What happened on October 7th was horrific, but the situation for the average business with an online presence in Israel is getting worse every day. The risks grow higher, especially for companies serving international customers as SaaS, as their marketing efforts make them more visible and, thus, a more attractive target to hackers and hacktivists.
In the wake of the recent escalation in Gaza, Israeli companies have faced an uptick in cyber attacks, primarily orchestrated by Iranian threat groups. As a cybersecurity expert, it’s crucial to understand these threats, their techniques, and the necessary countermeasures. This article delves into the strategies to safeguard Israeli companies, focusing on protecting cloud services and hardening on-premises endpoints and services.
Understanding the Threat
Iranian threat actors, notably the “Imperial Kitten” group, have intensified their cyber activities against Israel’s technology, transportation, and logistics sectors. Their tactics include phishing, exploiting one-day vulnerabilities, and leveraging stolen credentials. Tools like PAExec and NetScan for lateral movement and deployment of malware like IMAPLoader and StandardKeyboard for command and control activities are notable post-exploitation activities.
On top of that, hackers often use standard system tools such as PowerShell to avoid detection by antivirus vendors, so relying on antivirus protection is often useless.
Think about Prevention, Detection, and Response.
You can’t get secure without all three of them, and you should work on developing your company’s capabilities in all three.
The best form of prevention is security hardening of everything: operating systems, office suites, browsers, PDF reader apps, etc.
The best form of detection is frequent monitoring (daily, or more often) of your key infrastructure logs, especially email access. If a key email account is accessed from a strange location, your alarms should go off, leading to an investigation and to locking the hacker out of the account.
Your best response should lead to improvements in your prevention and response practices.
Indicators of Compromise (IOCs)
CrowdStrike and AlienVault have published IOCs related to these threat actors, including malicious IP addresses, domains, and malware signatures. Keeping abreast of these IOCs is crucial for early detection and response.
Protecting Cloud Services
If your business is like most modern companies, you rely on a cloud provider such as Microsoft 365 or Google at least for your email. And like most, you probably make the completely wrong assumption that just by using these companies you are secure, when in fact 90% of all security options there are turned OFF by default and have to be manually turned on by a security expert with experience.
Besides turning on the available security features, you should set up some monitoring and security policies.
Enhanced Monitoring and Incident Response: Given the opportunistic nature of Iranian cyber activities, cloud services must incorporate robust monitoring systems. Utilizing advanced threat detection tools that integrate IOCs for real-time alerting is essential. Incident response plans should be updated to address the specifics of these Iranian threat vectors.
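The monitoring described above (sign-ins from strange locations, and IOC-driven alerting) can be reduced to a few rules run over sign-in logs. The following is an added example, not code from the article or from Atlant; the log format, the allowed-country list, the IOC list and the two-hour travel window are assumptions chosen for the illustration, and the log lines are constructed.

```python
"""Flag suspicious mailbox sign-ins in constructed sample log lines.
Added example; format, allowed countries and IOC list are assumptions."""
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp,user,source_ip,country,result
SAMPLE_LOG = """\
2023-11-05T08:02:11Z,ceo@example.co.il,203.0.113.7,IL,success
2023-11-05T08:40:53Z,ceo@example.co.il,198.51.100.23,DE,success
2023-11-05T09:15:02Z,cfo@example.co.il,192.0.2.44,IL,success
2023-11-05T09:16:40Z,cfo@example.co.il,192.0.2.44,IL,success
2023-11-05T11:00:00Z,ceo@example.co.il,203.0.113.9,IL,success
"""

ALLOWED_COUNTRIES = {"IL"}           # assumption: where the team normally works
IOC_IPS = {"198.51.100.23"}          # constructed placeholder, not a real indicator
TRAVEL_WINDOW = timedelta(hours=2)   # two countries within this window is suspicious


def parse_log(text):
    """Parse the CSV-style lines into dicts, oldest event first."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def find_alerts(events):
    """Return (user, reason) tuples. Each successful sign-in is checked against
    three rules: unexpected country, known-bad source IP, and impossible travel."""
    alerts = []
    last_seen = {}  # user -> (timestamp, country) of the previous successful sign-in
    for e in events:
        if e["result"] != "success":
            continue
        if e["country"] not in ALLOWED_COUNTRIES:
            alerts.append((e["user"], f"sign-in from unexpected country {e['country']}"))
        if e["ip"] in IOC_IPS:
            alerts.append((e["user"], f"source IP {e['ip']} matches an IOC"))
        prev = last_seen.get(e["user"])
        if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= TRAVEL_WINDOW:
            alerts.append((e["user"], f"impossible travel {prev[1]} -> {e['country']}"))
        last_seen[e["user"]] = (e["ts"], e["country"])
    return alerts


if __name__ == "__main__":
    for user, reason in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {reason}")
```

Against the sample lines, the CEO's 08:40 sign-in trips all three rules, while the later 11:00 return to IL falls outside the travel window and is not flagged.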
Identity and Access Management (IAM): Strong IAM policies are crucial. Multi-factor authentication (MFA) and strict access controls must be enforced. Regular audits of user activities and permissions can prevent unauthorized access.
Data Encryption: Encrypt sensitive data both in transit and at rest. Employing key management practices where encryption keys are stored and managed securely, preferably on-premises, reduces the risk of data exposure. Data encryption is more than just a setting or technology – it is a culture that needs to be learned, applied and practiced by your entire team and some of your business partners.
Regular Security Assessments: Continuous vulnerability assessments and penetration testing of cloud infrastructure must be a priority. These tests should specifically focus on identifying weaknesses that Iranian hackers commonly exploit. The most in-depth security assessment you can run is a NIST 800-53 security audit.
- Enable and enforce 2-factor authentication. But not just in your email, everywhere. If some of your team uses Dropbox, it makes sense that you secure your Dropbox accounts just as well as your email. But here’s a caveat: hackers know how to bypass 2-factor authentication. “We have 2fa” is an excuse, nothing more. “We have 2fa and have considered bypass scenarios” – is what you should be saying. Here is an example of such an advanced attack, recently published on Microsoft’s blog: https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-mitigating-a-multi-stage-aitm-phishing-and-bec-campaign/.
Securing Endpoints and On-Premises Services
Endpoint Protection: Implement advanced endpoint protection platforms (EPPs) that use behavior-based detection to identify and mitigate threats that evade traditional antivirus solutions. Regularly update and patch all systems. One example of advanced endpoint protection we could give you is securing everyone’s Chrome browser. Chrome has over a hundred security settings, many of which are not even present in the user interface and can only be configured through policies and registry settings. The same applies to your Office suite, your PDF reader, etc.
Network Segmentation and Access Control: Segment networks to contain lateral movements. Implement strict access controls based on the principle of least privilege, ensuring employees have access only to the resources necessary for their roles.
Security Awareness Training: Human error remains a significant vulnerability. Regular training sessions on identifying phishing attempts and safe computing practices are crucial. Crucial note here: just buying a bunch of video courses won’t do the trick. You should run phishing simulations and attack simulations, and regularly measure your entire team’s susceptibility to clicking on malicious links and sharing their passwords with hackers. That trend should improve over time.
Regular Backup and Disaster Recovery Plans: Regular backups of critical data and a well-documented disaster recovery plan ensure business continuity in the event of a successful attack. Remember, even the Pentagon and the US OPM (Office of Personnel Management, which holds the data of most of the security-cleared personnel in the USA) were hacked multiple times. The likelihood that your small business will forever remain intact is almost zero. Consider the possibility of a security breach just as you would consider the chance of getting the flu – it most likely will happen; it is your preparedness that will make the whole difference.
Advanced Threat Hunting: Engage in proactive threat-hunting activities to detect and mitigate threats before they manifest into full-blown attacks. This involves analyzing network and endpoint data for signs of malicious activities aligning with Iranian tactics and techniques.
The escalation in cyber attacks by Iranian groups against Israeli companies necessitates a multi-faceted and proactive cybersecurity strategy. By understanding the threat landscape, keeping up-to-date with IOCs, and implementing robust security measures in both cloud and on-premises environments, Israeli companies can significantly enhance their resilience against these targeted attacks.
For further information or assistance in implementing these strategies, companies should contact cybersecurity experts such as Atlant, who can provide tailored solutions based on their specific needs and threat profiles.