June 25, 2025

Heightened tensions in the Middle East are a stark reminder that geopolitical conflict often spills over into cyberspace. Following recent events, the Department of Homeland Security has issued a National Terrorism Advisory System (NTAS) Bulletin pertaining to an increased threat environment, including possible retaliatory cyberattacks on U.S. businesses and critical infrastructure.

When state-sponsored threat actors ramp up activity, organizations can’t afford to wait and see. Proactive steps taken now can make all the difference in staying resilient when tensions abroad become threats at home.

We asked our GuidePoint Security experts across multiple practice areas what you can focus on today to strengthen your defenses and stay prepared.

Here’s their best advice:

Wise Words from Risk Management: Take Time to Review Your Risk Tolerances

Staying on top of cyber risk means looking at where things stand today and where they’re headed tomorrow. Just like the Butterfly Effect, shifts in global events or public sentiment can dramatically change how attackers operate and what they target. Major world events can shake up the threat landscape overnight, so it’s smart to revisit your risk assessments when big changes happen.

Here’s what you can do now to ensure you’re managing the potential risks without giving over completely to the hype:

• Review your current risk posture: Focus on real gaps, not just headlines.
• Run a targeted risk workshop: Use it to align your team on priorities and next steps.
• Double down on fundamentals: Strong identity management, regular patching, and good asset hygiene are still your best defense.

One key takeaway: never overlook the basics. Your assessments often expose everyday issues like poor access controls, missed patches, or outdated systems. They might seem minor—until a global event suddenly makes your organization a prime target. Staying strong on the fundamentals keeps you ready for whatever new risks may come your way.

– Will Klotz

The DFIR Perspective: Practice. Improve. Repeat.

Whether state-sponsored or financially motivated, cyber adversaries typically exploit the same basic weaknesses: poor credentials, lax access controls, unpatched systems, and users who click the wrong link. High-profile geopolitical threats like those warned of in the latest state-level briefing often amplify fear, but they don’t fundamentally change your incident response playbook. They do, however, test whether your team is disciplined enough to follow it under pressure.

Here are a few proactive steps you can take today to ensure you don’t have gaps in your defenses, practices, or playbooks:

• Pressure-test your incident response plan: conduct realistic tabletop exercises regularly, not just once per year as a check-box exercise.
• Revisit your detection and escalation procedures: Ensure they match the threats you’re most likely to face.
• Double-check the basics: Strong identity controls, phishing-resistant MFA, robust backups, and an up-to-date asset inventory all provide resilience in the face of an attack.
• Stay informed, but choose your sources wisely: Focus on threat intelligence feeds, emerging zero-day events published through official channels, and validated threat-actor movements.

At the end of the day, resilience comes from doing the fundamentals well, day in and day out — and verifying they hold up when it matters most. Now is a perfect time to confirm you’re not just ready on paper, but in practice.

– Curtis Fechner

Tips from Identity and Access Management: Close the Door on the Easy Attacks

Identity and Access Management (IAM) is one of the best defenses you have, especially when threats are on the rise and attackers are looking for the easiest way in. Threat actors don’t need sophisticated tools. If your credentialing policies are weak or access management is overly permissive, they walk right in. Strong IAM practices can help close those doors, limit damage if a threat actor does find their way in, and keep your business running smoothly no matter what happens in the larger world.

Here’s how to stay ready:

• Enforce MFA everywhere: Protect your cloud, IT, and OT systems with breach-resistant multi-factor authentication.
• Implement proper access controls and provisioning: Tighten user provisioning and review permissions regularly so that you know that the right people have the right access at the right time, no more, no less.
• Segment networks and elevate detection capabilities: Break up your networks to limit lateral movement and boost your detection capabilities to catch suspicious behavior early.
• Monitor current identity fraud trends: Be aware of active identity attacks by bad actors and ensure you are monitoring for these current threats.
• Create an incident feedback channel: Work with your anti-fraud teams to ensure they have a clear communications channel should they detect identity issues that require disabling or more closely monitoring user accounts.
• Create an identity management incident response plan: Ensure you have standard operating procedures in place for identity issue remediations, like potential account takeovers. Don’t be caught determining the correct course of action while an identity attack is occurring.
• Raise awareness of potential phishing attacks: Reemphasize phishing attack awareness to your staff and customers.

Remember: in cyberspace, distance doesn’t matter. What matters is intent, capability, and access. If you secure your identities, you take away the easiest path into your organization.

– Kevin Converse, Randall Gamby

The Pen Testing Perspective: Continuous Validation Keeps You Prepared

When global tensions rise, fortifying your defenses should be a top priority, and so should validating them. The worst time to discover a firewall or other critical control failure is after an attack. Ideally, organizations validate security controls regularly to ensure everything functions as expected. That way, when a zero-day hits or a global conflict gives rise to the possibility of heightened attacks, you’ll know you’re ready.

Here are a few practical steps you can take today to ensure your security validation program is properly preparing you for when threat actors ramp up activity:

• Review your threat profile: While this doesn’t sound like a step from the offensive side of the house, it is important that the red and blue teams work together to ensure everyone is up to date on the latest trends in the industry, and, more importantly, the profile remains up to date in terms of threat actors to be concerned about.
• Validate key security controls: Utilizing information from your threat profile and updated threat intelligence based on the current global state of affairs, perform testing of key security controls utilizing Tactics, Techniques, and Procedures (TTPs) outlined in threat intelligence.
• Update continuous testing programs: Confirm that any continuous-based testing is updated with current intelligence to ensure tests are better informed moving forward.

Frequent, intelligence-informed testing helps ensure you’re prepared when attackers strike, regardless of global conditions. If you haven’t already, now is the time to adopt continuous validation. Just remember, when running validation tests (especially during times of heightened awareness), make sure that people know ahead of time. This avoids triggering unnecessary alarms.

– Dale Madden

Cloud Security Advice: Strengthen Your Cloud Posture to Reduce Risk

Cloud environments are often targeted during times of heightened international tension, especially by state-sponsored threat actors. Misconfigured resources, excessive permissions, or unmonitored accounts can become fast entry points into your organization. Now is the time to reassess your cloud security posture and close critical gaps.

Here are actionable recommendations from our Cloud Security experts:

• Close the doors on cloud access: Lock down identity and access controls, enforce MFA across all accounts (especially privileged and root users), eliminate over-provisioned roles, and review and test federated identity configurations.
• Improve cloud logging and visibility: Ensure cloud monitoring services and solutions are enabled and centralized. 
• Monitor for suspicious activity: Be sure to track unusual login locations, suspicious API calls, new user creation or role changes, and configuration changes/drift.
• Implement geo-fencing and access controls: Block access from countries outside your business footprint, and use Conditional Access Policies or IP restrictions to reduce exposure.
• Patch and secure workloads: Scan for known vulnerabilities (CVEs) in cloud VMs, containers, and serverless functions, and apply patches and updates to AMIs, base images, or containers used in production pipelines.
• Reduce external exposure: Audit for publicly accessible resources such as S3 buckets, Azure Blob containers, or exposed APIs, and leverage automated CSPM tools to identify and remediate misconfiguration.

Beyond closing the gaps with the recommendations above, practicing threat detection and response in the cloud is just as critical as running on-premises simulations. By simulating attack scenarios, such as stolen API keys or lateral movement in the cloud, you can keep your response team alert and aware. You can also validate your IR playbooks so that, when an attacker does strike, your cloud defense team is ready.

– Javier Cobeaga

Operational Technology Guidance: Prepare to Keep OT Separate and Safe

A breach in your Information Technology (IT) network shouldn’t bring your Operational Technology (OT) to its knees. But if the pathways between IT and OT aren’t clearly mapped and controlled, that’s exactly what can happen.

Your priority: make sure your OT systems can keep running, even if IT is compromised. To do that, start by fully mapping every connection between IT and OT, including trusted domains, file shares, user credentials, and remote access tools. Each of these systems is a possible bridge for attackers.

What you can do right now to protect OT:

• Have a clear isolation plan: Define exactly how to disconnect OT from IT if needed, and assign roles so people know who does what.
• Segment wisely: Focus first on isolating your most critical OT zones and processes.
• Design for autonomy: Make sure OT can function independently if it must operate without IT support.

Many serious OT incidents start with an IT breach… don’t let your systems become a statistic. Your people, production, and safety depend on proactive planning today to stay resilient through today’s volatility and whatever comes next.

– Patrick Gillespie

A Reminder from TAS: Don’t Forget the Importance of Physical Perimeter Security

During times of global conflict, organizations often focus on cyber threats and overlook a key risk: physical social engineering. Distracted employees and heightened tensions make it easier for attackers to impersonate delivery drivers, contractors, or emergency responders. Exploiting people’s emotional connection to current events, social engineers may pose as security consultants, journalists, or vendors offering urgent help. This manipulation can lead to unauthorized access, stolen credentials, or malicious devices being planted on-site.

Here’s how to strengthen your physical security posture when global tensions rise:

• Reinforce access control procedures: Remind all employees that NO ONE gets through without proper verification, regardless of their story, uniform, or claimed urgency related to current events. Also, no piggybacking! Every individual must provide ID upon entry.
• Train reception and security staff on crisis-related pretexts: Social engineers often pose as emergency responders, security consultants, or aid workers during conflicts. Teach your front-line staff to verify credentials through independent channels.
• Implement buddy system verification: Require a second person to verify any unscheduled visitors, especially those claiming to provide services related to current security concerns or infrastructure needs.
• Create clear escalation protocols: Establish who employees should contact when someone requests building access using emotional appeals or crisis-related urgency.
• Conduct realistic physical penetration tests: Test your defenses with scenarios that mirror current global tensions, such as fake emergency responders or contractors claiming to upgrade security systems.

The bottom line: the strength of your physical perimeter is just as important as your network security. During times of global conflict, threat actors count on organizational chaos and human compassion to bypass traditional access controls.

– Dave West

IoT Awareness: Don’t Forget Your Internet-connected Devices

As geopolitical tensions continue to escalate, IoT security remains a pressing issue for both manufacturers and consumers alike.  It has already been reported that attackers are compromising IoT systems to support ground operations, and it is highly likely that attackers will leverage compromised IoT systems to better support their cyber operations.

With IoT devices, security responsibilities fall under two distinct parties: manufacturers and consumers.

What can manufacturers do to protect their IoT products?

• Avoid shipping devices with default/hardcoded credentials: Compromising default credentials is a simple yet highly effective means by which a device can be compromised.
• Ensure users can update devices in a secure manner: Given time, vulnerabilities will be uncovered. Ensure consumers have the necessary tools to find updates and patch their devices.
• Remove unnecessary services: Avoid enabling or installing unnecessary services to reduce the overall attack surface of a device.

What can consumers do to protect their IoT products?

• Change default passwords that are shipped with a device: Ensure systems leverage cryptographically secure passwords
• Segment IoT devices away from the public internet and away from critical infrastructure: Restricting network access greatly reduces a device’s overall attack surface. If a system cannot be shielded from the public internet, implement additional controls to restrict who and what can connect to a device.
• Regularly monitor devices and their activity: Check audit logs when available, and review systems for any anomalous network or system behavior.

Internet-connected devices are convenient, but they also represent an often-forgotten attack vector. By following IoT best practices, you can help stop attackers from using your devices to gain a foothold in your organizational and home networks.

– Austin Turecek

Smart Advice from GRIT: Understand the Threat to Your Organization

Forewarned is forearmed, and thankfully, resources and threat intelligence on nation-state cyber operations are abundantly available. While taking a critical perspective of the “worst case scenario,” organizations can prepare for state-sponsored cyber threats through the following:

• Threat Modeling: Understand whether your organization is or is not likely to face increased threats from state-aligned threat actors based on historical observations and reporting. Historically, these threat actors have emphasized targeting critical infrastructure, government, defense, financial, academic, and media organizations (among others) in pursuit of intelligence and influence goals. Private sector organizations outside of these areas may be less likely to find themselves as a priority target. 
• Understanding Behavior Beyond Indicators: If and when high-profile attacks occur, Indicators of Compromise (IOCs) often follow close behind. While useful for understanding the infrastructure and tools of an adversary, IOCs are often ephemeral in nature and reflect adversary details that are easily changed. Greater long-term protection can be afforded by moving up the “Pyramid of Pain” and focusing on the common behavior of nation-state cyber threat actors. Use of PowerShell and PowerShell-based tools for post-exploitation, data theft over C2 channels such as HTTPS or DNS, spearphishing for initial access are examples of adversary TTPs which can be proactively considered and protected against.
• Know your Attack Surface: Whether it’s externally-facing services or unpatched systems on internal networks, visibility is the Defender’s best friend. Attack Surface Management (ASM) and Exposure Management (EM) efforts can harden an organization’s external attack surface and identify previously unseen entry points susceptible to brute force access attempts and unauthenticated access. Nation-state actors of all stripes also love exploiting vulnerabilities, including historical but unpatched vulnerabilities going back one, three, or even five or more years. Threat actors linked to nation-states have historically exploited vulnerabilities impacting email systems, edge devices, and management interfaces, often seeking to bypass authentication or execute remote code. Continuous identification and remediation of these access vectors forces the adversary to work harder and reduces the volume of viable threats to an organization.

By taking these steps, organizations can shift from reactive defense to proactive resilience against sophisticated, persistent threats. In an era of escalating cyber threats, preparation is not just prudent, it’s essential.

– Jason Baker

Be Ready Before the Next Attack

Whether it’s geopolitical tensions, vulnerabilities and exposures, insider threats, or zero-day events, cybersecurity keeps us all on our toes. That’s why GuidePoint Security is here to provide trusted cybersecurity expertise, solutions, and services to keep organizations like yours ahead of the next attack.

Contact us today and let’s take the next steps together toward outcome-driven cybersecurity for the future of your organization.