Tag Archives: Iran

Uninformed thoughts on Iran as a cyber threat

[Image: Carrot bomb]

Understanding the reality of a threat matters.

Last week, a number of organizations reported that Iranian oil infrastructure had gone offline in response to malware of some sort. The Iranian Oil Ministry claims the attack only affected user data, not actual production equipment, and others have indicated that the malware did not target industrial control systems. So while the whole incident might seem reminiscent of Stuxnet, the reality doesn’t quite match up to that prior incident. In fact, we don’t know at this time whether they simply had to deal with commodity malware of some sort (though that seems like a stretch), or a reconnaissance attack gathering user data, as the Iranians claimed, or some other scenario.

Side note: this reminds me of the lack of utility of the term “advanced persistent threat”. If we don’t use it as a euphemism for a particular nation-state actor, then clearly we can consider the United States and Israel as APT-type adversaries for Iran, among other potential targets. While Israel continues to talk about a possible kinetic strike on Iranian nuclear facilities despite internal controversy, disabling those same facilities via attacks in the cyber domain has lots of benefits: drastically reduced collateral damage, deniability of a covert operation, and reduced risk of generating empathy for the regime among the Iranian populace.

Recent Congressional hearings convened to discuss whether Iran’s cyber abilities constitute a significant threat to the US. Personally, I consider it highly unlikely that any serious assessments would be unclassified, so these public hearings strike me as a sort of political Kabuki theater as follow-up to previous assessments including Iran as a cyber threat, though those had more meat to them. We have to consider the possibility that this gets so much play due to interest in conflict with Iran by hawkish elements in government and related commercial power structures. The nature of power leads to its active use. Uncharitably, we might say that power is no fun if not wielded, but more realistically that dormant power leads to atrophy.

That doesn’t mean we shouldn’t consider the range of Iranian cyber capability. I don’t have sufficient data or background on Iran to take a real stab at analyzing that [1], but we can ask reasonable questions. Can a small isolated nation develop the mindset in personnel required (cf. DPRK)? (Probably so, though it might take more effort and broad collaboration with friendly organizations to get there.)

Consider, too, the nature and value of threat intelligence. The risk reduction for most private organizations stems from potentially attributing attacks to Iran and mapping out indicators of compromise, whether technical, methodological, or otherwise. Preventive controls likely would not change appreciably due to an Iranian threat: we in the US and much of the West in general have all sorts of commercial sanctions against Iran, so we rarely have to consider how to secure transactions and partner networks like we do in the case of Russia, Eastern Europe, China, and similar states. Appropriate governmental groups can also track units or other sponsored actors for possible counter strikes (CNA/CNE, computer network attack and computer network exploitation), although at this point I’ve ventured out of the scope of speculation where I feel knowledgeable enough to ask good questions.

[1]: However, you might follow Ali-Reza Anghaie (@packetknife) for a far more informed perspective.

Analysis of DNI annual Worldwide Threat Assessment

The US Director of National Intelligence, James Clapper, provided his annual Worldwide Threat Assessment to the Senate yesterday (followed by a classified session with, we can surmise, greater detail).

The unclassified portion discusses cybersecurity several times. In fact, the introduction states:

Counterterrorism, counterproliferation, cybersecurity, and counterintelligence are at the immediate forefront of our security concerns.

Notwithstanding the idea that we should consider cybersecurity as a domain and not only a specific activity, I found it useful to see where the policymakers within the US intelligence community see specific concerns. The entire document runs about thirty pages, but over two-thirds of it addresses specific region-by-region and country-by-country concerns. Two pages cover cyber threats and counterintelligence, which for our purposes cover largely similar ground.

The assessment correctly notes that “neither the public nor private sector has been successful at fully implementing best practices.” I’d go a step further, because best practices evolve on both the attack and defense fronts. We don’t even fully implement standard practices: the things we know how to do efficiently and relatively easily. Standard practices, in my mind, constitute a reasonable bar to clear: if practitioners in a given area generally all accept some technology or process as “the way it’s done”, then we shouldn’t excuse anyone doing less than that.

Interestingly, the document first singles out China and Russia as state actors, but then refers to the 2011 NCIX report to specifically blame “entities within these countries”. This means that, although the DNI does not provide specific reasons for attribution in the unclassified report, he does claim that the entities have state sponsorship. The NCIX only said on page 5 of his report that the intelligence community has “not been able to attribute many of these private sector data breaches to a state sponsor.”

The DNI report also notes that governments cannot keep up with tech development and illustrates this by “failed efforts at censoring social media” in the Arab Spring. This should provide an object lesson to US policymakers, though the recent controversies over SOPA, PIPA, and now ACTA indicate that they might not have fully connected the dots.

As a community, we’ve talked for years about addressing the vulnerability problems (including across the entire supply chain), but the DNI also talks about threat in the context of problems regarding warning, detection, and attribution. He recommends greater “US Government engagement” with the private sector. This presents other challenges, though, because we have concerns about transparency versus legitimate secrecy needs (just for starters).

In the section on counterintelligence, the report also links cybersecurity to foreign intelligence service activity. I physically laughed out loud at the assessment that “many intrusions into US networks are not being detected”: understatement of the year. The report here adds Iran to the list of countries undertaking cybersecurity operations against the US. The private sector infosec community, outside of the defense industrial base and Stuxnet, hasn’t really paid much attention to Iran. That could change in 2012, particularly if geopolitical tensions continue to increase there.

I didn’t expect any specific data in this document, given its purpose and classification level. But it could point the way to at least some of the areas that could involve many of us in the next few years, and it certainly is useful in validating the idea that we need to improve our abilities in sharing threat intelligence and incident detection & response.

Third world cyberalliances

NB: Due to the nature of the story, some of the links below go to Spanish-language articles. If you don’t read Spanish, you may wish to use Google Translate. I haven’t reviewed any translation so I don’t vouch for its accuracy.

I don’t always agree with Krypteia, but I always appreciate reading and considering his thoughts on things. And given my personal and professional connections to Mexico, I particularly appreciated his latest piece on La Amenaza de Iraní (sic). He analyzes in detail the recent reports from Univision regarding the now-former Iranian ambassador to Mexico planning “cyberwar” with Mexican university students.

I don’t have much to add to his analysis at the moment, except to take exception with another analyst whom I respect, Jeffrey Carr, who rejects the idea that Iran would bother with “Mexican hackers”.

While I certainly recognize the efforts to which the Chinese have gone in their economic and military espionage (even if some folks dispute some of the specifics), that doesn’t mean that they cover every initiative from every ally. Nor does it mean that the Iranians wouldn’t attempt to grow their network, not least for the reasons Krypteia mentioned in his piece. This fits together well with today’s report on links between Los Zetas and Hizbollah, the latter of which has close ties with Iran.

Whatever the reality of this specific situation, the world has changed over the last two years. We will always have debates about who and why, and even more on what to do about it, but the threat landscape shifts daily.