Over 50 million students currently attend elementary and secondary school education in the US at nearly 100,000 public and 35,000 private schools. Additionally, another 20 million students attend over 7,000 institutes of higher education in the country. To a layman, it is merely a bunch of statistics on the education sector, but for a cybercriminal, it presents a gold mine of information that can be harvested for all kinds of malicious purposes.
“What information?” you may ask. Schools collect all kinds of data on students, ranging from personal information, various assessment scores, and family information to even medical information in certain cases. Essentially, a student’s school file gives a highly detailed picture of their life, perhaps containing more information than the people around them are aware of. Such information, in the wrong hands, can be used to target individuals or groups through spear phishing, malware, online scams, fraud, or simply by threatening to expose sensitive information.
On the other hand, research labs at colleges and universities doing cutting-edge work in various scientific fields often have significant implications for the technological progress of the country, thereby impacting the economy and geopolitics as well. Therefore, it does not come as a surprise when they become targets for foreign actors, often working in state-sponsored groups, to steal intellectual property and spy on many of the government-sponsored projects.
In order to tackle the cyber risks posed by an increasing attack surface, educational institutes need to adopt threat information sharing activities to stay a step ahead of the ever-advancing threat actors. Let us take a look at the existing scenario and what can be done about it.
A Sector on the Cybercriminal Radar
While we often hear about large data breaches exposing millions of user records, the news of a school falling prey to a cyber attack does not get nearly the same amount of attention, despite often involving more sensitive information. If one were to mark every location on the map where a US school or university was targeted in a cyber attack, the densely dotted map would be hard for anyone to look at without concern. The K-12 Cybersecurity Resource Center has documented cyber incidents reported about K-12 public schools and districts from 2016 onwards. The Cyber Incident Map generated from this data shows 489 incidents, including phishing attacks, ransomware attacks, denial-of-service attacks, unauthorized disclosures or breaches, and other cyber incidents that cause school disruptions.
It may be argued that many schools operate on tight budgets, often leaving no room for any expenditure on bolstering their cyber defenses, as compared to universities with larger coffers. However, the tech-savvy universities that are the birthplaces of many path-breaking innovations also aren’t effective enough at protecting their networks. Within the last couple of years, dozens of universities in the US and elsewhere have been targeted to steal their research and even military secrets. As per a report by Verizon, the education sector witnessed 382 major security incidents in 2018 alone.
Slow to adapt, Easy to target
With much of the information stored digitally by schools and universities, it is an open field for hackers to find ways to breach their security perimeters, or even to compromise sensitive data through third parties associated with the target institution. Furthermore, as more and more schools adopt newer teaching methods involving online Learning Management Systems (LMS) and Internet-connected devices, the entry points for attackers only keep increasing. Any disruption in the learning infrastructure also impacts ongoing academic activities.
In the face of heightened cyber risks, the education sector has proved to be alarmingly slow to adapt and evolve. In 2018, SecurityScorecard found the education sector to be the lowest performer in terms of cybersecurity out of 17 major industries in the US. While the shift towards modern teaching methods such as online platforms and learning devices is a welcome change, it is crucial to ensure the security of the institutes which train our future generation.
If you bowl alone, you can’t fight together!
Despite the grim picture painted by the statistics, the education sector can make a monumental difference by promoting more information sharing activities. Like any other sector, the education sector can do a much better job at tackling cyber threats by sharing knowledge about those threats and how to defend against them. Schools, universities, and other organizations must join or form information sharing networks to exchange information on malware, vulnerabilities, risks, threats, and attacks that plague the education sector.
One of the modes of information sharing is through sectoral Information Sharing and Analysis Centers (ISACs). At present, the National Council of ISACs (NCI Directorate) lists 22 different sectoral ISACs, including the Research and Education Networks ISAC (REN-ISAC). Despite its existence, many research and educational institutes have yet to take part in such initiatives. The REN-ISAC currently lists 629 member institutions, including only 578 colleges and universities from the US. Clearly, a large majority of educational institutes in the country are yet to adopt information sharing activities as part of their security operations. Many of the educational administrators and other decision-makers in schools and universities may also lack a deep understanding of threat information sharing and its relevance for their security. Hence, it is worth taking a brief look at what information sharing and threat intelligence mean and how they can help tackle cyber attacks.
Threat Intelligence: Building the barrier before the tide arrives
Consider the scenario of a typical cyber attack aimed at a university. Attackers often start with a series of carefully crafted phishing emails to bait the academic or administrative staff at the university into inadvertently clicking on or downloading a malicious piece of code. Once the attackers have gained a foothold on a device on the university network, they can conduct reconnaissance to find the most impactful target devices to disrupt operations or steal sensitive data. Eventually, when the attack is discovered, it might be too late to stop the attackers from achieving their malicious goals. In cases of ransomware attacks or denial-of-service attacks, universities may end up spending millions of dollars to recover their data or restore their services. Moreover, many institutes lack the readiness to deal with cyber incidents due to a lack or shortage of dedicated staff and well-defined incident response processes.
Ideally, the university should take pre-emptive measures to stop cybercriminals in their tracks, thereby avoiding altogether the lengthy and costly post-incident investigations and procedures to restore their network. In order to achieve this, educational institutes must have access to real-time threat information related to malware, vulnerabilities, risks, and attacks. The exchange of strategic intelligence can be a decisive factor in giving educational institutes an edge over their adversaries.
Adopting Information Sharing
Implementing critical security controls and procedures is a must for any organization, but it is not always enough to prevent attacks, as shown in many large security breaches where prior information could have saved the day. Taking a proactive approach to security by leveraging threat intelligence can not only prevent many attacks but also drastically improve the efficacy of incident response in mitigating the impact of any attacks that do occur.
There are several ways in which research and educational institutes can take up information sharing activities. Joining the sectoral ISAC is just one of the steps they can take. University systems comprising many colleges can form information sharing networks for all the institutes that are part of them. School districts can implement a similar strategy to protect all schools under their purview. Schools and universities can also adopt the Hub and Spoke Model in the Cyware Threat Intelligence eXchange (CTIX) platform to receive or exchange threat information with their peer institutes, law enforcement agencies, regulatory bodies, threat intel providers, and any other stakeholders. Furthermore, they can take collaboration further by automating actions in their internal security tools such as firewalls, IDS/IPS, UEBA, and SIEM, based on intel that has been validated and corroborated within the trusted sharing community using a confidence score parameter.
Until now, organizations have been acting on blind spots, not knowing whether a given action can mitigate risks from specific and relevant threat actors. It is said that if you do not know or cannot see your enemy, you cannot effectively defend against them. This simple principle from conventional warfare also applies to cyberspace. Knowledge of specific threat actors, their tactics and techniques, and the attack campaigns targeting educational institutes can be the key to detecting malicious activity. With CTIX’s mapping of threat indicators to the corresponding tactics and techniques listed in MITRE’s ATT&CK Navigator, security teams in educational institutions can gain a comprehensive picture of the relevant threat environment, which allows them to focus their efforts on closing security gaps and blocking an attack in its early or intermediate stages. Not only will they be able to identify relevant threats, but they can also develop common mitigations against such cyber risks.
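The corroborate-then-act flow described above, as an added example that is not Cyware's CTIX code or part of the original article: a minimal sharing hub that merges indicator reports from spoke institutions (hypothetical names and constructed data; the ATT&CK technique IDs are used only as tags) and emits an automated block only when several independent peers agree at high combined confidence, alerting or merely retaining weaker intel otherwise.

```python
"""Added example (not CTIX code): a hub-and-spoke intel hub that corroborates
indicator reports from peer institutions and gates automated blocking on a
combined confidence score, as the text describes."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    source: str       # reporting spoke (hypothetical institution names)
    indicator: str    # domain, address, hash, ... seen by that spoke
    technique: str    # ATT&CK technique ID the reporter tagged it with
    confidence: int   # the reporter's own confidence, 0-100

# Constructed sample reports; hosts use reserved documentation names/ranges.
REPORTS = [
    Report("Univ-A", "phish-login.example", "T1566", 70),  # phishing site
    Report("Univ-B", "phish-login.example", "T1566", 60),
    Report("Univ-A", "phish-login.example", "T1566", 80),  # A re-reports
    Report("Univ-C", "203.0.113.7", "T1498", 95),          # DoS source
    Report("Univ-B", "updates.example", "T1486", 30),      # weak ransomware lead
]

def corroborate(reports):
    """Merge reports per indicator: each distinct source counts once (its
    highest confidence), and sources combine with a noisy-OR so two
    independent 70/60 sightings outrank either one alone."""
    best = defaultdict(dict)            # indicator -> {source: confidence}
    techniques = defaultdict(set)
    for r in reports:
        best[r.indicator][r.source] = max(best[r.indicator].get(r.source, 0), r.confidence)
        techniques[r.indicator].add(r.technique)
    summary = {}
    for ind, srcs in best.items():
        miss = 1.0                      # probability that every source is wrong
        for c in srcs.values():
            miss *= 1 - c / 100
        summary[ind] = {"sources": sorted(srcs),
                        "confidence": round(100 * (1 - miss)),
                        "techniques": sorted(techniques[ind])}
    return summary

def decide_action(entry, block_at=80, min_sources=2):
    """Auto-blocking needs independent corroboration AND high combined
    confidence; one high-confidence report only alerts, weak reports are kept."""
    if len(entry["sources"]) >= min_sources and entry["confidence"] >= block_at:
        return "block"   # push to firewall / IDS blocklist
    if entry["confidence"] >= 50:
        return "alert"   # raise in the SIEM for analyst review
    return "watch"       # retain, do not act yet
```

The thresholds and the noisy-OR combination are this example's own choices; a real community would tune them to its sources' track records.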
The Way Forward
It is quite clear that the education sector is a highly lucrative target for cybercriminals due to its all-encompassing reach over the populace and the depth of information available to educational institutes. Without organized efforts to increase information sharing between institutes, the number and the impact of cyber attacks are only bound to increase.
While threat actors continually learn from each other to improve their tactics and techniques, it is paramount for the defenders to exchange information about the threats and help improve the overall security posture of the sector. By incorporating information sharing activities in their policies and practice, educational institutes can go a long way towards thwarting cyber risks and taking a proactive stance on cybersecurity.