resources has seen a spike in attempted cyberattacks from Iran on state agency networks, at a rate of about 10,000 per minute.
We should all take note. Following the strike on American military facilities in Iraq, which satisfied their need to take some form of military action, cyber attacks are the natural next step for the Iranian leadership. The New York Times yesterday published an article on the cyber threat from Iran, describing cyber warfare as the perfect weapon: it could allow Iran to do significant damage while masking its culpability.
Let’s go back and examine Iran’s cyber attack capabilities. The CISA alert includes a list of previous Iranian DDoS attacks targeting the US financial sector in 2013, which prevented customers from accessing their accounts and cost banks millions of dollars in remediation, and an attack on the Sands Las Vegas Corporation in 2014 which wiped out their computer systems and stole customer data, amongst others.
In the years since, we can be sure Iran has improved its cyber attack capabilities for just such a situation as we are in now – when they want to strike American interests in a way that is painful but subversive, and does not necessarily push the US into an all-out military conflict, which they want to avoid.
The CISA alert provides a list of known Iranian advanced persistent threat (APT) techniques based on the MITRE ATT&CK Framework, including Credential Dumping, Link Spearphishing, PowerShell, User Execution and others. These attack types are all expressed in MITRE ATT&CK terminology. The alert itself also provides tips on what you can do right now to detect and mitigate Iranian attacks and raise your safety level; I recommend everyone read it if you haven’t already.
If Iran executes attacks that can be efficiently represented in MITRE technique terms, and we want to protect our networks, we need platforms that can translate network logs, user activity logs and security event logs into those same MITRE terms. Especially in NG SIEM platforms – whose role it is to synchronize all the different security tools, hunt threats, classify and mitigate – this issue of a common language is critical.
The second critical component of cyber preparedness is the ability to deal with masses of data. Sifting through mountains of data and logs requires not only translating all the logs into a MITRE representation, but also prioritizing the real attacks (filtering out false positives) by finding connections between the different identified MITRE techniques and checking whether together they form a real attack “story” – otherwise it is just “noise”. If they do, the security team needs to be alerted to that story so they can handle it properly. If the team is alerted to every piece of data at every threat level, they will never be able to dig themselves out of the mess.
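As an added example that is not part of the original post or any vendor's product, the following Python sketch shows the two steps just described: a hypothetical rule table translates raw log lines into ATT&CK technique names (using the pre-sub-technique IDs in use when the alert was issued), and a per-host sliding window only raises a "story" when several distinct techniques chain together on one host. The hosts, log lines and rule match strings are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Hypothetical rule table (log source, substring, ATT&CK technique); the IDs are
# the ones in use when the alert was issued, the match strings are illustrative.
RULES = [
    ("proxy",  "clicked-link",         "T1192 Spearphishing Link"),
    ("edr",    "user-opened-document", "T1204 User Execution"),
    ("sysmon", "powershell.exe -enc",  "T1086 PowerShell"),
    ("edr",    "lsass-memory-read",    "T1003 Credential Dumping"),
]

# Constructed sample events, "timestamp|host|source|message"; not real traffic.
SAMPLE_LOGS = """\
2020-01-08T09:00:00|ws-17|proxy|user jdoe clicked-link hxxp://example.invalid/doc
2020-01-08T09:02:10|ws-17|edr|user-opened-document invoice.docm
2020-01-08T09:02:45|ws-17|sysmon|powershell.exe -enc <constructed-blob>
2020-01-08T09:10:30|ws-17|edr|lsass-memory-read by procdump.exe
2020-01-08T11:30:00|ws-42|sysmon|powershell.exe -enc <constructed-blob>
2020-01-09T09:05:00|ws-17|sysmon|powershell.exe -enc <constructed-blob>
"""

def classify(line):
    """Translate one raw log line into (timestamp, host, technique), or None."""
    ts, host, source, msg = line.split("|", 3)
    for src, needle, technique in RULES:
        if source == src and needle in msg:
            return datetime.fromisoformat(ts), host, technique
    return None  # unmapped lines never contribute to a story

def build_stories(lines, window=timedelta(hours=1), min_techniques=3):
    """Story = one host with >= min_techniques distinct techniques inside one
    sliding window; anything short of that is treated as noise."""
    hits = defaultdict(list)
    for line in lines.splitlines():
        hit = classify(line)
        if hit:
            ts, host, technique = hit
            hits[host].append((ts, technique))
    stories = []
    for host, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            first_seen = {}  # technique -> first time it appeared in this window
            for ts, technique in events[i:]:
                if ts - start > window:
                    break
                first_seen.setdefault(technique, ts)
            if len(first_seen) >= min_techniques:
                stories.append((host, start, sorted(first_seen, key=first_seen.get)))
                break  # one story per host is enough to page the team
    return stories
```

Run against the sample, ws-17 yields one story with the four techniques in the order they appeared, while the lone PowerShell hit on ws-42 and the next-day hit on ws-17 stay below the threshold and are never escalated.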
Iran is already on the attack, and every American business and organization is a target. If you know your SIEM can classify all your logs into the MITRE ATT&CK language and has the automation to mitigate, you can sleep (a little) better at night.