Using Cyber Threat Hunting to Catch the Attackers Lurking in Your Cybersecurity Blind Spots

By Keith Morneau, Ed.D., Dean of Computer & Information Science, ECPI University

Every educational organization is susceptible to cyber-attacks. K-12 schools and higher education institutions are increasingly targeted because they are seen as soft targets with fewer budget dollars to protect their systems. Today's attackers are financially motivated: they go after your school's data because it sells for a lot of money on the dark web.

The top three cybersecurity issues in education are phishing, malware, and ransomware. Malware and ransomware attacks often start with a phishing email: a user clicks a malicious link or opens an attachment, and that link or attachment installs malware without the user realizing it. In another common scenario, the attacker obtains user IDs and passwords from the dark web, logs into the school's systems with them, and installs the malware from there. Oftentimes the same passwords also work on other systems within the victim's network, because the user reuses one password for every login. In late 2019, a high school principal used the same password at school and for their personal accounts; one of those personal accounts was exposed in a data breach, and the credential was then used on the school's system. If the attacker's motive is financial, they will either launch a ransomware attack that requires the victim to pay a ransom, or steal data from sensitive student information systems to sell on the dark web.

Verizon's 2019 Data Breach Investigations Report revealed that of 382 education incidents, 99 involved some form of data exfiltration. Contributing factors included social engineering attacks and inadequately secured email accounts. The same report noted that denial-of-service (DoS) attacks accounted for more than 50 percent of all attacks in education. A 2019 report from Armor, a cybersecurity firm, found that 1,039 schools nationwide had been victims of ransomware attacks. Some paid the ransom to get their systems back online because their cyber insurance covered the cost. Experts recommend against paying ransoms, since it rewards and reinforces the criminal behavior, but it is understandable when a school had no good disaster recovery plan in place. As long as there is money to be made, attackers will keep launching ransomware attacks on unsuspecting victims. Unfortunately, you can have the best protection and monitoring tools at your disposal and still remain vulnerable.

Malware can morph and hide in plain sight, going undetected for months or even years. The time between initial compromise and detection is known as dwell time. The FireEye Mandiant M-Trends 2019 report found a global median dwell time of 78 days in 2018, down from 101 days in 2017. Organizations are getting better at detecting cyber attacks but can still do much better. Malware is increasingly hard to detect because its traffic looks like valid traffic, and it can change how it communicates on the fly. Typical malware relies on a command and control (C&C) infrastructure. Not all malware is of this type: purely destructive malware whose goal is to search and destroy rather than to make money may never need to phone home. When the goal is monetary gain, however, attackers typically use C&C malware. The implant phones home to the command and control server periodically, looking for work to do. The goal is to get a foothold on the network, progressively gain access to credentials, and stay undetected. The malware lurks until it has enough of a foothold to pounce on the unsuspecting victim and create havoc. In the case of data exfiltration, the attacker lurks in the environment collecting credentials for sensitive systems; once they have them, they send the data out to the C&C server. In the case of ransomware, the malware encrypts the victim's files on one or more computers. The only ways to get the data back are to pay the ransom or to restore from a good disaster recovery plan with offline backups. The latter is the better solution.

Your cybersecurity protections are only as good as your weakest link: your users. All it takes is one user to click a link or download a malicious attachment from a phishing email. Also, whether you like it or not, some of your users are using the same passwords for their school and personal accounts, and it only takes one to cause havoc. Two best practices you can employ within your organization are to run periodic phishing tests of your users, giving them real-time feedback when they click on a simulated phishing email, and to use two-factor authentication wherever you can. Passwords alone are not a strong defense: according to Thycotic, a ten-character password containing letters, numbers, and symbols can be cracked on a supercomputer or botnet with today's technology in three years.

But how do you detect attackers who have already slipped through your protections and are lurking in your networks and systems before they strike? There is a relatively new discipline in cybersecurity called cyber threat hunting. Cyber threat hunting applies data analytics to cybersecurity: rather than waiting for an alert, threat hunters use network traffic and log data to actively search for, detect, isolate, and remove advanced threats before they cause harm to your networks and systems. Many good open-source tools are available to keep costs to a minimum. This new discipline gives educational organizations another tool in their toolbox for catching attackers before they do damage.
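As an added illustration of the kind of hunt described above, the following Python script looks for the periodic phone-home pattern in outbound connection records. This is example code written for this page, not the author's or any vendor's tool. The log format (tab-separated timestamp, source, destination, port, bytes out), the hosts, the thresholds and the sample data are all constructed assumptions; the same logic applies to a Zeek conn.log or a firewall export with those columns.

```python
"""Beacon hunting over outbound connection logs (added example, not the
article's own code). Assumed input: tab-separated lines of
ts, src_ip, dst_ip, dst_port, bytes_out, as one would export from a
Zeek conn.log or a firewall. The hunt flags (src, dst, port) flows whose
inter-connection intervals are nearly constant, which is the periodic
"phone home to the C&C server" behaviour described in the article."""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_log():
    """Constructed sample data for this example (not real traffic)."""
    lines = []
    # Implant on 10.0.5.23 checking in with 203.0.113.45:443 every 300 s,
    # with a few seconds of jitter and near-constant request size.
    jitter = [0.0, 1.2, -0.4, 2.1, -1.8, 0.7, 1.5, -2.2, 0.3, 1.0]
    t = 1_700_000_000.0
    for j in jitter:
        lines.append(f"{t + j:.1f}\t10.0.5.23\t203.0.113.45\t443\t{500 + int(j * 5)}")
        t += 300.0
    # Ordinary browsing from 10.0.5.40 to 198.51.100.7:443: irregular gaps and
    # varying sizes. Same connection count, so volume alone cannot separate them.
    gaps = [5, 90, 12, 700, 33, 2, 410, 65, 8, 150]
    t = 1_700_000_000.0
    for i, g in enumerate(gaps):
        t += g
        lines.append(f"{t:.1f}\t10.0.5.40\t198.51.100.7\t443\t{1200 + 137 * i}")
    return "\n".join(lines)


def parse_conn_log(text):
    """Group (timestamp, bytes_out) events by (src, dst, dst_port)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split("\t")
        conns[(src, dst, int(port))].append((float(ts), int(nbytes)))
    return conns


def coefficient_of_variation(values):
    """pstdev / mean: low values mean 'almost always the same'."""
    m = mean(values)
    return pstdev(values) / m if m > 0 else float("inf")


def hunt_beacons(conns, min_conns=6, max_interval_cv=0.10, max_size_cv=0.25):
    """Return flows that look like beacons: enough connections, near-constant
    spacing and near-constant size. Thresholds are assumptions to tune per site."""
    findings = []
    for (src, dst, port), events in conns.items():
        if len(events) < min_conns:
            continue
        events.sort()
        timestamps = [ts for ts, _ in events]
        intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
        sizes = [n for _, n in events]
        interval_cv = coefficient_of_variation(intervals)
        size_cv = coefficient_of_variation(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(events),
                "interval_s": round(mean(intervals), 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return sorted(findings, key=lambda f: f["interval_cv"])


if __name__ == "__main__":
    for f in hunt_beacons(parse_conn_log(build_sample_log())):
        print(f"possible beacon: {f['src']} -> {f['dst']}:{f['port']} "
              f"every ~{f['interval_s']}s ({f['connections']} connections, "
              f"interval CV {f['interval_cv']}, size CV {f['size_cv']})")
```

On the constructed data only the 10.0.5.23 flow is reported, with an interval of roughly 300 seconds. Treat the output as a hunt lead rather than an alert: legitimate software beacons too (update checkers, NTP, monitoring and SaaS agents), so compare hits against an allowlist of known destinations, and well-written implants randomize their sleep time, so widen the interval threshold or bucket intervals into a histogram and combine the result with how rare the destination is and how much data flows to it.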
