
In the wake of the U.S. drone killing of Iran’s top general Qasem Soleimani and Iran’s 'measured' rocket retaliation on an American military base, the prevailing wisdom is that Iran will intensify its already formidable cyberwarfare capabilities in an effort to inflict damage without triggering a shooting war.

This assessment has made enterprise cybersecurity topic A in company boardrooms and local governments throughout the U.S., which increasingly find themselves in the crosshairs of nation-state attacks. A new study conducted before the recent hostilities by the cybersecurity firm Radware found that in 2019 there was a 42% increase in cyberattacks attributed to foreign governments. The study was based on a survey of more than 560 employees from international companies. Cyberattacks tied to cyberwar, or geopolitical conflict, increased from 19% in 2018 to 27%.

The FBI also reports that two American municipalities were attacked by nation-state actors last year although it has declined to identify them. Like ransomware thieves, nation-states target local governments because they are easy. Often understaffed with declining budgets, they are child’s play for experienced hackers. Many companies are not that much more difficult. Said Anna Convery-Pelletier, Chief Marketing Officer at Radware:

Nation-state intrusions are among the most difficult attacks to thwart because the agencies responsible often have significant resources, knowledge of potential zero-day exploits, and the patience to plan and execute operations. These attacks can result in the loss of sensitive trade, technological, or other data, and security teams may be at a distinct disadvantage.

All of which means that for cybersecurity firms and technology investors, it’s party time. Investors are pouring massive amounts of capital into the security market in a bid to seize upon the segment’s rapid growth. Last year, cybersecurity startups attracted an estimated $5.3 billion in funding, up 20% compared with 2017 and double the investment level recorded for 2016.

One beneficiary of investor enthusiasm is a Boston-based startup called Cybereason, which bagged another $200 million in funding last week from SoftBank Group Corp. and its affiliates. The eight-year-old company, which has its roots in Israeli intelligence, has raised a total of $389 million in funding to date. The startup's other backers are CRV, Lockheed Martin Corp. and Spark Capital.

Sam Curry, Cybereason's Chief Security Officer, says Iran is one of the top three cybersecurity threats to the U.S. (the other two are China and Russia) and is capable of launching sophisticated, large-scale hacking attacks across multiple industries, targeting the networks of top government contractors and disrupting major utilities.

Iran is an intelligent cyber opponent with an army of people testing our systems every minute of every day. It is the ultimate game of cat and mouse. The US and Iran have long been at odds on the global stage, starting more publicly with history's first known cyber-war back in 2013 when U.S. Intelligence agencies attributed a targeted attack on Wall Street to an Iranian-sponsored group as retaliation for sanctions by the US on Iran.

Cybereason’s flagship product is an endpoint protection platform that both detects malware and provides tools for investigating data breaches. The platform uses a built-in antivirus, which finds threats by looking for suspicious activity patterns. For example, if a file on an employee laptop suddenly tries to encrypt other documents kept on the machine, Cybereason will report it as ransomware and halt the encryption attempt. The company protects more than 6 million endpoints worldwide and has customers in major vertical markets such as healthcare, banking, defense and technology. Said Curry:

Traditional solutions work on stopping bad malware but they fail miserably when attackers don't show up with known malware. Cybereason offers complete endpoint detection and response (EDR). It is an automated hunting engine that detects behavioral patterns across every endpoint and blocks known bad attacks and aggregates good and bad behavioral data so it can be mined and investigated. It alerts analysts to malicious operations and offers visualization of events, as well as investigation and deep diving with options for remediation and future prevention.
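To make the "file suddenly tries to encrypt other documents" behavioral pattern described above concrete, here is an added illustration in Python; it is not Cybereason's code and says nothing about how its product actually works internally. It runs a simple heuristic over a constructed stream of file-write events: a process that overwrites many distinct files with high-entropy (encrypted-looking) content inside a short window is flagged, while an editor saving plain text or an archiver writing one compressed file is not.

```python
import math
import random
from collections import defaultdict

# Constructed sample events: (timestamp_s, process_name, file_path, bytes_written).
_rng = random.Random(1)
_PLAIN = b"Quarterly report: revenue grew in every region this year. " * 64
_CIPHERTEXT = _rng.randbytes(4096)  # stands in for encrypted output
SAMPLE_EVENTS = (
    [(0.0, "winword.exe", "C:/Users/alice/report.docx", _PLAIN),
     (3.0, "winword.exe", "C:/Users/alice/notes.docx", _PLAIN),
     (4.0, "7zip.exe", "C:/Users/alice/backup.zip", _CIPHERTEXT)]
    # one unknown process rewriting six documents within two seconds
    + [(10.0 + 0.3 * i, "updater.exe", f"C:/Users/alice/doc{i}.docx", _CIPHERTEXT)
       for i in range(6)]
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for random/encrypted data, well below that for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window_s=5.0, min_files=5, entropy_threshold=7.0):
    """Return {process: distinct_files} for processes that write high-entropy
    content to at least min_files distinct files within any window_s seconds.
    Entropy alone is not enough (archives and images are also high-entropy),
    so the file count over time is what separates encryption from normal work."""
    high_entropy_writes = defaultdict(list)
    for ts, proc, path, data in events:
        if shannon_entropy(data) >= entropy_threshold:
            high_entropy_writes[proc].append((ts, path))
    flagged = {}
    for proc, writes in high_entropy_writes.items():
        writes.sort()
        for start_ts, _ in writes:
            paths = {p for t, p in writes if start_ts <= t < start_ts + window_s}
            if len(paths) >= min_files:
                flagged[proc] = len(paths)  # an EDR would block the process here
                break
    return flagged


if __name__ == "__main__":
    print(detect_mass_encryption(SAMPLE_EVENTS))  # {'updater.exe': 6}
```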

The company claims that since its platform does both detection and response, one security analyst can monitor 150,000 endpoints, compared with the typical ratio of one analyst per 20,000. In today’s highly targeted environment, that could save a ton of money.

My take

The internet offers nation-states a vast and inexpensive venue to wage commercial and ideological warfare and do mischief while maintaining a position of plausible deniability. This global battlefield is only likely to grow and become more dangerous over the next several years as more countries get into the act and those with advanced hacking capabilities get even better.

It is certainly not a fun time for security managers who not only have to protect the fort but also deal with internal demands for things like microservices, serverless architectures, IoT, and a mix of multiple cloud environments as well as hybrid environments that include cloud and on-premises data centers. As organizations adapt their networks to maximize the benefits of these new paradigms, they increase their attack surface and decrease their ability for the right hand to know what the left hand is doing.

It’s not clear exactly how the U.S. government can help. A number of "hack back" bills have been floated around in Congress, but there's always industry resistance. The latest one, the Active Cyber Defense Certainty Act, is still waiting in committee.