top of page

Iran and Not Iran: What Our Threat Monitoring Indicates


Greetings, network defenders! We now have a moment to assess the cyber actions in the wake of events in and around Iran. There was concern that the Iranian regime would respond with widespread cyber attacks. “Be vigilant,” some said. But vigilance is a state, not a plan. It is wise to be informed, be prepared, and be connected.

What did we see in the wake of Soleimani’s demise? The Foreign Ministry in Iran increased its network traffic in the immediate aftermath, but even this didn’t achieve the level of activity from roughly 25 days prior.

What about Iranian APT? We heard and saw very little additional or new activity from the sundry Iranian APT infrastructures. Looking at one of the IP addresses behind APT34 (Oilrig) activity, we don’t see an appreciable change for the past 30 days, except on 12 JAN 2020. Why the spike? 10% of that is to a single, likely victim, IP address – in Brazil, with no obvious ties to the events. The majority of the sessions in the 30-day period were to hosts in Brazil and Bangladesh.

While there may be activity as yet unanalyzed by our systems, or activity pending, it appears that there was very little Iranian cyber response to recent events. This doesn’t mean such activity won’t occur, or that small peaks were missed. That also doesn’t mean the Internet was an inactive space. Let’s examine activity to and from Emotet, a banking trojan that has waxed and waned since circa 2014. Emotet activity will be plotted in GREEN, with the BLUE Iranian MFA and ORANGE Iranian APT34 included.

Thus while Iranian cyber activity appears to have been maintained at pre-event levels, Emotet climbs after Soleimani’s demise. For the bad folk, the phrase “be vigilant” can be — and in the past has been interpreted by them as — “watch everyone but me.”

Since physical world and geopolitical events will occur with regularity, and could impact the cyber realm, what should one do?

First, be informed: Your network is one of your best monitoring systems. Many of your network devices are willing to tell you a great deal about the activity passing through them. Do you collect network flows, such as Netflow, sFlow, or IPFIX? Send these to a collector and baseline your network. Flows can be used for alerting on raw traffic counts, as well as changes in sources and destinations of traffic. Flow analysis systems make great forensic analysis tools. You can send flows to our low or no-cost Nimbus community service platform, which combines your network flows with our threat intelligence feeds. There are plenty of open source options, such as nfsen and SiLK, readily available and capability-laden.

Second, be prepared: The basics work well; patch your systems. This won’t block 0days, but it will serve to thwart much of the routine malware we all endure. Note well that some of your best detection is often found in the people using the systems. If they see something odd, not quite right, just a bit off, they should sound a warning. Do they know who to call? Do you encourage such interactions, or fob them off as “bothersome”? There is no such thing as too much communication; encourage folks to speak up.

Third, be connected: What is your plan should a suspected compromise be reported? Who do you engage internally and externally? Will your upstream ISP provide you with flows? Will your MSSP provide you with logs, as well as analysis of the size of the victim pool beyond you? Who else in your industry would you call to see if they’re experiencing the same, and how they dealt with it? If you’re not attending important conferences such as FIRST and our own Underground Economy and RISE, you’re missing out on forging the alliances you will need. Underground Economy 2020 is August 31 to September 3 in Strasbourg. The attendee application process will be open soon. Stay tuned for updates.

Remember that vigilance is a state, not a plan. It is wise to be aware of global events, both cyber and physical. However we must guard against the temptation to catastrophise ahead of any actual event. Be prepared, be informed, be connected with the wider industry, and you’re well on your way to the key to incident response success: Don’t panic.

Be well!

Rabbi Rob.


bottom of page