Iranian Cyber Attack: The Top 5 Techniques
Understand your adversary
As cyber security professionals we often look at technical factors in isolation. Whilst these indicators and behaviours provide great value, on their own they skip an important preliminary step: identifying priority adversaries.
A good understanding of all adversaries can help answer the important question: who is likely to attack us, and why? Whilst the primary focus of most criminal enterprises is financial gain, offensive cyber action by nation states is likely to be rooted in geopolitics. Understanding a state's national political objectives can help determine if, and why, it is likely to target your organisation.
When considering adversaries on the world’s stage it is important to understand those with offensive cyber capabilities and political motivations to use them, such as Iran.
By exploring Iran’s background and previous cyber offensive strategies, this blog will consider their motivations and potential targets.
Background on Iran
The institutional Iranian psyche is rooted in the Iranian Revolution of 1979. The revolution's slogan was "neither East nor West, only Islamic Republic" ("Na Sharq, Na Gharb, Faqat Jumhuri-e Islami"). Today this slogan accurately describes the Iranian approach to foreign policy, whereby Iran positions itself as the centre of the Islamic world. Iranian influence is expressed indirectly through conflict intended to increase regional instability, especially against Israel, Iraq, Saudi Arabia and Western forces operating in the region.
Although Iran has been involved in a number of international armed conflicts, including invasions by British and Russian forces during both World Wars, it has never been the direct initiator of a conflict. The Iran-Iraq war, initiated by Saddam Hussein in 1980, took advantage of the turmoil created by the Iranian Revolution; some estimates suggest over a million people died in this conflict.
In the Middle East, Iran is a major military player. However, its adversaries also have strong conventional forces which continue to influence the Iranian approach to conflict. Iran has historically chosen indirect engagement with adversaries in order to disrupt their opponents and exert regional influence. The evolution of offensive cyber capabilities and common use of cyber operations has provided a new frontier for offensive actions and is highly likely to increase further.
Iran’s cyber capabilities
Using the MITRE ATT&CK framework we can identify 11 offensive cyber groups that have links to Iran. By number of groups alone this is second only to China. These groups and their targets include:
APT33 - Elfin - Aviation and energy
APT39 - Chafer - Telecommunication and travel industries
Charming Kitten - Individuals in academia, human rights and media
Cleaver - Critical infrastructure
CopyKittens - Individuals associated with Government, academia and critical infrastructure
Group5 - Individuals and groups in Syria
Leafminer - Governments and businesses in the Middle East
Magic Hound - Energy, Government and Technology
MuddyWater - Telecommunications, IT Services, Oil & Gas
OilRig - Financial services, government, energy, chemical, and telecommunications
Strider - Government, military, scientific research, telecoms and financial services
It's reasonable to conclude that Iran has a competent cyber capability that targets a broad range of sectors aligned with its geopolitical interests. Offensive cyber operations align with Iran's tactics in the physical domain, and activity is likely to increase given recent events.
"Iran should be considered a first-tier cyber power"
Gabi Siboni, a cyber security expert with Israel's Institute for National Security Studies
Recent events
Since the US airstrike on Major General Soleimani, tensions have escalated. The risk of offensive cyber operations against new Iranian targets beyond their traditional opponents in the Middle East has increased, and it is logical to assume there will be a particular focus on Western powers.
Even if the effects of offensive operations are not publicly observed, threat actors will pre-position themselves and infiltrate networks for potential future use, both for information exploitation and for disruptive effects.
Additionally, Iran has domestically produced a range of arms including ships, submarines, torpedoes and planes. If Iran were to focus on a military build-up, offensive cyber operations are also likely to target international defence and manufacturing firms in order to make use of their intellectual property. This has been seen with other national threat actors, where designs and plans to build advanced equipment have been stolen, and it is even more pressing when international sanctions are impacting Iran's economy and its ability to manufacture.
Applying the MITRE ATT&CK Framework
Once you have considered the likely adversaries of your organisation and their motivations, the next step is to understand the tactics and techniques that they commonly employ. The MITRE ATT&CK framework provides a great basis for this, as it details a wide set of adversaries and maps each of them to the specific techniques of attacker behaviour they have been observed using.
The summary below was built by mapping each of the 11 groups associated with Iran to the techniques they have previously used, then counting how many groups use each technique, so that the most common techniques rank highest. Techniques not reported to be used by any of the groups have been hidden from the table. This approach of analysing a group's previous techniques can be applied to any threat actor, and tools such as the MITRE ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/enterprise/) make it easy to model.
After this analysis we get a clear, prioritised list of techniques to defend against.
Priority techniques
If you or your organisation are concerned about potential Iranian threat actors, you will want to take measures to ensure you have sufficient controls in place to defend yourselves against the most likely techniques. Based upon previous Iranian cyber attacks, the top 5 techniques are:
Credential Dumping T1003 - Tools such as Mimikatz and other methods which extract credentials from memory and files.
Obfuscated Files or Information T1140 - Hidden code to evade detection by static analysis methods.
PowerShell T1086 - The primary language for Windows system administration.
Scripting T1064 - Code such as batch files and Visual Basic used to automate steps of the attack such as initial access or enumeration.
User Execution T1204 - Encouraging vulnerable users to execute scripts directly, through spear phishing or watering hole attacks.
Mapping your defences to the MITRE ATT&CK Framework
After developing a detailed view of your adversaries and the techniques they are likely to employ, it is important to accurately model your own defences against each technique. Your modelling should detail your ability to prevent, detect and respond to each one of these techniques.
It's impossible to prevent many techniques without impacting business operations, so ensuring you have sufficient coverage to detect and respond to them is important.
Intersecting likely adversary techniques with your own defences will highlight current areas of weakness within your business that you may wish to address, such as the education of your teams, changes in process or controls, and investment in cyber security technology.
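The two steps described above, ranking techniques by how many tracked groups use them and then intersecting the top of that list with your own prevent/detect/respond coverage, can be scripted. The following is an added example written for this article, not Senseon's code or the article's own analysis: every group-to-technique mapping and the coverage table are constructed sample data (the group names are hypothetical and the mappings are not real ATT&CK group profiles), chosen so that the top 5 match the list above. A defender would replace them with real data, for example exported from the ATT&CK Navigator.

```python
"""Rank ATT&CK techniques by how many tracked groups use them, then intersect
the top-N list with a prevent/detect/respond coverage model to surface gaps.

Added example, not Senseon's code. All group-to-technique mappings and the
coverage table below are CONSTRUCTED sample data, not real MITRE ATT&CK group
profiles; swap in your own to run this against real adversaries.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed: hypothetical groups and the technique IDs they were "reported" to use.
GROUP_TECHNIQUES = {
    "Group-1": {"T1003", "T1086", "T1064", "T1204", "T1140"},
    "Group-2": {"T1003", "T1086", "T1204", "T1078"},
    "Group-3": {"T1003", "T1064", "T1140", "T1105"},
    "Group-4": {"T1086", "T1204", "T1140"},
    "Group-5": {"T1003", "T1086", "T1064"},
    "Group-6": {"T1204", "T1078"},
}

# Technique names as the article lists them; the last two are added for readability.
TECHNIQUE_NAMES = {
    "T1003": "Credential Dumping",
    "T1140": "Obfuscated Files or Information",
    "T1086": "PowerShell",
    "T1064": "Scripting",
    "T1204": "User Execution",
    "T1078": "Valid Accounts",
    "T1105": "Ingress Tool Transfer",
}


@dataclass(frozen=True)
class Coverage:
    """Whether the organisation can prevent, detect and respond to a technique."""
    prevent: bool = False
    detect: bool = False
    respond: bool = False


# Constructed: the organisation's own (hypothetical) control coverage per technique.
# Techniques absent from this table are treated as having no coverage at all.
DEFENCES = {
    "T1003": Coverage(prevent=False, detect=True, respond=True),
    "T1086": Coverage(prevent=False, detect=False, respond=True),
    "T1204": Coverage(prevent=True, detect=True, respond=True),
    "T1140": Coverage(prevent=False, detect=True, respond=False),
}


def rank_techniques(group_techniques):
    """Count how many groups use each technique; most common first.
    Ties are broken by technique ID so the ordering is deterministic."""
    counts = Counter()
    for techniques in group_techniques.values():
        counts.update(techniques)  # a set, so each group counts once per technique
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def assess_coverage(ranking, defences, top_n=5):
    """Intersect the top-N techniques with the coverage model.

    A missing prevent control on its own is reported but not treated as a gap,
    since many techniques cannot be prevented without impacting operations; a
    missing detect or respond capability is a gap that needs addressing."""
    report = []
    for technique_id, group_count in ranking[:top_n]:
        cov = defences.get(technique_id, Coverage())
        missing = [c for c in ("prevent", "detect", "respond") if not getattr(cov, c)]
        if not missing:
            status = "covered"
        elif missing == ["prevent"]:
            status = "prevention gap only"
        else:
            status = "gap"
        report.append({
            "technique": technique_id,
            "name": TECHNIQUE_NAMES.get(technique_id, "unknown"),
            "groups": group_count,
            "missing": missing,
            "status": status,
        })
    return report


if __name__ == "__main__":
    ranking = rank_techniques(GROUP_TECHNIQUES)
    print("Technique frequency across tracked groups:")
    for technique_id, count in ranking:
        print(f"  {technique_id} {TECHNIQUE_NAMES.get(technique_id, ''):<32} {count}")
    print("\nCoverage of the top 5:")
    for row in assess_coverage(ranking, DEFENCES):
        gaps = ", ".join(row["missing"]) or "none"
        print(f"  {row['technique']} {row['name']:<32} groups={row['groups']} "
              f"missing={gaps:<26} -> {row['status']}")
```

With the constructed data the ranking puts T1003, T1086 and T1204 at four groups each and T1064 and T1140 at three, and the coverage pass flags T1086, T1064 and T1140 as gaps while T1003 is reported only as lacking prevention, which is exactly the distinction the text above draws between what must be detected and responded to and what cannot realistically be prevented.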
At Senseon we help organisations of all sizes from around the world by automating the process of threat detection, investigation and response across their entire digital estates. These detections are mapped to the MITRE ATT&CK Framework to help our customers better understand the threats and adversaries they face.
If you are concerned about the impact of a nation state cyber attack on your organisation, please reach out to me at brad@senseon.io.
About the author
Brad Freeman, Head of Threat Analysis, Senseon
Brad is an expert in his field, with over a decade’s experience conducting nationally significant cyber security investigations across the critical national infrastructure and telecommunications sectors. Drawing on his extensive industry experience and knowledge, Brad leads the threat analytics team at Senseon, and specialises in finding and uncovering advanced actors deeply embedded within clients’ infrastructure.