By Fortinet | January 10, 2020
This blog is a summary of a byline written by Phil Quade, Fortinet CISO, for CNBC's Technology Executive Council. The original article can be accessed here.
There is a significant amount of speculation on Iran's plans in response to heightened world tensions and what it might mean in the cyberspace domain. "Those who raise the threat of an Iranian cyberattack as a possible or likely response in 2020 are not recklessly beating the drum," says Quade.
Given that impactful, sustained, and scalable cyberattacks require significant planning and development, the most likely scenario is one that leverages existing techniques, such as ransomware and denial of service attacks. However, we can’t rule out the possibility of Sleeper Agent attacks, whereby malicious cyber implants are placed in key systems during "peacetime" and activated through remote control during a crisis.
The issue at hand is how to prepare for any such event. Likely targets range from government sites to high-profile commercial entities to critical infrastructure. Of course, organizations face determined cybercriminals every day, so any actions taken to address this current threat should already be part of any security strategy.
Six Steps You Can Take Now
There are six essential steps any organization should have in place to prepare for any cyberattack and protect their digital assets:
Segment Your Network: Critical assets should be divided into well-protected domains, and intent-based segmentation should be employed to ensure that devices, assets, and data that are constantly moving into and out of the network are dynamically allocated to the appropriate segment based on policy. An effective segmentation policy ensures that a failure in one domain does not become catastrophic by spreading to other areas of the network.
Maintain Redundant Communications Options: Maintaining open communications with the distributed elements of your network is essential. Traditional WAN models are highly vulnerable to things like DDoS attacks. SD-WAN’s secure networking capability, on the other hand, allows organizations to dynamically change communication paths based on a variety of factors, including availability.
Safeguard Critical Data: Given the high rate of ransomware attacks, every organization should be regularly backing up critical data and storing it offline. That data should also be regularly inspected for embedded malware. In addition, organizations should run regular drills to ensure that backed up data can be quickly redeployed into critical systems and devices to ensure that networking can get back to normal as quickly as possible.
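The restore drills described above only prove something if the restored copy is compared against what was actually backed up. The following Python script is an added example, not code from the original article or from Fortinet: it records a SHA-256 manifest of a backup set, then verifies a restored tree against that manifest and reports files that are missing, modified, or unexpected. The directory layout and file contents are constructed for illustration; in practice the manifest would be stored alongside the offline backup.

```python
"""Offline backup integrity check: build a SHA-256 manifest of a backup set
and verify a restored copy against it during a restore drill.
Added example (not Fortinet's code); the directory layout and file names are
constructed for illustration."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large dumps don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, with '/' separators) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest taken at backup time.
    Returns the files that are missing, whose content changed, or that
    appeared without being part of the backup."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def restore_drill() -> dict:
    """Simulate a drill: back up a small tree, 'restore' it with one corrupted
    file and one missing file, and report what the verification catches."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "prod"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'ok');\n")
        (src / "config.yaml").write_text("listen: 0.0.0.0:8443\n")
        manifest = build_manifest(src)   # this is what would be stored offline

        restored = Path(tmp) / "restored"
        (restored / "db").mkdir(parents=True)
        # Constructed tampering: the SQL dump differs from what was backed up.
        (restored / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'tampered');\n")
        # config.yaml is deliberately not restored; a stray file appears instead.
        (restored / "notes.txt").write_text("left behind\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for category, files in restore_drill().items():
        print(f"{category}: {files}")
```

A manifest like this is also the natural place to hang the "inspect for embedded malware" check: the same digests can be compared against known-bad hashes before the backup is redeployed.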
Leverage Integration and Automation: A platform approach to integrating security devices ensures that they can share and correlate threat intelligence as well as seamlessly participate as an integral part of any coordinated response to a threat. In addition, Endpoint Detection & Response (EDR) and Security Orchestration Automation & Response (SOAR) provide the ability to quickly detect, orchestrate, and automatically respond to an attack.
Inspect Electronic Communications: Email remains the most common attack vector for infecting devices and systems with malware. In addition to aggressive end user training on how to detect and respond to phishing attacks, secure email gateways need to be able to effectively identify and inspect suspected malicious email attachments to test for potential threats in a safe environment, such as a sandbox. Likewise, Next-Generation Firewalls need to be deployed inside the network perimeter to examine encrypted internal communications to find malicious software and hidden command-and-control implants.
Subscribe to Threat Intelligence Feeds: Subscribing to a number of threat intelligence feeds, along with belonging to regional or industry-based ISACs, enables you to stay up to date on the latest threat vectors and malware. By ingesting this intelligence and integrating it into an integrated security platform, organizations can highlight threat indicators – signatures of malicious software most likely to impact your network and industry – to not only block them when detected, but to prevent them from ever entering your network in the first place.
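The ingest-and-integrate step above is easier to reason about with a concrete pipeline. The Python below is an added example, not code from the original article or from Fortinet: it loads a feed of indicators, normalises and validates them (rejecting malformed entries rather than letting them into a blocklist), matches them against log lines, and flattens the set into deny entries a gateway could load. The feed layout, indicator values, hash, and log lines are all constructed for illustration and stand in for whatever format a real feed or ISAC delivers.

```python
"""Ingest a threat-intelligence feed and match its indicators against logs.
Added example, not code from the original article or from Fortinet: the feed
layout, the indicator values and the log lines are all constructed."""
import ipaddress
import json
import re
from dataclasses import dataclass, field

# Constructed SHA-256 value standing in for a real malware hash.
SAMPLE_HASH = "ab" * 32

# Constructed feed in a minimal JSON shape (not any vendor's or ISAC's format).
FEED_JSON = json.dumps({"indicators": [
    {"type": "ipv4",   "value": "203.0.113.45",          "tags": ["c2"]},
    {"type": "domain", "value": "Update-Check.Example.",  "tags": ["phishing"]},
    {"type": "sha256", "value": SAMPLE_HASH.upper(),      "tags": ["dropper"]},
    {"type": "ipv4",   "value": "not-an-ip",              "tags": ["junk"]},
]})


@dataclass
class IndicatorSet:
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    rejected: list = field(default_factory=list)   # malformed entries kept for review


def load_feed(text: str) -> IndicatorSet:
    """Normalise entries (case, trailing dots) and set aside malformed ones
    instead of letting them silently poison the blocklist."""
    ind = IndicatorSet()
    for entry in json.loads(text)["indicators"]:
        kind, value = entry["type"], entry["value"].strip().lower().rstrip(".")
        try:
            if kind == "ipv4":
                ipaddress.IPv4Address(value)        # raises ValueError if malformed
                ind.ips.add(value)
            elif kind == "domain":
                if not re.fullmatch(r"[a-z0-9.-]+", value):
                    raise ValueError("bad domain")
                ind.domains.add(value)
            elif kind == "sha256":
                if not re.fullmatch(r"[0-9a-f]{64}", value):
                    raise ValueError("bad sha256")
                ind.hashes.add(value)
        except ValueError:
            ind.rejected.append(entry)
    return ind


def domain_matches(host: str, domains: set) -> bool:
    """True if host equals an indicator domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


KV = re.compile(r"(\w+)=(\S+)")


def match_logs(lines, ind: IndicatorSet):
    """Return (timestamp, reasons) for every key=value log line that touches
    a known-bad IP, domain or file hash."""
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        reasons = []
        for key in ("src", "dst"):
            if fields.get(key) in ind.ips:
                reasons.append(f"ip:{fields[key]}")
        query = fields.get("query")
        if query and domain_matches(query, ind.domains):
            reasons.append(f"domain:{query}")
        digest = fields.get("sha256", "").lower()
        if digest in ind.hashes:
            reasons.append(f"hash:{digest}")
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits


def blocklist(ind: IndicatorSet) -> list:
    """Flatten the indicator set into deny entries a gateway or proxy could load."""
    return sorted([f"deny ip {ip}" for ip in ind.ips] +
                  [f"deny domain {d}" for d in ind.domains])


# Constructed log lines: a proxy connection, two DNS queries and an EDR file event.
LOG_LINES = [
    "2020-01-10T09:12:01Z proxy src=10.0.5.21 dst=203.0.113.45 url=http://203.0.113.45/beacon",
    "2020-01-10T09:12:07Z dns client=10.0.5.21 query=cdn.update-check.example",
    "2020-01-10T09:13:40Z dns client=10.0.7.9 query=www.example.org",
    f"2020-01-10T09:15:02Z edr host=ws-0042 file=invoice.pdf.exe sha256={SAMPLE_HASH}",
]

if __name__ == "__main__":
    indicators = load_feed(FEED_JSON)
    for ts, why in match_logs(LOG_LINES, indicators):
        print(ts, ", ".join(why))
    print("\n".join(blocklist(indicators)))
```

Two design points matter here: the subdomain match means a single feed entry covers hosts an attacker rotates under it, and the `rejected` list keeps malformed feed entries visible for review rather than dropping them silently, which is the kind of quality problem that shows up when several feeds are merged.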
Cybersecurity is a Team Sport
To effectively defend ourselves against a determined cyberattack, everyone needs to work together as a team to prevent, detect, and respond. This includes everyone and everything from the national defense capabilities of the U.S. Government, such as CYBERCOM, NSA and the CIA, to local consortiums of businesses and industries, to security vendor community efforts such as the Cyber Threat Alliance. This needs to be combined with an effective cyber response strategy that engages critical team members to protect resources, quickly recover from an attack using backed up data and isolated resources, and enlist the support of agencies such as your local FBI.