Mitigating the Risk of Iranian State-Sponsored Cyberattacks

Tensions between Iran and the United States are at the highest they’ve been in decades. The conflict can easily spill beyond the physical realm into the realm of cyberwarfare. This means that IT and information security professionals, both in the government and the enterprise space, need to operate at a state of heightened awareness and take additional steps to protect their infrastructure from Iranian nation-state actors and proxies operating on their behalf. 

The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, released an alert on January 6 describing the Iranian state-sponsored cyberthreat profile and the known Iranian advanced persistent threats (APTs). Among the agency’s recommendations for risk mitigation are:

  1. “Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
  2. Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms.  
  3. Patch externally facing equipment. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.”

At Expanse, we work with the world’s largest organizations — including the Department of Defense, the Department of State, Lockheed Martin, PayPal, Allergan, CVS, and many more — to protect their global Internet attack surface. Our Expander solution empowers you to continuously discover, monitor, and track Internet Assets automatically, anywhere in the world, and reduce your risks and exposures. Meanwhile, Behavior enables you to continuously analyze suspicious traffic patterns and exposed services — traffic originating from or going to Iran — without requiring the installation or configuration of any local agents or sensors.

For items 1 and 3 in the list of CISA recommendations, Expander can help you find any IP addresses accessible from the public Internet and identify any risky ports or protocols associated with them. With the intelligent Internet inventory you get from Expander, you are then ideally positioned to patch all externally facing equipment, because you’ve uncovered all known and unknown Internet Assets that may need attention, removing attack vectors that adversaries could otherwise leverage.

Item 2 from the CISA recommendations is where Behavior comes in. With Behavior, you can discover any and all communications coming from or going to Iran from your global Internet Assets. Behavior empowers you to verify that your geofencing policy is actually enforced across your network.
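To make items 1 and 2 concrete, here is an added example (not Expanse code and not from the CISA alert) that checks an external scan result against a per-asset allowlist of expected ports and then reviews constructed firewall flow records for traffic to or from geofenced prefixes. The asset inventory, the log lines and the prefix list are all constructed for illustration; the RFC 5737 documentation range 198.51.100.0/24 stands in for a real geofence feed, which you would substitute.

```python
import ipaddress

# Constructed stand-in for a geofence list (RFC 5737 documentation range).
GEOFENCED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed per-asset allowlist: ports each public asset is expected to expose.
EXPECTED_PORTS = {"192.0.2.10": {443}, "192.0.2.20": {25, 443}}

# Constructed external scan result: (asset_ip, port, protocol).
EXPOSED_SERVICES = [
    ("192.0.2.10", 443, "https"),
    ("192.0.2.10", 3389, "rdp"),
    ("192.0.2.20", 443, "https"),
    ("192.0.2.20", 23, "telnet"),
    ("192.0.2.30", 22, "ssh"),   # asset absent from the inventory entirely
]

# Constructed flow-log lines in a simple key=value format.
FLOW_LOG = """\
2020-01-07T10:01:02Z src=192.0.2.10 dst=198.51.100.7 dport=443 proto=tcp
2020-01-07T10:01:05Z src=198.51.100.44 dst=192.0.2.20 dport=25 proto=tcp
2020-01-07T10:01:09Z src=192.0.2.10 dst=203.0.113.9 dport=443 proto=tcp
"""


def unexpected_exposures(services, expected):
    """CISA item 1: return exposed services not on the per-asset allowlist.
    An asset missing from the allowlist is unknown, so all of its ports are flagged."""
    return [(ip, port, proto) for ip, port, proto in services
            if port not in expected.get(ip, set())]


def geofenced_flows(log_text, prefixes):
    """CISA item 2: return (src, dst, dport, matched_field) for each flow whose
    source or destination address falls inside a geofenced prefix."""
    hits = []
    for line in log_text.splitlines():
        tokens = [t for t in line.split() if "=" in t]
        fields = dict(t.split("=", 1) for t in tokens)
        if "src" not in fields or "dst" not in fields:
            continue  # malformed record; skip rather than crash the review
        for key in ("src", "dst"):
            addr = ipaddress.ip_address(fields[key])
            if any(addr in net for net in prefixes):
                hits.append((fields["src"], fields["dst"], fields.get("dport"), key))
                break
    return hits


if __name__ == "__main__":
    for item in unexpected_exposures(EXPOSED_SERVICES, EXPECTED_PORTS):
        print("unexpected exposure:", item)
    for item in geofenced_flows(FLOW_LOG, GEOFENCED_PREFIXES):
        print("geofenced flow:", item)
```

Each flagged exposure is a candidate for closing the port or patching the service behind it; each flagged flow is a candidate for review against your geofencing policy.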

With the risk of Iran state-sponsored cyberattacks at a high point, it’s more important than ever to know your global Internet attack surface. That means both knowing everywhere you are exposed on the Internet, and knowing what geographies (such as Iran) your Internet Assets are making connections with.


If you’re a current customer, please reach out to your Technical Account Manager to work together on reducing any Iran-related risks. And if you haven’t worked with us yet, you can set up a time to talk with our team about reducing your risk of Iranian cyberattacks here.