When asked to nominate typical victims of cyberattacks, most people point to large corporations, financial institutions, and other organisations with sizable volumes of sensitive data. Being highly reliant on digital infrastructure and reliable communication links, these organisations present an attractive target for threat actors looking to steal valuable data or achieve financial gain.
However, there’s another sector that is reporting a rising number of cyberattacks: education. Throughout Australia, and around the world, schools, universities and research groups are experiencing sophisticated attempts to infiltrate core IT systems and data stores.
The motivations for such attacks are many and varied. Academic institutions often hold valuable intellectual property, which makes them a target for nation-state espionage operations. They also play a pivotal role in policy development, and count many influential people among their staff and alumni, which makes them valuable sources for intelligence collection objectives. Further, as service providers, academic institutions are heavily impacted by any disruption to operations, making them vulnerable to ransomware and data extortion attempts.
The attack surface of many academic institutions is also broad and complex due to the nature of their users and operations. This creates many potential weaknesses that motivated threat actors can exploit.
A growing threat
According to Falcon OverWatch, CrowdStrike’s threat hunting team, the number of intrusions launched against academic institutions during 2020 was more than four times the number observed during the previous year. The increase was largely driven by eCrime activity, which accounted for 85 percent of all attacks. But nation-state actors still present a very real threat, as they are often highly skilled, well-resourced, and have the luxury of time to conduct exhaustive reconnaissance against intended victims.
The threat of cyberattack within the education sector is exacerbated for a number of reasons. Firstly, many academic institutions can have complex and physically dispersed networks. In the early days of the internet, academic networks were specifically designed to foster collaboration between globally separated research teams. Many organisations also have bring your own device (BYOD) policies and allow groups to set up and maintain servers that are outside the administration of a central IT department.
Academic institutions are also likely to have a broad cross section of users accessing their networks. Between staff and students, there is a wide range of ages, skill levels, and online behaviours that need to be managed. Rolling out regular security awareness training and ensuring compliance across such a wide user base can be very challenging, and adversaries are well aware that users can be the weak point in an institution's defences.
The chance of cyberattack is also elevated because of the ways in which academic institutions share information: there is a general culture of open connectivity, with few security controls deployed at these interconnection points. The academic sector operates as a nexus of information and access for numerous additional sectors, creating a tantalising prospect for adversaries.
Finally, there is a high chance of social engineering. Students, researchers, and professors eager to share their own research may also have their own web sites outside of university networks. Although they may not be directly linked with the university, the association still exists. Oftentimes, these sites are mined for details that can support threat actor reconnaissance, and later used for social engineering and phishing campaigns.
Overcoming the threat challenge
As the education industry continues to move more of its operations online, the risk of a cyberattack looms ever-present. But there are practical ways to manage this risk. I recommend the following best practices:
- Monitor activity: You can’t stop what you can’t see. Visibility and speed are critical for security teams when blocking attackers that have the capability and intent to steal data and disrupt operations. Security teams must establish consistent visibility into both on-premises and cloud environments and proactively monitor for threats.
- Leverage tools: Use tools to monitor traffic and funnel this data through a Security Information and Event Manager (SIEM). This can highlight events on the network that may have otherwise gone undetected.
- Integrate threat intelligence: Threat intelligence helps you understand an attacker's motivation, skills and tradecraft. Integrating it into your security stack paints a vivid picture of threat actor behaviour, the tools they use, and the tradecraft they employ. Threat intelligence assists with criminal profiling, campaign tracking, and malware identification, and helps to prevent, and even predict, future attacks.
- Invest in proactive threat hunting services: A growing proportion of intrusions incorporate fileless or malware-free techniques, a reminder that nothing is 100 per cent and that technology alone is not enough. It is therefore more important than ever for organisations to deploy a combination of technology-based controls and human-led hunting services in order to best defend against increasingly stealthy and sophisticated threats.
- Partner with a service provider: Having a best-of-breed service provider as a partner is a necessity. Should the unthinkable happen, they can provide the support and guidance that will be required.
The cyberthreats faced by educational institutions are going to continue to increase in both number and sophistication. By taking time to review existing security measures and ensure effective tools and processes are in place, the sector can be best positioned to resist attacks and protect valuable systems and data.
Nick Lowe is director of Falcon OverWatch at CrowdStrike. Scott Jarkoff is director of the Strategic Threat Advisory Group, APJ and EMEA at CrowdStrike.