Scott Ormiston is a Federal Solutions Architect at Synack and a U.S. Air Force veteran.
In summer 2013, Iranian hacker Hamid Firoozi breached the controls of a dam in New York, according to a U.S. indictment.
The dam intrusion capped off a hacking spree—allegedly dating back to winter 2011—that also saw U.S. federal websites defaced and major banks disrupted by distributed denial of service (DDoS) attacks.
Experts viewed those cyber incidents as Tehran’s response to the Stuxnet worm that damaged Iranian nuclear centrifuges.
Fast forward to last week, when the U.S. entered the ongoing Israel-Iran conflict by attacking Iranian nuclear facilities with airstrikes. While Israel and Iran have agreed to a ceasefire, U.S. federal authorities—including the Department of Homeland Security—are warning that hacktivists and government spies linked to Iran could launch digital attacks on U.S. critical infrastructure. And ABC News has reported that some retaliatory DDoS attacks have already begun.
On the bright side, Iranian threat groups have rarely showcased the skills and ingenuity needed to breach hardened U.S. targets. The dam intrusion is a case in point: scary as any breach of U.S. industrial control systems may be, hijacking New York’s tiny Bowman Avenue Dam risked flooding a few basements. Hardly the stuff of CISO nightmares.
However, recent global events highlight the need to look at computer networks as an adversary would. Even script kiddies lacking basic hacking know-how can cause trouble if an organization’s critical assets are exposed, unpatched or misconfigured. Adversarial AI tools are also lowering the bar for hacktivists hoping to wreak havoc.
“SHIELDS-UP,” as former Cybersecurity and Infrastructure Security Agency Director Jen Easterly put it Sunday. “Iran has a track record of retaliatory cyber operations targeting civilian infrastructure, including: water systems; financial institutions; energy pipelines; government networks; and more.”
The Shields Up mantra is a welcome one, and it can apply to all kinds of cyber emergencies. Beijing could act on its military threats to Taiwan, likely triggering a cyber conflict that’s not confined to the western Pacific. Russia could up the ante in its war in Ukraine by disrupting the critical infrastructure networks of Kyiv’s backers. The Department of Defense plans for these scenarios every day. Any large organization with a global footprint and a security team worth its salt should be thinking of how to prepare.
But in times of geopolitical upheaval, how do defenders know their shields won’t crumble under pressure from real-world attackers?
Pentesting is an essential piece of any mature cybersecurity program, but getting a true adversarial perspective is easier said than done. Attackers will bring a variety of skillsets and creative approaches to attacking your networks; capturing that diversity of perspective in your pentesting is a challenge in an era of limited security budgets.
Those same security budgets must also account for all the other pieces of a robust cybersecurity program: training and awareness, access controls, cloud security management, incident response, endpoint protection—you get the picture.
Hopefully, Iran’s cyber retaliation doesn’t cut deeper than Tehran’s limited, telegraphed strikes on one U.S. air base. Those attacks were easily fended off and injured no one. But as the saying goes, hope is not a strategy.
To learn more about how the global Synack Red Team community of vetted, ethical hackers can help provide an adversarial perspective on your networks, visit https://www.synack.com/red-team/.
