Secure Cyber Blog

War With Iran Has Begun: 13 Immediate Actions Network Defenders Must Take Now

Written by Secure Cyber | Feb 28, 2026 9:20:31 PM

By Shawn Waldman, CEO – Secure Cyber

The United States and Israel are now at war with Iran.

If you’re asking, “What does that have to do with cybersecurity?” — the answer is simple:

Every modern kinetic war includes cyber warfare. Every single time.

We saw it in Ukraine. We saw it when the U.S. eliminated Soleimani and the IRGC retaliated with cyberattacks against American water and wastewater utilities. In that case, attackers specifically targeted utilities using Israeli-made technology that was directly exposed to the internet.

Most of this activity never makes headlines.

But it’s happening.

And if history is any indicator, we are entering a heightened cyber threat environment inside the United States.

Here are 13 immediate actions network defenders should take right now.

1. Stop Assuming You’re “Too Small” to Be a Target

Attacks come in two forms:

  • Targeted attacks
  • Crimes of opportunity

If you have exposed assets and they aren’t patched, you are a potential victim.

It doesn’t matter whether you’re:

  • A water utility
  • A manufacturer
  • A healthcare provider
  • Or a company that sells baskets online

Automated scanning doesn’t care about your size.

2. Tighten Your Perimeter Immediately

Your perimeter devices should be your top priority.

That includes:

  • Firewalls
  • Web servers
  • Web Application Firewalls (WAFs)
  • Citrix infrastructure
  • Zscaler or other remote access solutions

Action steps:

  • Download the manufacturer’s hardening guide.
  • Verify configuration against best practices.
  • Patch everything immediately.

If it’s internet-facing, it’s a priority.

3. Do Not Switch Endpoint Tools — Verify Coverage

This is not the time to rip and replace security tools.

Instead:

  • Ensure 100% endpoint coverage.
  • If you have 50 workstations and only 48 appear in your console, find the missing two.
  • Pull your vendor’s hardening guide and validate configuration.

Coverage gaps are where attackers live.

4. If You Use an MSP, Ask the Hard Questions

If you outsource IT, contact your Managed Service Provider today.

Ask:

  • Is your RMM tool protected with MFA for 100% of technicians?
  • Can we review every account with access to our environment?
  • Have any former employees retained access?

Many breaches start through compromised service providers.

Now is the time to verify — not assume.

5. Enable “Newly Registered Domain” Protections

Most next-generation firewalls have features that block:

  • Newly Registered Domains (NRDs)
  • Newly Observed Domains

Attackers frequently purchase fresh domains to launch phishing or malware campaigns. These domains are often flagged within the first 30–90 days.

Turn these protections on.

6. Increase IPS Sensitivity

Your Intrusion Prevention System (IPS) may be set conservatively to reduce false positives.

In a heightened threat environment:

  • Increase inspection levels.
  • Tighten detection thresholds.
  • Accept slightly more noise for stronger protection.

Think of it as raising your internal DEFCON level.

7. Implement a Security DEFCON Model

Security should operate in rings.

As geopolitical tension rises, so should your defensive posture.

You may not be at DEFCON 1 nationally — but internally, you should be tightening controls now.

Security is not static. It adjusts with threat levels.

8. Understand Cloud Is a Shared Responsibility

If you use:

  • Microsoft 365
  • Google Workspace

Understand this:

Microsoft and Google secure the platform’s availability.

You are responsible for your tenant's security.

Action steps:

  • Review Secure Score.
  • Remove inactive users.
  • Enforce MFA on all accounts.
  • Audit admin privileges.
  • Monitor login logs

The cloud is not “set it and forget it.”

9. Brief Your Users Immediately

Attackers exploit war, natural disasters, and breaking news.

Expect phishing emails offering:

  • “Live war footage”
  • “Breaking military intelligence”
  • “Emergency alerts”

Train users to:

  • Avoid clicking emotional or sensational links.
  • Verify unexpected emails.
  • Report suspicious messages immediately.

Humans remain the most targeted attack surface.

10. Review Your Cyber Insurance War Clause

Open your cyber insurance policy.

Most policies include a war exclusion clause.

If an investigation determines:

  • A nation-state was involved
  • The attack occurred during a declared conflict

Your claim could be denied.

This risk is real.

Know your exposure before you need the coverage.

11. Consider Geo-Filtering

If you do not conduct business in certain countries, consider blocking them at the firewall.

Yes, geo-filtering can occasionally break legitimate services that rely on global CDNs.

But in elevated threat conditions, reducing attack surface may outweigh convenience.

This is a business decision — not just a technical one.

12. Follow the CIS Top 18 Controls

If you don’t know where to begin:

Download the CIS Top 18 Controls.

Start with:
Implementation Group 1 (IG1)

This is foundational cyber hygiene.

Security is not built overnight.

Eat the elephant one bite at a time.

13. Don’t Focus Only on Iranian IP Addresses

Nation-state collaboration is common during conflict.

Iran may leverage:

  • Russia
  • China
  • North Korea

We have personally investigated incidents inside the U.S. where compromised traffic originated from Russian IP addresses.

Threat actor infrastructure is global.

Don’t narrow your detection lens too tightly.

Critical Infrastructure Warning: Water & Wastewater Facilities

If you are in local government or oversee utilities:

This is especially urgent.

Immediate Actions:

  • Remove all direct internet exposure.
  • Inventory every piece of equipment.
  • Document manufacturer origin.
  • Patch Human-Machine Interfaces (HMIs).
  • Verify logging is enabled and retained.

Most Important:

Ensure operators can run the plant manually.

Test manual mode regularly.

If the control system fails, operations must continue safely.

Logs may be the only forensic evidence after an incident.

Final Thoughts

Cyber conflict does not wait for press releases.

It runs parallel to kinetic war.

Most activity happens quietly — until it doesn’t.

Now is the time to:

  • Tighten controls
  • Validate assumptions
  • Patch aggressively
  • Educate users
  • Prepare leadership

Stay vigilant.

Cyber threats don’t wait — and neither should your organization.

Whether you need a third-party assessment, incident response readiness, compliance guidance, or fully managed security services, SecureCyber is here to help.

Take the next step today:

🌐 www.secdef.com
📞 937.388.4405
📧 sales@secdef.com

Schedule a consultation and start building a stronger, more resilient cybersecurity program.

 
View full post