How Educational Institutions can Disrupt Ransomware Attackers
Educational institutions face a variety of cybersecurity challenges related to the current extended remote learning reality. Not only do they face diverse attack surfaces to secure, but they often do not control the devices connecting to the network and lack the budgets or staff to maintain a best-in-class security infrastructure. These challenges make the increasing ransomware attacks on education especially concerning. Ransomware attackers look to compromise these systems, then locate important information to steal and encrypt. Attackers then force educational institutions and their security teams to pay costly ransoms or risk a major disruption, such as holding online classes hostage or exposing sensitive, stolen information.
Unfortunately, it’s impossible to keep every bad actor out. It only takes one person to compromise and infect a system; it can be as simple as sending an email with a malicious link. If a teacher or school administrator clicks a malicious link on a vulnerable system, they risk compromising the entire network. This is why early threat detection is critical, and it can help prevent costly payouts and disruptions. Here are four considerations for all educational institutions and universities looking to adopt an early detection approach to cybersecurity.
Invest in Institution-Wide Visibility
Instead of trying to layer more controls at the perimeter to prevent an initial compromise, educational institutions should shift some of their budget toward gaining better internal visibility into risks and detecting the movements of attackers as they attempt to break out from an initially compromised system. Attackers follow a set of well-defined steps, explained in guides like MITRE ATT&CK, which is a knowledge base of adversary tactics and techniques based on real-world observations. Cybersecurity defenders can use guides like this to assess what coverage they need and then map that to the security controls they have.
Endpoint Detection and Response (EDR)
EDR solutions can increase early detection by using behavioral analytics to alert on anomalous behavior. Still, even with this control added, gaps will persist. Security teams should invest in an endpoint solution capable of quickly detecting lateral movement, discovery and privilege escalation.
Disrupt the Attacker
Security teams need to think differently and look at technology that not only detects anomalous behavior, but also disrupts an attacker’s efforts. There are two technologies, deception and concealment, that work together to defeat cyber adversaries who are using more advanced tactics. In fact, testing under the MITRE ATT&CK DIY methodology has demonstrated that detection rates can be boosted by an average of 42% when deception has been added.
Build an Informed Defense
Fake information delivered to the attacker can help organizations build an informed defense. The fake information will lead an attacker to an engagement server where they can be safely studied and tricked into revealing their attack secrets. This information can then be used to fortify defense, hunt for other threats and incidents and accelerate system remediation.
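The two detections discussed above, lateral-movement alerting (the "Endpoint Detection and Response" section) and alerting on the use of planted fake credentials (this section), share the same raw material: authentication logs. The following is an added example written for this article, not code from the original post or from any EDR or deception vendor. It assumes a simple constructed log format (`timestamp host= user= event= src=`) and hypothetical decoy account names such as `svc_backup_decoy`; the sample log lines are constructed, not captured from a real system. It flags any authentication attempt with a decoy account, since no legitimate workflow ever uses one, and flags any account that successfully logs on to more than a threshold of distinct hosts inside a short sliding window, which is the "breakout" movement the article says defenders should watch for.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real institution).
# The account "jdoe" fans out to many hosts within minutes after one failed
# logon with a decoy account; "asmith" shows ordinary activity.
SAMPLE_LOG = """\
2024-03-04T09:00:01 host=lab-pc-17 user=jdoe event=logon_success src=10.20.4.17
2024-03-04T09:02:10 host=lab-pc-17 user=jdoe event=logon_success src=10.20.4.17
2024-03-04T09:05:33 host=fs-01 user=svc_backup_decoy event=logon_failure src=10.20.4.17
2024-03-04T09:06:02 host=fs-01 user=jdoe event=logon_success src=10.20.4.17
2024-03-04T09:06:40 host=fs-02 user=jdoe event=logon_success src=10.20.4.17
2024-03-04T09:07:15 host=print-01 user=jdoe event=logon_success src=10.20.4.17
2024-03-04T09:07:50 host=db-01 user=jdoe event=logon_success src=10.20.4.17
2024-03-04T09:08:20 host=lab-pc-03 user=jdoe event=logon_success src=10.20.4.17
2024-03-04T09:30:00 host=lab-pc-22 user=asmith event=logon_success src=10.20.4.22
2024-03-04T09:45:00 host=fs-01 user=asmith event=logon_success src=10.20.4.22
"""

# Hypothetical decoy (honeytoken) accounts planted on endpoints and file
# shares. They exist only to be found by an intruder; nothing legitimate
# should ever authenticate with them.
DECOY_ACCOUNTS = {"svc_backup_decoy", "admin_legacy_decoy"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def decoy_alerts(events, decoys=DECOY_ACCOUNTS):
    """Deception detection: any attempt with a decoy account is an alert.

    A failed logon counts too; the attacker only learns the decoy exists by
    reading it off a compromised system, so even a failure is high-signal.
    """
    return [e for e in events if e["user"] in decoys]


def lateral_movement_alerts(events, window=timedelta(minutes=10), max_hosts=3):
    """Behavioral detection: flag accounts whose successful logons span more
    than `max_hosts` distinct hosts inside any sliding window of `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "logon_success":
            by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) > max_hosts:
                alerts.append({
                    "user": user,
                    "hosts": sorted(hosts),
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                })
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in decoy_alerts(evs):
        print(f"DECOY USE  {a['ts']} user={a['user']} host={a['host']} src={a['src']}")
    for a in lateral_movement_alerts(evs):
        print(f"LATERAL    user={a['user']} hosts={a['hosts']} "
              f"between {a['first']} and {a['last']}")
```

The decoy rule needs no tuning at all, which is the practical appeal of deception: it has no legitimate baseline to learn. The lateral-movement threshold (`max_hosts`, `window`) does need tuning per environment; on a campus network, help-desk and imaging accounts routinely touch many hosts, so those would be allow-listed or given a higher threshold rather than silenced.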
Attackers have had ample time to take advantage of the shift to remote learning and to leverage the weaknesses that occurred during the transition. We will likely continue to see large ransomware attacks targeting universities over the next year, as well as incidents that cause a disruption of service, forcing the cancellation of classes.
University IT departments that don’t prioritize early detection and the controls to mitigate lateral movement by attackers will see an increase in adversary dwell times and, correspondingly, more devastating attacks. Those that make the effort to build the right protective controls into their networks will raise the threshold for attackers and improve their institution’s ability to quickly disrupt, detect and derail unwanted intrusions.