Earlier this month, Penn State University was forced to disconnect a portion of its network from the Internet in response to multiple cyber attacks. The attacks, which apparently emanated from China, centered on Penn State’s College of Engineering, and the intrusion stretches all the way back to September of 2012.
The university was first alerted to the threat by the FBI in November of 2014, and during the ensuing investigation it determined that user names and passwords for more than 18,000 people had been compromised in the attack.
In many ways, this attack conforms to what we have come to expect from cyber attacks. Like most breaches, Penn State first learned of the breach from an outside party – the FBI in this case.
Likewise, the attackers silently persisted in the network for an extended period of time before being discovered – more than two years from initial infection to notification. While these trends hold true for virtually every industry, higher education faces unique challenges that make it particularly susceptible to cyber attacks.
A perfect storm for cyber attacks
Universities and colleges have a combination of risk factors that would give most IT security managers nightmares. As research institutions, they contain highly valuable data that isn’t available anywhere else in the world.
In Penn State’s case, the engineering department performed research that was used by the U.S. Navy, making them even more of a target for both international and industrial espionage.
However, in addition to cutting-edge research, universities are a treasure trove of personal information of their students and faculty. Personal information, payment information, and medical records are all potentially on the menu for an attacker.
While these assets can make colleges and universities a target, the real trouble lies in the environment itself. Universities must support tens of thousands of users who all bring their own devices.
Campus networks supported BYOD long before the term existed, and user autonomy extends well beyond the physical device. Students constantly adopt the latest applications and technologies, and where there’s file sharing, social media, and porn, malware is never far behind.
Furthermore, most universities maintain international connections in order to serve students and faculty. This means simple policies based on geo-location (e.g. “block all traffic going to China”) are a non-starter for universities. Environments like these, with high-value assets combined with an expansive and porous attack surface, make infections and cyber attacks a virtual certainty.
Moving forward by focusing on the present
As attacks and infections become increasingly certain, it makes sense for organizations to begin automating the detection of these threats in real time. If a university waits until a third-party notifies them about an attack, the damage will have already been done.
And while post-mortem forensic analysis of an attack is valuable, there is no technical reason that such analysis can’t be automated and incorporated into daily security practices. The attack against Penn State serves as a good example.
As with so many attacks, one of the attackers’ first goals was to steal user credentials, gaining access that looks legitimate to the network and then using those credentials to dig deeper. By using trusted and privileged user credentials, the attackers can quietly burrow into the network and access important data.
However, detecting the theft and reuse of credentials is precisely the type of behavior that can be automated using data science models and the power of modern computing.
Doing so requires a different approach to security, with a persistent focus on internal traffic and user behaviors. With minimal human effort, this approach can proactively spot an attack as it happens.
At a fundamental level, almost all strategic attacks need to spy on users, spread in the target network, and ultimately steal or destroy data. In the same way these behaviors can be detected forensically after damage has been done, they can also be detected in real-time using data science.
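To make the credential-reuse and lateral-movement behaviors above concrete, here is a small detector run over constructed authentication log lines. This is an added example, not code from the original post or from any product; the log format, the baseline cutoff, the ten-minute window and the fan-out threshold of three hosts are all assumptions chosen for illustration. It builds a per-user profile of where each credential is normally used, then flags two things after the baseline period: a credential appearing from a source host it has never been seen on, and one credential reaching several never-before-seen destination hosts in a short window, which is what spreading through a network looks like in the logs.

```python
"""Toy detection of stolen-credential reuse and lateral movement from auth logs.

Added example; the log format and thresholds are assumptions, not from the
original post or any vendor's product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Penn State data):
# "<ISO time> <user> <src_host> <dst_host> <result>"
SAMPLE_LOG = """\
2014-11-01T08:02:11 alice ws-alice fileserver1 success
2014-11-01T08:05:40 alice ws-alice mail1 success
2014-11-02T09:14:02 alice ws-alice fileserver1 success
2014-11-03T08:10:55 alice ws-alice fileserver1 success
2014-11-01T10:00:00 bob ws-bob fileserver1 success
2014-11-02T10:00:00 bob ws-bob fileserver1 success
2014-11-03T10:00:00 bob ws-bob printserver success
2014-11-10T02:13:07 alice ws-lab42 fileserver1 success
2014-11-10T02:13:20 alice ws-lab42 buildserver success
2014-11-10T02:13:31 alice ws-lab42 hpc-login success
2014-11-10T02:13:45 alice ws-lab42 git1 success
2014-11-10T02:14:02 alice ws-lab42 wiki1 success
2014-11-10T09:00:00 bob ws-bob fileserver1 success
"""

BASELINE_END = datetime(2014, 11, 7)   # assumed: logins before this train the profile
FANOUT_WINDOW = timedelta(minutes=10)  # assumed window for counting new destinations
FANOUT_THRESHOLD = 3                   # assumed: new destinations in the window that trigger an alert


def parse(log_text):
    """Parse the constructed log format into event dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "ok": result == "success"})
    return sorted(events, key=lambda e: e["ts"])


def build_profiles(events, cutoff):
    """Per-user sets of source and destination hosts seen in successful logins before the cutoff."""
    profiles = defaultdict(lambda: {"src": set(), "dst": set()})
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            profiles[e["user"]]["src"].add(e["src"])
            profiles[e["user"]]["dst"].add(e["dst"])
    return profiles


def detect(events, cutoff=BASELINE_END):
    """Return alerts for credentials used from new sources or fanning out to new destinations."""
    profiles = build_profiles(events, cutoff)
    alerts = []
    recent_new_dst = defaultdict(list)  # user -> [(ts, dst)] for new destinations in the window
    for e in events:
        if e["ts"] < cutoff or not e["ok"]:
            continue
        p = profiles[e["user"]]
        if e["src"] not in p["src"]:
            alerts.append(("new_source", e["user"], e["src"], e["ts"]))
            p["src"].add(e["src"])  # alert once per new source, not once per login
        if e["dst"] not in p["dst"]:
            p["dst"].add(e["dst"])
            window = [(t, d) for t, d in recent_new_dst[e["user"]]
                      if e["ts"] - t <= FANOUT_WINDOW]
            window.append((e["ts"], e["dst"]))
            recent_new_dst[e["user"]] = window
            if len(window) == FANOUT_THRESHOLD:  # fire once when the threshold is crossed
                alerts.append(("fanout", e["user"],
                               tuple(d for _, d in window), e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed data this yields two alerts for alice: her credential appears from ws-lab42, a host it has never used, and within a minute it reaches three servers it has never touched. Bob's routine logins produce nothing. In a campus BYOD environment a bare "new source host" rule would fire constantly, which is why the per-user baseline and the fan-out condition matter more than any single login, and why thresholds like these have to be tuned against real traffic rather than picked by hand.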
And while higher education certainly has some unique challenges, they are by no means alone in terms of facing breaches. Attackers who want to get into a network can typically afford to be patient. With an unlimited time horizon, the probability of an attacker finding their way into a network quickly approaches 100%.
This is the reality that all security teams must face. It’s imperative to use data science to bring forensic analysis from hindsight into the present moment, detecting attacks as they happen so you don’t get a call from the FBI.