How not to fall victim to a cyberattack


Major cybersecurity incidents in education and research institutions range from ransomware to advanced persistent threat level access, where the likely motivator is access to the valuable data and intellectual property held within these sectors.

Although tactics and procedures differ, all threat actors, during their reconnaissance stage, will be looking for the easiest entry point to systems and networks.

In the years that Jisc’s cybersecurity incident response team (CSIRT) has supported cybersecurity in the education and research sectors, we have learned that most incidents are preventable with the same few mitigation techniques. The recommendations below reduce the risk from the weaknesses most often exploited:

  • Secure remote access services: This includes consolidating all remote access points into your network and ensuring that user access is granted only where there is a need for it. Multi-factor authentication must be enabled for all users.
  • Establish a patching schedule: Externally facing services should be prioritised, with critical vulnerabilities patched as soon as is feasible and mitigated in the meantime. All other vulnerabilities should be patched on a regular schedule, such as monthly; this supports a defence-in-depth strategy, so that vulnerabilities are not used to facilitate an attack at another stage of the cyber kill chain. One layer of security protection will not prevent a cyberattack; you need multiple layers of defence throughout the depth of your infrastructure.
  • Implement comprehensive endpoint protection: Ideally, all devices should have a managed endpoint detection and response (EDR) agent installed and configured effectively, with tamper protection set up, alerts monitored centrally and console access audited. EDR detects malicious activity through behavioural and anomaly detection rather than signatures alone. Ensure incident response playbooks cover how to respond to EDR alerts, so analysts who have been assigned responsibility understand correct procedures and escalation points.
  • Deploy an identity threat detection and response (ITDR) solution: identities, which allow your IT system to recognise and authenticate individuals in your organisation, are a prime target for threat actors across all stages of the cyber kill chain. From a low-privileged user, threat actors quickly move laterally until they gain access to valuable assets, such as sensitive accounts, domain administrators and highly sensitive data. ITDR and EDR also help build a defence-in-depth approach.

Organisations must also maintain a robust, regularly tested back-up and recovery process to ensure resilience in a worst-case scenario such as ransomware, full network compromise or destruction requiring a complete rebuild from a back-up.

Jisc CSIRT has pivoted its methodology from a reactive viewpoint to a more proactive function. We began by identifying the threat groups most relevant to the sector and pulled related indicators and tools that we could block or track using our security services and monitoring of the high-speed Janet network. We then created a community to share early-warning alerts as well as advice and guidance to mitigate the tactics, techniques and procedures related to these threats.

Within the Jisc cyber security community, the Jisc cyberthreat intelligence team regularly posts updates on new tactics being used by notable threat actors. It is important that you receive a threat intelligence feed, whether from Jisc’s team or an alternative. When you receive an alert of new tactics, techniques and procedures, you need to swiftly assess whether your security measures provide protection against them or if you must implement new mitigations. 

Lessons learned from UK retail attacks

With regards to recent retail attacks in the UK, the National Cyber Security Centre has produced recommendations centred around one of the groups involved, Scattered Spider. In addition to the points above, they suggest reviewing your help desk password reset processes, because this method of social engineering is a popular technique for this group and others. 

There is also reporting suggesting that, in one of the incidents, access was gained via a third-party IT provider. This serves as a reminder that the security practices of your external partners are a critical risk to your organisation. The following are recommendations for mitigating this risk:

  • Regularly audit access permissions to internal systems to ensure only authorised users retain access, and consider implementing a just-in-time access model for these accounts.
  • Apply the principle of least privilege by restricting third-party access to only what is necessary for their role.
  • Continuously monitor third-party activity across your network to detect any unusual or unauthorised behaviour.
  • Incorporate security risk assessments into the vendor onboarding process, evaluating adherence to industry certifications and reviewing any history of security breaches.
  • Assess encryption standards, multi-factor authentication and incident-response capabilities, ensuring vendors have clearly defined response plans with assigned responsibilities.
  • Conduct periodic compliance reviews throughout the vendor’s contract lifecycle to verify ongoing adherence to security best practices.
  • Establish and enforce termination protocols to promptly revoke access, decommission shared infrastructure and securely delete data when access is no longer required.
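The access-audit and monitoring points above (time-bound, just-in-time grants; least-privilege scope; continuous review of third-party activity; revocation when access is no longer required) can be turned into a routine check. The following is an added example, not Jisc's, NCSC's or any vendor's tooling: it keeps a small register of third-party account grants and runs a few constructed authentication log lines against it, flagging successful logins after the grant has expired, outside the agreed hours, or to hosts outside the grant's scope, and listing expired grants that still exist and should be revoked. The log format, register schema, vendor names, account names and hosts are all hypothetical.

```python
"""Check third-party (vendor) account activity against a just-in-time access register.

Added example; the register schema and the 'ts key=value ...' log format are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class VendorGrant:
    """One time-bound, least-privilege grant for a third-party account (hypothetical schema)."""
    account: str
    vendor: str
    allowed_hosts: frozenset          # hosts the vendor may reach under this grant
    allowed_hours_utc: tuple          # (inclusive start hour, exclusive end hour) in UTC
    expires: datetime                 # just-in-time grant expiry; access after this must be revoked


# Constructed sample register; vendors, accounts and hosts are invented for illustration.
REGISTER = {
    "svc-helpdesk-vendor": VendorGrant(
        "svc-helpdesk-vendor", "ExampleHelpdesk Ltd",
        frozenset({"itsm-app-01"}), (8, 18),
        datetime(2025, 6, 30, tzinfo=timezone.utc)),
    "svc-backup-vendor": VendorGrant(
        "svc-backup-vendor", "ExampleBackup Ltd",
        frozenset({"bkp-srv-01", "bkp-srv-02"}), (0, 24),
        datetime(2025, 5, 1, tzinfo=timezone.utc)),
}

# Constructed sample authentication log lines (not real data); field order may vary per line.
SAMPLE_LOG = """\
2025-06-10T09:15:00Z user=svc-helpdesk-vendor src=203.0.113.10 host=itsm-app-01 result=ok
2025-06-10T23:40:00Z user=svc-helpdesk-vendor src=203.0.113.10 host=itsm-app-01 result=ok
2025-06-11T10:02:00Z user=svc-helpdesk-vendor src=203.0.113.10 host=dc-01 result=ok
2025-06-11T11:30:00Z user=svc-backup-vendor src=198.51.100.7 host=bkp-srv-01 result=ok
2025-06-11T12:00:00Z user=alice host=wiki-01 src=192.0.2.5 result=ok
"""

# Point in time at which the register audit is run (constructed).
AUDIT_NOW = datetime(2025, 6, 11, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = ts
    return fields


def check_event(ev, register):
    """Return the reasons one successful login by a registered third-party account is suspicious."""
    grant = register.get(ev.get("user"))
    if grant is None or ev.get("result") != "ok":
        return []                 # not a registered vendor account, or not a successful login
    reasons = []
    if ev["ts"] > grant.expires:
        reasons.append("access after grant expiry (revoke account)")
    start, end = grant.allowed_hours_utc
    if not start <= ev["ts"].hour < end:
        reasons.append(f"activity outside agreed window {start:02d}:00-{end:02d}:00 UTC")
    if ev.get("host") not in grant.allowed_hosts:
        reasons.append(f"access to host {ev.get('host')} not in grant scope")
    return reasons


def scan_log(text, register=REGISTER):
    """Run check_event over every line; return a list of (account, reason, raw line) findings."""
    findings = []
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        for reason in check_event(ev, register):
            findings.append((ev["user"], reason, raw))
    return findings


def expired_grants(register, now):
    """Audit step: accounts whose grant has lapsed but still exist and must be revoked."""
    return sorted(acct for acct, grant in register.items() if grant.expires < now)


if __name__ == "__main__":
    for account, reason, raw in scan_log(SAMPLE_LOG):
        print(f"[{account}] {reason}\n    {raw}")
    print("grants to revoke:", expired_grants(REGISTER, AUDIT_NOW))
```

On the constructed sample, the helpdesk vendor is flagged once for a late-night login and once for reaching a domain controller outside its scope, the backup vendor is flagged for logging in after its grant expired, and the register audit lists that same account for revocation; the unregistered staff login is ignored because the check is scoped to third-party accounts. In practice the register would be fed from the access-request system and the checks run on the authentication feed rather than a string.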

One of the most important considerations relevant to these attacks is your organisation’s security culture. There should be visible support and leadership from the top, with all staff and students receiving regular security awareness training that enables them to recognise activity that doesn’t follow usual procedure. This should emphasise that they are empowered to report any issues or concerns instead of concealing them. 

This collective responsibility will help your organisation learn from experience and drive continuous improvement. 

Nicole Stewart is cyberthreat intelligence lead at Jisc.

