On January 4, 2020, the Department of Homeland Security (DHS) issued a National Terrorism Advisory System (NTAS) bulletin describing current developments and general trends regarding the terrorist threat posed by nation-state cyber warfare programs. According to the NTAS, the catalyst for the bulletin’s issuance is the United States’ “lethal strike in Iraq killing Iranian IRGC-Quds Force commander Qassem Soleimani” and publicly stated intentions of “Iranian leadership and several affiliated violent extremist organizations … to retaliate against the United States.”
It is important to note that while the bulletin specifically states that the NTAS has no information indicating a specific, credible threat at this time, it acknowledges that “an attack in the homeland may come with little or no warning.” The NTAS also acknowledges that Iran has been implicated in previous U.S.-based plots and has the capabilities within its cyber program to carry out attacks against critical U.S. infrastructure.
The Focus on Nation-State Cyber Threats Is Not New
If U.S. companies were attacked on the cyber front by a nation-state, it would not be the first time. In just the past year:
- On June 22, 2019, the Cybersecurity and Infrastructure Security Agency (CISA) issued a Statement on Cybersecurity Threats citing the recent rise in malicious cyber activity directed at U.S. industries and government agencies. The statement further noted the use of “wiper” attacks with the potential to take down entire networks.
- In November 2019, a Microsoft security researcher presented findings from the company’s threat intelligence group at CyberwarCon regarding malicious attempts to gain access to the networks of Industrial Control System (ICS) suppliers, a possible first step in a supply chain attack that could be used for acts of sabotage.
What Should Companies Do?
Protiviti recommends organizations take the following key actions to deter, identify and respond to a cyberattack. Given the source and nature of the threat, those business services that are defined as critical infrastructure sectors, or which otherwise have the potential to broadly impact many customers, should be prioritized.
- Enhance security awareness. One of the easiest ways to increase security is through employee awareness. Organizations should continue ongoing efforts to keep employees engaged and motivated, and, in view of the present environment, turn up the volume in their communications on this issue.
- Identify the most critical systems, applications, infrastructure and third-party needs to support important business services. Organizations cannot maintain and build resilience in the face of significant cyberthreats unless they have a clear understanding of their environment and the most important elements that enable the business to function.
- Implement mitigating controls, such as network segmentation and other compensating solutions, to protect those critical technologies that cannot be patched. These technologies may include medical devices, industrial control systems and legacy applications.
- Evaluate all access into systems and networks to ensure only authorized users can use or administer company assets. To that end, it is vital to ensure that default credentials are updated.
- Increase the sophistication of protection and detection strategies. One key step in the protection of systems and data is to increase monitoring of security events on systems with access to the internet. In addition, deploying more sophisticated defenses such as multifactor authentication (MFA) and active defense technologies (e.g., endpoint detection and response [EDR] and intrusion prevention systems [IPS]) can help mitigate risk to the environment.
- Seek and share the latest cyberthreat information. Sharing of cyberthreat information among businesses, as well as between government and business, could help mitigate attacks from nation states. There are numerous Information Sharing and Analysis Centers (ISACs) that can assist with the sharing process. Companies in possession of U.S. government data may prefer to access the Defense Industrial Base (DIB), which aims to protect sensitive, unclassified Defense Department program and technology information residing on, or transiting among, Department of Defense and defense contractor computers.
- Refresh the risk assessment process as it relates to cyberthreats more than once a year. Because threats are evolving so quickly, the risk assessment should be performed quarterly to ascertain the emergence of new threats and risks. In addition, the risk assessment process should consider risks beyond the loss of sensitive data. Other risks, such as operational impacts and disruption, could be realized through cyberattacks.
- Ensure the organization has a sound, up-to-date incident response plan that addresses new threats. Conduct training and rehearsals of this plan through simulations (e.g., tabletop exercises). Revisit the plan more than once a year – ideally, quarterly – depending on the risks to the organization. Review organizational business continuity and disaster recovery plans and ensure they are up to date and include recovery procedures for business disruption from a cyberattack, particularly for systems that are critical to the execution of the business model.
- Ensure cyber defenses are adequately funded and staffed to manage the evolving risks and threats. An effective and comprehensive understanding of the threat landscape facilitates the allocation of defense spend to its highest and best use.
In issuing the NTAS bulletin, DHS indicated it intends to provide protective measures when and if its understanding of the risk landscape changes. That said, it is up to each organization to take the necessary steps to protect its critical systems, assets and intellectual property and sustain its business model. The nine key actions above offer a framework for assessing next steps in the near term.